Update Vendor of containers/(common, image, buildah)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor/github.com/letsencrypt/boulder/core/objects.go

@@ -175,11 +175,6 @@ type ValidationRecord struct {
 	//   ...
 	// }
 	AddressesTried []net.IP `json:"addressesTried,omitempty"`
-
-	// OldTLS is true if any request in the validation chain used HTTPS and negotiated
-	// a TLS version lower than 1.2.
-	// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
-	OldTLS bool `json:"oldTLS,omitempty"`
 }
 
 func looksLikeKeyAuthorization(str string) error {

vendor/github.com/letsencrypt/boulder/core/util.go

@@ -26,6 +26,8 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )
 
+const Unspecified = "Unspecified"
+
 // Package Variables Variables
 
 // BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)")
@@ -182,7 +184,7 @@ func ValidSerial(serial string) bool {
 func GetBuildID() (retID string) {
 	retID = BuildID
 	if retID == "" {
-		retID = "Unspecified"
+		retID = Unspecified
 	}
 	return
 }
@@ -191,7 +193,7 @@ func GetBuildID() (retID string) {
 func GetBuildTime() (retID string) {
 	retID = BuildTime
 	if retID == "" {
-		retID = "Unspecified"
+		retID = Unspecified
 	}
 	return
 }
@@ -200,7 +202,7 @@ func GetBuildTime() (retID string) {
 func GetBuildHost() (retID string) {
 	retID = BuildHost
 	if retID == "" {
-		retID = "Unspecified"
+		retID = Unspecified
 	}
 	return
 }

vendor/github.com/letsencrypt/boulder/errors/errors.go

@@ -12,6 +12,7 @@ package errors
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/letsencrypt/boulder/identifier"
 )
@@ -56,6 +57,10 @@ type BoulderError struct {
 	Type      ErrorType
 	Detail    string
 	SubErrors []SubBoulderError
+
+	// RetryAfter the duration a client should wait before retrying the request
+	// which resulted in this error.
+	RetryAfter time.Duration
 }
 
 // SubBoulderError represents sub-errors specific to an identifier that are
@@ -77,9 +82,10 @@ func (be *BoulderError) Unwrap() error {
 // provided subErrs to the existing BoulderError.
 func (be *BoulderError) WithSubErrors(subErrs []SubBoulderError) *BoulderError {
 	return &BoulderError{
-		Type:      be.Type,
-		Detail:    be.Detail,
-		SubErrors: append(be.SubErrors, subErrs...),
+		Type:       be.Type,
+		Detail:     be.Detail,
+		SubErrors:  append(be.SubErrors, subErrs...),
+		RetryAfter: be.RetryAfter,
 	}
 }
 
@@ -107,31 +113,35 @@ func NotFoundError(msg string, args ...interface{}) error {
 	return New(NotFound, msg, args...)
 }
 
-func RateLimitError(msg string, args ...interface{}) error {
+func RateLimitError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 
-func DuplicateCertificateError(msg string, args ...interface{}) error {
+func DuplicateCertificateError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/duplicate-certificate-limit/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/duplicate-certificate-limit/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 
-func FailedValidationError(msg string, args ...interface{}) error {
+func FailedValidationError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/failed-validation-limit/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/failed-validation-limit/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 
-func RegistrationsPerIPError(msg string, args ...interface{}) error {
+func RegistrationsPerIPError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 

