Use a unix socket to talk to pkimetal

docker-compose.yml

@@ -21,6 +21,7 @@ services:
       - .:/boulder:cached
       - ./.gocache:/root/.cache/go-build:cached
       - ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+      - pkimetal-socket:/var/run/pkimetal
     networks:
       bouldernet:
         ipv4_address: 10.77.77.77
@@ -144,9 +145,11 @@ services:
       - bouldernet
 
   bpkimetal:
-    image: ghcr.io/pkimetal/pkimetal:v1.20.0
-    networks:
-      - bouldernet
+    image: ghcr.io/pkimetal/pkimetal:v1.41.0
+    volumes:
+      - pkimetal-socket:/var/run/pkimetal
+      - ./test/pkimetal-config.yaml:/config/config.yaml:ro
+    network_mode: none
 
   bvitess:
     # The `letsencrypt/boulder-vtcomboserver:latest` tag is automatically built
@@ -181,6 +184,17 @@ services:
         aliases:
           - boulder-vitess
 
+volumes:
+  # Shared between bpkimetal (which listens on a unix socket here) and any
+  # boulder container that needs to reach pkimetal. Owned by uid 1001 so
+  # the default pkimetal user in the container can create the socket.
+  pkimetal-socket:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: "uid=1001,gid=1001,mode=0755"
+
 networks:
   # This network represents the data-center internal network. It is used for
   # boulder services and their infrastructure, such as consul, mariadb, and

linter/lints/rfc/lint_cert_via_pkimetal.go

@@ -6,10 +6,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"slices"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/zmap/zcrypto/x509"
@@ -20,10 +22,28 @@ import (
 // PKIMetalConfig and its execute method provide a shared basis for linting
 // both certs and CRLs using PKIMetal.
 type PKIMetalConfig struct {
-	Addr        string        `toml:"addr" comment:"The address where a pkilint REST API can be reached."`
+	Socket      string        `toml:"socket" comment:"Path to a unix socket where a pkilint REST API is listening."`
 	Severity    string        `toml:"severity" comment:"The minimum severity of findings to report (meta, debug, info, notice, warning, error, bug, or fatal)."`
 	Timeout     time.Duration `toml:"timeout" comment:"How long, in nanoseconds, to wait before giving up."`
 	IgnoreLints []string      `toml:"ignore_lints" comment:"The unique Validator:Code IDs of lint findings which should be ignored."`
+
+	clientOnce sync.Once
+	client     *http.Client
+}
+
+func (pkim *PKIMetalConfig) httpClient() *http.Client {
+	pkim.clientOnce.Do(func() {
+		socket := pkim.Socket
+		pkim.client = &http.Client{
+			Transport: &http.Transport{
+				DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+					var d net.Dialer
+					return d.DialContext(ctx, "unix", socket)
+				},
+			},
+		}
+	})
+	return pkim.client
 }
 
 func (pkim *PKIMetalConfig) execute(endpoint string, der []byte) (*lint.LintResult, error) {
@@ -35,7 +55,8 @@ func (pkim *PKIMetalConfig) execute(endpoint string, der []byte) (*lint.LintResu
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	apiURL, err := url.JoinPath(pkim.Addr, endpoint)
+	// Host is ignored by our unix-socket transport, so any valid base works.
+	apiURL, err := url.JoinPath("http://pkimetal", endpoint)
 	if err != nil {
 		return nil, fmt.Errorf("constructing pkimetal url: %w", err)
 	}
@@ -56,7 +77,7 @@ func (pkim *PKIMetalConfig) execute(endpoint string, der []byte) (*lint.LintResu
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Add("Accept", "application/json")
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := pkim.httpClient().Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("making POST request to pkimetal API: %s (timeout %s)", err, timeout)
 	}
@@ -141,8 +162,8 @@ func (l *certViaPKIMetal) Configure() any {
 
