Update to c/image main branch

> go get github.com/containers/image/v5@main
> make vendor

... to make sure that we don't regress against Skopeo 1.9.3.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

vendor/github.com/letsencrypt/boulder/core/interfaces.go

@@ -7,7 +7,6 @@ import (
 // PolicyAuthority defines the public interface for the Boulder PA
 // TODO(#5891): Move this interface to a more appropriate location.
 type PolicyAuthority interface {
-	WillingToIssue(domain identifier.ACMEIdentifier) error
 	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
 	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
 	ChallengeTypeEnabled(t AcmeChallenge) bool

vendor/github.com/letsencrypt/boulder/core/objects.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/crypto/ocsp"
 	"gopkg.in/square/go-jose.v2"
 
 	"github.com/letsencrypt/boulder/identifier"
@@ -78,6 +79,11 @@ const (
 	OCSPStatusRevoked = OCSPStatus("revoked")
 )
 
+var OCSPStatusToInt = map[OCSPStatus]int{
+	OCSPStatusGood:    ocsp.Good,
+	OCSPStatusRevoked: ocsp.Revoked,
+}
+
 // DNSPrefix is attached to DNS names in DNS challenges
 const DNSPrefix = "_acme-challenge"
 
@@ -534,3 +540,34 @@ type SuggestedWindow struct {
 type RenewalInfo struct {
 	SuggestedWindow SuggestedWindow `json:"suggestedWindow"`
 }
+
+// RenewalInfoSimple constructs a `RenewalInfo` object and suggested window
+// using a very simple renewal calculation: calculate a point 2/3rds of the way
+// through the validity period, then give a 2-day window around that. Both the
+// `issued` and `expires` timestamps are expected to be UTC.
+func RenewalInfoSimple(issued time.Time, expires time.Time) RenewalInfo {
+	validity := expires.Add(time.Second).Sub(issued)
+	renewalOffset := validity / time.Duration(3)
+	idealRenewal := expires.Add(-renewalOffset)
+	return RenewalInfo{
+		SuggestedWindow: SuggestedWindow{
+			Start: idealRenewal.Add(-24 * time.Hour),
+			End:   idealRenewal.Add(24 * time.Hour),
+		},
+	}
+}
+
+// RenewalInfoImmediate constructs a `RenewalInfo` object with a suggested
+// window in the past. Per the draft-ietf-acme-ari-00 spec, clients should
+// attempt to renew immediately if the suggested window is in the past. The
+// passed `now` is assumed to be a timestamp representing the current moment in
+// time.
+func RenewalInfoImmediate(now time.Time) RenewalInfo {
+	oneHourAgo := now.Add(-1 * time.Hour)
+	return RenewalInfo{
+		SuggestedWindow: SuggestedWindow{
+			Start: oneHourAgo,
+			End:   oneHourAgo.Add(time.Minute * 30),
+		},
+	}
+}

vendor/github.com/letsencrypt/boulder/core/util.go

@@ -13,9 +13,9 @@ import (
 	"expvar"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math/big"
 	mrand "math/rand"
+	"os"
 	"reflect"
 	"regexp"
 	"sort"
@@ -245,7 +245,7 @@ func UniqueLowerNames(names []string) (unique []string) {
 
 // LoadCert loads a PEM certificate specified by filename or returns an error
 func LoadCert(filename string) (*x509.Certificate, error) {
-	certPEM, err := ioutil.ReadFile(filename)
+	certPEM, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/letsencrypt/boulder/errors/errors.go

@@ -128,6 +128,13 @@ func FailedValidationError(msg string, args ...interface{}) error {
 	}
 }
 
+func RegistrationsPerIPError(msg string, args ...interface{}) error {
+	return &BoulderError{
+		Type:   RateLimit,
+		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/", args...),
+	}
+}
+
 func RejectedIdentifierError(msg string, args ...interface{}) error {
 	return New(RejectedIdentifier, msg, args...)
 }

vendor/github.com/letsencrypt/boulder/features/featureflag_string.go

@@ -39,11 +39,13 @@ func _() {
 	_ = x[RejectDuplicateCSRExtensions-28]
 	_ = x[ROCSPStage1-29]
 	_ = x[ROCSPStage2-30]
+	_ = x[ROCSPStage3-31]
+	_ = x[ROCSPStage6-32]
 }
 
-const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsExpirationMailerDontLookTwiceCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsOldTLSOutboundOldTLSInboundSHA1CSRsAllowUnrecognizedFeaturesRejectDuplicateCSRExtensionsROCSPStage1ROCSPStage2"
+const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsExpirationMailerDontLookTwiceCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsOldTLSOutboundOldTLSInboundSHA1CSRsAllowUnrecognizedFeaturesRejectDuplicateCSRExtensionsROCSPStage1ROCSPStage2ROCSPStage3ROCSPStage6"
 
