Support pkimetal via Unix socket

docker-compose.yml

@@ -20,6 +20,7 @@ services:
       - .:/boulder:cached
       - ./.gocache:/root/.cache/go-build:cached
       - ./test/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
+      - pkimetal-socket:/var/run/pkimetal
     networks:
       bouldernet:
         ipv4_address: 10.77.77.77
@@ -141,7 +142,10 @@ services:
       - bouldernet
 
   bpkimetal:
-    image: ghcr.io/pkimetal/pkimetal:v1.20.0
+    image: ghcr.io/pkimetal/pkimetal:v1.32.0
+    volumes:
+      - pkimetal-socket:/var/run/pkimetal
+      - ./test/config/pkimetal.yaml:/config.yaml:ro
     networks:
       - bouldernet
 
@@ -208,3 +212,6 @@ networks:
       driver: default
       config:
         - subnet: 64.112.117.128/25
+
+volumes:
+  pkimetal-socket:

linter/lints/rfc/lint_cert_via_pkimetal.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"slices"
@@ -21,6 +22,7 @@ import (
 // both certs and CRLs using PKIMetal.
 type PKIMetalConfig struct {
 	Addr        string        `toml:"addr" comment:"The address where a pkilint REST API can be reached."`
+	Socket      string        `toml:"socket" comment:"The Unix socket path where a pkilint REST API can be reached. If set, this takes precedence over Addr."`
 	Severity    string        `toml:"severity" comment:"The minimum severity of findings to report (meta, debug, info, notice, warning, error, bug, or fatal)."`
 	Timeout     time.Duration `toml:"timeout" comment:"How long, in nanoseconds, to wait before giving up."`
 	IgnoreLints []string      `toml:"ignore_lints" comment:"The unique Validator:Code IDs of lint findings which should be ignored."`
@@ -35,9 +37,36 @@ func (pkim *PKIMetalConfig) execute(endpoint string, der []byte) (*lint.LintResu
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	apiURL, err := url.JoinPath(pkim.Addr, endpoint)
-	if err != nil {
-		return nil, fmt.Errorf("constructing pkimetal url: %w", err)
+	// Create HTTP client based on whether we're using Unix socket or HTTP
+	var client *http.Client
+	var apiURL string
+	var err error
+
+	if pkim.Socket != "" {
+		// Use Unix socket connection
+		client = &http.Client{
+			Timeout: timeout,
+			Transport: &http.Transport{
+				DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+					return (&net.Dialer{}).DialContext(ctx, "unix", pkim.Socket)
+				},
+			},
+		}
+		// For Unix sockets, we use a dummy HTTP URL. The hostname is ignored since
+		// the custom DialContext overrides the connection mechanism to use the socket path.
+		apiURL, err = url.JoinPath("http://localhost", endpoint)
+		if err != nil {
+			return nil, fmt.Errorf("constructing pkimetal url: %w", err)
+		}
+	} else {
+		// Use regular HTTP connection
+		client = &http.Client{
+			Timeout: timeout,
+		}
+		apiURL, err = url.JoinPath(pkim.Addr, endpoint)
+		if err != nil {
+			return nil, fmt.Errorf("constructing pkimetal url: %w", err)
+		}
 	}
 
 	// reqForm matches PKIMetal's documented form-urlencoded request format. It
@@ -56,7 +85,7 @@ func (pkim *PKIMetalConfig) execute(endpoint string, der []byte) (*lint.LintResu
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Add("Accept", "application/json")
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("making POST request to pkimetal API: %s (timeout %s)", err, timeout)
 	}
@@ -141,8 +170,8 @@ func (l *certViaPKIMetal) Configure() any {
 
 func (l *certViaPKIMetal) CheckApplies(c *x509.Certificate) bool {
 	// This lint applies to all certificates issued by Boulder, as long as it has
-	// been configured with an address to reach out to. If not, skip it.
-	return l.Addr != ""
+	// been configured with an address or socket to reach out to. If not, skip it.
+	return l.Addr != "" || l.Socket != ""
 }
 
 func (l *certViaPKIMetal) Execute(c *x509.Certificate) *lint.LintResult {

linter/lints/rfc/lint_crl_via_pkimetal.go

@@ -33,8 +33,8 @@ func (l *crlViaPKIMetal) Configure() any {
 
 func (l *crlViaPKIMetal) CheckApplies(c *x509.RevocationList) bool {
 	// This lint applies to all CRLs issued by Boulder, as long as it has
-	// been configured with an address to reach out to. If not, skip it.
-	return l.Addr != ""
+	// been configured with an address or socket to reach out to. If not, skip it.
+	return l.Addr != "" || l.Socket != ""
 }
 
 func (l *crlViaPKIMetal) Execute(c *x509.RevocationList) *lint.LintResult {

test/config-next/pkimetal.yaml

@@ -0,0 +1,2 @@
+server:
+  webserverPath: /var/run/pkimetal/pkimetal.sock

test/config-next/zlint.toml

@@ -1,5 +1,5 @@
 [e_pkimetal_lint_cabf_serverauth_cert]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = [
@@ -22,7 +22,7 @@ ignore_lints = [
 ]
 
 [e_pkimetal_lint_cabf_serverauth_crl]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = []

test/config/pkimetal.yaml

@@ -0,0 +1,2 @@
+server:
+  webserverPath: /var/run/pkimetal/pkimetal.sock

test/config/zlint.toml

@@ -1,5 +1,5 @@
 [e_pkimetal_lint_cabf_serverauth_cert]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = [
@@ -18,7 +18,7 @@ ignore_lints = [
 ]
 
 [e_pkimetal_lint_cabf_serverauth_crl]
-addr = "http://bpkimetal:8080"
+socket = "/var/run/pkimetal/pkimetal.sock"
 severity = "notice"
 timeout = 2000000000 # 2 seconds
 ignore_lints = []