SA: Update RPC interface to proto3 (#5043)

One slightly surprising / interesting thing: Since core types like Order and Registration are still proto2 and have pointer fields, there are actually some places in this PR where I had to add a `*` rather than delete an `&`, because I was taking a pointer field from one of those core types and passing it as a field in an SA RPC request. Fixes #5037.
2020-08-25 10:28:41 -07:00 · 2020-08-25 10:28:41 -07:00 · 8dd386b6bc
parent 8685e7aec2
commit 8dd386b6bc
23 changed files with 695 additions and 773 deletions
--- a/ca/ca.go
+++ b/ca/ca.go
@ -545,10 +545,10 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 	nowNanos := ca.clk.Now().UnixNano()
 	expiresNanos := validity.NotAfter.UnixNano()
 	_, err = ca.sa.AddSerial(ctx, &sapb.AddSerialRequest{
-		Serial:  &serialHex,
-		RegID:   &regID,
-		Created: &nowNanos,
-		Expires: &expiresNanos,
+		Serial:  serialHex,
+		RegID:   regID,
+		Created: nowNanos,
+		Expires: expiresNanos,
 	})
 	if err != nil {
 		return nil, err
@ -571,15 +571,15 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss

 	req := &sapb.AddCertificateRequest{
 		Der:    precertDER,
-		RegID:  &regID,
+		RegID:  regID,
 		Ocsp:   ocspResp.Response,
-		Issued: &nowNanos,
+		Issued: nowNanos,
 	}

 	// we currently only use one issuer, in the future when we support multiple
 	// the issuer will need to be derived from issueReq
 	issuerID := idForIssuer(ca.defaultIssuer.cert)
-	req.IssuerID = &issuerID
+	req.IssuerID = issuerID

 	_, err = ca.sa.AddPrecertificate(ctx, req)
 	if err != nil {
@ -949,9 +949,9 @@ func (ca *CertificateAuthorityImpl) integrateOrphan() error {
 		issuedNanos := issued.UnixNano()
 		_, err = ca.sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
 			Der:    orphan.DER,
-			RegID:  &orphan.RegID,
+			RegID:  orphan.RegID,
 			Ocsp:   orphan.OCSPResp,
-			Issued: &issuedNanos,
+			Issued: issuedNanos,
 		})
 		if err != nil && !berrors.Is(err, berrors.Duplicate) {
 			return fmt.Errorf("failed to store orphaned precertificate: %s", err)
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -1013,7 +1013,7 @@ func (qsa *queueSA) AddPrecertificate(ctx context.Context, req *sapb.AddCertific
 	} else if qsa.duplicate {
 		return nil, berrors.DuplicateError("is a dupe")
 	}
-	issued := time.Unix(0, *req.Issued)
+	issued := time.Unix(0, req.Issued)
 	qsa.issuedPrecert = &issued
 	return nil, nil
 }
--- a/cmd/admin-revoker/main_test.go
+++ b/cmd/admin-revoker/main_test.go
@ -65,7 +65,6 @@ func TestRevokeBatch(t *testing.T) {
 	serials := []*big.Int{big.NewInt(1), big.NewInt(2), big.NewInt(3)}
 	k, err := rsa.GenerateKey(rand.Reader, 512)
 	test.AssertNotError(t, err, "failed to generate test key")
-	issued := time.Now().UnixNano()
 	for _, serial := range serials {
 		template := &x509.Certificate{
 			SerialNumber: serial,
@ -75,8 +74,8 @@ func TestRevokeBatch(t *testing.T) {
 		test.AssertNotError(t, err, "failed to generate test cert")
 		_, err = ssa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
 			Der:    der,
-			RegID:  &reg.ID,
-			Issued: &issued,
+			RegID:  reg.ID,
+			Issued: time.Now().UnixNano(),
 		})
 		test.AssertNotError(t, err, "failed to add test cert")
 		now := time.Now()
--- a/cmd/boulder-janitor/orders_test.go
+++ b/cmd/boulder-janitor/orders_test.go
@ -97,7 +97,7 @@ func TestDeleteOrder(t *testing.T) {
 	test.AssertNotError(t, err, "error calling deleteHandler")

 	// The order should be gone
-	_, err = ssa.GetOrder(ctx, &sapb.OrderRequest{Id: testOrder.Id})
+	_, err = ssa.GetOrder(ctx, &sapb.OrderRequest{Id: *testOrder.Id})
 	test.AssertError(t, err, "found order after deleting it")
 	test.AssertEquals(t, berrors.Is(err, berrors.NotFound), true)

--- a/cmd/ocsp-updater/main_test.go
+++ b/cmd/ocsp-updater/main_test.go
@ -77,6 +77,10 @@ func setup(t *testing.T) (*OCSPUpdater, core.StorageAuthority, *db.WrappedMap, c
 	return updater, sa, dbMap, fc, cleanUp
 }

+func nowNano(fc clock.Clock) int64 {
+	return fc.Now().UnixNano()
+}
+
 func TestGenerateAndStoreOCSPResponse(t *testing.T) {
 	updater, sa, _, fc, cleanUp := setup(t)
 	defer cleanUp()
@ -88,12 +92,11 @@ func TestGenerateAndStoreOCSPResponse(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)
 	parsedCert, err := core.LoadCert("test-cert.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

@ -113,21 +116,20 @@ func TestGenerateOCSPResponses(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)
 	parsedCertA, err := core.LoadCert("test-cert.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCertA.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")
 	parsedCertB, err := core.LoadCert("test-cert-b.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCertB.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert-b.pem")

@ -170,12 +172,11 @@ func TestFindStaleOCSPResponses(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)
 	parsedCert, err := core.LoadCert("test-cert.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

@ -212,12 +213,11 @@ func TestFindStaleOCSPResponsesRevokedReason(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)
 	parsedCert, err := core.LoadCert("test-cert.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

@ -245,12 +245,11 @@ func TestOldOCSPResponsesTick(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)
 	parsedCert, err := core.LoadCert("test-cert.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

@ -277,12 +276,11 @@ func TestOldOCSPResponsesTickIsExpired(t *testing.T) {
 	serial := core.SerialToString(parsedCert.SerialNumber)

 	// Add a new test certificate
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

@ -327,12 +325,11 @@ func TestStoreResponseGuard(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)
 	parsedCert, err := core.LoadCert("test-cert.pem")
 	test.AssertNotError(t, err, "Couldn't read test certificate")
-	issued := fc.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    parsedCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: nowNano(fc),
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

@ -343,9 +340,9 @@ func TestStoreResponseGuard(t *testing.T) {
 	reason := int64(0)
 	revokedDate := fc.Now().UnixNano()
 	err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
-		Serial: &serialStr,
-		Reason: &reason,
-		Date:   &revokedDate,
+		Serial: serialStr,
+		Reason: reason,
+		Date:   revokedDate,
 	})
 	test.AssertNotError(t, err, "Failed to revoked certificate")

