ca: unexport IssuePrecertificate and IssueCertificateForPrecertificate (#8092)

These methods are still preserved as-is for now, and still take proto
messages as arguments. But they are not exported as RPCs. Refactoring
the arguments will be a followup PR.

Part of #8039

ca/ca.go

@@ -295,7 +295,7 @@ var ocspStatusToCode = map[string]int{
 	"unknown": ocsp.Unknown,
 }
 
-// IssuePrecertificate is the first step in the [issuance cycle]. It allocates and stores a serial number,
+// issuePrecertificate is the first step in the [issuance cycle]. It allocates and stores a serial number,
 // selects a certificate profile, generates and stores a linting certificate, sets the serial's status to
 // "wait", signs and stores a precertificate, updates the serial's status to "good", then returns the
 // precertificate.
@@ -305,7 +305,7 @@ var ocspStatusToCode = map[string]int{
 // the configuration for a specific profile _name_ changes.
 //
 // [issuance cycle]: https://github.com/letsencrypt/boulder/blob/main/docs/ISSUANCE-CYCLE.md
-func (ca *certificateAuthorityImpl) IssuePrecertificate(ctx context.Context, issueReq *capb.IssueCertificateRequest) (*capb.IssuePrecertificateResponse, error) {
+func (ca *certificateAuthorityImpl) issuePrecertificate(ctx context.Context, issueReq *capb.IssueCertificateRequest) (*capb.IssuePrecertificateResponse, error) {
 	// issueReq.orderID may be zero, for ACMEv1 requests.
 	if core.IsAnyNilOrZero(issueReq, issueReq.Csr, issueReq.RegistrationID, issueReq.CertProfileName) {
 		return nil, berrors.InternalServerError("Incomplete issue certificate request")
@@ -360,7 +360,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 	if ca.sctClient == nil {
 		return nil, errors.New("IssueCertificate called with a nil SCT service")
 	}
-	precert, err := ca.IssuePrecertificate(ctx, issueReq)
+	precert, err := ca.issuePrecertificate(ctx, issueReq)
 	if err != nil {
 		return nil, err
 	}
@@ -368,7 +368,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 	if err != nil {
 		return nil, err
 	}
-	cert, err := ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+	cert, err := ca.issueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
 		DER:             precert.DER,
 		SCTs:            scts.SctDER,
 		RegistrationID:  issueReq.RegistrationID,
@@ -381,7 +381,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 	return &capb.IssueCertificateResponse{DER: cert.Der}, nil
 }
 
-// IssueCertificateForPrecertificate final step in the [issuance cycle].
+// issueCertificateForPrecertificate final step in the [issuance cycle].
 //
 // Given a precertificate and a set of SCTs for that precertificate, it generates
 // a linting final certificate, then signs a final certificate using a real issuer.
@@ -391,10 +391,10 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 //
 // It's critical not to sign two different final certificates for the same
 // precertificate. This can happen, for instance, if the caller provides a
-// different set of SCTs on subsequent calls to  IssueCertificateForPrecertificate.
+// different set of SCTs on subsequent calls to  issueCertificateForPrecertificate.
-// We rely on the RA not to call IssueCertificateForPrecertificate twice for the
+// We rely on the RA not to call issueCertificateForPrecertificate twice for the
 // same serial. This is accomplished by the fact that
-// IssueCertificateForPrecertificate is only ever called in a straight-through
+// issueCertificateForPrecertificate is only ever called in a straight-through
 // RPC path without retries. If there is any error, including a networking
 // error, the whole certificate issuance attempt fails and any subsequent
 // issuance will use a different serial number.
@@ -405,7 +405,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 // serial number at the same time.
 //
 // [issuance cycle]: https://github.com/letsencrypt/boulder/blob/main/docs/ISSUANCE-CYCLE.md
-func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx context.Context, req *capb.IssueCertificateForPrecertificateRequest) (*corepb.Certificate, error) {
+func (ca *certificateAuthorityImpl) issueCertificateForPrecertificate(ctx context.Context, req *capb.IssueCertificateForPrecertificateRequest) (*corepb.Certificate, error) {
 	// issueReq.orderID may be zero, for ACMEv1 requests.
 	if core.IsAnyNilOrZero(req, req.DER, req.SCTs, req.RegistrationID, req.CertProfileHash) {
 		return nil, berrors.InternalServerError("Incomplete cert for precertificate request")