-var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 157, 177, 190, 204, 222, 240, 259, 275, 294, 318, 329, 345, 361, 377, 407, 424, 444, 458, 471, 479, 504, 532, 543, 554}
+var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 157, 177, 190, 204, 222, 240, 259, 275, 294, 318, 329, 345, 361, 377, 407, 424, 444, 458, 471, 479, 504, 532, 543, 554, 565, 576}
 
 func (i FeatureFlag) String() string {
 	if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {

vendor/github.com/letsencrypt/boulder/features/features.go

@@ -105,6 +105,18 @@ const (
 	// to Redis, and does serve responses from Redis when appropriate (when
 	// they are fresh, and agree with MariaDB's status for the certificate).
 	ROCSPStage2
+	// ROCSPStage3 enables querying Redis, live-signing a response, and serving
+	// from Redis, without any fallback to serving bytes from MariaDB. In this
+	// mode we still make a parallel request to MariaDB to cross-check the
+	// _status_ of the response. If that request indicates a different status
+	// than what's stored in Redis, we'll trigger a fresh signing and serve and
+	// store the result.
+	ROCSPStage3
+	// ROCSPStage6 disables writing full OCSP Responses to MariaDB during
+	// (pre)certificate issuance and during revocation. Because Stage 4 involved
+	// disabling ocsp-updater, this means that no ocsp response bytes will be
+	// written to the database anymore.
+	ROCSPStage6
 )
 
 // List of features and their default value, protected by fMu
@@ -140,6 +152,8 @@ var features = map[FeatureFlag]bool{
 	RejectDuplicateCSRExtensions:   false,
 	ROCSPStage1:                    false,
 	ROCSPStage2:                    false,
+	ROCSPStage3:                    false,
+	ROCSPStage6:                    false,
 }
 
 var fMu = new(sync.RWMutex)

vendor/github.com/letsencrypt/boulder/goodkey/blocked.go

@@ -6,7 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
-	"io/ioutil"
+	"os"
 
 	"github.com/letsencrypt/boulder/core"
 
@@ -42,16 +42,14 @@ func (b blockedKeys) blocked(key crypto.PublicKey) (bool, error) {
 // SHA256 hashes of SubjectPublicKeyInfo's in the input YAML file
 // with the expected format:
 //
-// ```
-// blocked:
-//   - cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=
-//   <snipped>
-//   - Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=
-// ```
+//	blocked:
+//	  - cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=
+//	  <snipped>
+//	  - Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=
 //
 // If no hashes are found in the input YAML an error is returned.
 func loadBlockedKeysList(filename string) (*blockedKeys, error) {
-	yamlBytes, err := ioutil.ReadFile(filename)
+	yamlBytes, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/letsencrypt/boulder/goodkey/weak.go

@@ -11,7 +11,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 )
 
 type truncatedHash [10]byte
@@ -21,7 +21,7 @@ type WeakRSAKeys struct {
 }
 
 func LoadWeakRSASuffixes(path string) (*WeakRSAKeys, error) {
-	f, err := ioutil.ReadFile(path)
+	f, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto

@@ -5,6 +5,7 @@ option go_package = "github.com/letsencrypt/boulder/sa/proto";
 
 import "core/proto/core.proto";
 import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
 
 service StorageAuthority {
   // Getters
@@ -14,6 +15,7 @@ service StorageAuthority {
   rpc GetCertificate(Serial) returns (core.Certificate) {}
   rpc GetPrecertificate(Serial) returns (core.Certificate) {}
   rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
+  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
   rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
   rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
   rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
@@ -34,6 +36,7 @@ service StorageAuthority {
   rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
   rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
   rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
+  rpc IncidentsForSerial(Serial) returns (Incidents) {}
   // Adders
   rpc NewRegistration(core.Registration) returns (core.Registration) {}
   rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
@@ -287,6 +290,10 @@ message Incident {
   bool enabled = 5;
 }
 