@ -387,9 +384,9 @@ func TestGenerateOCSPResponsePrecert(t *testing.T) {
 	issuedTime := fc.Now().UnixNano()
 	_, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    testCert.Raw,
-		RegID:  &regID,
+		RegID:  regID,
 		Ocsp:   ocspResp,
-		Issued: &issuedTime,
+		Issued: issuedTime,
 	})
 	test.AssertNotError(t, err, "Couldn't add test-cert2.der")

@ -444,17 +441,17 @@ func TestIssuerInfo(t *testing.T) {
 	id := int64(1234)
 	_, err = sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
 		Der:      certA,
-		RegID:    &reg.ID,
+		RegID:    reg.ID,
 		Ocsp:     []byte{1, 2, 3},
-		Issued:   &now,
-		IssuerID: &id,
+		Issued:   now,
+		IssuerID: id,
 	})
 	test.AssertNotError(t, err, "sa.AddPrecertificate failed")
 	_, err = sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
 		Der:    certB,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   []byte{1, 2, 3},
-		Issued: &now,
+		Issued: now,
 	})
 	test.AssertNotError(t, err, "sa.AddPrecertificate failed")

@ -463,7 +460,7 @@ func TestIssuerInfo(t *testing.T) {
 	test.AssertNotError(t, err, "findStaleOCSPResponses failed")
 	test.AssertEquals(t, len(statuses), 2)
 	test.AssertEquals(t, *statuses[0].IssuerID, id)
-	test.Assert(t, statuses[1].IssuerID == nil, "second status doesn't have nil IssuerID")
+	test.Assert(t, *statuses[1].IssuerID == 0, "second status doesn't have zero IssuerID")

 	_, err = updater.generateResponse(context.Background(), statuses[0])
 	test.AssertNotError(t, err, "generateResponse failed")
--- a/cmd/orphan-finder/main.go
+++ b/cmd/orphan-finder/main.go
@ -134,7 +134,7 @@ func checkDER(sai certificateStorage, der []byte) (*x509.Certificate, orphanType
 	case certOrphan:
 		_, err = sai.GetCertificate(ctx, orphanSerial)
 	case precertOrphan:
-		_, err = sai.GetPrecertificate(ctx, &sapb.Serial{Serial: &orphanSerial})
+		_, err = sai.GetPrecertificate(ctx, &sapb.Serial{Serial: orphanSerial})
 	default:
 		err = errors.New("unknown orphan type")
 	}
@ -214,12 +214,11 @@ func storeParsedLogLine(sa certificateStorage, ca ocspGenerator, logger blog.Log
 	case certOrphan:
 		_, err = sa.AddCertificate(ctx, der, regID, response, &issuedDate)
 	case precertOrphan:
-		issued := issuedDate.UnixNano()
 		_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 			Der:    der,
-			RegID:  &regID,
+			RegID:  regID,
 			Ocsp:   response,
-			Issued: &issued,
+			Issued: issuedDate.UnixNano(),
 		})
 	default:
 		// Shouldn't happen but be defensive anyway
@ -358,9 +357,9 @@ func main() {
 			issued := issuedDate.UnixNano()
 			_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 				Der:    der,
-				RegID:  regID,
+				RegID:  *regID,
 				Ocsp:   response,
-				Issued: &issued,
+				Issued: issued,
 			})
 		default:
 			err = errors.New("unknown orphan type")
--- a/cmd/orphan-finder/main_test.go
+++ b/cmd/orphan-finder/main_test.go
@ -67,13 +67,13 @@ func (m *mockSA) AddPrecertificate(ctx context.Context, req *sapb.AddCertificate
 	}
 	precert := core.Certificate{
 		DER:            req.Der,
-		RegistrationID: *req.RegID,
+		RegistrationID: req.RegID,
 		Serial:         core.SerialToString(parsed.SerialNumber),
 	}
-	if req.Issued == nil {
+	if req.Issued == 0 {
 		precert.Issued = m.clk.Now()
 	} else {
-		precert.Issued = time.Unix(0, *req.Issued)
+		precert.Issued = time.Unix(0, req.Issued)
 	}
 	m.precertificates = append(m.precertificates, precert)
 	return &corepb.Empty{}, nil
@ -84,7 +84,7 @@ func (m *mockSA) GetPrecertificate(ctx context.Context, req *sapb.Serial) (*core
 		return nil, berrors.NotFoundError("no precerts stored")
 	}
 	for _, precert := range m.precertificates {
-		if precert.Serial == *req.Serial {
+		if precert.Serial == req.Serial {
 			return bgrpc.CertToPB(precert), nil
 		}
 	}
@ -241,7 +241,7 @@ func TestParseLine(t *testing.T) {
 				var storedCert core.Certificate
 				switch typ {
 				case precertOrphan:
-					resp, err := sa.GetPrecertificate(context.Background(), &sapb.Serial{Serial: &testCertSerial})
+					resp, err := sa.GetPrecertificate(context.Background(), &sapb.Serial{Serial: testCertSerial})
 					test.AssertNotError(t, err, "Error getting test precert serial from SA")
 					precert, err := bgrpc.PBToCert(resp)
 					test.AssertNotError(t, err, "Error getting test precert from GetPrecertificate pb response")
--- a/goodkey/good_key.go
+++ b/goodkey/good_key.go
@ -128,7 +128,7 @@ func (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) erro
 		exists, err := policy.dbCheck(ctx, &sapb.KeyBlockedRequest{KeyHash: digest[:]})
 		if err != nil {
 			return err
-		} else if exists.Exists != nil && *exists.Exists {
+		} else if exists.Exists {
 			return badKey("public key is forbidden")
 		}
 	}
--- a/goodkey/good_key_test.go
+++ b/goodkey/good_key_test.go
@ -259,10 +259,9 @@ func TestNonRefKey(t *testing.T) {
 	test.AssertError(t, testingPolicy.GoodKey(context.Background(), private.PublicKey), "Accepted non-reference key")
 }

