Move //revocation/reasons.go into the post-OCSP world (#8355)

Define the acceptable revocation reason codes directly in our
`revocation` package. Make the int-to-string and string-to-int
conversion capabilities into immutable functions, rather than ad-hoc
dictionary lookups. Do the same for the user- or admin-allowed reasons.
These changes make the revocation package wholly standalone, with no
dependencies (except fmt).

Update all of our logic and tests to use revocation.Reasons instead of
constants from the /x/crypto/ocsp package. This removes all reliance on
the /x/crypto/ocsp package for revocation reasons, which felt awkward in
a CRLs-only world.

Finally, take advantage of the improvements above to give the ceremony
CRL tool the ability to take revocation reasons as strings, rather than
integers. This behavior matches the capabilities already present in the
admin revoke-cert tool

Fixes #8328

Author: aarongable

cmd/admin/cert.go

@@ -14,8 +14,6 @@ import (
 	"sync/atomic"
 	"unicode"
 
-	"golang.org/x/crypto/ocsp"
-
 	core "github.com/letsencrypt/boulder/core"
 	berrors "github.com/letsencrypt/boulder/errors"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -76,24 +74,18 @@ func (s *subcommandRevokeCert) Run(ctx context.Context, a *admin) error {
 		return fmt.Errorf("got unacceptable parallelism %d", s.parallelism)
 	}
 
-	reasonCode := revocation.Reason(-1)
-	for code := range revocation.AdminAllowedReasons {
-		if s.reasonStr == revocation.ReasonToString[code] {
-			reasonCode = code
-			break
-		}
-	}
-	if reasonCode == revocation.Reason(-1) {
-		return fmt.Errorf("got unacceptable revocation reason %q", s.reasonStr)
+	reasonCode, err := revocation.StringToReason(s.reasonStr)
+	if err != nil {
+		return fmt.Errorf("looking up revocation reason: %w", err)
 	}
 
-	if s.skipBlock && reasonCode == ocsp.KeyCompromise {
+	if s.skipBlock && reasonCode == revocation.KeyCompromise {
 		// We would only add the SPKI hash of the pubkey to the blockedKeys table if
 		// the revocation reason is keyCompromise.
 		return errors.New("-skip-block-key only makes sense with -reason=1")
 	}
 
-	if s.malformed && reasonCode == ocsp.KeyCompromise {
+	if s.malformed && reasonCode == revocation.KeyCompromise {
 		// This is because we can't extract and block the pubkey if we can't
 		// parse the certificate.
 		return errors.New("cannot revoke malformed certs for reason keyCompromise")

cmd/bad-key-revoker/main.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/jmhodges/clock"
 	"github.com/prometheus/client_golang/prometheus"
-	"golang.org/x/crypto/ocsp"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 
@@ -20,6 +19,7 @@ import (
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	blog "github.com/letsencrypt/boulder/log"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
+	"github.com/letsencrypt/boulder/revocation"
 	"github.com/letsencrypt/boulder/sa"
 )
 
@@ -190,7 +190,7 @@ func (bkr *badKeyRevoker) revokeCerts(certs []unrevokedCertificate) error {
 		_, err := bkr.raClient.AdministrativelyRevokeCertificate(context.Background(), &rapb.AdministrativelyRevokeCertificateRequest{
 			Cert:      cert.DER,
 			Serial:    cert.Serial,
-			Code:      int64(ocsp.KeyCompromise),
+			Code:      int64(revocation.KeyCompromise),
 			AdminName: "bad-key-revoker",
 		})
 		if err != nil {

cmd/ceremony/main.go

@@ -27,6 +27,7 @@ import (
 	"github.com/letsencrypt/boulder/goodkey"
 	"github.com/letsencrypt/boulder/linter"
 	"github.com/letsencrypt/boulder/pkcs11helpers"
+	"github.com/letsencrypt/boulder/revocation"
 	"github.com/letsencrypt/boulder/strictyaml"
 )
 