ca/ca_test.go

@@ -335,7 +335,7 @@ func TestIssuePrecertificate(t *testing.T) {
 				issueReq := &capb.IssueCertificateRequest{Csr: testCase.csr, RegistrationID: arbitraryRegID, CertProfileName: "legacy"}
 
 				var certDER []byte
-				response, err := ca.IssuePrecertificate(ctx, issueReq)
+				response, err := ca.issuePrecertificate(ctx, issueReq)
 				test.AssertNotError(t, err, "Failed to issue precertificate")
 				certDER = response.DER
 
@@ -446,7 +446,7 @@ func TestMultipleIssuers(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to remake CA")
 
 	// Test that an RSA CSR gets issuance from an RSA issuer.
-	issuedCert, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
+	issuedCert, err := ca.issuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
 	test.AssertNotError(t, err, "Failed to issue certificate")
 	cert, err := x509.ParseCertificate(issuedCert.DER)
 	test.AssertNotError(t, err, "Certificate failed to parse")
@@ -462,7 +462,7 @@ func TestMultipleIssuers(t *testing.T) {
 	test.AssertMetricWithLabelsEquals(t, ca.metrics.signatureCount, prometheus.Labels{"purpose": "precertificate", "status": "success"}, 1)
 
 	// Test that an ECDSA CSR gets issuance from an ECDSA issuer.
-	issuedCert, err = ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
+	issuedCert, err = ca.issuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
 	test.AssertNotError(t, err, "Failed to issue certificate")
 	cert, err = x509.ParseCertificate(issuedCert.DER)
 	test.AssertNotError(t, err, "Certificate failed to parse")
@@ -531,7 +531,7 @@ func TestUnpredictableIssuance(t *testing.T) {
 	seenE2 := false
 	seenR3 := false
 	for i := 0; i < 20; i++ {
-		result, err := ca.IssuePrecertificate(ctx, req)
+		result, err := ca.issuePrecertificate(ctx, req)
 		test.AssertNotError(t, err, "Failed to issue test certificate")
 		cert, err := x509.ParseCertificate(result.DER)
 		test.AssertNotError(t, err, "Failed to parse test certificate")
@@ -712,7 +712,7 @@ func TestInvalidCSRs(t *testing.T) {
 			t.Parallel()
 			serializedCSR := mustRead(testCase.csrPath)
 			issueReq := &capb.IssueCertificateRequest{Csr: serializedCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"}
-			_, err = ca.IssuePrecertificate(ctx, issueReq)
+			_, err = ca.issuePrecertificate(ctx, issueReq)
 
 			test.AssertErrorIs(t, err, testCase.errorType)
 			test.AssertMetricWithLabelsEquals(t, ca.metrics.signatureCount, prometheus.Labels{"purpose": "cert"}, 0)
@@ -748,7 +748,7 @@ func TestRejectValidityTooLong(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to create CA")
 
 	// Test that the CA rejects CSRs that would expire after the intermediate cert
-	_, err = ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
+	_, err = ca.issuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
 	test.AssertError(t, err, "Cannot issue a certificate that expires after the intermediate certificate")
 	test.AssertErrorIs(t, err, berrors.InternalServer)
 }
@@ -841,7 +841,7 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to create CA")
 
 	issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, OrderID: 0, CertProfileName: "legacy"}
-	precert, err := ca.IssuePrecertificate(ctx, &issueReq)
+	precert, err := ca.issuePrecertificate(ctx, &issueReq)
 	test.AssertNotError(t, err, "Failed to issue precert")
 	parsedPrecert, err := x509.ParseCertificate(precert.DER)
 	test.AssertNotError(t, err, "Failed to parse precert")
@@ -860,7 +860,7 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
 	}
 