-func TestDBBlacklist(t *testing.T) {
-	exists := false
+func TestDBBlocklistAccept(t *testing.T) {
 	testCheck := func(context.Context, *sapb.KeyBlockedRequest) (*sapb.Exists, error) {
-		return &sapb.Exists{Exists: &exists}, nil
+		return &sapb.Exists{Exists: false}, nil
 	}

 	policy, err := NewKeyPolicy("", "", testCheck)
@ -272,7 +271,18 @@ func TestDBBlacklist(t *testing.T) {
 	test.AssertNotError(t, err, "ecdsa.GenerateKey failed")
 	err = policy.GoodKey(context.Background(), k.Public())
 	test.AssertNotError(t, err, "GoodKey failed with a non-blocked key")
-	exists = true
+}
+
+func TestDBBlocklistReject(t *testing.T) {
+	testCheck := func(context.Context, *sapb.KeyBlockedRequest) (*sapb.Exists, error) {
+		return &sapb.Exists{Exists: true}, nil
+	}
+
+	policy, err := NewKeyPolicy("", "", testCheck)
+	test.AssertNotError(t, err, "NewKeyPolicy failed")
+
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	test.AssertNotError(t, err, "ecdsa.GenerateKey failed")
 	err = policy.GoodKey(context.Background(), k.Public())
 	test.AssertError(t, err, "GoodKey didn't fail with a blocked key")
 	test.Assert(t, errors.Is(err, ErrBadKey), "returned error is wrong type")
--- a/grpc/pb-marshalling.go
+++ b/grpc/pb-marshalling.go
@ -414,7 +414,7 @@ func PBToAuthzMap(pb *sapb.Authorizations) (map[string]*core.Authorization, erro
 		if err != nil {
 			return nil, err
 		}
-		m[*v.Domain] = &authz
+		m[v.Domain] = &authz
 	}
 	return m, nil
 }
--- a/grpc/sa-wrappers.go
+++ b/grpc/sa-wrappers.go
@ -28,7 +28,7 @@ func NewStorageAuthorityClient(inner sapb.StorageAuthorityClient) *StorageAuthor
 }

 func (sac StorageAuthorityClientWrapper) GetRegistration(ctx context.Context, regID int64) (core.Registration, error) {
-	response, err := sac.inner.GetRegistration(ctx, &sapb.RegistrationID{Id: &regID})
+	response, err := sac.inner.GetRegistration(ctx, &sapb.RegistrationID{Id: regID})
 	if err != nil {
 		return core.Registration{}, err
 	}
@ -59,7 +59,7 @@ func (sac StorageAuthorityClientWrapper) GetRegistrationByKey(ctx context.Contex
 }

 func (sac StorageAuthorityClientWrapper) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
-	response, err := sac.inner.GetCertificate(ctx, &sapb.Serial{Serial: &serial})
+	response, err := sac.inner.GetCertificate(ctx, &sapb.Serial{Serial: serial})
 	if err != nil {
 		return core.Certificate{}, err
 	}
@ -81,7 +81,7 @@ func (sac StorageAuthorityClientWrapper) GetPrecertificate(ctx context.Context,
 }

 func (sac StorageAuthorityClientWrapper) GetCertificateStatus(ctx context.Context, serial string) (core.CertificateStatus, error) {
-	response, err := sac.inner.GetCertificateStatus(ctx, &sapb.Serial{Serial: &serial})
+	response, err := sac.inner.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial})
 	if err != nil {
 		return core.CertificateStatus{}, err
 	}
@ -98,8 +98,8 @@ func (sac StorageAuthorityClientWrapper) CountCertificatesByNames(ctx context.Co
 	response, err := sac.inner.CountCertificatesByNames(ctx, &sapb.CountCertificatesByNamesRequest{
 		Names: domains,
 		Range: &sapb.Range{
-			Earliest: &earliestNano,
-			Latest:   &latestNano,
+			Earliest: earliestNano,
+			Latest:   latestNano,
 		},
 	})
 	if err != nil {
@ -119,8 +119,8 @@ func (sac StorageAuthorityClientWrapper) CountRegistrationsByIP(ctx context.Cont

 	response, err := sac.inner.CountRegistrationsByIP(ctx, &sapb.CountRegistrationsByIPRequest{
 		Range: &sapb.Range{
-			Earliest: &earliestNano,
-			Latest:   &latestNano,
+			Earliest: earliestNano,
+			Latest:   latestNano,
 		},
 		Ip: ip,
 	})
@ -132,7 +132,7 @@ func (sac StorageAuthorityClientWrapper) CountRegistrationsByIP(ctx context.Cont
 		return 0, errIncompleteResponse
 	}

-	return int(responseToInt(response)), nil
+	return int(response.Count), nil
 }

 func (sac StorageAuthorityClientWrapper) CountRegistrationsByIPRange(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error) {
@ -141,8 +141,8 @@ func (sac StorageAuthorityClientWrapper) CountRegistrationsByIPRange(ctx context

 	response, err := sac.inner.CountRegistrationsByIPRange(ctx, &sapb.CountRegistrationsByIPRequest{
 		Range: &sapb.Range{
-			Earliest: &earliestNano,
-			Latest:   &latestNano,
+			Earliest: earliestNano,
+			Latest:   latestNano,
 		},
 		Ip: ip,
 	})
@ -154,14 +154,7 @@ func (sac StorageAuthorityClientWrapper) CountRegistrationsByIPRange(ctx context
 		return 0, errIncompleteResponse
 	}

-	return int(responseToInt(response)), nil
-}
-
-func responseToInt(resp *sapb.Count) int64 {
-	if resp.Count != nil {
-		return *resp.Count
-	}
-	return 0
+	return int(response.Count), nil
 }

 func (sac StorageAuthorityClientWrapper) CountOrders(ctx context.Context, acctID int64, earliest, latest time.Time) (int, error) {
@ -169,10 +162,10 @@ func (sac StorageAuthorityClientWrapper) CountOrders(ctx context.Context, acctID
 	latestNano := latest.UnixNano()

 	response, err := sac.inner.CountOrders(ctx, &sapb.CountOrdersRequest{
-		AccountID: &acctID,
+		AccountID: acctID,
 		Range: &sapb.Range{
-			Earliest: &earliestNano,
-			Latest:   &latestNano,
+			Earliest: earliestNano,
+			Latest:   latestNano,
 		},
 	})
 	if err != nil {
@ -183,14 +176,14 @@ func (sac StorageAuthorityClientWrapper) CountOrders(ctx context.Context, acctID
 		return 0, errIncompleteResponse
 	}

-	return int(responseToInt(response)), nil
+	return int(response.Count), nil
 }

 func (sac StorageAuthorityClientWrapper) CountFQDNSets(ctx context.Context, window time.Duration, domains []string) (int64, error) {
 	windowNanos := window.Nanoseconds()

 	response, err := sac.inner.CountFQDNSets(ctx, &sapb.CountFQDNSetsRequest{
-		Window:  &windowNanos,
+		Window:  windowNanos,
 		Domains: domains,
 	})
 	if err != nil {
@ -201,7 +194,7 @@ func (sac StorageAuthorityClientWrapper) CountFQDNSets(ctx context.Context, wind
 		return 0, errIncompleteResponse
 	}

-	return responseToInt(response), nil
+	return response.Count, nil
 }

 func (sac StorageAuthorityClientWrapper) PreviousCertificateExists(
@ -246,13 +239,6 @@ func (sac StorageAuthorityClientWrapper) AddSerial(
 	return empty, nil
 }

