From 5dc490dfe242e9b14456ccbcb4f0f479aea81dd1 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 25 Sep 2025 15:52:38 -0700 Subject: [PATCH 1/2] Use GetRevocationStatus instead of GetCertificateStatus (#8402) In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from the certificateStatus table. In the WFE, switch to calling GetRevocationStatus when computing ARI windows. Similarly, in the RA, make the same switch when checking if a to-be-revoked certificate is already revoked. Across all three locations, use new core constants to represent "good" and "revoked", to avoid references to OCSP and unwieldy string/int conversions. This paves the way for removing sa.GetCertificateStatus, which now has only one remaining caller which is not quite so easily changed. Part of https://github.com/letsencrypt/boulder/issues/8322 (cherry picked from commit a5cf3725098fc487116173170fb1f55d2117a1af) --- core/objects.go | 5 +++ mocks/sa.go | 2 +- ra/ra.go | 4 +- ra/ra_test.go | 25 +++++------ sa/model.go | 35 ---------------- sa/sa_test.go | 106 ++++++++++++----------------------------------- sa/saro.go | 38 +++++++++++++---- wfe2/wfe.go | 4 +- wfe2/wfe_test.go | 19 ++++----- 9 files changed, 87 insertions(+), 151 deletions(-) diff --git a/core/objects.go b/core/objects.go index 62e35191120..f8e49a82255 100644 --- a/core/objects.go +++ b/core/objects.go @@ -83,6 +83,11 @@ var OCSPStatusToInt = map[OCSPStatus]int{ OCSPStatusRevoked: ocsp.Revoked, } +const ( + RevocationStatusGood int64 = 0 + RevocationStatusRevoked int64 = 1 +) + // DNSPrefix is attached to DNS names in DNS challenges const DNSPrefix = "_acme-challenge" diff --git a/mocks/sa.go b/mocks/sa.go index cc1f830459a..bac6fbb1970 100644 --- a/mocks/sa.go +++ b/mocks/sa.go @@ -213,7 +213,7 @@ func (sa *StorageAuthorityReadOnly) GetCertificateStatus(_ context.Context, req // GetRevocationStatus is a mock func (sa *StorageAuthorityReadOnly) GetRevocationStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*sapb.RevocationStatus, error) { - return nil, nil + return nil, errors.New("no revocation status") } // SerialsForIncident is a mock diff --git a/ra/ra.go b/ra/ra.go index 54e51cce500..92cad085586 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -1683,12 +1683,12 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert // certificates that were previously revoked for a reason other than // keyCompromise, and which are now being updated to keyCompromise instead. func (ra *RegistrationAuthorityImpl) updateRevocationForKeyCompromise(ctx context.Context, serialString string, issuerID issuance.NameID) error { - status, err := ra.SA.GetCertificateStatus(ctx, &sapb.Serial{Serial: serialString}) + status, err := ra.SA.GetRevocationStatus(ctx, &sapb.Serial{Serial: serialString}) if err != nil { return berrors.NotFoundError("unable to confirm that serial %q was ever issued: %s", serialString, err) } - if status.Status != string(core.OCSPStatusRevoked) { + if status.Status != core.RevocationStatusRevoked { // Internal server error, because we shouldn't be in the function at all // unless the cert was already revoked. return fmt.Errorf("unable to re-revoke serial %q which is not currently revoked", serialString) diff --git a/ra/ra_test.go b/ra/ra_test.go index 88fa3f01537..372f30a7c9f 100644 --- a/ra/ra_test.go +++ b/ra/ra_test.go @@ -3511,20 +3511,20 @@ type mockSARevocation struct { sapb.StorageAuthorityClient known map[string]*x509.Certificate - revoked map[string]*corepb.CertificateStatus + revoked map[string]*sapb.RevocationStatus blocked []*sapb.AddBlockedKeyRequest } func newMockSARevocation(known *x509.Certificate) *mockSARevocation { return &mockSARevocation{ known: map[string]*x509.Certificate{core.SerialToString(known.SerialNumber): known}, - revoked: make(map[string]*corepb.CertificateStatus), + revoked: make(map[string]*sapb.RevocationStatus), blocked: make([]*sapb.AddBlockedKeyRequest, 0), } } func (msar *mockSARevocation) reset() { - msar.revoked = make(map[string]*corepb.CertificateStatus) + msar.revoked = make(map[string]*sapb.RevocationStatus) msar.blocked = make([]*sapb.AddBlockedKeyRequest, 0) } @@ -3552,14 +3552,13 @@ func (msar *mockSARevocation) GetLintPrecertificate(_ context.Context, req *sapb return nil, berrors.UnknownSerialError() } -func (msar *mockSARevocation) GetCertificateStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.CertificateStatus, error) { +func (msar *mockSARevocation) GetRevocationStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*sapb.RevocationStatus, error) { if status, present := msar.revoked[req.Serial]; present { return status, nil } - if cert, present := msar.known[req.Serial]; present { - return &corepb.CertificateStatus{ - Serial: core.SerialToString(cert.SerialNumber), - IssuerID: int64(issuance.IssuerNameID(cert)), + if _, present := msar.known[req.Serial]; present { + return &sapb.RevocationStatus{ + Status: core.RevocationStatusGood, }, nil } return nil, berrors.UnknownSerialError() @@ -3598,14 +3597,12 @@ func (msar *mockSARevocation) RevokeCertificate(_ context.Context, req *sapb.Rev if _, present := msar.revoked[req.Serial]; present { return nil, berrors.AlreadyRevokedError("already revoked") } - cert, present := msar.known[req.Serial] + _, present := msar.known[req.Serial] if !present { return nil, berrors.UnknownSerialError() } - msar.revoked[req.Serial] = &corepb.CertificateStatus{ - Serial: req.Serial, - IssuerID: int64(issuance.IssuerNameID(cert)), - Status: string(core.OCSPStatusRevoked), + msar.revoked[req.Serial] = &sapb.RevocationStatus{ + Status: core.RevocationStatusRevoked, RevokedReason: req.Reason, } return &emptypb.Empty{}, nil @@ -3772,7 +3769,7 @@ func TestRevokeCertByKey(t *testing.T) { // Reset and have the Subscriber revoke for a different reason. // Then re-revoking using the key should work. - mockSA.revoked = make(map[string]*corepb.CertificateStatus) + mockSA.revoked = make(map[string]*sapb.RevocationStatus) _, err = ra.RevokeCertByApplicant(context.Background(), &rapb.RevokeCertByApplicantRequest{ Cert: cert.Raw, Code: int64(revocation.Unspecified), diff --git a/sa/model.go b/sa/model.go index 0384d01b382..1abdb002564 100644 --- a/sa/model.go +++ b/sa/model.go @@ -161,41 +161,6 @@ func SelectCertificateStatus(ctx context.Context, s db.OneSelector, serial strin return model.toPb(), err } -// RevocationStatusModel represents a small subset of the columns in the -// certificateStatus table, used to determine the authoritative revocation -// status of a certificate. -type RevocationStatusModel struct { - Status core.OCSPStatus `db:"status"` - RevokedDate time.Time `db:"revokedDate"` - RevokedReason revocation.Reason `db:"revokedReason"` -} - -// SelectRevocationStatus returns the authoritative revocation information for -// the certificate with the given serial. -func SelectRevocationStatus(ctx context.Context, s db.OneSelector, serial string) (*sapb.RevocationStatus, error) { - var model RevocationStatusModel - err := s.SelectOne( - ctx, - &model, - "SELECT status, revokedDate, revokedReason FROM certificateStatus WHERE serial = ? LIMIT 1", - serial, - ) - if err != nil { - return nil, err - } - - statusInt, ok := core.OCSPStatusToInt[model.Status] - if !ok { - return nil, fmt.Errorf("got unrecognized status %q", model.Status) - } - - return &sapb.RevocationStatus{ - Status: int64(statusInt), - RevokedDate: timestamppb.New(model.RevokedDate), - RevokedReason: int64(model.RevokedReason), - }, nil -} - var mediumBlobSize = int(math.Pow(2, 24)) type issuedNameModel struct { diff --git a/sa/sa_test.go b/sa/sa_test.go index 6422b3287b2..da85905dd70 100644 --- a/sa/sa_test.go +++ b/sa/sa_test.go @@ -396,15 +396,19 @@ func TestAddPrecertificate(t *testing.T) { defer cleanUp() reg := createWorkingRegistration(t, sa) + regID := reg.Id - // Create a throw-away self signed certificate with a random name and - // serial number + // Add a cert to the DB to test with. serial, testCert := test.ThrowAwayCert(t, clk) - - // Add the cert as a precertificate - regID := reg.Id + _, err := sa.AddSerial(ctx, &sapb.AddSerialRequest{ + RegID: regID, + Serial: