add boulder-mtca

Author: jsha

cmd/boulder-mtca/main.go

@@ -0,0 +1,81 @@
+package notmain
+
+import (
+	"context"
+	"flag"
+	"os"
+
+	"github.com/jmhodges/clock"
+
+	"github.com/letsencrypt/boulder/cmd"
+	bgrpc "github.com/letsencrypt/boulder/grpc"
+	"github.com/letsencrypt/boulder/issuance"
+	mtca "github.com/letsencrypt/boulder/mtca"
+	mtcapb "github.com/letsencrypt/boulder/mtca/proto"
+)
+
+type Config struct {
+	MTCA struct {
+		cmd.ServiceConfig
+
+		GRPCMTCA *cmd.GRPCServerConfig
+
+		// Issuer holds the configuration for a single MTCA instance with a single mtcaID.
+		// We run a separate process for each issuer.
+		// TODO: the issuance package parses the CA certificate as a self-signed X.509
+		// certificate, but per MTC draft, a CA SHOULD be represented by an RFC 9925
+		// unsigned certificate: https://www.rfc-editor.org/rfc/rfc9925.html.
+		Issuer issuance.IssuerConfig
+	}
+
+	Syslog        cmd.SyslogConfig
+	OpenTelemetry cmd.OpenTelemetryConfig
+}
+
+func main() {
+	grpcAddr := flag.String("addr", "", "gRPC listen address override")
+	debugAddr := flag.String("debug-addr", "", "Debug server address override")
+	configFile := flag.String("config", "", "File path to the configuration file for this service")
+	flag.Parse()
+	if *configFile == "" {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	var c Config
+	err := cmd.ReadConfigFile(*configFile, &c)
+	cmd.FailOnError(err, "Reading JSON config file into config structure")
+
+	if *grpcAddr != "" {
+		c.MTCA.GRPCMTCA.Address = *grpcAddr
+	}
+	if *debugAddr != "" {
+		c.MTCA.DebugAddr = *debugAddr
+	}
+
+	scope, logger, oTelShutdown := cmd.StatsAndLogging(c.Syslog, c.OpenTelemetry, c.MTCA.DebugAddr)
+	defer oTelShutdown(context.Background())
+	cmd.LogStartup(logger)
+
+	tlsConfig, err := c.MTCA.TLS.Load(scope)
+	cmd.FailOnError(err, "Loading TLS config")
+
+	clk := clock.New()
+
+	issuer, err := issuance.LoadIssuer(c.MTCA.Issuer, clk)
+	cmd.FailOnError(err, "Loading issuer")
+
+	mtcaImpl := mtca.New(issuer)
+
+	srv := bgrpc.NewServer(c.MTCA.GRPCMTCA, logger).Add(
+		&mtcapb.MTCA_ServiceDesc, mtcaImpl)
+
+	start, err := srv.Build(tlsConfig, scope, clk)
+	cmd.FailOnError(err, "Unable to setup MTCA gRPC server")
+
+	cmd.FailOnError(start(), "MTCA gRPC service failed")
+}
+
+func init() {
+	cmd.RegisterCommand("boulder-mtca", main, &cmd.ConfigValidator{Config: &Config{}})
+}

cmd/boulder/main.go

@@ -7,6 +7,7 @@ import (
 
 	_ "github.com/letsencrypt/boulder/cmd/bad-key-revoker"
 	_ "github.com/letsencrypt/boulder/cmd/boulder-ca"
+	_ "github.com/letsencrypt/boulder/cmd/boulder-mtca"
 	_ "github.com/letsencrypt/boulder/cmd/boulder-observer"
 	_ "github.com/letsencrypt/boulder/cmd/boulder-publisher"
 	_ "github.com/letsencrypt/boulder/cmd/boulder-ra"

cmd/boulder/main_test.go

@@ -31,6 +31,8 @@ func TestConfigValidation(t *testing.T) {
 		switch cmdName {
 		case "boulder-ca":
 			fileNames = []string{"ca.json"}
+		case "boulder-mtca":
+			fileNames = []string{"mtca.json"}
 		case "boulder-observer":
 			fileNames = []string{"observer.yml"}
 		case "boulder-publisher":

mtca/mtca.go

@@ -0,0 +1,26 @@
+package mtca
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/letsencrypt/boulder/issuance"
+	mtcapb "github.com/letsencrypt/boulder/mtca/proto"
+)
+
+var _ mtcapb.MTCAServer = &mtca{}
+
+func New(issuer *issuance.Issuer) *mtca {
+	return &mtca{
+		issuer: issuer,
+	}
+}
+
+type mtca struct {
+	mtcapb.UnimplementedMTCAServer
+	issuer *issuance.Issuer
+}
+
+func (m *mtca) Issue(ctx context.Context, req *mtcapb.IssueRequest) (*mtcapb.IssueResponse, error) {
+	return nil, fmt.Errorf("not implemented")
+}

mtca/proto/mtca.pb.go

@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package mtca;
+option go_package = "github.com/letsencrypt/boulder/mtca/proto";
+
+// MTCA issues MTC certificates.
+service MTCA {
+  // Submit requests that the CA start the process of creating a standalone certificate
+  // for the given request. It returns once a checkpoint has been signed that includes
+  // that certificate's TBSCertificateLogEntry, but does not wait for cosignatures.
+  rpc Issue(IssueRequest) returns (IssueResponse) {}
+}
+
+message IssueRequest {
+  // Next unused field number: 4
+  bytes csr = 1;
+  int64 registrationID = 2;
+  int64 orderID = 3;
+}
+
+message IssueResponse {
+  // Next unused field number: 4
+  string mtcLogID = 1;
+  int64 mtcSerialNumber = 2;
+  int64 checkpointSubtreeID = 3;
+}