CA: Factor OCSP generation & certificate storage into reusable function. (#2958)
This new function will be shared by both IssueCertificate and IssueCertificateForPrecertificate.
This commit is contained in:
parent
90ba766af9
commit
84ce8f3729
70
ca/ca.go
70
ca/ca.go
|
@ -32,7 +32,6 @@ import (
|
|||
corePB "github.com/letsencrypt/boulder/core/proto"
|
||||
csrlib "github.com/letsencrypt/boulder/csr"
|
||||
berrors "github.com/letsencrypt/boulder/errors"
|
||||
"github.com/letsencrypt/boulder/features"
|
||||
"github.com/letsencrypt/boulder/goodkey"
|
||||
blog "github.com/letsencrypt/boulder/log"
|
||||
"github.com/letsencrypt/boulder/metrics"
|
||||
|
@ -404,7 +403,6 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
|
|||
if issueReq.RegistrationID == nil {
|
||||
return emptyCert, berrors.InternalServerError("RegistrationID is nil")
|
||||
}
|
||||
regID := *issueReq.RegistrationID
|
||||
|
||||
notAfter, serialBigInt, err := ca.generateNotAfterAndSerialNumber()
|
||||
if err != nil {
|
||||
|
@ -416,42 +414,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
|
|||
return emptyCert, err
|
||||
}
|
||||
|
||||
cert := core.Certificate{
|
||||
DER: certDER,
|
||||
}
|
||||
|
||||
var ocspResp []byte
|
||||
if features.Enabled(features.GenerateOCSPEarly) {
|
||||
ocspResp, err = ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
|
||||
CertDER: certDER,
|
||||
Status: "good",
|
||||
})
|
||||
if err != nil {
|
||||
err = berrors.InternalServerError(err.Error())
|
||||
ca.log.AuditInfo(fmt.Sprintf("OCSP Signing failure: serial=[%s] err=[%s]", core.SerialToString(serialBigInt), err))
|
||||
// Ignore errors here to avoid orphaning the certificate. The
|
||||
// ocsp-updater will look for certs with a zero ocspLastUpdated
|
||||
// and generate the initial response in this case.
|
||||
}
|
||||
}
|
||||
|
||||
// Store the cert with the certificate authority, if provided
|
||||
_, err = ca.sa.AddCertificate(ctx, certDER, regID, ocspResp)
|
||||
if err != nil {
|
||||
err = berrors.InternalServerError(err.Error())
|
||||
// Note: This log line is parsed by cmd/orphan-finder. If you make any
|
||||
// changes here, you should make sure they are reflected in orphan-finder.
|
||||
ca.log.AuditErr(fmt.Sprintf(
|
||||
"Failed RPC to store at SA, orphaning certificate: serial=[%s] cert=[%s] err=[%v], regID=[%d]",
|
||||
core.SerialToString(serialBigInt),
|
||||
hex.EncodeToString(certDER),
|
||||
err,
|
||||
regID,
|
||||
))
|
||||
return emptyCert, err
|
||||
}
|
||||
|
||||
return cert, nil
|
||||
return ca.generateOCSPAndStoreCertificate(ctx, *issueReq.RegistrationID, serialBigInt, certDER)
|
||||
}
|
||||
|
||||
func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error) {
|
||||
|
@ -601,3 +564,34 @@ func (ca *CertificateAuthorityImpl) issueCertificateOrPrecertificate(ctx context
|
|||
|
||||
return certDER, nil
|
||||
}
|
||||
|
||||
func (ca *CertificateAuthorityImpl) generateOCSPAndStoreCertificate(ctx context.Context, regID int64, serialBigInt *big.Int, certDER []byte) (core.Certificate, error) {
|
||||
ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
|
||||
CertDER: certDER,
|
||||
Status: "good",
|
||||
})
|
||||
if err != nil {
|
||||
err = berrors.InternalServerError(err.Error())
|
||||
ca.log.AuditInfo(fmt.Sprintf("OCSP Signing failure: serial=[%s] err=[%s]", core.SerialToString(serialBigInt), err))
|
||||
// Ignore errors here to avoid orphaning the certificate. The
|
||||
// ocsp-updater will look for certs with a zero ocspLastUpdated
|
||||
// and generate the initial response in this case.
|
||||
}
|
||||
|
||||
_, err = ca.sa.AddCertificate(ctx, certDER, regID, ocspResp)
|
||||
if err != nil {
|
||||
err = berrors.InternalServerError(err.Error())
|
||||
// Note: This log line is parsed by cmd/orphan-finder. If you make any
|
||||
// changes here, you should make sure they are reflected in orphan-finder.
|
||||
ca.log.AuditErr(fmt.Sprintf(
|
||||
"Failed RPC to store at SA, orphaning certificate: serial=[%s] cert=[%s] err=[%v], regID=[%d]",
|
||||
core.SerialToString(serialBigInt),
|
||||
hex.EncodeToString(certDER),
|
||||
err,
|
||||
regID,
|
||||
))
|
||||
return core.Certificate{}, err
|
||||
}
|
||||
|
||||
return core.Certificate{DER: certDER}, nil
|
||||
}
|
||||
|
|
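Review bot: The new generateOCSPAndStoreCertificate in the last hunk calls GenerateOCSP unconditionally, whereas the block it replaces in IssueCertificate (the -416 hunk) ran it only under `features.Enabled(features.GenerateOCSPEarly)`, and the -32 hunk appears to drop the features import to match; if retiring that gate is intended it should be stated in the commit message, since it is a behaviour change inside what is described as a pure refactor, and if not the check should be restored around the GenerateOCSP call. The function also has no doc comment, and its contract matters to both callers: by the time it runs the certificate has already been signed, an OCSP signing failure is deliberately tolerated and the certificate is stored with an empty response for ocsp-updater to backfill, and an SA failure returns an error even though a signed certificate now exists, which is why the audit line parsed by orphan-finder is emitted there. Suggest `// generateOCSPAndStoreCertificate signs an initial "good" OCSP response for certDER and stores both with the SA. An OCSP signing failure is audit-logged and tolerated (ocsp-updater backfills it); an SA failure is audit-logged for orphan-finder and returned even though the certificate has already been issued.` above the function.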