serial, + Created: timestamppb.New(testCert.NotBefore), + Expires: timestamppb.New(testCert.NotAfter), + }) + test.AssertNotError(t, err, "failed to add test serial") issuedTime := mustTimestamp("2018-04-01 07:00") - _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ + _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ Der: testCert.Raw, RegID: regID, Issued: issuedTime, @@ -413,11 +417,9 @@ func TestAddPrecertificate(t *testing.T) { test.AssertNotError(t, err, "Couldn't add test cert") // It should have the expected certificate status - certStatus, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) + certStatus, err := sa.GetRevocationStatus(ctx, &sapb.Serial{Serial: serial}) test.AssertNotError(t, err, "Couldn't get status for test cert") - test.AssertEquals(t, certStatus.Status, string(core.OCSPStatusGood)) - now := clk.Now() - test.AssertEquals(t, now, certStatus.OcspLastUpdated.AsTime()) + test.AssertEquals(t, certStatus.Status, core.RevocationStatusGood) // It should show up in the issued names table issuedNamesSerial, err := findIssuedName(ctx, sa.dbMap, reverseFQDN(testCert.DNSNames[0])) @@ -1787,10 +1789,9 @@ func TestRevokeCertificate(t *testing.T) { sa, fc, cleanUp := initSA(t) defer cleanUp() - reg := createWorkingRegistration(t, sa) // Add a cert to the DB to test with. + reg := createWorkingRegistration(t, sa) serial, testCert := test.ThrowAwayCert(t, fc) - issuedTime := sa.clk.Now() _, err := sa.AddSerial(ctx, &sapb.AddSerialRequest{ RegID: reg.Id, Serial: core.SerialToString(testCert.SerialNumber), @@ -1801,14 +1802,14 @@ func TestRevokeCertificate(t *testing.T) { _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ Der: testCert.Raw, RegID: reg.Id, - Issued: timestamppb.New(issuedTime), + Issued: timestamppb.New(testCert.NotBefore), IssuerNameID: 1, }) test.AssertNotError(t, err, "Couldn't add test cert") - status, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) + status, err := sa.GetRevocationStatus(ctx, &sapb.Serial{Serial: serial}) test.AssertNotError(t, err, "GetCertificateStatus failed") - test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusGood) + test.AssertEquals(t, status.Status, core.RevocationStatusGood) fc.Add(1 * time.Hour) @@ -1824,12 +1825,11 @@ func TestRevokeCertificate(t *testing.T) { }) test.AssertNotError(t, err, "RevokeCertificate with no OCSP response should succeed") - status, err = sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) + status, err = sa.GetRevocationStatus(ctx, &sapb.Serial{Serial: serial}) test.AssertNotError(t, err, "GetCertificateStatus failed") - test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusRevoked) + test.AssertEquals(t, status.Status, core.RevocationStatusRevoked) test.AssertEquals(t, status.RevokedReason, reason) test.AssertEquals(t, status.RevokedDate.AsTime(), now) - test.AssertEquals(t, status.OcspLastUpdated.AsTime(), now) _, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{ IssuerID: 1, @@ -1840,59 +1840,6 @@ func TestRevokeCertificate(t *testing.T) { test.AssertError(t, err, "RevokeCertificate should've failed when certificate already revoked") } -func TestRevokeCertificateWithShard(t *testing.T) { - sa, fc, cleanUp := initSA(t) - defer cleanUp() - - // Add a cert to the DB to test with. - reg := createWorkingRegistration(t, sa) - eeCert, err := core.LoadCert("../test/hierarchy/ee-e1.cert.pem") - test.AssertNotError(t, err, "failed to load test cert") - _, err = sa.AddSerial(ctx, &sapb.AddSerialRequest{ - RegID: reg.Id, - Serial: core.SerialToString(eeCert.SerialNumber), - Created: timestamppb.New(eeCert.NotBefore), - Expires: timestamppb.New(eeCert.NotAfter), - }) - test.AssertNotError(t, err, "failed to add test serial") - _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: eeCert.Raw, - RegID: reg.Id, - Issued: timestamppb.New(eeCert.NotBefore), - IssuerNameID: 1, - }) - test.AssertNotError(t, err, "failed to add test cert") - - serial := core.SerialToString(eeCert.SerialNumber) - fc.Add(1 * time.Hour) - now := fc.Now() - reason := int64(1) - - _, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{ - IssuerID: 1, - ShardIdx: 9, - Serial: serial, - Date: timestamppb.New(now), - Reason: reason, - }) - test.AssertNotError(t, err, "RevokeCertificate with no OCSP response should succeed") - - status, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) - test.AssertNotError(t, err, "GetCertificateStatus failed") - test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusRevoked) - test.AssertEquals(t, status.RevokedReason, reason) - test.AssertEquals(t, status.RevokedDate.AsTime(), now) - test.AssertEquals(t, status.OcspLastUpdated.AsTime(), now) - test.AssertEquals(t, status.NotAfter.AsTime(), eeCert.NotAfter) - - var result revokedCertModel - err = sa.dbMap.SelectOne( - ctx, &result, `SELECT * FROM revokedCertificates WHERE serial = ?`, core.SerialToString(eeCert.SerialNumber)) - test.AssertNotError(t, err, "should be exactly one row in revokedCertificates") - test.AssertEquals(t, result.ShardIdx, int64(9)) - test.AssertEquals(t, result.RevokedReason, revocation.KeyCompromise) -} - func TestUpdateRevokedCertificate(t *testing.T) { sa, fc, cleanUp := initSA(t) defer cleanUp() @@ -1900,7 +1847,6 @@ func TestUpdateRevokedCertificate(t *testing.T) { // Add a cert to the DB to test with. reg := createWorkingRegistration(t, sa) serial, testCert := test.ThrowAwayCert(t, fc) - issuedTime := fc.Now() _, err := sa.AddSerial(ctx, &sapb.AddSerialRequest{ RegID: reg.Id, Serial: core.SerialToString(testCert.SerialNumber), @@ -1911,7 +1857,7 @@ func TestUpdateRevokedCertificate(t *testing.T) { _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ Der: testCert.Raw, RegID: reg.Id, - Issued: timestamppb.New(issuedTime), + Issued: timestamppb.New(testCert.NotBefore), IssuerNameID: 1, }) test.AssertNotError(t, err, "Couldn't add test cert") @@ -1944,10 +1890,10 @@ func TestUpdateRevokedCertificate(t *testing.T) { test.AssertNotError(t, err, "RevokeCertificate failed") // Double check that setup worked. - status, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) + status, err := sa.GetRevocationStatus(ctx, &sapb.Serial{Serial: serial}) test.AssertNotError(t, err, "GetCertificateStatus failed") - test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusRevoked) - test.AssertEquals(t, revocation.Reason(status.RevokedReason), revocation.CessationOfOperation) + test.AssertEquals(t, status.Status, core.RevocationStatusRevoked) + test.AssertEquals(t, status.RevokedReason, int64(revocation.CessationOfOperation)) fc.Add(1 * time.Hour) // Try to update its revocation info with no backdate @@ -3000,10 +2946,10 @@ func TestGetRevokedCerts(t *testing.T) { test.AssertNotError(t, err, "failed to add test cert") // Check that it worked. - status, err := sa.GetCertificateStatus( + status, err := sa.GetRevocationStatus( ctx, &sapb.Serial{Serial: core.SerialToString(eeCert.SerialNumber)}) test.AssertNotError(t, err, "GetCertificateStatus failed") - test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusGood) + test.AssertEquals(t, status.Status, core.RevocationStatusGood) // Here's a little helper func we'll use to call GetRevokedCerts and count // how many results it returned. @@ -3107,10 +3053,10 @@ func TestGetRevokedCertsByShard(t *testing.T) { test.AssertNotError(t, err, "failed to add test cert") // Check that it worked. - status, err := sa.GetCertificateStatus( + status, err := sa.GetRevocationStatus( ctx, &sapb.Serial{Serial: core.SerialToString(eeCert.SerialNumber)}) test.AssertNotError(t, err, "GetCertificateStatus failed") - test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusGood) + test.AssertEquals(t, status.Status, core.RevocationStatusGood) // Here's a little helper func we'll use to call GetRevokedCertsByShard and count // how many results it returned. diff --git a/sa/saro.go b/sa/saro.go index 10dbf503a4a..5fb16ca1dc1 100644 --- a/sa/saro.go +++ b/sa/saro.go @@ -155,7 +155,8 @@ func (ssa *SQLStorageAuthorityRO) GetRegistrationByKey(ctx context.Context, req // GetSerialMetadata returns metadata stored alongside the serial