From d27ac261f292589e1444e780235f427e4637f8b1 Mon Sep 17 00:00:00 2001
From: Matthew McPherrin
Date: Wed, 11 Sep 2024 11:55:17 -0400
Subject: [PATCH 1/3] Add a span around (pre)certificate signing
---
 ca/ca.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/ca/ca.go b/ca/ca.go
index e55b2d66560..03eef752b56 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -23,6 +23,9 @@ import (
 "github.com/jmhodges/clock"
 "github.com/miekg/pkcs11"
 "github.com/prometheus/client_golang/prometheus"
+ "go.opentelemetry.io/otel"
+ "go.opentelemetry.io/otel/codes"
+ "go.opentelemetry.io/otel/trace"
 "golang.org/x/crypto/cryptobyte"
 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
 "golang.org/x/crypto/ocsp"
@@ -132,6 +135,7 @@ type certificateAuthorityImpl struct {
 clk clock.Clock
 log blog.Logger
 metrics *caMetrics
+ tracer trace.Tracer
 }
 var _ capb.CertificateAuthorityServer = (*certificateAuthorityImpl)(nil)
@@ -272,6 +276,7 @@ func NewCertificateAuthorityImpl(
 keyPolicy: keyPolicy,
 log: logger,
 metrics: metrics,
+ tracer: otel.GetTracerProvider().Tracer("github.com/letsencrypt/boulder/ca"),
 clk: clk,
 }
@@ -432,13 +437,17 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
 return nil, berrors.InternalServerError("failed to prepare certificate signing: %s", err)
 }
+ _, span := ca.tracer.Start(ctx, "signing cert")
 certDER, err := issuer.Issue(issuanceToken)
 if err != nil {
 ca.metrics.noteSignError(err)
 ca.log.AuditErrf("Signing cert failed: issuer=[%s] serial=[%s] regID=[%d] names=[%s] certProfileName=[%s] certProfileHash=[%x] err=[%v]", issuer.Name(), serialHex, req.RegistrationID, names, certProfile.name, certProfile.hash, err)
+ span.SetStatus(codes.Error, err.Error())
+ span.End()
 return nil, berrors.InternalServerError("failed to sign certificate: %s", err)
 }
+ span.End()
 err = tbsCertIsDeterministic(lintCertBytes, certDER)
 if err != nil {
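Review bot: `otel.GetTracerProvider().Tracer("github.com/letsencrypt/boulder/ca")` in the NewCertificateAuthorityImpl hunk can be written as `otel.Tracer("github.com/letsencrypt/boulder/ca")`, which is the same call through the package-level shorthand. Naming the instrumentation scope once, in a package-level constant, would also keep it from drifting if further spans are added to this package. NewCertificateAuthorityImpl starts and ends outside the hunk.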
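Review bot: `span.SetStatus(codes.Error, err.Error())` in IssueCertificateForPrecertificate (and the matching line in the issuePrecertificateInner hunk that follows) copies the raw signer error text into the trace backend, which may be readable by a wider audience than the audit log that already records the same error on the line above. The OTel convention is a short, stable description in the status, with the error itself attached via `span.RecordError(err)` only if the trace store is an acceptable sink for it; `span.RecordError(err)` followed by `span.SetStatus(codes.Error, "signing failed")` keeps the two concerns separate. Both enclosing functions start and end outside the hunk.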
@@ -587,13 +596,17 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 return nil, nil, err
 }
+ _, span := ca.tracer.Start(ctx, "sign precert")
 certDER, err := issuer.Issue(issuanceToken)
 if err != nil {
 ca.metrics.noteSignError(err)
 ca.log.AuditErrf("Signing precert failed: issuer=[%s] serial=[%s] regID=[%d] names=[%s] certProfileName=[%s] certProfileHash=[%x] err=[%v]", issuer.Name(), serialHex, issueReq.RegistrationID, strings.Join(csr.DNSNames, ", "), certProfile.name, certProfile.hash, err)
+ span.SetStatus(codes.Error, err.Error())
+ span.End()
 return nil, nil, berrors.InternalServerError("failed to sign precertificate: %s", err)
 }
+ span.End()
 err = tbsCertIsDeterministic(lintCertBytes, certDER)
 if err != nil {
From 836766f5c4ebebb6280b62f3489933c4f8c01b1c Mon Sep 17 00:00:00 2001
From: Matthew McPherrin
Date: Wed, 11 Sep 2024 14:27:58 -0400
Subject: [PATCH 2/3] Add a few attributes to the span, with what's being signed
---
 ca/ca.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ca/ca.go b/ca/ca.go
index 03eef752b56..e0c265618c3 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -24,6 +24,7 @@ import (
 "github.com/miekg/pkcs11"
 "github.com/prometheus/client_golang/prometheus"
 "go.opentelemetry.io/otel"
+ "go.opentelemetry.io/otel/attribute"
 "go.opentelemetry.io/otel/codes"
 "go.opentelemetry.io/otel/trace"
 "golang.org/x/crypto/cryptobyte"
@@ -437,7 +438,11 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
 return nil, berrors.InternalServerError("failed to prepare certificate signing: %s", err)
 }
- _, span := ca.tracer.Start(ctx, "signing cert")
+ _, span := ca.tracer.Start(ctx, "signing cert", trace.WithAttributes(
+ attribute.String("serial", serialHex),
+ attribute.String("issuer", issuer.Name()),
+ attribute.String("certProfileName", certProfile.name),
+ ))
 certDER, err := issuer.Issue(issuanceToken)
 if err != nil {
 ca.metrics.noteSignError(err)
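Review bot: The attribute list passed to `trace.WithAttributes` in the IssueCertificateForPrecertificate hunk of patch 2 is duplicated verbatim in the issuePrecertificateInner hunk that follows, and patch 3 then has to edit both copies again to add `names`; a small helper would keep the two signing spans' attribute keys identical as more are added. Both enclosing functions start and end outside the hunk.
```go
// signingSpanAttrs returns the attributes recorded on both the cert and
// precert signing spans, so the two spans always carry the same keys.
func signingSpanAttrs(serialHex, issuerName, profileName string) []attribute.KeyValue {
	return []attribute.KeyValue{
		attribute.String("serial", serialHex),
		attribute.String("issuer", issuerName),
		attribute.String("certProfileName", profileName),
	}
}

// … unchanged: issuance token preparation …
_, span := ca.tracer.Start(ctx, "signing cert",
	trace.WithAttributes(signingSpanAttrs(serialHex, issuer.Name(), certProfile.name)...))
```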
@@ -596,7 +601,11 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 return nil, nil, err
 }
- _, span := ca.tracer.Start(ctx, "sign precert")
+ _, span := ca.tracer.Start(ctx, "signing precert", trace.WithAttributes(
+ attribute.String("serial", serialHex),
+ attribute.String("issuer", issuer.Name()),
+ attribute.String("certProfileName", certProfile.name),
+ ))
 certDER, err := issuer.Issue(issuanceToken)
 if err != nil {
 ca.metrics.noteSignError(err)
From 9c821141c73e78562ab5cd5d25c54b9e95cd3d60 Mon Sep 17 00:00:00 2001
From: Matthew McPherrin
Date: Wed, 11 Sep 2024 15:04:49 -0400
Subject: [PATCH 3/3] Names too
---
 ca/ca.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ca/ca.go b/ca/ca.go
index e0c265618c3..d8c07a3271a 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -442,6 +442,7 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
 attribute.String("serial", serialHex),
 attribute.String("issuer", issuer.Name()),
 attribute.String("certProfileName", certProfile.name),
+ attribute.StringSlice("names", issuanceReq.DNSNames),
 ))
 certDER, err := issuer.Issue(issuanceToken)
 if err != nil {
@@ -605,6 +606,7 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 attribute.String("serial", serialHex),
 attribute.String("issuer", issuer.Name()),
 attribute.String("certProfileName", certProfile.name),
+ attribute.StringSlice("names", csr.DNSNames),
 ))
 certDER, err := issuer.Issue(issuanceToken)
 if err != nil {