WFE: Remove unnecessary x509.ParseCertificate (#5811)

Re-parsing the certificate after we're sure we issued it accomplishes
nothing except wasting CPU cycles. This duplicate work was left over
after the removal of the old code path, which was incapable of revoking
precertificates.
Aaron Gable 2021-11-24 12:33:51 -08:00 committed by GitHub
parent 215ee7f01d
commit 1e67f7b5fb
1 changed files with 7 additions and 17 deletions


@ -807,38 +807,28 @@ func (wfe *WebFrontEndImpl) processRevocation(
} }
// Parse the provided certificate // Parse the provided certificate
providedCert, err := x509.ParseCertificate(revokeRequest.CertificateDER) parsedCertificate, err := x509.ParseCertificate(revokeRequest.CertificateDER)
if err != nil { if err != nil {
return probs.Malformed("Unable to parse certificate DER") return probs.Malformed("Unable to parse certificate DER")
} }
// Compute and record the serial number of the provided certificate // Compute and record the serial number of the provided certificate
serial := core.SerialToString(providedCert.SerialNumber) serial := core.SerialToString(parsedCertificate.SerialNumber)
logEvent.Extra["ProvidedCertificateSerial"] = serial logEvent.Extra["CertificateSerial"] = serial
beeline.AddFieldToTrace(ctx, "request.serial", serial) beeline.AddFieldToTrace(ctx, "cert.serial", serial)
// Try to validate the signature on the provided cert using its corresponding // Try to validate the signature on the provided cert using its corresponding
// issuer certificate. // issuer certificate.
issuerNameID := issuance.GetIssuerNameID(providedCert) issuerNameID := issuance.GetIssuerNameID(parsedCertificate)
issuerCert, ok := wfe.issuerCertificates[issuerNameID] issuerCert, ok := wfe.issuerCertificates[issuerNameID]
if !ok || issuerCert == nil { if !ok || issuerCert == nil {
return probs.NotFound("Certificate from unrecognized issuer") return probs.NotFound("Certificate from unrecognized issuer")
} }
err = providedCert.CheckSignatureFrom(issuerCert.Certificate) err = parsedCertificate.CheckSignatureFrom(issuerCert.Certificate)
if err != nil { if err != nil {
return probs.NotFound("No such certificate") return probs.NotFound("No such certificate")
} }
logEvent.Extra["CertificateDNSNames"] = parsedCertificate.DNSNames
// Now that we're sure we issued it, parse the certificate into memory.
parsedCertificate, err := x509.ParseCertificate(providedCert.Raw)
if err != nil {
// InternalServerError because certDER came from our own DB, or was
// confirmed issued by one of our own issuers.
return probs.ServerInternal("invalid parse of stored certificate")
}
logEvent.Extra["RetrievedCertificateSerial"] = serial
beeline.AddFieldToTrace(ctx, "cert.serial", serial)
logEvent.Extra["RetrievedCertificateDNSNames"] = parsedCertificate.DNSNames
beeline.AddFieldToTrace(ctx, "cert.dnsnames", parsedCertificate.DNSNames) beeline.AddFieldToTrace(ctx, "cert.dnsnames", parsedCertificate.DNSNames)
if parsedCertificate.NotAfter.Before(wfe.clk.Now()) { if parsedCertificate.NotAfter.Before(wfe.clk.Now()) {