-func boolPointerToBool(b *bool) bool {
-	if b == nil {
-		return false
-	}
-	return *b
-}
-
 func (sac StorageAuthorityClientWrapper) FQDNSetExists(ctx context.Context, domains []string) (bool, error) {
 	response, err := sac.inner.FQDNSetExists(ctx, &sapb.FQDNSetExistsRequest{Domains: domains})
 	if err != nil {
@ -263,7 +249,7 @@ func (sac StorageAuthorityClientWrapper) FQDNSetExists(ctx context.Context, doma
 		return false, errIncompleteResponse
 	}

-	return boolPointerToBool(response.Exists), nil
+	return response.Exists, nil
 }

 func (sac StorageAuthorityClientWrapper) NewRegistration(ctx context.Context, reg core.Registration) (core.Registration, error) {
@ -310,23 +296,23 @@ func (sac StorageAuthorityClientWrapper) AddCertificate(
 	}
 	response, err := sac.inner.AddCertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    der,
-		RegID:  &regID,
+		RegID:  regID,
 		Ocsp:   ocspResponse,
-		Issued: &issuedTS,
+		Issued: issuedTS,
 	})
 	if err != nil {
 		return "", err
 	}

-	if response == nil || response.Digest == nil {
+	if response == nil {
 		return "", errIncompleteResponse
 	}

-	return *response.Digest, nil
+	return response.Digest, nil
 }

 func (sac StorageAuthorityClientWrapper) DeactivateRegistration(ctx context.Context, id int64) error {
-	_, err := sac.inner.DeactivateRegistration(ctx, &sapb.RegistrationID{Id: &id})
+	_, err := sac.inner.DeactivateRegistration(ctx, &sapb.RegistrationID{Id: id})
 	if err != nil {
 		return err
 	}
@ -514,11 +500,11 @@ func NewStorageAuthorityServer(inner core.StorageAuthority) *StorageAuthoritySer
 }

 func (sas StorageAuthorityServerWrapper) GetRegistration(ctx context.Context, request *sapb.RegistrationID) (*corepb.Registration, error) {
-	if request == nil || request.Id == nil {
+	if core.IsAnyNilOrZero(request, request.Id) {
 		return nil, errIncompleteRequest
 	}

-	reg, err := sas.inner.GetRegistration(ctx, *request.Id)
+	reg, err := sas.inner.GetRegistration(ctx, request.Id)
 	if err != nil {
 		return nil, err
 	}
@ -546,11 +532,11 @@ func (sas StorageAuthorityServerWrapper) GetRegistrationByKey(ctx context.Contex
 }

 func (sas StorageAuthorityServerWrapper) GetCertificate(ctx context.Context, request *sapb.Serial) (*corepb.Certificate, error) {
-	if request == nil || request.Serial == nil {
+	if core.IsAnyNilOrZero(request, request.Serial) {
 		return nil, errIncompleteRequest
 	}

-	cert, err := sas.inner.GetCertificate(ctx, *request.Serial)
+	cert, err := sas.inner.GetCertificate(ctx, request.Serial)
 	if err != nil {
 		return nil, err
 	}
@ -559,18 +545,18 @@ func (sas StorageAuthorityServerWrapper) GetCertificate(ctx context.Context, req
 }

 func (sas StorageAuthorityServerWrapper) GetPrecertificate(ctx context.Context, request *sapb.Serial) (*corepb.Certificate, error) {
-	if request == nil || request.Serial == nil {
+	if core.IsAnyNilOrZero(request, request.Serial) {
 		return nil, errIncompleteRequest
 	}
 	return sas.inner.GetPrecertificate(ctx, request)
 }

 func (sas StorageAuthorityServerWrapper) GetCertificateStatus(ctx context.Context, request *sapb.Serial) (*corepb.CertificateStatus, error) {
-	if request == nil || request.Serial == nil {
+	if core.IsAnyNilOrZero(request, request.Serial) {
 		return nil, errIncompleteRequest
 	}

-	certStatus, err := sas.inner.GetCertificateStatus(ctx, *request.Serial)
+	certStatus, err := sas.inner.GetCertificateStatus(ctx, request.Serial)
 	if err != nil {
 		return nil, err
 	}
@ -579,11 +565,11 @@ func (sas StorageAuthorityServerWrapper) GetCertificateStatus(ctx context.Contex
 }

 func (sas StorageAuthorityServerWrapper) CountCertificatesByNames(ctx context.Context, request *sapb.CountCertificatesByNamesRequest) (*sapb.CountByNames, error) {
-	if request == nil || request.Range == nil || request.Range.Earliest == nil || request.Range.Latest == nil || request.Names == nil {
+	if core.IsAnyNilOrZero(request, request.Range, request.Range.Earliest, request.Range.Latest, request.Names) {
 		return nil, errIncompleteRequest
 	}

-	byNames, err := sas.inner.CountCertificatesByNames(ctx, request.Names, time.Unix(0, *request.Range.Earliest), time.Unix(0, *request.Range.Latest))
+	byNames, err := sas.inner.CountCertificatesByNames(ctx, request.Names, time.Unix(0, request.Range.Earliest), time.Unix(0, request.Range.Latest))
 	if err != nil {
 		return nil, err
 	}
@ -592,73 +578,69 @@ func (sas StorageAuthorityServerWrapper) CountCertificatesByNames(ctx context.Co
 }

 func (sas StorageAuthorityServerWrapper) CountRegistrationsByIP(ctx context.Context, request *sapb.CountRegistrationsByIPRequest) (*sapb.Count, error) {
-	if request == nil || request.Ip == nil || request.Range == nil || request.Range.Earliest == nil || request.Range.Latest == nil {
+	if core.IsAnyNilOrZero(request, request.Range, request.Range.Earliest, request.Range.Latest, request.Ip) {
 		return nil, errIncompleteRequest
 	}

 	count, err := sas.inner.CountRegistrationsByIP(
 		ctx,
 		net.IP(request.Ip),
-		time.Unix(0, *request.Range.Earliest),
-		time.Unix(0, *request.Range.Latest))
+		time.Unix(0, request.Range.Earliest),
+		time.Unix(0, request.Range.Latest))
 	if err != nil {
 		return nil, err
 	}

