From 21b18667b266b2c96f05eaa8c87d71a4c321ccb0 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Fri, 15 Dec 2023 07:36:59 -0800 Subject: [PATCH] Remove static test certs from SA unittests (#7217) Fixes https://github.com/letsencrypt/boulder/issues/6279 --- sa/sa_test.go | 365 ++++++++++++++++++++++----------------------- sa/test-cert.der | Bin 1157 -> 0 bytes sa/test-cert2.der | Bin 1119 -> 0 bytes sa/www.eff.org.der | Bin 1975 -> 0 bytes 4 files changed, 179 insertions(+), 186 deletions(-) delete mode 100644 sa/test-cert.der delete mode 100644 sa/test-cert2.der delete mode 100644 sa/www.eff.org.der diff --git a/sa/sa_test.go b/sa/sa_test.go index 36fc2ae8a..f072062b8 100644 --- a/sa/sa_test.go +++ b/sa/sa_test.go 
@@ -528,52 +528,51 @@ func TestAddPrecertificateKeyHash(t *testing.T) { } func TestAddCertificate(t *testing.T) { - sa, _, cleanUp := initSA(t) + sa, clk, cleanUp := initSA(t) defer cleanUp() reg := createWorkingRegistration(t, sa) - // An example cert taken from EFF's website - certDER, err := os.ReadFile("www.eff.org.der") - test.AssertNotError(t, err, "Couldn't read example cert DER") + serial, testCert := test.ThrowAwayCert(t, clk) - // Calling AddCertificate with a non-nil issued should succeed issuedTime := sa.clk.Now() - _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, + _, err := sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, RegID: reg.Id, Issued: timestamppb.New(issuedTime), }) - test.AssertNotError(t, err, "Couldn't add www.eff.org.der") + test.AssertNotError(t, err, "Couldn't add test cert") - retrievedCert, err := sa.GetCertificate(ctx, &sapb.Serial{Serial: "000000000000000000000000000000021bd4"}) - test.AssertNotError(t, err, "Couldn't get www.eff.org.der by full serial") - test.AssertByteEquals(t, certDER, retrievedCert.Der) - // Because nil was provided as the Issued time we expect the cert was stored - // with an issued time equal to now + retrievedCert, err := sa.GetCertificate(ctx, &sapb.Serial{Serial: serial}) + test.AssertNotError(t, err, "Couldn't get test cert by full serial") + test.AssertByteEquals(t, testCert.Raw, retrievedCert.Der) test.AssertEquals(t, retrievedCert.Issued.AsTime(), issuedTime) - // Test cert generated locally by Boulder, with names [example.com, - // www.example.com, admin.example.com] - certDER2, err := os.ReadFile("test-cert.der") - test.AssertNotError(t, err, "Couldn't read example cert DER") - serial := "ffdd9b8a82126d96f61d378d5ba99a0474f0" - - // Add the certificate with a specific issued time instead of nil - issuedTime = time.Date(2018, 4, 1, 7, 0, 0, 0, time.UTC) + // Calling AddCertificate with empty args should fail. 
_, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER2, + Der: nil, RegID: reg.Id, Issued: timestamppb.New(issuedTime), }) - test.AssertNotError(t, err, "Couldn't add test-cert.der") - - retrievedCert2, err := sa.GetCertificate(ctx, &sapb.Serial{Serial: serial}) - test.AssertNotError(t, err, "Couldn't get test-cert.der") - test.AssertByteEquals(t, certDER2, retrievedCert2.Der) - // The cert should have been added with the specific issued time we provided - // as the issued field. - test.AssertEquals(t, retrievedCert2.Issued.AsTime(), issuedTime) + test.AssertError(t, err, "shouldn't be able to add cert with no DER") + _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + RegID: 0, + Issued: timestamppb.New(issuedTime), + }) + test.AssertError(t, err, "shouldn't be able to add cert with no regID") + _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + RegID: reg.Id, + Issued: nil, + }) + test.AssertError(t, err, "shouldn't be able to add cert with no issued timestamp") + _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + RegID: reg.Id, + Issued: timestamppb.New(time.Time{}), + }) + test.AssertError(t, err, "shouldn't be able to add cert with zero issued timestamp") } func TestAddCertificateDuplicate(t *testing.T) { 
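Review bot: The four new negative cases at the end of TestAddCertificate only assert that some error came back (`test.AssertError`), so a database or connectivity failure would satisfy them just as well as the intended argument validation. If the SA has a sentinel or typed error for malformed requests, assert on it with `errors.Is`/`errors.As` (or at minimum on the message) so the test pins that each request was rejected before any write happened. That also makes the zero-`Issued` case distinguishable from the nil-`Issued` case, which the current assertions treat identically.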
@@ -601,78 +600,105 @@ func TestAddCertificateDuplicate(t *testing.T) { } -func TestCountCertificatesByNames(t *testing.T) { +func TestCountCertificatesByNamesTimeRange(t *testing.T) { sa, clk, cleanUp := initSA(t) defer cleanUp() - // Test cert generated locally by Boulder, with names [example.com, - // www.example.com, admin.example.com] - certDER, err := os.ReadFile("test-cert.der") - test.AssertNotError(t, err, "Couldn't read example cert DER") + reg := createWorkingRegistration(t, sa) + _, testCert := test.ThrowAwayCert(t, clk) + _, err := sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + RegID: reg.Id, + Issued: timestamppb.New(testCert.NotBefore), + }) + test.AssertNotError(t, err, "Couldn't add test cert") + name := testCert.DNSNames[0] - cert, err := x509.ParseCertificate(certDER) - test.AssertNotError(t, err, "Couldn't parse example cert DER") - - // Set the test clock's time to the time from the test certificate, plus an - // hour to account for rounding. - clk.Add(time.Hour - clk.Now().Sub(cert.NotBefore)) + // Move time forward, so the cert was issued slightly in the past. + clk.Add(time.Hour) now := clk.Now() yesterday := clk.Now().Add(-24 * time.Hour) twoDaysAgo := clk.Now().Add(-48 * time.Hour) tomorrow := clk.Now().Add(24 * time.Hour) // Count for a name that doesn't have any certs - req := &sapb.CountCertificatesByNamesRequest{ - Names: []string{"example.com"}, + counts, err := sa.CountCertificatesByNames(ctx, &sapb.CountCertificatesByNamesRequest{ + Names: []string{"does.not.exist"}, Range: &sapb.Range{ Earliest: timestamppb.New(yesterday), Latest: timestamppb.New(now), }, - } - counts, err := sa.CountCertificatesByNames(ctx, req) + }) test.AssertNotError(t, err, "Error counting certs.") test.AssertEquals(t, len(counts.Counts), 1) - test.AssertEquals(t, counts.Counts["example.com"], int64(0)) - - // Add the test cert and query for its names. 
- reg := createWorkingRegistration(t, sa) - issued := sa.clk.Now() - _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, - RegID: reg.Id, - Issued: timestamppb.New(issued), - }) - test.AssertNotError(t, err, "Couldn't add test-cert.der") + test.AssertEquals(t, counts.Counts["does.not.exist"], int64(0)) // Time range including now should find the cert. - counts, err = sa.CountCertificatesByNames(ctx, req) + counts, err = sa.CountCertificatesByNames(ctx, &sapb.CountCertificatesByNamesRequest{ + Names: testCert.DNSNames, + Range: &sapb.Range{ + Earliest: timestamppb.New(yesterday), + Latest: timestamppb.New(now), + }, + }) test.AssertNotError(t, err, "sa.CountCertificatesByName failed") test.AssertEquals(t, len(counts.Counts), 1) - test.AssertEquals(t, counts.Counts["example.com"], int64(1)) + test.AssertEquals(t, counts.Counts[name], int64(1)) // Time range between two days ago and yesterday should not find the cert. - req.Range.Earliest = timestamppb.New(twoDaysAgo) - req.Range.Latest = timestamppb.New(yesterday) - counts, err = sa.CountCertificatesByNames(ctx, req) + counts, err = sa.CountCertificatesByNames(ctx, &sapb.CountCertificatesByNamesRequest{ + Names: testCert.DNSNames, + Range: &sapb.Range{ + Earliest: timestamppb.New(twoDaysAgo), + Latest: timestamppb.New(yesterday), + }, + }) test.AssertNotError(t, err, "Error counting certs.") test.AssertEquals(t, len(counts.Counts), 1) - test.AssertEquals(t, counts.Counts["example.com"], int64(0)) + test.AssertEquals(t, counts.Counts[name], int64(0)) // Time range between now and tomorrow also should not (time ranges are // inclusive at the tail end, but not the beginning end). 
- req.Range.Earliest = timestamppb.New(now) - req.Range.Latest = timestamppb.New(tomorrow) - counts, err = sa.CountCertificatesByNames(ctx, req) + counts, err = sa.CountCertificatesByNames(ctx, &sapb.CountCertificatesByNamesRequest{ + Names: testCert.DNSNames, + Range: &sapb.Range{ + Earliest: timestamppb.New(now), + Latest: timestamppb.New(tomorrow), + }, + }) test.AssertNotError(t, err, "Error counting certs.") test.AssertEquals(t, len(counts.Counts), 1) - test.AssertEquals(t, counts.Counts["example.com"], int64(0)) + test.AssertEquals(t, counts.Counts[name], int64(0)) +} - // Add a second test cert (for example.co.bn) and query for multiple names. - names := []string{"example.com", "foo.com", "example.co.bn"} +func TestCountCertificatesByNamesParallel(t *testing.T) { + sa, clk, cleanUp := initSA(t) + defer cleanUp() + + // Create two certs with different names and add them both to the database. + reg := createWorkingRegistration(t, sa) + + _, testCert := test.ThrowAwayCert(t, clk) + _, err := sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + RegID: reg.Id, + Issued: timestamppb.New(testCert.NotBefore), + }) + test.AssertNotError(t, err, "Couldn't add test cert") + + _, testCert2 := test.ThrowAwayCert(t, clk) + _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert2.Raw, + RegID: reg.Id, + Issued: timestamppb.New(testCert2.NotBefore), + }) + test.AssertNotError(t, err, "Couldn't add test cert") // Override countCertificatesByName with an implementation of certCountFunc // that will block forever if it's called in serial, but will succeed if // called in parallel. + names := []string{"does.not.exist", testCert.DNSNames[0], testCert2.DNSNames[0]} + var interlocker sync.WaitGroup interlocker.Add(len(names)) sa.parallelismPerRPC = len(names) 
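Review bot: The three time-range cases in TestCountCertificatesByNamesTimeRange hold only if `testCert.NotBefore` falls inside `(yesterday, now]` after the `clk.Add(time.Hour)`, and nothing in the hunk checks that; the cert is stored with `Issued: timestamppb.New(testCert.NotBefore)`, so the relationship between NotBefore and the fake clock is an assumption about test.ThrowAwayCert rather than something this test controls. A guard such as `test.Assert(t, testCert.NotBefore.After(yesterday) && !testCert.NotBefore.After(now), "test cert issued outside the expected window")` placed right after `now`/`yesterday` are computed would turn a silent wrong-window failure into a clear one. The comment `// Move time forward, so the cert was issued slightly in the past.` could state that assumption explicitly.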
@@ -683,31 +709,26 @@ func TestCountCertificatesByNames(t *testing.T) { return oldCertCountFunc(ctx, sel, domain, timeRange) } - certDER2, err := os.ReadFile("test-cert2.der") - test.AssertNotError(t, err, "Couldn't read test-cert2.der") - _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER2, - RegID: reg.Id, - Issued: timestamppb.New(issued), + counts, err := sa.CountCertificatesByNames(ctx, &sapb.CountCertificatesByNamesRequest{ + Names: names, + Range: &sapb.Range{ + Earliest: timestamppb.New(clk.Now().Add(-time.Hour)), + Latest: timestamppb.New(clk.Now().Add(time.Hour)), + }, }) - test.AssertNotError(t, err, "Couldn't add test-cert2.der") - req.Names = names - req.Range.Earliest = timestamppb.New(yesterday) - req.Range.Latest = timestamppb.New(now.Add(10000 * time.Hour)) - counts, err = sa.CountCertificatesByNames(ctx, req) test.AssertNotError(t, err, "Error counting certs.") test.AssertEquals(t, len(counts.Counts), 3) + // We expect there to be two of each of the names that do exist, because + // test.ThrowAwayCert creates certs for subdomains of example.com, and + // CountCertificatesByNames counts all certs under the same registered domain. expected := map[string]int64{ - "example.co.bn": 1, - "foo.com": 0, - "example.com": 1, + "does.not.exist": 0, + testCert.DNSNames[0]: 2, + testCert2.DNSNames[0]: 2, } - for name, count := range counts.Counts { - domain := name - actualCount := count - expectedCount := expected[domain] - test.AssertEquals(t, actualCount, expectedCount) + for name, count := range expected { + test.AssertEquals(t, count, counts.Counts[name]) } } 
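Review bot: In the final loop of TestCountCertificatesByNamesParallel, `counts.Counts[name]` is read with the plain index form, so a name absent from the response reads as 0 and the `"does.not.exist": 0` expectation passes whether or not the SA returned an entry for it; the `len(counts.Counts) == 3` check just above is the only thing guarding that. Prefer `got, ok := counts.Counts[name]`, assert `ok`, then compare, and keep the actual-then-expected argument order (`test.AssertEquals(t, got, count)`) that the rest of the file uses, since the new line `test.AssertEquals(t, count, counts.Counts[name])` reverses it. The hard-coded expectation of 2 depends on test.ThrowAwayCert issuing under one registered domain, as the new comment says; if that helper changes its naming this assertion becomes wrong without any local signal, so consider deriving the expected count from the two certs' DNS names instead. The enclosing function begins in the previous hunk.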
@@ -1144,25 +1165,23 @@ func TestAddIssuedNames(t *testing.T) { } func TestPreviousCertificateExists(t *testing.T) { - sa, _, cleanUp := initSA(t) + sa, clk, cleanUp := initSA(t) defer cleanUp() reg := createWorkingRegistration(t, sa) - // An example cert taken from EFF's website - certDER, err := os.ReadFile("www.eff.org.der") - test.AssertNotError(t, err, "reading cert DER") + _, testCert := test.ThrowAwayCert(t, clk) issued := sa.clk.Now() - _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, + _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, Issued: timestamppb.New(issued), RegID: reg.Id, IssuerNameID: 1, }) test.AssertNotError(t, err, "Failed to add precertificate") _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, + Der: testCert.Raw, RegID: reg.Id, Issued: timestamppb.New(issued), }) @@ -1174,9 +1193,9 @@ func TestPreviousCertificateExists(t *testing.T) { regID int64 expected bool }{ - {"matches", "www.eff.org", reg.Id, true}, - {"wrongDomain", "wwoof.org", reg.Id, false}, - {"wrongAccount", "www.eff.org", 3333, false}, + {"matches", testCert.DNSNames[0], reg.Id, true}, + {"wrongDomain", "example.org", reg.Id, false}, + {"wrongAccount", testCert.DNSNames[0], 3333, false}, } for _, testCase := range cases { 
@@ -2054,18 +2073,15 @@ func TestRevokeCertificate(t *testing.T) { reg := createWorkingRegistration(t, sa) // Add a cert to the DB to test with. - certDER, err := os.ReadFile("www.eff.org.der") - test.AssertNotError(t, err, "Couldn't read example cert DER") + serial, testCert := test.ThrowAwayCert(t, fc) issuedTime := sa.clk.Now() - _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, + _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, RegID: reg.Id, Issued: timestamppb.New(issuedTime), IssuerNameID: 1, }) - test.AssertNotError(t, err, "Couldn't add www.eff.org.der") - - serial := "000000000000000000000000000000021bd4" + test.AssertNotError(t, err, "Couldn't add test cert") status, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial}) test.AssertNotError(t, err, "GetCertificateStatus failed") @@ -2163,17 +2179,15 @@ func TestUpdateRevokedCertificate(t *testing.T) { // Add a cert to the DB to test with. reg := createWorkingRegistration(t, sa) - certDER, err := os.ReadFile("www.eff.org.der") - serial := "000000000000000000000000000000021bd4" + serial, testCert := test.ThrowAwayCert(t, fc) issuedTime := fc.Now() - test.AssertNotError(t, err, "Couldn't read example cert DER") - _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, + _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, RegID: reg.Id, Issued: timestamppb.New(issuedTime), IssuerNameID: 1, }) - test.AssertNotError(t, err, "Couldn't add www.eff.org.der") + test.AssertNotError(t, err, "Couldn't add test cert") fc.Add(1 * time.Hour) // Try to update it before its been revoked 
@@ -2277,22 +2291,21 @@ func TestUpdateRevokedCertificateWithShard(t *testing.T) { // Add a cert to the DB to test with. reg := createWorkingRegistration(t, sa) - eeCert, err := core.LoadCert("../test/hierarchy/ee-e1.cert.pem") - test.AssertNotError(t, err, "failed to load test cert") - _, err = sa.AddSerial(ctx, &sapb.AddSerialRequest{ + serial, testCert := test.ThrowAwayCert(t, fc) + _, err := sa.AddSerial(ctx, &sapb.AddSerialRequest{ RegID: reg.Id, - Serial: core.SerialToString(eeCert.SerialNumber), - Created: timestamppb.New(eeCert.NotBefore), - Expires: timestamppb.New(eeCert.NotAfter), + Serial: core.SerialToString(testCert.SerialNumber), + Created: timestamppb.New(testCert.NotBefore), + Expires: timestamppb.New(testCert.NotAfter), }) test.AssertNotError(t, err, "failed to add test serial") _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: eeCert.Raw, + Der: testCert.Raw, RegID: reg.Id, - Issued: timestamppb.New(eeCert.NotBefore), + Issued: timestamppb.New(testCert.NotBefore), IssuerNameID: 1, }) - test.AssertNotError(t, err, "Couldn't add www.eff.org.der") + test.AssertNotError(t, err, "Couldn't add test cert") fc.Add(1 * time.Hour) // Now revoke it with a shardIdx, so that it gets updated in both the @@ -2301,7 +2314,7 @@ func TestUpdateRevokedCertificateWithShard(t *testing.T) { _, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{ IssuerID: 1, ShardIdx: 9, - Serial: core.SerialToString(eeCert.SerialNumber), + Serial: serial, Date: timestamppb.New(revokedTime), Reason: ocsp.CessationOfOperation, Response: []byte{1, 2, 3}, @@ -2313,7 +2326,7 @@ func TestUpdateRevokedCertificateWithShard(t *testing.T) { _, err = sa.UpdateRevokedCertificate(context.Background(), &sapb.RevokeCertificateRequest{ IssuerID: 1, ShardIdx: 9, - Serial: core.SerialToString(eeCert.SerialNumber), + Serial: serial, Date: timestamppb.New(fc.Now()), Backdate: timestamppb.New(revokedTime), Reason: ocsp.KeyCompromise, 
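Review bot: In TestUpdateRevokedCertificateWithShard the AddSerial request still uses `Serial: core.SerialToString(testCert.SerialNumber)` while every later call in the function (RevokeCertificate, UpdateRevokedCertificate, and the SELECT in the following hunk) uses the `serial` string returned by test.ThrowAwayCert; the sibling TestUpdateRevokedCertificateWithShardInterim was changed to `Serial: serial,` in the same position. The test only holds together if the two spellings agree, which nothing here verifies. Use `Serial: serial,` here too so one canonical serial flows through the whole test, or add `test.AssertEquals(t, serial, core.SerialToString(testCert.SerialNumber))` right after the ThrowAwayCert call to make the assumption explicit. The function's opening lines are outside this hunk.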
@@ -2323,7 +2336,7 @@ func TestUpdateRevokedCertificateWithShard(t *testing.T) { var result revokedCertModel err = sa.dbMap.SelectOne( - ctx, &result, `SELECT * FROM revokedCertificates WHERE serial = ?`, core.SerialToString(eeCert.SerialNumber)) + ctx, &result, `SELECT * FROM revokedCertificates WHERE serial = ?`, serial) test.AssertNotError(t, err, "should be exactly one row in revokedCertificates") test.AssertEquals(t, result.ShardIdx, int64(9)) test.AssertEquals(t, result.RevokedReason, revocation.Reason(ocsp.KeyCompromise)) @@ -2339,22 +2352,21 @@ func TestUpdateRevokedCertificateWithShardInterim(t *testing.T) { // Add a cert to the DB to test with. reg := createWorkingRegistration(t, sa) - eeCert, err := core.LoadCert("../test/hierarchy/ee-e1.cert.pem") - test.AssertNotError(t, err, "failed to load test cert") - _, err = sa.AddSerial(ctx, &sapb.AddSerialRequest{ + serial, testCert := test.ThrowAwayCert(t, fc) + _, err := sa.AddSerial(ctx, &sapb.AddSerialRequest{ RegID: reg.Id, - Serial: core.SerialToString(eeCert.SerialNumber), - Created: timestamppb.New(eeCert.NotBefore), - Expires: timestamppb.New(eeCert.NotAfter), + Serial: serial, + Created: timestamppb.New(testCert.NotBefore), + Expires: timestamppb.New(testCert.NotAfter), }) test.AssertNotError(t, err, "failed to add test serial") _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: eeCert.Raw, + Der: testCert.Raw, RegID: reg.Id, - Issued: timestamppb.New(eeCert.NotBefore), + Issued: timestamppb.New(testCert.NotBefore), IssuerNameID: 1, }) - test.AssertNotError(t, err, "Couldn't add www.eff.org.der") + test.AssertNotError(t, err, "Couldn't add test cert") fc.Add(1 * time.Hour) // Now revoke it *without* a shardIdx, so that it only gets updated in the 
@@ -2362,7 +2374,7 @@ func TestUpdateRevokedCertificateWithShardInterim(t *testing.T) { revokedTime := timestamppb.New(fc.Now()) _, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{ IssuerID: 1, - Serial: core.SerialToString(eeCert.SerialNumber), + Serial: serial, Date: revokedTime, Reason: ocsp.CessationOfOperation, Response: []byte{1, 2, 3}, @@ -2371,7 +2383,7 @@ func TestUpdateRevokedCertificateWithShardInterim(t *testing.T) { // Confirm that setup worked as expected. status, err := sa.GetCertificateStatus( - ctx, &sapb.Serial{Serial: core.SerialToString(eeCert.SerialNumber)}) + ctx, &sapb.Serial{Serial: serial}) test.AssertNotError(t, err, "GetCertificateStatus failed") test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusRevoked) @@ -2386,7 +2398,7 @@ func TestUpdateRevokedCertificateWithShardInterim(t *testing.T) { _, err = sa.UpdateRevokedCertificate(context.Background(), &sapb.RevokeCertificateRequest{ IssuerID: 1, ShardIdx: 9, - Serial: core.SerialToString(eeCert.SerialNumber), + Serial: serial, Date: timestamppb.New(fc.Now()), Backdate: revokedTime, Reason: ocsp.KeyCompromise, @@ -2396,7 +2408,7 @@ func TestUpdateRevokedCertificateWithShardInterim(t *testing.T) { var result revokedCertModel err = sa.dbMap.SelectOne( - ctx, &result, `SELECT * FROM revokedCertificates WHERE serial = ?`, core.SerialToString(eeCert.SerialNumber)) + ctx, &result, `SELECT * FROM revokedCertificates WHERE serial = ?`, serial) test.AssertNotError(t, err, "should be exactly one row in revokedCertificates") test.AssertEquals(t, result.ShardIdx, int64(9)) test.AssertEquals(t, result.RevokedReason, revocation.Reason(ocsp.KeyCompromise)) 
@@ -2408,39 +2420,6 @@ func TestAddCertificateRenewalBit(t *testing.T) { reg := createWorkingRegistration(t, sa) - // An example cert taken from EFF's website - certDER, err := os.ReadFile("www.eff.org.der") - test.AssertNotError(t, err, "Unexpected error reading www.eff.org.der test file") - cert, err := x509.ParseCertificate(certDER) - test.AssertNotError(t, err, "Unexpected error parsing www.eff.org.der test file") - names := cert.DNSNames - - expires := fc.Now().Add(time.Hour * 2).UTC() - issued := fc.Now() - serial := "thrilla" - - // Add a FQDN set for the names so that it will be considered a renewal - tx, err := sa.dbMap.BeginTx(ctx) - test.AssertNotError(t, err, "Failed to open transaction") - err = addFQDNSet(ctx, tx, names, serial, issued, expires) - test.AssertNotError(t, err, "Failed to add name set") - test.AssertNotError(t, tx.Commit(), "Failed to commit transaction") - - // Add the certificate with the same names. - _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, - Issued: timestamppb.New(issued), - RegID: reg.Id, - IssuerNameID: 1, - }) - test.AssertNotError(t, err, "Failed to add precertificate") - _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, - RegID: reg.Id, - Issued: timestamppb.New(issued), - }) - test.AssertNotError(t, err, "Failed to add certificate") - assertIsRenewal := func(t *testing.T, name string, expected bool) { t.Helper() var count int 
@@ -2457,36 +2436,50 @@ func TestAddCertificateRenewalBit(t *testing.T) { test.AssertEquals(t, count, 1) } - // All of the names should have a issuedNames row marking it as a renewal. - for _, name := range names { - assertIsRenewal(t, name, true) - } - - // Add a certificate with different names. - certDER, err = os.ReadFile("test-cert.der") - test.AssertNotError(t, err, "Unexpected error reading test-cert.der test file") - cert, err = x509.ParseCertificate(certDER) - test.AssertNotError(t, err, "Unexpected error parsing test-cert.der test file") - names = cert.DNSNames - - _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, - Issued: timestamppb.New(issued), + // Add a certificate with a never-before-seen name. + _, testCert := test.ThrowAwayCert(t, fc) + _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + Issued: timestamppb.New(testCert.NotBefore), RegID: reg.Id, IssuerNameID: 1, }) test.AssertNotError(t, err, "Failed to add precertificate") _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ - Der: certDER, + Der: testCert.Raw, RegID: reg.Id, - Issued: timestamppb.New(issued), + Issued: timestamppb.New(testCert.NotBefore), }) test.AssertNotError(t, err, "Failed to add certificate") // None of the names should have a issuedNames row marking it as a renewal. 
- for _, name := range names { + for _, name := range testCert.DNSNames { assertIsRenewal(t, name, false) } + + // Make a new cert and add its FQDN set to the db so it will be considered a + // renewal + serial, testCert := test.ThrowAwayCert(t, fc) + err = addFQDNSet(ctx, sa.dbMap, testCert.DNSNames, serial, testCert.NotBefore, testCert.NotAfter) + test.AssertNotError(t, err, "Failed to add name set") + _, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + Issued: timestamppb.New(testCert.NotBefore), + RegID: reg.Id, + IssuerNameID: 1, + }) + test.AssertNotError(t, err, "Failed to add precertificate") + _, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{ + Der: testCert.Raw, + RegID: reg.Id, + Issued: timestamppb.New(testCert.NotBefore), + }) + test.AssertNotError(t, err, "Failed to add certificate") + + // All of the names should have a issuedNames row marking it as a renewal. + for _, name := range testCert.DNSNames { + assertIsRenewal(t, name, true) + } } func TestCountCertificatesRenewalBit(t *testing.T) { 
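Review bot: `serial, testCert := test.ThrowAwayCert(t, fc)` in the second half of TestAddCertificateRenewalBit redeclares `testCert` through `:=` (legal only because `serial` is new), so one identifier names two different certificates in the same function and the first cert is unreachable by the time the renewal assertions run. Name the second pair distinctly, e.g. `renewalSerial, renewalCert := test.ThrowAwayCert(t, fc)`, and use it in the AddPrecertificate/AddCertificate calls and the final loop. The "never-before-seen name" claim for the first cert relies on test.ThrowAwayCert producing a fresh name per call, which is presumably its contract but is worth stating in the comment. Minor: the added comment should read `// All of the names should have an issuedNames row marking it as a renewal.`, and the one above the FQDN-set block is missing its terminating period. The enclosing function begins in the previous hunk.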
diff --git a/sa/test-cert.der b/sa/test-cert.der deleted file mode 100644 index 37eb6b82a843b0d1b75b555f10dbf44cced22ecf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1157 zcmXqLVrevJV$NK^%*4pVB+T&t?(D86q1! z^L}4j*OT|}PQ)Mk?J^TrG3#t%W!%8T>^RNs^^TDGTe~{Dg4JtNRyQByixyg&^@TfC z#;%ovZByTV&6Q2NqCz)@2Y!+~ephI{KIb{USh1ZIC)1WFXaD@SQi^MSaO3~oOon!i zrDxYRuy!_Y(cpW|#LURRxVVXNJ1|5x8}I?cQI?;P@jnX-GZX6q16dGXl|{@zgpEU+ zjggg=otY8NVlvI6!Wo&v4|*5*kdQq;I(Jrp_1Zf`xX5bg--u(AP-Wk z%pzeR)*$k`!e8iTf@rhOeDQh{$<2CZuN*rKvS21NGP1-O#2Bc-_y&w^QW+&B1y=g{ zIr+(nIT`uIB~~T|21fe%$;AZ*MsRgZZED!m8R#b_=cejs78jSM7U?FZ7L^!SfgB^q zVr*d8gqdiX_{+=7kyB98J?NE`^0_Gf6-QTZC)&13@bma7Pxog(!s7@%*4pVB+T%Cff$>?HHl5HV^{^6yhYSK!VGxXIJMe5+P?ELGIFyr z7|0vS8c4G-hq5s9h-4%d6jUl?BqnF47Ad49W~VARI~vG|^BS5O8WL18C?MC& zzz_%_TmuP1F#{2>0m8hg6^Xe8IjMTd`Fcrt22G4g$hI-EGB7tW@-qO%xtN+585!m+ z{&-1#?bFCSvt`Q*rml34c(Pq3ZM%!tE&m#yZ+~BIyi%~!I`!b+8`CD%tMr_DGCTYP z?;)9#4FZ`{jD&ev=jt|3GRf-_pHnlX!Zc(~%JQWdJc0e|xnlM$>C5mxmCRBe)4x)A zj>*TXr*+w^IlC_&ENng=B=@Jo&2iI*Eh0>7+K;nmcw8~5c^`QLxKJjJNh0@1wHiRE9yPopv#)qc4&WCmH&xo=z z`*klf?c9ke8AVcZN2)gWt?6A7=#X&ls;q`pMRiT)bm?1+U*?zXS|Tk!+u384Q{{tS zp((LxVlMK$Ow5c7jEkEXrvgJ{q5&T;3}yKl8UM4eFf*|(FpvfDRaroR%c0H2$jZvj z%m`;O8SsFlg+a=h3>YAa`B=nQM9k*$2(Se0d~N@)>P67Y7nY0HMcp=#2Psx&kuVTz z5cyrS>g<04AfwJ1I9L~jFOT9D}DW({N%)( zjQrvfD-#0)BmMm3;sOIBxH_gbHEik(^b?bFQ}r{8i%V0BbdytyN(>}GjuB)LG~jPS zOEBsn8F>~3133ek1yTzn+QgtnBGOf^esWQcK{8080!xfRlmQnTTY4i8BNHPq6nxm2 zwU}89Tn&_9&SGK|!)iuBF)&P^!OFyBAj~7^lCKb+kyxS-l96Ak5T2P+f}C`L83mYh z85wqO**Rsp%=$%7^OPcPyWQyiZ6@3O=X$8(0mG6fg|AkA{;yX!A#!*488(MX&)n94 z@EW1&RV@qqDs}Ig?f0*4_s(^=c+sijV64THYx`7RSFmn8T$*ieTA;TjB37bpPuHh| z4sDmu1>}WFcnY7eTD9W-GcoQ9rcZQkdZp3M>DmF-gium!ujWyt0@< zdG|}E(_YIGCkU3mo#eN}?4-|uq`N#%ERVc-`A+s9%giM@yHD#aSFwrwa^L@ML4?xm zH9wa*Ba0RN5Dh@~U^o-}>;}+j(P=Y5ou4CN7OS!K-?IAFc|q Q_WSg1rdHM5nDezu0J8p#cmMzZ 
diff --git a/sa/www.eff.org.der b/sa/www.eff.org.der deleted file mode 100644 index 3b5f75b8c75d608b8a04de0959bc26b3b944dfac..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1975 zcmZ`)Ygp4}6mHU5kkTQxD|ZPX$SSm7kQN1pTq=r}F;+xSr-n2wkv1tw5bK=Ms@;^$ zd6^IFagTJ9IX7Vwoww<5itd6a?&_SII%Qr^LFR4DiA%VtKlUTflXJfJJ>NMe=ez+f zuU)_;-Q*F&5DbgqkRO3uI#lhR?7lCDpdmv#>X1eYs@*>q$9qsuKw8tW)A=;&EbR5HVeDuBO$^H%s|Vph^jGZcvp zl;_2lhfzotgHbri;xrl$Mhjpc#mI?P0_PZ-B60qhrZ|#MEQ>CqOc+PfR2-i;u0fSx zcwd3C^73*GVK!@M#)5`|;KAk&g;etLVwz;r`cHuij(oED&=8T>1^bD3zYpw!A<_36 zcEM-HRRy7OubMiGVjR^OsjFn|R?p7T>CZ;@RF`kK_GCx6J5lHF?YOX6-~5&Z&9Ao&`{Ke{ zw7#bDVQXq*{Ju9kYb!3zJGLmlV8X_W=YE;7MR`1+Qbn~EXJ?o?bQc}*?i2OtGsCJz zRi4?q)$?io)G3bws+7CF4cl%pk4>Kbotizob#r_4m)4%ZQ$4rQoRDIKBj(0VG#oEI za3G_=9G+WU(Wd@jZSHzs>t*XQe*i7`w!e?99I@Z08nrTQwfDWA^x!hq`B1g^pKk;g%fTc`xSIeRo>&f80N;;v@X4MD0*a}HwYKlQIbHQs!;l$jhgr{uVq0gy<)Za zbmM(U8{-CQ0pKr*0uin!N89DqKgF)0>Va_wE+}6>BN7)hoj0<9w^V9z`tm}3!&ID4{IE36MI2o1|xH8^e4+G#6^J2ZBa8946`5@6tL z2cuNTV>uaA9eyd1^fIoPW=PHfc%6fSosD_LB#YpK7y>EBScGKRGQxylI8HMrUZxO^ zMz~@E8IY!YUMBjs9ASvkGLj)|1jVrkZSI9VzB?W1%QB9~SxH_(2!y7r4usd3UL?tD z8)f3JvX?P-nk5jDLipP31K7TJJl7#)VdtxNAas$HwDd|0s{uNpui+96hy!X*tS81j zvcFw8V|}_^IKw5x3ts*K&NTxKgCL3136_Cz0}cSW^qF-V2o`hF@#Vox)L7PDHOuj%7!`uG|g;}haQlu*ZT39pOp!2kQ;Pii9nLlV0n zNOb&aVqs5#^pCE*&kAyMvs=`bw@T+kYD@egDqgr#I4ke!gx_15jYnSapZ3i9tLoqp zT{a5(;mTo|@0G@e)RhlUSAXu?v^inT+Tu@8f7wpZRGSPICP(JKTX~%=pEPAdNz4BC zPaf(tUQOKe-Y?k`j8jjlR#mr4&D}vqPpqDk-Zc636SITL7eAV`m(J;lc^3&HQukk} zw7ZY`+wT2dXV5Q_w2PF^fPjSIlXfiKHd3>&+r0dBHT2=9FTbhpNa(bEz>%