 	test.AssertNotError(t, err, "Failed to marshal SCT")
-	cert, err := ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+	cert, err := ca.issueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
 		DER:             precert.DER,
 		SCTs:            sctBytes,
 		RegistrationID:  arbitraryRegID,
@@ -912,7 +912,7 @@ func TestIssueCertificateForPrecertificateWithSpecificCertificateProfile(t *test
 		OrderID:         0,
 		CertProfileName: selectedProfile,
 	}
-	precert, err := ca.IssuePrecertificate(ctx, &issueReq)
+	precert, err := ca.issuePrecertificate(ctx, &issueReq)
 	test.AssertNotError(t, err, "Failed to issue precert")
 	parsedPrecert, err := x509.ParseCertificate(precert.DER)
 	test.AssertNotError(t, err, "Failed to parse precert")
@@ -931,7 +931,7 @@ func TestIssueCertificateForPrecertificateWithSpecificCertificateProfile(t *test
 	}
 
 	test.AssertNotError(t, err, "Failed to marshal SCT")
-	cert, err := ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+	cert, err := ca.issueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
 		DER:             precert.DER,
 		SCTs:            sctBytes,
 		RegistrationID:  arbitraryRegID,
@@ -1024,10 +1024,10 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
 	}
 
 	issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, OrderID: 0, CertProfileName: "legacy"}
-	precert, err := ca.IssuePrecertificate(ctx, &issueReq)
+	precert, err := ca.issuePrecertificate(ctx, &issueReq)
 	test.AssertNotError(t, err, "Failed to issue precert")
 	test.AssertMetricWithLabelsEquals(t, ca.metrics.signatureCount, prometheus.Labels{"purpose": "precertificate", "status": "success"}, 1)
-	_, err = ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+	_, err = ca.issueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
 		DER:             precert.DER,
 		SCTs:            sctBytes,
 		RegistrationID:  arbitraryRegID,
@@ -1061,7 +1061,7 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
 		testCtx.fc)
 	test.AssertNotError(t, err, "Failed to create CA")
 
-	_, err = errorca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+	_, err = errorca.issueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
 		DER:             precert.DER,
 		SCTs:            sctBytes,
 		RegistrationID:  arbitraryRegID,

ca/ocsp_test.go

@@ -46,7 +46,7 @@ func TestOCSP(t *testing.T) {
 
 	// Issue a certificate from an RSA issuer, request OCSP from the same issuer,
 	// and make sure it works.
-	rsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
+	rsaCertPB, err := ca.issuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
 	test.AssertNotError(t, err, "Failed to issue certificate")
 	rsaCert, err := x509.ParseCertificate(rsaCertPB.DER)
 	test.AssertNotError(t, err, "Failed to parse rsaCert")
@@ -69,7 +69,7 @@ func TestOCSP(t *testing.T) {
 
 	// Issue a certificate from an ECDSA issuer, request OCSP from the same issuer,
 	// and make sure it works.
-	ecdsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
+	ecdsaCertPB, err := ca.issuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID, CertProfileName: "legacy"})
 	test.AssertNotError(t, err, "Failed to issue certificate")
 	ecdsaCert, err := x509.ParseCertificate(ecdsaCertPB.DER)
 	test.AssertNotError(t, err, "Failed to parse ecdsaCert")