-	castedCount := int64(count)
-	return &sapb.Count{Count: &castedCount}, nil
+	return &sapb.Count{Count: int64(count)}, nil
 }

 func (sas StorageAuthorityServerWrapper) CountRegistrationsByIPRange(ctx context.Context, request *sapb.CountRegistrationsByIPRequest) (*sapb.Count, error) {
-	if request == nil || request.Ip == nil || request.Range == nil || request.Range.Earliest == nil || request.Range.Latest == nil {
+	if core.IsAnyNilOrZero(request, request.Range, request.Range.Earliest, request.Range.Latest, request.Ip) {
 		return nil, errIncompleteRequest
 	}

 	count, err := sas.inner.CountRegistrationsByIPRange(
 		ctx,
 		net.IP(request.Ip),
-		time.Unix(0, *request.Range.Earliest),
-		time.Unix(0, *request.Range.Latest))
+		time.Unix(0, request.Range.Earliest),
+		time.Unix(0, request.Range.Latest))
 	if err != nil {
 		return nil, err
 	}

-	castedCount := int64(count)
-	return &sapb.Count{Count: &castedCount}, nil
+	return &sapb.Count{Count: int64(count)}, nil
 }

 func (sas StorageAuthorityServerWrapper) CountOrders(ctx context.Context, request *sapb.CountOrdersRequest) (*sapb.Count, error) {
-	if request == nil || request.AccountID == nil || request.Range == nil || request.Range.Earliest == nil || request.Range.Latest == nil {
+	if core.IsAnyNilOrZero(request, request.AccountID, request.Range, request.Range.Earliest, request.Range.Latest) {
 		return nil, errIncompleteRequest
 	}

 	count, err := sas.inner.CountOrders(ctx,
-		*request.AccountID,
-		time.Unix(0, *request.Range.Earliest),
-		time.Unix(0, *request.Range.Latest),
+		request.AccountID,
+		time.Unix(0, request.Range.Earliest),
+		time.Unix(0, request.Range.Latest),
 	)
 	if err != nil {
 		return nil, err
 	}

-	castedCount := int64(count)
-	return &sapb.Count{Count: &castedCount}, nil
+	return &sapb.Count{Count: int64(count)}, nil
 }

 func (sas StorageAuthorityServerWrapper) CountFQDNSets(ctx context.Context, request *sapb.CountFQDNSetsRequest) (*sapb.Count, error) {
-	if request == nil || request.Window == nil || request.Domains == nil {
+	if core.IsAnyNilOrZero(request, request.Window, request.Domains) {
 		return nil, errIncompleteRequest
 	}

-	window := time.Duration(*request.Window)
+	window := time.Duration(request.Window)

 	count, err := sas.inner.CountFQDNSets(ctx, window, request.Domains)
 	if err != nil {
 		return nil, err
 	}

-	castedCount := int64(count)
-	return &sapb.Count{Count: &castedCount}, nil
+	return &sapb.Count{Count: int64(count)}, nil
 }

 func (sas StorageAuthorityServerWrapper) FQDNSetExists(ctx context.Context, request *sapb.FQDNSetExistsRequest) (*sapb.Exists, error) {
@ -671,14 +653,14 @@ func (sas StorageAuthorityServerWrapper) FQDNSetExists(ctx context.Context, requ
 		return nil, err
 	}

-	return &sapb.Exists{Exists: &exists}, nil
+	return &sapb.Exists{Exists: exists}, nil
 }

 func (sac StorageAuthorityServerWrapper) PreviousCertificateExists(
 	ctx context.Context,
 	req *sapb.PreviousCertificateExistsRequest,
 ) (*sapb.Exists, error) {
-	if req == nil || req.Domain == nil || req.RegID == nil {
+	if core.IsAnyNilOrZero(req, req.Domain, req.RegID) {
 		return nil, errIncompleteRequest
 	}
 	return sac.inner.PreviousCertificateExists(ctx, req)
@ -721,25 +703,25 @@ func (sas StorageAuthorityServerWrapper) UpdateRegistration(ctx context.Context,
 }

 func (sas StorageAuthorityServerWrapper) AddCertificate(ctx context.Context, request *sapb.AddCertificateRequest) (*sapb.AddCertificateResponse, error) {
-	if request == nil || request.Der == nil || request.RegID == nil || request.Issued == nil {
+	if core.IsAnyNilOrZero(request, request.Der, request.RegID, request.Issued) {
 		return nil, errIncompleteRequest
 	}

-	reqIssued := time.Unix(0, *request.Issued)
-	digest, err := sas.inner.AddCertificate(ctx, request.Der, *request.RegID, request.Ocsp, &reqIssued)
+	reqIssued := time.Unix(0, request.Issued)
+	digest, err := sas.inner.AddCertificate(ctx, request.Der, request.RegID, request.Ocsp, &reqIssued)
 	if err != nil {
 		return nil, err
 	}

-	return &sapb.AddCertificateResponse{Digest: &digest}, nil
+	return &sapb.AddCertificateResponse{Digest: digest}, nil
 }

 func (sas StorageAuthorityServerWrapper) DeactivateRegistration(ctx context.Context, request *sapb.RegistrationID) (*corepb.Empty, error) {
-	if request == nil || request.Id == nil {
+	if core.IsAnyNilOrZero(request, request.Id) {
 		return nil, errIncompleteRequest
 	}

-	err := sas.inner.DeactivateRegistration(ctx, *request.Id)
+	err := sas.inner.DeactivateRegistration(ctx, request.Id)
 	if err != nil {
 		return nil, err
 	}
@ -792,7 +774,7 @@ func (sas StorageAuthorityServerWrapper) FinalizeOrder(ctx context.Context, orde
 }

 func (sas StorageAuthorityServerWrapper) GetOrder(ctx context.Context, request *sapb.OrderRequest) (*corepb.Order, error) {
-	if request == nil || request.Id == nil {
+	if core.IsAnyNilOrZero(request, request.Id) {
 		return nil, errIncompleteRequest
 	}

@ -802,14 +784,14 @@ func (sas StorageAuthorityServerWrapper) GetOrder(ctx context.Context, request *
 func (sas StorageAuthorityServerWrapper) GetOrderForNames(
 	ctx context.Context,
 	request *sapb.GetOrderForNamesRequest) (*corepb.Order, error) {
-	if request == nil || request.AcctID == nil || len(request.Names) == 0 {
+	if core.IsAnyNilOrZero(request, request.AcctID, len(request.Names)) {
 		return nil, errIncompleteRequest
 	}
 	return sas.inner.GetOrderForNames(ctx, request)
 }

 func (sas StorageAuthorityServerWrapper) GetAuthorization2(ctx context.Context, request *sapb.AuthorizationID2) (*corepb.Authorization, error) {
-	if request == nil || request.Id == nil {
+	if core.IsAnyNilOrZero(request, request.Id) {
 		return nil, errIncompleteRequest
 	}