number, // such as the RegID whose certificate request created that serial, and when -// the certificate with that serial will expire. +// the certificate with that serial will expire. If the serial does not appear +// in the serials table, it returns error NotFound. func (ssa *SQLStorageAuthorityRO) GetSerialMetadata(ctx context.Context, req *sapb.Serial) (*sapb.SerialMetadata, error) { if req == nil || req.Serial == "" { return nil, errIncompleteRequest @@ -255,6 +256,12 @@ func (ssa *SQLStorageAuthorityRO) GetCertificateStatus(ctx context.Context, req // GetRevocationStatus takes a hexadecimal string representing the full serial // number of a certificate and returns a minimal set of data about that cert's // current validity. +// +// If the certificate appears in the revokedCertificates table, it returns +// RevocationStatusRevoked. If the certificate does not appear in the +// revokedCertificates table but does appear in the serials table, it returns +// RevocationStatusGood. If the certificate does not appear in the serials +// table, it returns error NotFound. func (ssa *SQLStorageAuthorityRO) GetRevocationStatus(ctx context.Context, req *sapb.Serial) (*sapb.RevocationStatus, error) { if req.Serial == "" { return nil, errIncompleteRequest @@ -263,15 +270,32 @@ func (ssa *SQLStorageAuthorityRO) GetRevocationStatus(ctx context.Context, req * return nil, fmt.Errorf("invalid certificate serial %s", req.Serial) } - status, err := SelectRevocationStatus(ctx, ssa.dbReadOnlyMap, req.Serial) - if err != nil { - if db.IsNoRows(err) { - return nil, berrors.NotFoundError("certificate status with serial %q not found", req.Serial) + var model revokedCertModel + err := ssa.dbReadOnlyMap.SelectOne( + ctx, + &model, + "SELECT * FROM revokedCertificates WHERE serial = ? LIMIT 1", + req.Serial, + ) + if db.IsNoRows(err) { + // The revokedCertificates table only holds revoked certificates, so serials + // that aren't found are considered to be not revoked. Double check that the + // serial exists at all before asserting that it's good. + _, err := ssa.GetSerialMetadata(ctx, req) + if err != nil { + // GetSerialMetadata handles returning NotFound if appropriate. + return nil, err } - return nil, err + return &sapb.RevocationStatus{Status: core.RevocationStatusGood}, nil + } else if err != nil { + return nil, fmt.Errorf("retrieving revoked certificate row: %w", err) } - return status, nil + return &sapb.RevocationStatus{ + Status: core.RevocationStatusRevoked, + RevokedDate: timestamppb.New(model.RevokedDate), + RevokedReason: int64(model.RevokedReason), + }, nil } // FQDNSetTimestampsForWindow returns the issuance timestamps for each diff --git a/wfe2/wfe.go b/wfe2/wfe.go index efe6aa90051..bc79d21982a 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -2143,12 +2143,12 @@ func (wfe *WebFrontEndImpl) determineARIWindow(ctx context.Context, serial strin } // Check if the serial is revoked. - status, err := wfe.sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) + status, err := wfe.sa.GetRevocationStatus(ctx, &sapb.Serial{Serial: serial}) if err != nil { return core.RenewalInfo{}, fmt.Errorf("checking if existing certificate has been revoked: %w", err) } - if status.Status == string(core.OCSPStatusRevoked) { + if status.Status == core.RevocationStatusRevoked { // The existing certificate is revoked, renew immediately. return core.RenewalInfoImmediate(wfe.clk.Now(), ""), nil } diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index affa9e85419..b56619ceff4 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go @@ -2074,13 +2074,13 @@ func TestUpdateAccount(t *testing.T) { type mockSAWithCert struct { sapb.StorageAuthorityReadOnlyClient cert *x509.Certificate - status core.OCSPStatus + status int64 } func newMockSAWithCert(t *testing.T, sa sapb.StorageAuthorityReadOnlyClient) *mockSAWithCert { cert, err := core.LoadCert("../test/hierarchy/ee-r3.cert.pem") test.AssertNotError(t, err, "Failed to load test cert") - return &mockSAWithCert{sa, cert, core.OCSPStatusGood} + return &mockSAWithCert{sa, cert, core.RevocationStatusGood} } // GetCertificate returns the mock SA's hard-coded certificate, issued by the @@ -2099,16 +2099,15 @@ func (sa *mockSAWithCert) GetCertificate(_ context.Context, req *sapb.Serial, _ }, nil } -// GetCertificateStatus returns the mock SA's status, if the given serial matches. +// GetRevocationStatus returns the mock SA's status, if the given serial matches. // Otherwise, returns not found. -func (sa *mockSAWithCert) GetCertificateStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.CertificateStatus, error) { +func (sa *mockSAWithCert) GetRevocationStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*sapb.RevocationStatus, error) { if req.Serial != core.SerialToString(sa.cert.SerialNumber) { return nil, berrors.NotFoundError("Status for certificate with serial %q not found", req.Serial) } - return &corepb.CertificateStatus{ - Serial: core.SerialToString(sa.cert.SerialNumber), - Status: string(sa.status), + return &sapb.RevocationStatus{ + Status: sa.status, }, nil } @@ -3854,7 +3853,7 @@ func TestARI(t *testing.T) { // Ensure that a correct draft-ietf-acme-ari03 query for a revoked cert // results in a renewal window in the past. - msa.status = core.OCSPStatusRevoked + msa.status = core.RevocationStatusRevoked req, event = makeGet(certID, renewalInfoPath) resp = httptest.NewRecorder() wfe.RenewalInfo(context.Background(), event, resp, req) @@ -4014,8 +4013,8 @@ func (sa *mockSAForARI) IncidentsForSerial(ctx context.Context, in *sapb.Serial, return &sapb.Incidents{}, nil } -func (sa *mockSAForARI) GetCertificateStatus(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*corepb.CertificateStatus, error) { - return &corepb.CertificateStatus{Serial: in.Serial, Status: string(core.OCSPStatusGood)}, nil +func (sa *mockSAForARI) GetRevocationStatus(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*sapb.RevocationStatus, error) { + return &sapb.RevocationStatus{Status: core.RevocationStatusGood}, nil } func TestOrderMatchesReplacement(t *testing.T) { From 0e2dce0892c83b1eca5b07585e002d94bb2d8a88 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 2 Oct 2025 15:35:45 -0700 Subject: [PATCH 2/2] Copy schema change to sa/db/ --- .../20251002000000_AddRevokedSerialsIndex.sql | 10 +--------- .../20251002000000_AddRevokedSerialsIndex.sql | 9 +++++++++ 2 files changed, 10 insertions(+), 9 deletions(-) mode change 100644 => 120000 sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql create mode 100644 sa/db/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql diff --git a/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql b/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql deleted file mode 100644 index 44815cc4edf..00000000000 --- a/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql +++ /dev/null @@ -1,9 +0,0 @@ --- +migrate Up --- SQL in section 'Up' is executed when this migration is applied - -ALTER TABLE `revokedCertificates` ADD KEY `serial` (`serial`); - --- +migrate Down --- SQL section 'Down' is executed when this migration is rolled back - -ALTER TABLE `revokedCertificates` DROP KEY `serial`; diff --git a/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql b/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql new file mode 120000 index 00000000000..0ff24b0f35f --- /dev/null +++ b/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql @@ -0,0 +1 @@ +../../db/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql \ No newline at end of file diff --git a/sa/db/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql b/sa/db/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql new file mode 100644 index 00000000000..44815cc4edf --- /dev/null +++ b/sa/db/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql @@ -0,0 +1,9 @@ +-- +migrate Up +-- SQL in section 'Up' is executed when this migration is applied + +ALTER TABLE `revokedCertificates` ADD KEY `serial` (`serial`); + +-- +migrate Down +-- SQL section 'Down' is executed when this migration is rolled back + +ALTER TABLE `revokedCertificates` DROP KEY `serial`;