ca/proto/ca.pb.go

@@ -692,20 +692,8 @@ var file_ca_proto_rawDesc = []byte{
 	0x72, 0x64, 0x49, 0x64, 0x78, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x22, 0x2b, 0x0a, 0x13, 0x47,
 	0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
 	0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0c, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x32, 0xa6, 0x02, 0x0a, 0x14, 0x43, 0x65, 0x72,
+	0x0c, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x32, 0x67, 0x0a, 0x14, 0x43, 0x65, 0x72, 0x74,
-	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79,
-	0x79, 0x12, 0x55, 0x0a, 0x13, 0x49, 0x73, 0x73, 0x75, 0x65, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72,
-	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73,
-	0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65,
-	0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x66, 0x0a, 0x21, 0x49, 0x73, 0x73, 0x75,
-	0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x46, 0x6f, 0x72, 0x50,
-	0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x2e,
-	0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
-	0x61, 0x74, 0x65, 0x46, 0x6f, 0x72, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
-	0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x63, 0x6f,
-	0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x00,
 	0x12, 0x4f, 0x0a, 0x10, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
 	0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43,
 	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
@@ -752,25 +740,20 @@ var file_ca_proto_goTypes = []interface{}{
 	(*GenerateCRLResponse)(nil),                      // 8: ca.GenerateCRLResponse
 	(*timestamppb.Timestamp)(nil),                    // 9: google.protobuf.Timestamp
 	(*proto.CRLEntry)(nil),                           // 10: core.CRLEntry
-	(*proto.Certificate)(nil),                        // 11: core.Certificate
 }
 var file_ca_proto_depIdxs = []int32{
 	9,  // 0: ca.GenerateOCSPRequest.revokedAt:type_name -> google.protobuf.Timestamp
 	7,  // 1: ca.GenerateCRLRequest.metadata:type_name -> ca.CRLMetadata
 	10, // 2: ca.GenerateCRLRequest.entry:type_name -> core.CRLEntry
 	9,  // 3: ca.CRLMetadata.thisUpdate:type_name -> google.protobuf.Timestamp
-	0,  // 4: ca.CertificateAuthority.IssuePrecertificate:input_type -> ca.IssueCertificateRequest
+	0,  // 4: ca.CertificateAuthority.IssueCertificate:input_type -> ca.IssueCertificateRequest
-	3,  // 5: ca.CertificateAuthority.IssueCertificateForPrecertificate:input_type -> ca.IssueCertificateForPrecertificateRequest
+	4,  // 5: ca.OCSPGenerator.GenerateOCSP:input_type -> ca.GenerateOCSPRequest
-	0,  // 6: ca.CertificateAuthority.IssueCertificate:input_type -> ca.IssueCertificateRequest
+	6,  // 6: ca.CRLGenerator.GenerateCRL:input_type -> ca.GenerateCRLRequest
-	4,  // 7: ca.OCSPGenerator.GenerateOCSP:input_type -> ca.GenerateOCSPRequest
+	1,  // 7: ca.CertificateAuthority.IssueCertificate:output_type -> ca.IssueCertificateResponse
-	6,  // 8: ca.CRLGenerator.GenerateCRL:input_type -> ca.GenerateCRLRequest
+	5,  // 8: ca.OCSPGenerator.GenerateOCSP:output_type -> ca.OCSPResponse
-	2,  // 9: ca.CertificateAuthority.IssuePrecertificate:output_type -> ca.IssuePrecertificateResponse
+	8,  // 9: ca.CRLGenerator.GenerateCRL:output_type -> ca.GenerateCRLResponse
-	11, // 10: ca.CertificateAuthority.IssueCertificateForPrecertificate:output_type -> core.Certificate
+	7,  // [7:10] is the sub-list for method output_type
-	1,  // 11: ca.CertificateAuthority.IssueCertificate:output_type -> ca.IssueCertificateResponse
+	4,  // [4:7] is the sub-list for method input_type
-	5,  // 12: ca.OCSPGenerator.GenerateOCSP:output_type -> ca.OCSPResponse
-	8,  // 13: ca.CRLGenerator.GenerateCRL:output_type -> ca.GenerateCRLResponse
-	9,  // [9:14] is the sub-list for method output_type
-	4,  // [4:9] is the sub-list for method input_type
 	4,  // [4:4] is the sub-list for extension type_name
 	4,  // [4:4] is the sub-list for extension extendee
 	0,  // [0:4] is the sub-list for field type_name

ca/proto/ca.proto

@@ -8,8 +8,6 @@ import "google/protobuf/timestamp.proto";
 
