VA: Add a method for performing MPIC compliant challenge validation

core/objects.go

@@ -150,24 +150,6 @@ type ValidationRecord struct {
 	// lookup for AddressUsed. During recursive A and AAAA lookups, a record may
 	// instead look like A:host:port or AAAA:host:port
 	ResolverAddrs []string `json:"resolverAddrs,omitempty"`
-
-	// Perspective uniquely identifies the Network Perspective used to perform
-	// the validation, as specified in BRs Section 5.4.1, Requirement 2.7
-	// ("Multi-Perspective Issuance Corroboration attempts from each Network
-	// Perspective"). It should uniquely identify either the Primary Perspective
-	// (VA) or a group of RVAs deployed in the same datacenter.
-	Perspective string `json:"perspective,omitempty"`
-
-	// RIR indicates the Regional Internet Registry where this RVA is located.
-	// This field is used to identify the RIR region from which a given
-	// validation was performed, as specified in the "Phased Implementation
-	// Timeline" in BRs Section 3.2.2.9. It must be one of the following values:
-	//   - ARIN
-	//   - RIPE
-	//   - APNIC
-	//   - LACNIC
-	//   - AfriNIC
-	RIR string `json:"rir,omitempty"`
 }
 
 // Challenge is an aggregate of all data needed for any challenges.

go.mod

@@ -1,6 +1,6 @@
 module github.com/letsencrypt/boulder
 
-go 1.22.0
+go 1.23.0
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.32.2

grpc/pb-marshalling.go

@@ -179,7 +179,7 @@ func PBToValidationRecord(in *corepb.ValidationRecord) (record core.ValidationRe
 	}, nil
 }
 
-func ValidationResultToPB(records []core.ValidationRecord, prob *probs.ProblemDetails) (*vapb.ValidationResult, error) {
+func ValidationResultToPB(records []core.ValidationRecord, prob *probs.ProblemDetails, perspective, rir string) (*vapb.ValidationResult, error) {
 	recordAry := make([]*corepb.ValidationRecord, len(records))
 	var err error
 	for i, v := range records {
@@ -193,8 +193,10 @@ func ValidationResultToPB(records []core.ValidationRecord, prob *probs.ProblemDe
 		return nil, err
 	}
 	return &vapb.ValidationResult{
-		Records:  recordAry,
-		Problems: marshalledProbs,
+		Records:     recordAry,
+		Problems:    marshalledProbs,
+		Perspective: perspective,
+		Rir:         rir,
 	}, nil
 }
 

grpc/pb-marshalling_test.go

@@ -154,7 +154,7 @@ func TestValidationResult(t *testing.T) {
 	result := []core.ValidationRecord{vrA, vrB}
 	prob := &probs.ProblemDetails{Type: probs.TLSProblem, Detail: "asd", HTTPStatus: 200}
 
-	pb, err := ValidationResultToPB(result, prob)
+	pb, err := ValidationResultToPB(result, prob, "", "")
 	test.AssertNotError(t, err, "ValidationResultToPB failed")
 	test.Assert(t, pb != nil, "Returned vapb.ValidationResult is nil")
 

ra/ra.go

@@ -1748,7 +1748,7 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
 	} else {
 		expires = ra.clk.Now().Add(ra.authorizationLifetime)
 	}
-	vr, err := bgrpc.ValidationResultToPB(challenge.ValidationRecord, challenge.Error)
+	vr, err := bgrpc.ValidationResultToPB(challenge.ValidationRecord, challenge.Error, "", "")
 	if err != nil {
 		return err
 	}

ra/ra_test.go

@@ -156,6 +156,10 @@ func (dva *DummyValidationAuthority) PerformValidation(ctx context.Context, req
 	return dva.PerformValidationRequestResultReturn, dva.PerformValidationRequestResultError
 }
 
+func (dva *DummyValidationAuthority) ValidateChallenge(ctx context.Context, req *vapb.ValidationRequest, _ ...grpc.CallOption) (*vapb.ValidationResult, error) {
+	return nil, status.Error(codes.Unimplemented, "not implemented")
+}
+
 var (
 	// These values we simulate from the client
 	AccountKeyJSONA = []byte(`{

va/caa_test.go

@@ -589,7 +589,7 @@ func (b caaBrokenDNS) LookupCAA(_ context.Context, domain string) ([]*dns.CAA, s
 }
 
 func TestDisabledMultiCAARechecking(t *testing.T) {
-	brokenRVA, _ := setupRemote(nil, "broken", caaBrokenDNS{}, "", "")
+	brokenRVA, _ := setupRemote(nil, "broken", caaBrokenDNS{})
 	remoteVAs := []RemoteVA{{brokenRVA, "broken"}}
 	va, _ := setup(nil, 0, "local", remoteVAs, nil)
 
@@ -663,10 +663,10 @@ func TestMultiCAARechecking(t *testing.T) {
 		brokenUA   = "broken"
 		hijackedUA = "hijacked"
 	)
-	remoteVA, _ := setupRemote(nil, remoteUA, nil, "", "")
-	brokenVA, _ := setupRemote(nil, brokenUA, caaBrokenDNS{}, "", "")
+	remoteVA, _ := setupRemote(nil, remoteUA, nil)
+	brokenVA, _ := setupRemote(nil, brokenUA, caaBrokenDNS{})
 	// Returns incorrect results
-	hijackedVA, _ := setupRemote(nil, hijackedUA, caaHijackedDNS{}, "", "")
+	hijackedVA, _ := setupRemote(nil, hijackedUA, caaHijackedDNS{})
 
 	testCases := []struct {
 		name                     string

va/dns_test.go

@@ -23,7 +23,7 @@ func TestDNSValidationEmpty(t *testing.T) {
 
 	// This test calls PerformValidation directly, because that is where the
 	// metrics checked below are incremented.
-	req := createValidationRequest("empty-txts.com", core.ChallengeTypeDNS01)
+	req := createPerformValidationRequest("empty-txts.com", core.ChallengeTypeDNS01)
 	res, _ := va.PerformValidation(context.Background(), req)
 	test.AssertEquals(t, res.Problems.ProblemType, "unauthorized")
 	test.AssertEquals(t, res.Problems.Detail, "No TXT record found at _acme-challenge.empty-txts.com")

va/proto/va.proto

@@ -7,6 +7,7 @@ import "core/proto/core.proto";
 
 service VA {
   rpc PerformValidation(PerformValidationRequest) returns (ValidationResult) {}
+  rpc ValidateChallenge(ValidationRequest) returns (ValidationResult) {}
 }
 
 service CAA {
@@ -43,3 +44,11 @@ message ValidationResult {
   string perspective = 3;
   string rir = 4;
 }
+
+message ValidationRequest {
+  core.Identifier identifier = 1;
+  core.Challenge challenge = 2;
+  int64 regID = 3;
+  string authzID = 4;
+  string keyAuthorization = 5;
+}