 func (l *certViaPKIMetal) CheckApplies(c *x509.Certificate) bool {
 	// This lint applies to all certificates issued by Boulder, as long as it has
-	// been configured with an address to reach out to. If not, skip it.
-	return l.Addr != ""
+	// been configured with a socket to reach out to. If not, skip it.
+	return l.Socket != ""
 }
 
 func (l *certViaPKIMetal) Execute(c *x509.Certificate) *lint.LintResult {

linter/lints/rfc/lint_crl_via_pkimetal.go

@@ -33,8 +33,8 @@ func (l *crlViaPKIMetal) Configure() any {
 
 func (l *crlViaPKIMetal) CheckApplies(c *x509.RevocationList) bool {
 	// This lint applies to all CRLs issued by Boulder, as long as it has
-	// been configured with an address to reach out to. If not, skip it.
-	return l.Addr != ""
+	// been configured with a socket to reach out to. If not, skip it.
+	return l.Socket != ""
 }
 
 func (l *crlViaPKIMetal) Execute(c *x509.RevocationList) *lint.LintResult {

test/config-next/zlint.toml

@@ -1,5 +1,5 @@
 [e_pkimetal_lint_cabf_serverauth_cert]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = [
@@ -18,11 +18,14 @@ ignore_lints = [
   # Some linters continue to complain about the lack of an AIA OCSP URI, even
   # when a CRLDP is present.
   "certlint:br_certificates_must_include_an_http_url_of_the_ocsp_responder",
-  "x509lint:no_ocsp_over_http"
+  "x509lint:no_ocsp_over_http",
+  # ctlint requires CCADB data to verify SCT signatures; our test issuers are
+  # not in CCADB so this warning fires for every issued certificate.
+  "ctlint:cannot_verify_sct_signature_without_issuer_spki,_which_could_not_be_found_in_the_available_ccadb_data",
 ]
 
 [e_pkimetal_lint_cabf_serverauth_crl]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = []

test/config/zlint.toml

@@ -1,5 +1,5 @@
 [e_pkimetal_lint_cabf_serverauth_cert]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = [
@@ -15,10 +15,13 @@ ignore_lints = [
   # issued under the "classic" profile, but have removed it from our "tlsserver"
   # and "shortlived" profiles.
   "pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present",
+  # ctlint requires CCADB data to verify SCT signatures; our test issuers are
+  # not in CCADB so this warning fires for every issued certificate.
+  "ctlint:cannot_verify_sct_signature_without_issuer_spki,_which_could_not_be_found_in_the_available_ccadb_data",
 ]
 
 [e_pkimetal_lint_cabf_serverauth_crl]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = []

test/entrypoint.sh

@@ -46,8 +46,8 @@ configure_database_endpoints
 ./test/wait-for-it.sh boulder-mariadb 3306
 ./test/wait-for-it.sh boulder-proxysql 6033
 
-# make sure we can reach pkilint
-./test/wait-for-it.sh bpkimetal 8080
+# make sure pkimetal's unix socket is ready
+./test/wait-for-socket.sh /var/run/pkimetal/pkimetal.sock
 
 if [[ $# -eq 0 ]]; then
     exec python3 ./start.py

test/pkimetal-config.yaml

@@ -0,0 +1,5 @@
+server:
+  # Disable the TCP webserver; we only listen on a unix socket so callers
+  # do not need any network access to reach pkimetal.
+  webserverPort: 0
+  webserverPath: /var/run/pkimetal/pkimetal.sock

test/wait-for-socket.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e -u
+
+socket="${1}"
+max_tries=40
+
+for n in $(seq 1 "${max_tries}"); do
+  if [ -S "${socket}" ]; then
+    echo "Socket ${socket} is ready"
+    exit 0
+  fi
+  echo "$(date) - still waiting for socket ${socket}"
+  sleep 1
+done
+
+echo "timed out waiting for socket ${socket}"
+exit 1