vendor/github.com/letsencrypt/boulder/features/featureflag_string.go

@@ -16,36 +16,37 @@ func _() {
 	_ = x[StreamlineOrderAndAuthzs-5]
 	_ = x[V1DisableNewValidations-6]
 	_ = x[ExpirationMailerDontLookTwice-7]
-	_ = x[CAAValidationMethods-8]
-	_ = x[CAAAccountURI-9]
-	_ = x[EnforceMultiVA-10]
-	_ = x[MultiVAFullResults-11]
-	_ = x[MandatoryPOSTAsGET-12]
-	_ = x[AllowV1Registration-13]
-	_ = x[StoreRevokerInfo-14]
-	_ = x[RestrictRSAKeySizes-15]
-	_ = x[FasterNewOrdersRateLimit-16]
-	_ = x[ECDSAForAll-17]
-	_ = x[ServeRenewalInfo-18]
-	_ = x[GetAuthzReadOnly-19]
-	_ = x[GetAuthzUseIndex-20]
-	_ = x[CheckFailedAuthorizationsFirst-21]
-	_ = x[AllowReRevocation-22]
-	_ = x[MozRevocationReasons-23]
-	_ = x[OldTLSOutbound-24]
-	_ = x[OldTLSInbound-25]
-	_ = x[SHA1CSRs-26]
-	_ = x[AllowUnrecognizedFeatures-27]
-	_ = x[RejectDuplicateCSRExtensions-28]
-	_ = x[ROCSPStage1-29]
-	_ = x[ROCSPStage2-30]
-	_ = x[ROCSPStage3-31]
+	_ = x[OldTLSInbound-8]
+	_ = x[OldTLSOutbound-9]
+	_ = x[ROCSPStage1-10]
+	_ = x[ROCSPStage2-11]
+	_ = x[ROCSPStage3-12]
+	_ = x[CAAValidationMethods-13]
+	_ = x[CAAAccountURI-14]
+	_ = x[EnforceMultiVA-15]
+	_ = x[MultiVAFullResults-16]
+	_ = x[MandatoryPOSTAsGET-17]
+	_ = x[AllowV1Registration-18]
+	_ = x[StoreRevokerInfo-19]
+	_ = x[RestrictRSAKeySizes-20]
+	_ = x[FasterNewOrdersRateLimit-21]
+	_ = x[ECDSAForAll-22]
+	_ = x[ServeRenewalInfo-23]
+	_ = x[GetAuthzReadOnly-24]
+	_ = x[GetAuthzUseIndex-25]
+	_ = x[CheckFailedAuthorizationsFirst-26]
+	_ = x[AllowReRevocation-27]
+	_ = x[MozRevocationReasons-28]
+	_ = x[SHA1CSRs-29]
+	_ = x[AllowUnrecognizedFeatures-30]
+	_ = x[RejectDuplicateCSRExtensions-31]
 	_ = x[ROCSPStage6-32]
+	_ = x[ROCSPStage7-33]
 }
 
-const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsExpirationMailerDontLookTwiceCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsOldTLSOutboundOldTLSInboundSHA1CSRsAllowUnrecognizedFeaturesRejectDuplicateCSRExtensionsROCSPStage1ROCSPStage2ROCSPStage3ROCSPStage6"
+const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsExpirationMailerDontLookTwiceOldTLSInboundOldTLSOutboundROCSPStage1ROCSPStage2ROCSPStage3CAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsSHA1CSRsAllowUnrecognizedFeaturesRejectDuplicateCSRExtensionsROCSPStage6ROCSPStage7"
 
-var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 157, 177, 190, 204, 222, 240, 259, 275, 294, 318, 329, 345, 361, 377, 407, 424, 444, 458, 471, 479, 504, 532, 543, 554, 565, 576}
+var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 157, 170, 184, 195, 206, 217, 237, 250, 264, 282, 300, 319, 335, 354, 378, 389, 405, 421, 437, 467, 484, 504, 512, 537, 565, 576, 587}
 
 func (i FeatureFlag) String() string {
 	if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {

vendor/github.com/letsencrypt/boulder/features/features.go

@@ -20,6 +20,11 @@ const (
 	StreamlineOrderAndAuthzs
 	V1DisableNewValidations
 	ExpirationMailerDontLookTwice
+	OldTLSInbound
+	OldTLSOutbound
+	ROCSPStage1
+	ROCSPStage2
+	ROCSPStage3
 
 	//   Currently in-use features
 	// Check CAA and respect validationmethods parameter.
@@ -79,14 +84,6 @@ const (
 	//   with the certificate's keypair, the cert will be revoked with reason
 	//   keyCompromise, regardless of what revocation reason they request.
 	MozRevocationReasons
-	// OldTLSOutbound allows the VA to negotiate TLS 1.0 and TLS 1.1 during
-	// HTTPS redirects. When it is set to false, the VA will only connect to
-	// HTTPS servers that support TLS 1.2 or above.
-	OldTLSOutbound
-	// OldTLSInbound controls whether the WFE rejects inbound requests using
-	// TLS 1.0 and TLS 1.1. Because WFE does not terminate TLS in production,
-	// we rely on the TLS-Version header (set by our reverse proxy).
-	OldTLSInbound
 	// SHA1CSRs controls whether the /acme/finalize endpoint rejects CSRs that
 	// are self-signed using SHA1.
 	SHA1CSRs
@@ -98,25 +95,15 @@ const (
 	// go1.19.
 	RejectDuplicateCSRExtensions
 