@@ -447,7 +448,7 @@ type crlConfig struct {
 		RevokedCertificates []struct {
 			CertificatePath  string `yaml:"certificate-path"`
 			RevocationDate   string `yaml:"revocation-date"`
-			RevocationReason int    `yaml:"revocation-reason"`
+			RevocationReason string `yaml:"revocation-reason"`
 		} `yaml:"revoked-certificates"`
 	} `yaml:"crl-profile"`
 	SkipLints []string `yaml:"skip-lints"`
@@ -487,7 +488,7 @@ func (cc crlConfig) validate() error {
 		if rc.RevocationDate == "" {
 			return errors.New("crl-profile.revoked-certificates.revocation-date is required")
 		}
-		if rc.RevocationReason == 0 {
+		if rc.RevocationReason == "" {
 			return errors.New("crl-profile.revoked-certificates.revocation-reason is required")
 		}
 	}
@@ -994,9 +995,13 @@ func crlCeremony(configBytes []byte) error {
 			SerialNumber:   cert.SerialNumber,
 			RevocationTime: revokedAt,
 		}
-		encReason, err := asn1.Marshal(rc.RevocationReason)
+		reasonCode, err := revocation.StringToReason(rc.RevocationReason)
 		if err != nil {
-			return fmt.Errorf("failed to marshal revocation reason %q: %s", rc.RevocationReason, err)
+			return fmt.Errorf("looking up revocation reason: %w", err)
+		}
+		encReason, err := asn1.Marshal(reasonCode)
+		if err != nil {
+			return fmt.Errorf("failed to marshal revocation reason %d (%q): %s", reasonCode, rc.RevocationReason, err)
 		}
 		revokedCert.Extensions = []pkix.Extension{{
 			Id:    asn1.ObjectIdentifier{2, 5, 29, 21}, // id-ce-reasonCode

cmd/ceremony/main_test.go

@@ -1187,7 +1187,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					} `yaml:"revoked-certificates"`
 				}{
 					ThisUpdate: "this-update",
@@ -1219,7 +1219,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					} `yaml:"revoked-certificates"`
 				}{
 					ThisUpdate: "this-update",
@@ -1252,7 +1252,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					} `yaml:"revoked-certificates"`
 				}{
 					ThisUpdate: "this-update",
@@ -1261,7 +1261,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates: []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					}{{}},
 				},
 			},
@@ -1291,7 +1291,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					} `yaml:"revoked-certificates"`
 				}{
 					ThisUpdate: "this-update",
@@ -1300,7 +1300,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates: []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					}{{
 						CertificatePath: "path",
 					}},
@@ -1332,7 +1332,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					} `yaml:"revoked-certificates"`
 				}{
 					ThisUpdate: "this-update",
@@ -1341,7 +1341,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates: []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					}{{
 						CertificatePath: "path",
 						RevocationDate:  "date",
@@ -1374,7 +1374,7 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					} `yaml:"revoked-certificates"`
 				}{
 					ThisUpdate: "this-update",
@@ -1383,11 +1383,11 @@ func TestCRLConfig(t *testing.T) {
 					RevokedCertificates: []struct {
 						CertificatePath  string `yaml:"certificate-path"`
 						RevocationDate   string `yaml:"revocation-date"`
-						RevocationReason int    `yaml:"revocation-reason"`
+						RevocationReason string `yaml:"revocation-reason"`
 					}{{
 						CertificatePath:  "path",
 						RevocationDate:   "date",
-						RevocationReason: 1,
+						RevocationReason: "keyCompromise",
 					}},
 				},
 			},

crl/updater/updater.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/jmhodges/clock"
 	"github.com/prometheus/client_golang/prometheus"
-	"golang.org/x/crypto/ocsp"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
@@ -23,6 +22,7 @@ import (
 	cspb "github.com/letsencrypt/boulder/crl/storer/proto"
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
+	"github.com/letsencrypt/boulder/revocation"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 )
 
@@ -207,7 +207,7 @@ func reRevoked(a *proto.CRLEntry, b *proto.CRLEntry) (*proto.CRLEntry, error) {
 	if b.RevokedAt.AsTime().Before(a.RevokedAt.AsTime()) {
 		first, second = b, a
 	}
-	if first.Reason != ocsp.KeyCompromise && second.Reason == ocsp.KeyCompromise {
+	if revocation.Reason(first.Reason) != revocation.KeyCompromise && revocation.Reason(second.Reason) == revocation.KeyCompromise {
 		return second, nil
 	}
 	// The RA has logic to prevent re-revocation for any reason other than KeyCompromise,

crl/updater/updater_test.go

@@ -11,7 +11,6 @@ import (
 	"testing"
 	"time"
 