+message Incidents {
+  repeated Incident incidents = 1;
+}
+
 message SerialsForIncidentRequest {
   string incidentTable = 1;
 }
@@ -304,3 +311,9 @@ message GetRevokedCertsRequest {
   int64 expiresBefore = 3; // Unix timestamp (nanoseconds), exclusive
   int64 revokedBefore = 4; // Unix timestamp (nanoseconds)
 }
+
+message RevocationStatus {
+  int64 status = 1;
+  int64 revokedReason = 2;
+  google.protobuf.Timestamp revokedDate = 3; // Unix timestamp (nanoseconds)
+}

vendor/github.com/letsencrypt/boulder/sa/proto/sa_grpc.pb.go

@@ -31,6 +31,7 @@ type StorageAuthorityClient interface {
 	GetCertificate(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.Certificate, error)
 	GetPrecertificate(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.Certificate, error)
 	GetCertificateStatus(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*proto.CertificateStatus, error)
+	GetRevocationStatus(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*RevocationStatus, error)
 	CountCertificatesByNames(ctx context.Context, in *CountCertificatesByNamesRequest, opts ...grpc.CallOption) (*CountByNames, error)
 	CountRegistrationsByIP(ctx context.Context, in *CountRegistrationsByIPRequest, opts ...grpc.CallOption) (*Count, error)
 	CountRegistrationsByIPRange(ctx context.Context, in *CountRegistrationsByIPRequest, opts ...grpc.CallOption) (*Count, error)
@@ -51,6 +52,7 @@ type StorageAuthorityClient interface {
 	KeyBlocked(ctx context.Context, in *KeyBlockedRequest, opts ...grpc.CallOption) (*Exists, error)
 	SerialsForIncident(ctx context.Context, in *SerialsForIncidentRequest, opts ...grpc.CallOption) (StorageAuthority_SerialsForIncidentClient, error)
 	GetRevokedCerts(ctx context.Context, in *GetRevokedCertsRequest, opts ...grpc.CallOption) (StorageAuthority_GetRevokedCertsClient, error)
+	IncidentsForSerial(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*Incidents, error)
 	// Adders
 	NewRegistration(ctx context.Context, in *proto.Registration, opts ...grpc.CallOption) (*proto.Registration, error)
 	UpdateRegistration(ctx context.Context, in *proto.Registration, opts ...grpc.CallOption) (*emptypb.Empty, error)
@@ -135,6 +137,15 @@ func (c *storageAuthorityClient) GetCertificateStatus(ctx context.Context, in *S
 	return out, nil
 }
 
+func (c *storageAuthorityClient) GetRevocationStatus(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*RevocationStatus, error) {
+	out := new(RevocationStatus)
+	err := c.cc.Invoke(ctx, "/sa.StorageAuthority/GetRevocationStatus", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *storageAuthorityClient) CountCertificatesByNames(ctx context.Context, in *CountCertificatesByNamesRequest, opts ...grpc.CallOption) (*CountByNames, error) {
 	out := new(CountByNames)
 	err := c.cc.Invoke(ctx, "/sa.StorageAuthority/CountCertificatesByNames", in, out, opts...)
@@ -343,6 +354,15 @@ func (x *storageAuthorityGetRevokedCertsClient) Recv() (*proto.CRLEntry, error)
 	return m, nil
 }
 