@ -817,7 +799,7 @@ func (sas StorageAuthorityServerWrapper) GetAuthorization2(ctx context.Context,
 }

 func (sas StorageAuthorityServerWrapper) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*corepb.Empty, error) {
-	if req == nil || req.Serial == nil || req.Date == nil || req.Response == nil {
+	if core.IsAnyNilOrZero(req, req.Serial, req.Reason, req.Date, req.Response) {
 		return nil, errIncompleteRequest
 	}
 	return &corepb.Empty{}, sas.inner.RevokeCertificate(ctx, req)
@ -832,7 +814,7 @@ func (sas StorageAuthorityServerWrapper) NewAuthorizations2(ctx context.Context,
 }

 func (sas StorageAuthorityServerWrapper) GetAuthorizations2(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error) {
-	if req == nil || req.Domains == nil || req.RegistrationID == nil || req.Now == nil {
+	if core.IsAnyNilOrZero(req, req.Domains, req.RequireV2Authzs, req.RegistrationID, req.Now) {
 		return nil, errIncompleteRequest
 	}

@ -840,7 +822,7 @@ func (sas StorageAuthorityServerWrapper) GetAuthorizations2(ctx context.Context,
 }

 func (sas StorageAuthorityServerWrapper) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) (*corepb.Empty, error) {
-	if req == nil || req.Status == nil || req.Attempted == nil || req.Expires == nil || req.Id == nil {
+	if core.IsAnyNilOrZero(req, req.Status, req.Attempted, req.Expires, req.Id) {
 		return nil, errIncompleteRequest
 	}

@ -848,7 +830,7 @@ func (sas StorageAuthorityServerWrapper) FinalizeAuthorization2(ctx context.Cont
 }

 func (sas StorageAuthorityServerWrapper) GetPendingAuthorization2(ctx context.Context, req *sapb.GetPendingAuthorizationRequest) (*corepb.Authorization, error) {
-	if req == nil || req.RegistrationID == nil || req.IdentifierValue == nil || req.ValidUntil == nil {
+	if core.IsAnyNilOrZero(req, req.RegistrationID, req.IdentifierValue, req.ValidUntil) {
 		return nil, errIncompleteRequest
 	}

@ -856,7 +838,7 @@ func (sas StorageAuthorityServerWrapper) GetPendingAuthorization2(ctx context.Co
 }

 func (sas StorageAuthorityServerWrapper) CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error) {
-	if req == nil || req.Id == nil {
+	if core.IsAnyNilOrZero(req, req.Id) {
 		return nil, errIncompleteRequest
 	}

@ -864,7 +846,7 @@ func (sas StorageAuthorityServerWrapper) CountPendingAuthorizations2(ctx context
 }

 func (sas StorageAuthorityServerWrapper) GetValidOrderAuthorizations2(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (*sapb.Authorizations, error) {
-	if req == nil || req.AcctID == nil || req.Id == nil {
+	if core.IsAnyNilOrZero(req, req.AcctID, req.Id) {
 		return nil, errIncompleteRequest
 	}

@ -872,7 +854,7 @@ func (sas StorageAuthorityServerWrapper) GetValidOrderAuthorizations2(ctx contex
 }

 func (sas StorageAuthorityServerWrapper) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error) {
-	if req == nil || req.RegistrationID == nil || req.Hostname == nil || req.Range == nil || req.Range.Earliest == nil || req.Range.Latest == nil {
+	if core.IsAnyNilOrZero(req, req.RegistrationID, req.Hostname, req.Range, req.Range.Earliest, req.Range.Latest) {
 		return nil, errIncompleteRequest
 	}

@ -880,7 +862,7 @@ func (sas StorageAuthorityServerWrapper) CountInvalidAuthorizations2(ctx context
 }

 func (sas StorageAuthorityServerWrapper) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error) {
-	if req == nil || req.Domains == nil || req.RegistrationID == nil || req.Now == nil {
+	if core.IsAnyNilOrZero(req, req.Domains, req.RegistrationID, req.Now) {
 		return nil, errIncompleteRequest
 	}

@ -888,7 +870,7 @@ func (sas StorageAuthorityServerWrapper) GetValidAuthorizations2(ctx context.Con
 }

 func (sas StorageAuthorityServerWrapper) DeactivateAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*corepb.Empty, error) {
-	if req == nil || req.Id == nil {
+	if core.IsAnyNilOrZero(req, req.Id) {
 		return nil, errIncompleteRequest
 	}

--- a/mocks/mocks.go
+++ b/mocks/mocks.go
@ -386,9 +386,8 @@ func (sa *StorageAuthority) PreviousCertificateExists(
 	_ context.Context,
 	_ *sapb.PreviousCertificateExistsRequest,
 ) (*sapb.Exists, error) {
-	f := false
 	return &sapb.Exists{
-		Exists: &f,
+		Exists: false,
 	}, nil
 }

@ -486,9 +485,9 @@ func (sa *StorageAuthority) FinalizeOrder(_ context.Context, order *corepb.Order

 // GetOrder is a mock
 func (sa *StorageAuthority) GetOrder(_ context.Context, req *sapb.OrderRequest) (*corepb.Order, error) {
-	if *req.Id == 2 {
+	if req.Id == 2 {
 		return nil, berrors.NotFoundError("bad")
-	} else if *req.Id == 3 {
+	} else if req.Id == 3 {
 		return nil, errors.New("very bad")
 	}

@ -498,7 +497,7 @@ func (sa *StorageAuthority) GetOrder(_ context.Context, req *sapb.OrderRequest)
 	created := sa.clk.Now().AddDate(-30, 0, 0).Unix()
 	exp := sa.clk.Now().AddDate(30, 0, 0).Unix()
 	validOrder := &corepb.Order{
-		Id:                req.Id,
+		Id:                &req.Id,
 		RegistrationID:    &one,
 		Created:           &created,
 		Expires:           &exp,
@ -510,37 +509,37 @@ func (sa *StorageAuthority) GetOrder(_ context.Context, req *sapb.OrderRequest)
 	}

 	// Order ID doesn't have a certificate serial yet
-	if *req.Id == 4 {
+	if req.Id == 4 {
 		pending := string(core.StatusPending)
 		validOrder.Status = &pending
-		validOrder.Id = req.Id
+		validOrder.Id = &req.Id
 		validOrder.CertificateSerial = nil
 		validOrder.Error = nil
 		return validOrder, nil
 	}

 	// Order ID 6 belongs to reg ID 6
-	if *req.Id == 6 {
+	if req.Id == 6 {
 		six := int64(6)
-		validOrder.Id = req.Id
+		validOrder.Id = &req.Id
 		validOrder.RegistrationID = &six
 	}

 	// Order ID 7 is ready, but expired
-	if *req.Id == 7 {
+	if req.Id == 7 {
 		ready := string(core.StatusReady)
 		validOrder.Status = &ready
 		exp = sa.clk.Now().AddDate(-30, 0, 0).Unix()
 		validOrder.Expires = &exp
 	}

