CA: Factor OCSP generation & certificate storage into reusable function. (#2958)

This new function will be shared by both IssueCertificate and
IssueCertificateForPrecertificate.
This commit is contained in:
Brian Smith 2017-08-11 12:55:28 -10:00 committed by Roland Bracewell Shoemaker
parent 90ba766af9
commit 84ce8f3729
1 changed files with 32 additions and 38 deletions

View File

@ -32,7 +32,6 @@ import (
corePB "github.com/letsencrypt/boulder/core/proto"
csrlib "github.com/letsencrypt/boulder/csr"
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/features"
"github.com/letsencrypt/boulder/goodkey"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
@ -404,7 +403,6 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
if issueReq.RegistrationID == nil {
return emptyCert, berrors.InternalServerError("RegistrationID is nil")
}
regID := *issueReq.RegistrationID
notAfter, serialBigInt, err := ca.generateNotAfterAndSerialNumber()
if err != nil {
@ -416,42 +414,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
return emptyCert, err
}
cert := core.Certificate{
DER: certDER,
}
var ocspResp []byte
if features.Enabled(features.GenerateOCSPEarly) {
ocspResp, err = ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
CertDER: certDER,
Status: "good",
})
if err != nil {
err = berrors.InternalServerError(err.Error())
ca.log.AuditInfo(fmt.Sprintf("OCSP Signing failure: serial=[%s] err=[%s]", core.SerialToString(serialBigInt), err))
// Ignore errors here to avoid orphaning the certificate. The
// ocsp-updater will look for certs with a zero ocspLastUpdated
// and generate the initial response in this case.
}
}
// Store the cert with the certificate authority, if provided
_, err = ca.sa.AddCertificate(ctx, certDER, regID, ocspResp)
if err != nil {
err = berrors.InternalServerError(err.Error())
// Note: This log line is parsed by cmd/orphan-finder. If you make any
// changes here, you should make sure they are reflected in orphan-finder.
ca.log.AuditErr(fmt.Sprintf(
"Failed RPC to store at SA, orphaning certificate: serial=[%s] cert=[%s] err=[%v], regID=[%d]",
core.SerialToString(serialBigInt),
hex.EncodeToString(certDER),
err,
regID,
))
return emptyCert, err
}
return cert, nil
return ca.generateOCSPAndStoreCertificate(ctx, *issueReq.RegistrationID, serialBigInt, certDER)
}
func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error) {
@ -601,3 +564,34 @@ func (ca *CertificateAuthorityImpl) issueCertificateOrPrecertificate(ctx context
return certDER, nil
}
func (ca *CertificateAuthorityImpl) generateOCSPAndStoreCertificate(ctx context.Context, regID int64, serialBigInt *big.Int, certDER []byte) (core.Certificate, error) {
ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
CertDER: certDER,
Status: "good",
})
if err != nil {
err = berrors.InternalServerError(err.Error())
ca.log.AuditInfo(fmt.Sprintf("OCSP Signing failure: serial=[%s] err=[%s]", core.SerialToString(serialBigInt), err))
// Ignore errors here to avoid orphaning the certificate. The
// ocsp-updater will look for certs with a zero ocspLastUpdated
// and generate the initial response in this case.
}
_, err = ca.sa.AddCertificate(ctx, certDER, regID, ocspResp)
if err != nil {
err = berrors.InternalServerError(err.Error())
// Note: This log line is parsed by cmd/orphan-finder. If you make any
// changes here, you should make sure they are reflected in orphan-finder.
ca.log.AuditErr(fmt.Sprintf(
"Failed RPC to store at SA, orphaning certificate: serial=[%s] cert=[%s] err=[%v], regID=[%d]",
core.SerialToString(serialBigInt),
hex.EncodeToString(certDER),
err,
regID,
))
return core.Certificate{}, err
}
return core.Certificate{DER: certDER}, nil
}