 // CertificateAuthority issues certificates.
 service CertificateAuthority {
-  rpc IssuePrecertificate(IssueCertificateRequest) returns (IssuePrecertificateResponse) {}
-  rpc IssueCertificateForPrecertificate(IssueCertificateForPrecertificateRequest) returns (core.Certificate) {}
   // IssueCertificate issues a precertificate, gets SCTs, issues a certificate, and returns that.
   rpc IssueCertificate(IssueCertificateRequest) returns (IssueCertificateResponse) {}
 }

ca/proto/ca_grpc.pb.go

@@ -8,7 +8,6 @@ package proto
 
 import (
 	context "context"
-	proto "github.com/letsencrypt/boulder/core/proto"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -20,17 +19,13 @@ import (
 const _ = grpc.SupportPackageIsVersion9
 
 const (
-	CertificateAuthority_IssuePrecertificate_FullMethodName               = "/ca.CertificateAuthority/IssuePrecertificate"
+	CertificateAuthority_IssueCertificate_FullMethodName = "/ca.CertificateAuthority/IssueCertificate"
-	CertificateAuthority_IssueCertificateForPrecertificate_FullMethodName = "/ca.CertificateAuthority/IssueCertificateForPrecertificate"
-	CertificateAuthority_IssueCertificate_FullMethodName                  = "/ca.CertificateAuthority/IssueCertificate"
 )
 
 // CertificateAuthorityClient is the client API for CertificateAuthority service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type CertificateAuthorityClient interface {
-	IssuePrecertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*IssuePrecertificateResponse, error)
-	IssueCertificateForPrecertificate(ctx context.Context, in *IssueCertificateForPrecertificateRequest, opts ...grpc.CallOption) (*proto.Certificate, error)
 	// IssueCertificate issues a precertificate, gets SCTs, issues a certificate, and returns that.
 	IssueCertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*IssueCertificateResponse, error)
 }
@@ -43,26 +38,6 @@ func NewCertificateAuthorityClient(cc grpc.ClientConnInterface) CertificateAutho
 	return &certificateAuthorityClient{cc}
 }
 
-func (c *certificateAuthorityClient) IssuePrecertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*IssuePrecertificateResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(IssuePrecertificateResponse)
-	err := c.cc.Invoke(ctx, CertificateAuthority_IssuePrecertificate_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *certificateAuthorityClient) IssueCertificateForPrecertificate(ctx context.Context, in *IssueCertificateForPrecertificateRequest, opts ...grpc.CallOption) (*proto.Certificate, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(proto.Certificate)
-	err := c.cc.Invoke(ctx, CertificateAuthority_IssueCertificateForPrecertificate_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *certificateAuthorityClient) IssueCertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*IssueCertificateResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(IssueCertificateResponse)
@@ -77,8 +52,6 @@ func (c *certificateAuthorityClient) IssueCertificate(ctx context.Context, in *I
 // All implementations must embed UnimplementedCertificateAuthorityServer
 // for forward compatibility
 type CertificateAuthorityServer interface {
-	IssuePrecertificate(context.Context, *IssueCertificateRequest) (*IssuePrecertificateResponse, error)
-	IssueCertificateForPrecertificate(context.Context, *IssueCertificateForPrecertificateRequest) (*proto.Certificate, error)
 	// IssueCertificate issues a precertificate, gets SCTs, issues a certificate, and returns that.
 	IssueCertificate(context.Context, *IssueCertificateRequest) (*IssueCertificateResponse, error)
 	mustEmbedUnimplementedCertificateAuthorityServer()
@@ -88,12 +61,6 @@ type CertificateAuthorityServer interface {
 type UnimplementedCertificateAuthorityServer struct {
 }
 
-func (UnimplementedCertificateAuthorityServer) IssuePrecertificate(context.Context, *IssueCertificateRequest) (*IssuePrecertificateResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method IssuePrecertificate not implemented")
-}
-func (UnimplementedCertificateAuthorityServer) IssueCertificateForPrecertificate(context.Context, *IssueCertificateForPrecertificateRequest) (*proto.Certificate, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method IssueCertificateForPrecertificate not implemented")
-}
 func (UnimplementedCertificateAuthorityServer) IssueCertificate(context.Context, *IssueCertificateRequest) (*IssueCertificateResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method IssueCertificate not implemented")
 }
@@ -110,42 +77,6 @@ func RegisterCertificateAuthorityServer(s grpc.ServiceRegistrar, srv Certificate
 	s.RegisterService(&CertificateAuthority_ServiceDesc, srv)
 }
 
