RA: Audit log and track cert profile names and hashes (letsencrypt#7433)
* Adds `CertProfileName` to the CA's `capb.IssuePrecertificateResponse`
so the RA can receive the CA's configured default profile name for audit
logging/metrics. This is useful for when the RA sends an empty string as
the profile name to the CA, but we want to know exactly what the profile
name chosen by the CA was, rather than just relying on comparing hashes
between CA and RA audit logs.
* Adds the profile name and hash to RA audit logs emitted after a
successful issuance.
* Adds new labels to the existing `new_certificates` metric exported by
the RA.
```
# HELP new_certificates A counter of new certificates including the certificate profile name and hexadecimal certificate profile hash
# TYPE new_certificates counter
new_certificates{profileHash="de4c8c8866ed46b1d4af0d79e6b7ecf2d1ea625e26adcbbd3979ececd8fbd05a",profileName="defaultBoulderCertificateProfile"} 2
```

Fixes letsencrypt#7421
pgporada authored and Vladislav Baranovskiy committed May 30, 2024
1 parent 82253d5 commit 7e71d49
Showing 6 changed files with 205 additions and 106 deletions.
9 changes: 5 additions & 4 deletions ca/ca.go
Expand Up @@ -315,7 +315,7 @@ func (ca *certificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
return nil, err
}

precertDER, certProfileHash, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity)
precertDER, cpwid, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity)
if err != nil {
return nil, err
}
Expand All @@ -327,7 +327,8 @@ func (ca *certificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss

return &capb.IssuePrecertificateResponse{
DER: precertDER,
CertProfileHash: certProfileHash,
CertProfileName: cpwid.name,
CertProfileHash: cpwid.hash[:],
}, nil
}

Expand Down Expand Up @@ -496,7 +497,7 @@ func generateSKID(pk crypto.PublicKey) ([]byte, error) {
return skid[0:20:20], nil
}

func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context, issueReq *capb.IssueCertificateRequest, serialBigInt *big.Int, validity validity) ([]byte, []byte, error) {
func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context, issueReq *capb.IssueCertificateRequest, serialBigInt *big.Int, validity validity) ([]byte, *certProfileWithID, error) {
// The CA must check if it is capable of issuing for the given certificate
// profile name. The name is checked here instead of the hash because the RA
// is unaware of what certificate profiles exist. Pre-existing orders stored
Expand Down Expand Up @@ -599,5 +600,5 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
ca.log.AuditInfof("Signing precert success: issuer=[%s] serial=[%s] regID=[%d] names=[%s] precertificate=[%s] certProfileName=[%s] certProfileHash=[%x]",
issuer.Name(), serialHex, issueReq.RegistrationID, strings.Join(csr.DNSNames, ", "), hex.EncodeToString(certDER), certProfile.name, certProfile.hash)

return certDER, certProfile.hash[:], nil
return certDER, &certProfileWithID{certProfile.name, certProfile.hash, nil}, nil
}
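Review bot: The new `&certProfileWithID{certProfile.name, certProfile.hash, nil}` literal in the last hunk is positional, so the trailing `nil` is meaningless to a reader and any future field added to or reordered in certProfileWithID silently changes which value lands where; prefer a keyed literal that omits the zero-valued field, `return certDER, &certProfileWithID{name: certProfile.name, hash: certProfile.hash}, nil`. The field names `name` and `hash` are confirmed by the `cpwid.name`/`cpwid.hash[:]` reads in the IssuePrecertificate hunk; the third field's name is not visible here, and since the RA now keys audit logs and the `new_certificates` metric on these two values, mixing them up would be hard to spot from the logs alone. It would also help to state on the new `*certProfileWithID` return of issuePrecertificateInner that it is non-nil whenever the error is nil, since IssuePrecertificate dereferences it without a check. Both functions' bodies extend beyond the hunks shown.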
177 changes: 96 additions & 81 deletions ca/proto/ca.pb.go