-	"golang.org/x/crypto/ocsp"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -25,6 +24,7 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
+	"github.com/letsencrypt/boulder/revocation"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 	"github.com/letsencrypt/boulder/test"
 )
@@ -278,7 +278,7 @@ func TestUpdateShard(t *testing.T) {
 			entries: []*corepb.CRLEntry{
 				{
 					Serial:    "0311b5d430823cfa25b0fc85d14c54ee35",
-					Reason:    int32(ocsp.KeyCompromise),
+					Reason:    int32(revocation.KeyCompromise),
 					RevokedAt: now,
 				},
 			},
@@ -287,17 +287,17 @@ func TestUpdateShard(t *testing.T) {
 			entries: []*corepb.CRLEntry{
 				{
 					Serial:    "0311b5d430823cfa25b0fc85d14c54ee35",
-					Reason:    int32(ocsp.KeyCompromise),
+					Reason:    int32(revocation.KeyCompromise),
 					RevokedAt: now,
 				},
 				{
 					Serial:    "037d6a05a0f6a975380456ae605cee9889",
-					Reason:    int32(ocsp.AffiliationChanged),
+					Reason:    int32(revocation.AffiliationChanged),
 					RevokedAt: now,
 				},
 				{
 					Serial:    "03aa617ab8ee58896ba082bfa25199c884",
-					Reason:    int32(ocsp.Unspecified),
+					Reason:    int32(revocation.Unspecified),
 					RevokedAt: now,
 				},
 			},
@@ -310,9 +310,9 @@ func TestUpdateShard(t *testing.T) {
 	test.AssertNotError(t, err, "updateShard")
 
 	expectedEntries := map[string]int32{
-		"0311b5d430823cfa25b0fc85d14c54ee35": int32(ocsp.KeyCompromise),
-		"037d6a05a0f6a975380456ae605cee9889": int32(ocsp.AffiliationChanged),
-		"03aa617ab8ee58896ba082bfa25199c884": int32(ocsp.Unspecified),
+		"0311b5d430823cfa25b0fc85d14c54ee35": int32(revocation.KeyCompromise),
+		"037d6a05a0f6a975380456ae605cee9889": int32(revocation.AffiliationChanged),
+		"03aa617ab8ee58896ba082bfa25199c884": int32(revocation.Unspecified),
 	}
 	for r := range bytes.SplitSeq(recordingUploader.crlBody, []byte("\n")) {
 		if len(r) == 0 {
@@ -580,25 +580,25 @@ func TestAddFromStream(t *testing.T) {
 	yesterday := now.Add(-24 * time.Hour)
 	simpleEntry := &corepb.CRLEntry{
 		Serial:    "abcdefg",
-		Reason:    ocsp.CessationOfOperation,
+		Reason:    int32(revocation.CessationOfOperation),
 		RevokedAt: timestamppb.New(yesterday),
 	}
 
 	reRevokedEntry := &corepb.CRLEntry{
 		Serial:    "abcdefg",
-		Reason:    ocsp.KeyCompromise,
+		Reason:    int32(revocation.KeyCompromise),
 		RevokedAt: timestamppb.New(now),
 	}
 
 	reRevokedEntryOld := &corepb.CRLEntry{
 		Serial:    "abcdefg",
-		Reason:    ocsp.KeyCompromise,
+		Reason:    int32(revocation.KeyCompromise),
 		RevokedAt: timestamppb.New(now.Add(-48 * time.Hour)),
 	}
 
 	reRevokedEntryBadReason := &corepb.CRLEntry{
 		Serial:    "abcdefg",
-		Reason:    ocsp.AffiliationChanged,
+		Reason:    int32(revocation.AffiliationChanged),
 		RevokedAt: timestamppb.New(now),
 	}
 
@@ -691,12 +691,12 @@ func TestAddFromStreamDisallowedSerialPrefix(t *testing.T) {
 	input := []*corepb.CRLEntry{
 		{
 			Serial:    "abcdefg",
-			Reason:    ocsp.CessationOfOperation,
+			Reason:    int32(revocation.CessationOfOperation),
 			RevokedAt: timestamppb.New(yesterday),
 		},
 		{
 			Serial:    "01020304",
-			Reason:    ocsp.CessationOfOperation,
+			Reason:    int32(revocation.CessationOfOperation),
 			RevokedAt: timestamppb.New(yesterday),
 		},
 	}