-func _CertificateAuthority_IssuePrecertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(IssueCertificateRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(CertificateAuthorityServer).IssuePrecertificate(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: CertificateAuthority_IssuePrecertificate_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(CertificateAuthorityServer).IssuePrecertificate(ctx, req.(*IssueCertificateRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _CertificateAuthority_IssueCertificateForPrecertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(IssueCertificateForPrecertificateRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(CertificateAuthorityServer).IssueCertificateForPrecertificate(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: CertificateAuthority_IssueCertificateForPrecertificate_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(CertificateAuthorityServer).IssueCertificateForPrecertificate(ctx, req.(*IssueCertificateForPrecertificateRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _CertificateAuthority_IssueCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(IssueCertificateRequest)
 	if err := dec(in); err != nil {
@@ -171,14 +102,6 @@ var CertificateAuthority_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "ca.CertificateAuthority",
 	HandlerType: (*CertificateAuthorityServer)(nil),
 	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "IssuePrecertificate",
-			Handler:    _CertificateAuthority_IssuePrecertificate_Handler,
-		},
-		{
-			MethodName: "IssueCertificateForPrecertificate",
-			Handler:    _CertificateAuthority_IssueCertificateForPrecertificate_Handler,
-		},
 		{
 			MethodName: "IssueCertificate",
 			Handler:    _CertificateAuthority_IssueCertificate_Handler,

mocks/ca.go

@@ -23,11 +23,11 @@ type MockCA struct {
 
 // IssueCertificate is a mock
 func (ca *MockCA) IssueCertificate(ctx context.Context, req *capb.IssueCertificateRequest, _ ...grpc.CallOption) (*capb.IssueCertificateResponse, error) {
-	precert, err := ca.IssuePrecertificate(ctx, req)
+	precert, err := ca.issuePrecertificate(ctx, req)
 	if err != nil {
 		return nil, err
 	}
-	cert, err := ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
+	cert, err := ca.issueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
 		DER:             precert.DER,
 		SCTs:            nil,
 		RegistrationID:  req.RegistrationID,
@@ -40,8 +40,8 @@ func (ca *MockCA) IssueCertificate(ctx context.Context, req *capb.IssueCertifica
 	return &capb.IssueCertificateResponse{DER: cert.Der}, nil
 }
 
-// IssuePrecertificate is a mock
+// issuePrecertificate is a mock
-func (ca *MockCA) IssuePrecertificate(ctx context.Context, req *capb.IssueCertificateRequest, _ ...grpc.CallOption) (*capb.IssuePrecertificateResponse, error) {
+func (ca *MockCA) issuePrecertificate(_ context.Context, req *capb.IssueCertificateRequest, _ ...grpc.CallOption) (*capb.IssuePrecertificateResponse, error) {
 	if ca.PEM == nil {
 		return nil, fmt.Errorf("MockCA's PEM field must be set before calling IssueCertificate")
 	}
@@ -58,8 +58,8 @@ func (ca *MockCA) IssuePrecertificate(ctx context.Context, req *capb.IssueCertif
 	}, nil
 }
 
-// IssueCertificateForPrecertificate is a mock
+// issueCertificateForPrecertificate is a mock
-func (ca *MockCA) IssueCertificateForPrecertificate(ctx context.Context, req *capb.IssueCertificateForPrecertificateRequest, _ ...grpc.CallOption) (*corepb.Certificate, error) {
+func (ca *MockCA) issueCertificateForPrecertificate(_ context.Context, req *capb.IssueCertificateForPrecertificateRequest, _ ...grpc.CallOption) (*corepb.Certificate, error) { //nolint:unparam // `error` is always nil
 	now := time.Now()
 	expires := now.Add(1 * time.Hour)