Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow clients to select a "profile" via ACME API query parameters #7309

Open
5 of 7 tasks
Tracked by #7310
, #7311
...
aarongable opened this issue Feb 6, 2024 · 6 comments
Open
5 of 7 tasks
Tracked by #7310
, #7311
...

Allow clients to select a "profile" via ACME API query parameters #7309

aarongable opened this issue Feb 6, 2024 · 6 comments
Labels
area/ca area/ra area/sa area/wfe blocked

Comments

@aarongable
Copy link
Contributor

aarongable commented Feb 6, 2024
edited

This bug is an umbrella/tracking bug, acting as a one-stop-shop to see progress on the multiple sub-tasks necessary to achieve this 2024 OKR.

The design we have landed on is

  1. the CA (and the WFE?) will be configured with multiple profiles, each of which has a human-readable name (and maybe a guaranteed-unique ID).
  2. the client will specify the profile they want as a query parameter on their directory URL -- this means profile selection only requires users to update their directory url, and doesn't require client software itself to be updated -- and the parameter will be reflected back in the directory object so it gets used in the new-order request as well.
  3. the SA will store the requested profile on the Order object so it can be used at finalization time

Subtasks:
This was referenced Feb 6, 2024
Open
Open
@orangepizza
Copy link
Contributor

orangepizza commented Feb 12, 2024
edited

I'm sure it'd currently in active discussing internally, but is there conclusion about how DB should save profiles?
it needs to not replaced to some other profile even if config doesn't have that profile, but not sure if it editing of a profile in boulder config file (needs to) / (must not) retroactively change old orders made with that profile name:
and does OCSP/CRL processor needs to able to recall how old profile no longer in config file was configured, or one can just decide by how long cert last?

@aarongable
Copy link
Contributor Author

We haven't yet come to a conclusion on how best to store the profile in the database. The two key considerations are:

  1. Inside the orders table vs in a new table (having everything in one place is handy, but adding a column to an already-large table is expensive and difficult)
  2. Storing a profile name vs a content-addressed profile hash ID (the former means we can use the same profile identifier everywhere including in the WFE, the latter prevents accidental issues where a profile is changed while keeping the name the same)

The OCSP and CRL systems do not need to know anything about profiles, as far as I'm aware at this time.

@orangepizza
Copy link
Contributor

Wonder if it can use https://mariadb.com/kb/en/instant-add-column-for-innodb/ , if mariadb is same version with what docker image grabs it should possible.
About hash/string, I kinda tilt with string, because updating profiles something done in past like allowing new feature/ slight change backdate, and invalidate old orders (becasue CA no longer knows it) because of it sounds weird.

@aarongable
Copy link
Contributor Author

aarongable commented Feb 12, 2024
edited

Wonder if it can use https://mariadb.com/kb/en/instant-add-column-for-innodb/ , if mariadb is same version with what docker image grabs it should possible.

We've discussed this option in the past, and instead opted for other solutions. It is an option again this time, but only one option.

About hash/string, I kinda tilt with string, because updating profiles something done in past like allowing new feature/ slight change backdate, and invalidate old orders (becasue CA no longer knows it) because of it sounds weird.

Yes, we've modified the profile in the past. We've also had an incident because of it. So immutable profiles is definitely something we're considering.

@orangepizza
Copy link
Contributor

think profile inside order is too early to be immutable, because profile update will need to happen someday (like BR, new or old not allows old one as-is), it only needs to be immutable once it enters finalization and passed to CA. WFE or RA could have hold map of old to new profile hashs and update it at the start of finalization, but now that map needs to be set by human with raw hashes and looks more error prone

@aarongable
Copy link
Contributor Author

it only needs to be immutable once it enters finalization and passed to CA.

True, good point.

WFE or RA could have hold map of old to new profile hashs and update it at the start of finalization, but now that map needs to be set by human with raw hashes and looks more error prone

Nah, the CA could just have two maps: human-readable profile name to profile, and content-addressed profile ID to profile. At precertificate issuance time, it would use the first map to look up the correct profile based on the profile name associated with the order. It would then bake the corresponding profile ID into the issuance token. Then at final certificate issuance time, it would use that unique ID to look up the exact same profile for the final certificate. The unique content-addressed hash IDs would be computed inside the CA when it loads its config.

@jsha jsha mentioned this issue Feb 20, 2024
Closed
This was referenced Feb 20, 2024
Merged
Merged
pgporada added a commit that referenced this issue Mar 5, 2024
@pgporada
CA: gRPC plumbing for multiple certificate profiles (#7331)
bb82726 
Adds a new `certProfileName` message to the
`CA.IssueCertificateRequest`. This field contains a human-readable
"name" set by the
[WFE2](#7332), and in turn
the RA. At the time of precertificate issuance, the receiving CA will
determine if it is capable of fulfilling the `ra.CA.IssuePrecertificate`
request for the given `certProfileName`. If the name is found in the
CA's map, the CA will return a `capb.IssuePrecertificateResponse`
message with a populated `certProfileHash` field back to the RA. When
that RA calls `ra.CA.IssueCertificateForPrecertificate`, it will send
that same `certProfileHash` message to a CA which must ensure it
contains a certificate profile matching the provided hash. If the hash
in found in the CA's map a final certificate issuance attempt will
proceed. This is done to prevent certificate profile changes in the
duration between requests from causing a mismatch between precerticate
and final certificate.

Part of #7309
Part of #6966
@beautifulentropy beautifulentropy mentioned this issue Mar 8, 2024
Merged
@aarongable aarongable mentioned this issue Mar 12, 2024
Merged
pgporada pushed a commit that referenced this issue Mar 14, 2024
@aarongable
Add certificateProfileName to RA, SA, and Core order protos (#7381)
8d169a8 
This adds the profile name to the proto messages necessary to propagate
it from the WFE to the SA, and from the SA to the CA. This change is
safe to land prior to any logic being added, and unblocks
profile-handling logic changes to the WFE, RA, SA, and CA.

Part of #7309
beautifulentropy added a commit that referenced this issue Mar 20, 2024
@beautifulentropy
WFE: Add support for certificate profiles (#7373)
c6b5055 
- Parse and validate the `profile` field in `newOrder` requests.
- Pass the `profile` field from `newOrder` calls to the resulting
`RA.NewOrder` call.
- When the client requests a specific profile, ensure that the profile
field is populated in the order returned.

Fixes #7332
Part of #7309
@pgporada pgporada mentioned this issue Mar 20, 2024
Merged
This was referenced Apr 2, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/ca area/ra area/sa area/wfe blocked
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aarongable @orangepizza