+func (c *storageAuthorityClient) IncidentsForSerial(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*Incidents, error) {
+	out := new(Incidents)
+	err := c.cc.Invoke(ctx, "/sa.StorageAuthority/IncidentsForSerial", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *storageAuthorityClient) NewRegistration(ctx context.Context, in *proto.Registration, opts ...grpc.CallOption) (*proto.Registration, error) {
 	out := new(proto.Registration)
 	err := c.cc.Invoke(ctx, "/sa.StorageAuthority/NewRegistration", in, out, opts...)
@@ -525,6 +545,7 @@ type StorageAuthorityServer interface {
 	GetCertificate(context.Context, *Serial) (*proto.Certificate, error)
 	GetPrecertificate(context.Context, *Serial) (*proto.Certificate, error)
 	GetCertificateStatus(context.Context, *Serial) (*proto.CertificateStatus, error)
+	GetRevocationStatus(context.Context, *Serial) (*RevocationStatus, error)
 	CountCertificatesByNames(context.Context, *CountCertificatesByNamesRequest) (*CountByNames, error)
 	CountRegistrationsByIP(context.Context, *CountRegistrationsByIPRequest) (*Count, error)
 	CountRegistrationsByIPRange(context.Context, *CountRegistrationsByIPRequest) (*Count, error)
@@ -545,6 +566,7 @@ type StorageAuthorityServer interface {
 	KeyBlocked(context.Context, *KeyBlockedRequest) (*Exists, error)
 	SerialsForIncident(*SerialsForIncidentRequest, StorageAuthority_SerialsForIncidentServer) error
 	GetRevokedCerts(*GetRevokedCertsRequest, StorageAuthority_GetRevokedCertsServer) error
+	IncidentsForSerial(context.Context, *Serial) (*Incidents, error)
 	// Adders
 	NewRegistration(context.Context, *proto.Registration) (*proto.Registration, error)
 	UpdateRegistration(context.Context, *proto.Registration) (*emptypb.Empty, error)
@@ -590,6 +612,9 @@ func (UnimplementedStorageAuthorityServer) GetPrecertificate(context.Context, *S
 func (UnimplementedStorageAuthorityServer) GetCertificateStatus(context.Context, *Serial) (*proto.CertificateStatus, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetCertificateStatus not implemented")
 }
+func (UnimplementedStorageAuthorityServer) GetRevocationStatus(context.Context, *Serial) (*RevocationStatus, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetRevocationStatus not implemented")
+}
 func (UnimplementedStorageAuthorityServer) CountCertificatesByNames(context.Context, *CountCertificatesByNamesRequest) (*CountByNames, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CountCertificatesByNames not implemented")
 }
@@ -644,6 +669,9 @@ func (UnimplementedStorageAuthorityServer) SerialsForIncident(*SerialsForInciden
 func (UnimplementedStorageAuthorityServer) GetRevokedCerts(*GetRevokedCertsRequest, StorageAuthority_GetRevokedCertsServer) error {
 	return status.Errorf(codes.Unimplemented, "method GetRevokedCerts not implemented")
 }
+func (UnimplementedStorageAuthorityServer) IncidentsForSerial(context.Context, *Serial) (*Incidents, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method IncidentsForSerial not implemented")
+}
 func (UnimplementedStorageAuthorityServer) NewRegistration(context.Context, *proto.Registration) (*proto.Registration, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method NewRegistration not implemented")
 }
@@ -822,6 +850,24 @@ func _StorageAuthority_GetCertificateStatus_Handler(srv interface{}, ctx context
 	return interceptor(ctx, in, info, handler)
 }
 
+func _StorageAuthority_GetRevocationStatus_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Serial)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StorageAuthorityServer).GetRevocationStatus(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/sa.StorageAuthority/GetRevocationStatus",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StorageAuthorityServer).GetRevocationStatus(ctx, req.(*Serial))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _StorageAuthority_CountCertificatesByNames_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(CountCertificatesByNamesRequest)
 	if err := dec(in); err != nil {
@@ -1152,6 +1198,24 @@ func (x *storageAuthorityGetRevokedCertsServer) Send(m *proto.CRLEntry) error {
 	return x.ServerStream.SendMsg(m)
 }
 
+func _StorageAuthority_IncidentsForSerial_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Serial)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StorageAuthorityServer).IncidentsForSerial(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/sa.StorageAuthority/IncidentsForSerial",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StorageAuthorityServer).IncidentsForSerial(ctx, req.(*Serial))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _StorageAuthority_NewRegistration_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(proto.Registration)
 	if err := dec(in); err != nil {
@@ -1525,6 +1589,10 @@ var StorageAuthority_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetCertificateStatus",
 			Handler:    _StorageAuthority_GetCertificateStatus_Handler,
 		},
+		{
+			MethodName: "GetRevocationStatus",
+			Handler:    _StorageAuthority_GetRevocationStatus_Handler,
+		},
 		{
 			MethodName: "CountCertificatesByNames",
 			Handler:    _StorageAuthority_CountCertificatesByNames_Handler,
@@ -1589,6 +1657,10 @@ var StorageAuthority_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "KeyBlocked",
 			Handler:    _StorageAuthority_KeyBlocked_Handler,
 		},
+		{
+			MethodName: "IncidentsForSerial",
+			Handler:    _StorageAuthority_IncidentsForSerial_Handler,
+		},
 		{
 			MethodName: "NewRegistration",
 			Handler:    _StorageAuthority_NewRegistration_Handler,

vendor/github.com/letsencrypt/boulder/sa/proto/subsets.go

@@ -34,6 +34,7 @@ type StorageAuthorityGetterClient interface {
 	KeyBlocked(ctx context.Context, in *KeyBlockedRequest, opts ...grpc.CallOption) (*Exists, error)
 	GetOrder(ctx context.Context, in *OrderRequest, opts ...grpc.CallOption) (*proto.Order, error)
 	GetOrderForNames(ctx context.Context, in *GetOrderForNamesRequest, opts ...grpc.CallOption) (*proto.Order, error)
+	IncidentsForSerial(ctx context.Context, in *Serial, opts ...grpc.CallOption) (*Incidents, error)
 }
 
 // StorageAuthorityCertificateClient is a subset of the sapb.StorageAuthorityClient interface that only reads and writes certificates