-	if *req.Id == 8 {
+	if req.Id == 8 {
 		ready := string(core.StatusReady)
 		validOrder.Status = &ready
 	}

 	// Order 9 is fresh
-	if *req.Id == 9 {
+	if req.Id == 9 {
 		now := sa.clk.Now().Unix()
 		validOrder.Created = &now
 	}
@ -597,17 +596,17 @@ func (sa *StorageAuthority) CountInvalidAuthorizations2(ctx context.Context, req
 }

 func (sa *StorageAuthority) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error) {
-	if *req.RegistrationID != 1 && *req.RegistrationID != 5 && *req.RegistrationID != 4 {
+	if req.RegistrationID != 1 && req.RegistrationID != 5 && req.RegistrationID != 4 {
 		return &sapb.Authorizations{}, nil
 	}
-	now := time.Unix(0, *req.Now)
+	now := time.Unix(0, req.Now)
 	auths := &sapb.Authorizations{}
 	for _, name := range req.Domains {
 		if sa.authorizedDomains[name] || name == "not-an-example.com" || name == "bad.example.com" {
 			exp := now.AddDate(100, 0, 0)
 			authzPB, err := bgrpc.AuthzToPB(core.Authorization{
 				Status:         core.StatusValid,
-				RegistrationID: *req.RegistrationID,
+				RegistrationID: req.RegistrationID,
 				Expires:        &exp,
 				Identifier: identifier.ACMEIdentifier{
 					Type:  "dns",
@ -623,9 +622,8 @@ func (sa *StorageAuthority) GetValidAuthorizations2(ctx context.Context, req *sa
 			if err != nil {
 				return nil, err
 			}
-			n := name
 			auths.Authz = append(auths.Authz, &sapb.Authorizations_MapElement{
-				Domain: &n,
+				Domain: name,
 				Authz:  authzPB,
 			})
 		}
@ -663,7 +661,7 @@ func (sa *StorageAuthority) GetAuthorization2(ctx context.Context, id *sapb.Auth
 		},
 	}

-	switch *id.Id {
+	switch id.Id {
 	case authzIdValid:
 		exp := sa.clk.Now().AddDate(100, 0, 0)
 		authz.Expires = &exp
@ -705,8 +703,7 @@ func (sa *StorageAuthority) AddBlockedKey(context.Context, *sapb.AddBlockedKeyRe

 // KeyBlocked is a mock
 func (sa *StorageAuthority) KeyBlocked(ctx context.Context, req *sapb.KeyBlockedRequest) (*sapb.Exists, error) {
-	exists := false
-	return &sapb.Exists{Exists: &exists}, nil
+	return &sapb.Exists{Exists: false}, nil
 }

 // Publisher is a mock
@ -787,14 +784,14 @@ func (sa *SAWithFailedChallenges) GetAuthorization2(ctx context.Context, id *sap
 	authz.Expires = &exp
 	// 55 returns an authz with a failed challenge that has the problem type
 	// statically prefixed by the V1ErrorNS
-	if *id.Id == 55 {
+	if id.Id == 55 {
 		prob.Type = probs.V1ErrorNS + prob.Type
 		authz.Challenges[0].Error = prob
 		return bgrpc.AuthzToPB(authz)
 	}
 	// 56 returns an authz with a failed challenge that has no error
 	// namespace on the problem type.
-	if *id.Id == 56 {
+	if id.Id == 56 {
 		authz.Challenges[0].Error = prob
 		return bgrpc.AuthzToPB(authz)
 	}
--- a/ra/mock_test.go
+++ b/ra/mock_test.go
@ -21,18 +21,15 @@ func (sa *mockInvalidAuthorizationsAuthority) PreviousCertificateExists(
 	_ context.Context,
 	_ *sapb.PreviousCertificateExistsRequest,
 ) (*sapb.Exists, error) {
-	f := false
 	return &sapb.Exists{
-		Exists: &f,
+		Exists: false,
 	}, nil
 }

 func (sa *mockInvalidAuthorizationsAuthority) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error) {
-	var count int64
-	if *req.Hostname == sa.domainWithFailures {
-		count = 1
+	if req.Hostname == sa.domainWithFailures {
+		return &sapb.Count{Count: 1}, nil
+	} else {
+		return &sapb.Count{}, nil
 	}
-	return &sapb.Count{
-		Count: &count,
-	}, nil
 }
--- a/ra/ra.go
+++ b/ra/ra.go
@ -422,18 +422,11 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
 	return nil
 }

-func intPointerToInt(ip *int64) int {
-	if ip != nil {
-		return int(*ip)
-	}
-	return 0
-}
-
 func (ra *RegistrationAuthorityImpl) checkPendingAuthorizationLimit(ctx context.Context, regID int64) error {
 	limit := ra.rlPolicies.PendingAuthorizationsPerAccount()
 	if limit.Enabled() {
 		countPB, err := ra.SA.CountPendingAuthorizations2(ctx, &sapb.RegistrationID{
-			Id: &regID,
+			Id: regID,
 		})
 		if err != nil {
 			return err
@ -441,7 +434,7 @@ func (ra *RegistrationAuthorityImpl) checkPendingAuthorizationLimit(ctx context.
 		// Most rate limits have a key for overrides, but there is no meaningful key
 		// here.
 		noKey := ""
-		if intPointerToInt(countPB.Count) >= limit.GetThreshold(noKey, regID) {
+		if int(countPB.Count) >= limit.GetThreshold(noKey, regID) {
 			ra.rateLimitCounter.WithLabelValues("pending_authorizations_by_registration_id", "exceeded").Inc()
 			ra.log.Infof("Rate limit exceeded, PendingAuthorizationsByRegID, regID: %d", regID)
 			return berrors.RateLimitError("too many currently pending authorizations")
@ -478,14 +471,12 @@ func (ra *RegistrationAuthorityImpl) checkInvalidAuthorizationLimit(ctx context.
 	}
 	latest := ra.clk.Now().Add(ra.pendingAuthorizationLifetime)
 	earliest := latest.Add(-limit.Window.Duration)
-	latestNanos := latest.UnixNano()
-	earliestNanos := earliest.UnixNano()
 	req := &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: &regID,
-		Hostname:       &hostname,
+		RegistrationID: regID,
+		Hostname:       hostname,
 		Range: &sapb.Range{
-			Earliest: &earliestNanos,
-			Latest:   &latestNanos,
+			Earliest: earliest.UnixNano(),
+			Latest:   latest.UnixNano(),
 		},
 	}
 	count, err := ra.SA.CountInvalidAuthorizations2(ctx, req)
@ -495,7 +486,7 @@ func (ra *RegistrationAuthorityImpl) checkInvalidAuthorizationLimit(ctx context.
 	// Most rate limits have a key for overrides, but there is no meaningful key
 	// here.
 	noKey := ""
-	if intPointerToInt(count.Count) >= limit.GetThreshold(noKey, regID) {
+	if count.Count >= int64(limit.GetThreshold(noKey, regID)) {
 		ra.log.Infof("Rate limit exceeded, InvalidAuthorizationsByRegID, regID: %d", regID)
 		return berrors.RateLimitError("too many failed authorizations recently")
 	}
@ -548,9 +539,9 @@ func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, reque
 	if ra.reuseValidAuthz {
 		now := ra.clk.Now().UnixNano()
 		authzMapPB, err := ra.SA.GetValidAuthorizations2(ctx, &sapb.GetValidAuthorizationsRequest{
-			RegistrationID: &regID,
+			RegistrationID: regID,
 			Domains:        []string{identifier.Value},
-			Now:            &now,
+			Now:            now,
 		})
 		if err != nil {
 			outErr := berrors.InternalServerError(
@ -580,13 +571,12 @@ func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, reque
 		}
 	}