-	// ROCSPStage1 enables querying Redis, live-signing response, and storing
-	// to Redis, but doesn't serve responses from Redis.
-	ROCSPStage1
-	// ROCSPStage2 enables querying Redis, live-signing a response, and storing
-	// to Redis, and does serve responses from Redis when appropriate (when
-	// they are fresh, and agree with MariaDB's status for the certificate).
-	ROCSPStage2
-	// ROCSPStage3 enables querying Redis, live-signing a response, and serving
-	// from Redis, without any fallback to serving bytes from MariaDB. In this
-	// mode we still make a parallel request to MariaDB to cross-check the
-	// _status_ of the response. If that request indicates a different status
-	// than what's stored in Redis, we'll trigger a fresh signing and serve and
-	// store the result.
-	ROCSPStage3
 	// ROCSPStage6 disables writing full OCSP Responses to MariaDB during
 	// (pre)certificate issuance and during revocation. Because Stage 4 involved
 	// disabling ocsp-updater, this means that no ocsp response bytes will be
 	// written to the database anymore.
 	ROCSPStage6
+	// ROCSPStage7 disables generating OCSP responses during issuance and
+	// revocation. This affects codepaths in both the RA (revocation) and the CA
+	// (precert "birth certificates").
+	ROCSPStage7
 )
 
 // List of features and their default value, protected by fMu
@@ -154,6 +141,7 @@ var features = map[FeatureFlag]bool{
 	ROCSPStage2:                    false,
 	ROCSPStage3:                    false,
 	ROCSPStage6:                    false,
+	ROCSPStage7:                    false,
 }
 
 var fMu = new(sync.RWMutex)

vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto

@@ -7,56 +7,89 @@ import "core/proto/core.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
 
-service StorageAuthority {
-  // Getters
-  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
-  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
-  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
-  rpc GetCertificate(Serial) returns (core.Certificate) {}
-  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
-  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
-  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
+// StorageAuthorityReadOnly exposes only those SA methods which are read-only.
+service StorageAuthorityReadOnly {
   rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
+  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
+  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
+  rpc CountOrders(CountOrdersRequest) returns (Count) {}
+  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
   rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
   rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
-  rpc CountOrders(CountOrdersRequest) returns (Count) {}
-  // Return a count of authorizations with status "invalid" that belong to
-  // a given registration ID and expire in the given time range.
-  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
-  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
   rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
-  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
   rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
   rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetCertificate(Serial) returns (core.Certificate) {}
+  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
+  rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
+  rpc GetOrder(OrderRequest) returns (core.Order) {}
+  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
   rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
-  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
-  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
-  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
-  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
-  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
-  rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
+  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
+  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
+  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
+  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
   rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
+  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
+  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
   rpc IncidentsForSerial(Serial) returns (Incidents) {}
+  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
+  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
+}
+
+// StorageAuthority provides full read/write access to the database.
+service StorageAuthority {
+  // Getters: this list must be identical to the StorageAuthorityReadOnly rpcs.
+  rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
+  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
+  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
+  rpc CountOrders(CountOrdersRequest) returns (Count) {}
+  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
+  rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
+  rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
+  rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
+  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
+  rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
+  rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetCertificate(Serial) returns (core.Certificate) {}
+  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
+  rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
+  rpc GetOrder(OrderRequest) returns (core.Order) {}
+  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
+  rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
+  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
+  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
+  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
+  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
+  rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
+  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
+  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
+  rpc IncidentsForSerial(Serial) returns (Incidents) {}
+  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
+  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
   // Adders
-  rpc NewRegistration(core.Registration) returns (core.Registration) {}
-  rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
+  rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
   rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
   rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
   rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {}
+  rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
   rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {}
+  rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
+  rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
+  rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
   rpc NewOrder(NewOrderRequest) returns (core.Order) {}
   rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
-  rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
-  rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
-  rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
-  rpc GetOrder(OrderRequest) returns (core.Order) {}
-  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
+  rpc NewRegistration(core.Registration) returns (core.Registration) {}
   rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
+  rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
+  rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
+  rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
   rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
-  rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
-  rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
-  rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
-  rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
 }
 
 message RegistrationID {
@@ -124,6 +157,7 @@ message CountCertificatesByNamesRequest {
 
 message CountByNames {
   map<string, int64> counts = 1;
+  google.protobuf.Timestamp earliest = 2; // Unix timestamp (nanoseconds)
 }
 
 message CountRegistrationsByIPRequest {