letsencrypt · jsha · Oct 21, 2021 · Oct 19, 2021 · Oct 19, 2021 · Oct 20, 2021
@@ -37,3 +37,5 @@ tags
 .idea
 
 .vscode/*
+.hierarchy/
+.softhsm-tokens/
@@ -9,6 +9,8 @@ services:
     volumes:
       - .:/go/src/github.com/letsencrypt/boulder:cached
       - ./.gocache:/root/.cache/go-build:cached
+      - ./.hierarchy:/hierarchy/:cached
+      - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
     networks:
       bluenet:
         ipv4_address: 10.77.77.77

@@ -76,7 +76,7 @@ func genCert(path string) error {
 func main() {
 	// If one of the output files already exists, assume this ran once
 	// already for the container and don't re-run.
-	outputFile := "/tmp/root-signing-pub-rsa.pem"
+	outputFile := "/hierarchy/root-signing-pub-rsa.pem"
 	if loc, err := os.Stat(outputFile); err == nil && loc.Mode().IsRegular() {
 		fmt.Println("skipping certificate generation: already exists")
 		return
@@ -113,13 +113,13 @@ func main() {
 	// signing key slots and IDs
 	rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 		"SlotID":     rsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-rsa-a.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-rsa-a.pem",
 		"CommonName": "CA intermediate (RSA) A",
 	})
 	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 	ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 		"SlotID":     ecdsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-ecdsa-a.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-ecdsa-a.pem",
 		"CommonName": "CA intermediate (ECDSA) A",
 	})
 	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
@@ -134,13 +134,13 @@ func main() {
 	// signing key slots and IDs
 	rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 		"SlotID":     rsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-rsa-b.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-rsa-b.pem",
 		"CommonName": "CA intermediate (RSA) B",
 	})
 	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 	ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 		"SlotID":     ecdsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-ecdsa-b.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-ecdsa-b.pem",
 		"CommonName": "CA intermediate (ECDSA) B",
 	})
 	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")

@@ -5,8 +5,8 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (ecdsa)
 inputs:
-    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
-    issuer-certificate-path: /tmp/root-cert-ecdsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
+    issuer-certificate-path: /hierarchy/root-cert-ecdsa.pem
 outputs:
     certificate-path: {{ .CertPath }}
 certificate-profile:

@@ -5,8 +5,8 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (rsa)
 inputs:
-    public-key-path: /tmp/intermediate-signing-pub-rsa.pem
-    issuer-certificate-path: /tmp/root-cert-rsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
     certificate-path: {{ .CertPath }}
 certificate-profile:

@@ -8,4 +8,4 @@ key:
     type: ecdsa
     ecdsa-curve: P-384
 outputs:
-    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
@@ -8,4 +8,4 @@ key:
     type: rsa
     rsa-mod-length: 2048
 outputs:
-    public-key-path: /tmp/intermediate-signing-pub-rsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
@@ -5,10 +5,10 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (rsa)
 inputs:
-    certificate-path: /tmp/intermediate-cert-rsa-a.pem
-    issuer-certificate-path: /tmp/root-cert-rsa.pem
+    certificate-path: /hierarchy/intermediate-cert-rsa-a.pem
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
-    response-path: /tmp/intermediate-ocsp-rsa.b64
+    response-path: /hierarchy/intermediate-ocsp-rsa.b64
 ocsp-profile:
     this-update: 2020-01-01 12:00:00
     next-update: 2039-01-01 12:00:00

@@ -8,8 +8,8 @@ key:
     type: ecdsa
     ecdsa-curve: P-384
 outputs:
-    public-key-path: /tmp/root-signing-pub-ecdsa.pem
-    certificate-path: /tmp/root-cert-ecdsa.pem
+    public-key-path: /hierarchy/root-signing-pub-ecdsa.pem
+    certificate-path: /hierarchy/root-cert-ecdsa.pem
 certificate-profile:
     signature-algorithm: ECDSAWithSHA384
     common-name: CA root (ECDSA)

@@ -8,8 +8,8 @@ key:
     type: rsa
     rsa-mod-length: 4096
 outputs:
-    public-key-path: /tmp/root-signing-pub-rsa.pem
-    certificate-path: /tmp/root-cert-rsa.pem
+    public-key-path: /hierarchy/root-signing-pub-rsa.pem
+    certificate-path: /hierarchy/root-cert-rsa.pem
 certificate-profile:
     signature-algorithm: SHA256WithRSA
     common-name: CA root (RSA)

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

@@ -7,9 +7,9 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",

@@ -1,9 +1,9 @@
 {
   "backdate": "1h",
   "issuerCerts": [
-    "/tmp/intermediate-cert-rsa-a.pem",
-    "/tmp/intermediate-cert-rsa-b.pem",
-    "/tmp/intermediate-cert-ecdsa-a.pem"
+    "/hierarchy/intermediate-cert-rsa-a.pem",
+    "/hierarchy/intermediate-cert-rsa-b.pem",
+    "/hierarchy/intermediate-cert-ecdsa-a.pem"
   ],
 
   "syslog": {

@@ -4,20 +4,20 @@
     "blockProfileRate": 1000000000,
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "debugAddr": ":8009",

@@ -12,9 +12,9 @@
     "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",

@@ -52,6 +52,6 @@
   },
 
   "common": {
-    "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+    "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
   }
 }
@@ -41,20 +41,20 @@
     },
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "staleTimeout": "5m",

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

@@ -7,9 +7,9 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",

@@ -1,9 +1,9 @@
 {
   "backdate": "1h",
   "issuerCerts": [
-    "/tmp/intermediate-cert-rsa-a.pem",
-    "/tmp/intermediate-cert-rsa-b.pem",
-    "/tmp/intermediate-cert-ecdsa-a.pem"
+    "/hierarchy/intermediate-cert-rsa-a.pem",
+    "/hierarchy/intermediate-cert-rsa-b.pem",
+    "/hierarchy/intermediate-cert-ecdsa-a.pem"
   ],
 
 

@@ -4,20 +4,20 @@
     "blockProfileRate": 1000000000,
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "debugAddr": ":8009",

@@ -11,7 +11,7 @@
     "weakKeyFile": "test/example-weak-keys.json",
     "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
-    "issuerCertPath":  "/tmp/intermediate-cert-rsa-a.pem",
+    "issuerCertPath":  "/hierarchy/intermediate-cert-rsa-a.pem",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/ra.boulder/cert.pem",

@@ -53,6 +53,6 @@
   },
 
   "common": {
-    "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+    "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
   }
 }
@@ -40,12 +40,12 @@
       }
     },
     "certificateChains": {
-      "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
-      "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+      "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+      "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
     },
     "alternateCertificateChains": {
-      "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
-      "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+      "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+      "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
     },
     "staleTimeout": "5m",
     "authorizationLifetimeDays": 30,