-	nowishNano := ra.clk.Now().Add(time.Hour).UnixNano()
 	identifierTypeString := string(identifier.Type)
 	req := &sapb.GetPendingAuthorizationRequest{
-		RegistrationID:  &regID,
-		IdentifierType:  &identifierTypeString,
-		IdentifierValue: &identifier.Value,
-		ValidUntil:      &nowishNano,
+		RegistrationID:  regID,
+		IdentifierType:  identifierTypeString,
+		IdentifierValue: identifier.Value,
+		ValidUntil:      ra.clk.Now().Add(time.Hour).UnixNano(),
 	}
 	pendingPB, err := ra.SA.GetPendingAuthorization2(ctx, req)
 	if err != nil && !berrors.Is(err, berrors.NotFound) {
@ -601,13 +591,13 @@ func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, reque

 	if features.Enabled(features.V1DisableNewValidations) {
 		exists, err := ra.SA.PreviousCertificateExists(ctx, &sapb.PreviousCertificateExistsRequest{
-			Domain: &identifier.Value,
-			RegID:  &regID,
+			Domain: identifier.Value,
+			RegID:  regID,
 		})
 		if err != nil {
 			return core.Authorization{}, err
 		}
-		if !*exists.Exists {
+		if !exists.Exists {
 			return core.Authorization{}, berrors.UnauthorizedError("Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)")
 		}
 	}
@ -705,12 +695,10 @@ func (ra *RegistrationAuthorityImpl) checkOrderAuthorizations(
 	names []string,
 	acctID accountID,
 	orderID orderID) (map[string]*core.Authorization, error) {
-	acctIDInt := int64(acctID)
-	orderIDInt := int64(orderID)
 	// Get all of the valid authorizations for this account/order
 	req := &sapb.GetValidOrderAuthorizationsRequest{
-		Id:     &orderIDInt,
-		AcctID: &acctIDInt,
+		Id:     int64(orderID),
+		AcctID: int64(acctID),
 	}
 	authzMapPB, err := ra.SA.GetValidOrderAuthorizations2(ctx, req)
 	if err != nil {
@ -739,11 +727,10 @@ func (ra *RegistrationAuthorityImpl) checkAuthorizations(ctx context.Context, na
 	for i := range names {
 		names[i] = strings.ToLower(names[i])
 	}
-	nowUnix := now.UnixNano()
 	authMapPB, err := ra.SA.GetValidAuthorizations2(ctx, &sapb.GetValidAuthorizationsRequest{
-		RegistrationID: &regID,
+		RegistrationID: regID,
 		Domains:        names,
-		Now:            &nowUnix,
+		Now:            now.UnixNano(),
 	})
 	if err != nil {
 		return nil, err
@ -1316,12 +1303,8 @@ func (ra *RegistrationAuthorityImpl) enforceNameCounts(

 	var badNames []string
 	for _, entry := range counts {
-		// Should not happen, but be defensive.
-		if entry.Name == nil {
-			return nil, fmt.Errorf("CountByNames_MapElement had nil Name")
-		}
-		if intPointerToInt(entry.Count) >= limit.GetThreshold(*entry.Name, regID) {
-			badNames = append(badNames, *entry.Name)
+		if int(entry.Count) >= limit.GetThreshold(entry.Name, regID) {
+			badNames = append(badNames, entry.Name)
 		}
 	}
 	return badNames, nil
@ -1514,8 +1497,6 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
 	if err != nil {
 		return err
 	}
-	status := string(challenge.Status)
-	ctype := string(challenge.Type)
 	var expires int64
 	if challenge.Status == core.StatusInvalid {
 		expires = authExpires.UnixNano()
@ -1527,10 +1508,10 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
 		return err
 	}
 	err = ra.SA.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
-		Id:                &authzID,
-		Status:            &status,
-		Expires:           &expires,
-		Attempted:         &ctype,
+		Id:                authzID,
+		Status:            string(challenge.Status),
+		Expires:           expires,
+		Attempted:         string(challenge.Type),
 		ValidationRecords: vr.Records,
 		ValidationError:   vr.Problems,
 	})
@ -1701,13 +1682,10 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert
 		return err
 	}
 	serial := core.SerialToString(cert.SerialNumber)
-	// for some reason we use int32 and int64 for the reason in different
-	// protobuf messages, so we have to re-cast it here.
-	reason64 := int64(code)
 	err = ra.SA.RevokeCertificate(ctx, &sapb.RevokeCertificateRequest{
-		Serial:   &serial,
-		Reason:   &reason64,
-		Date:     &revokedAt,
+		Serial:   serial,
+		Reason:   int64(code),
+		Date:     revokedAt,
 		Response: ocspResponse.Response,
 	})
 	if err != nil {
@ -1720,14 +1698,14 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert
 		}
 		req := &sapb.AddBlockedKeyRequest{
 			KeyHash: digest[:],
-			Added:   &revokedAt,
-			Source:  &source,
+			Added:   revokedAt,
+			Source:  source,
 		}
 		if comment != "" {
-			req.Comment = &comment
+			req.Comment = comment
 		}
 		if features.Enabled(features.StoreRevokerInfo) && revokedBy != 0 {
-			req.RevokedBy = &revokedBy
+			req.RevokedBy = revokedBy
 		}
 		if _, err = ra.SA.AddBlockedKey(ctx, req); err != nil {
 			return err
@ -1828,7 +1806,7 @@ func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context
 	if err != nil {
 		return err
 	}
-	if _, err := ra.SA.DeactivateAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID}); err != nil {
+	if _, err := ra.SA.DeactivateAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID}); err != nil {
 		return err
 	}
 	return nil
@ -1872,11 +1850,10 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New

 	// See if there is an existing unexpired pending (or ready) order that can be reused
 	// for this account
-	useV2Authzs := true
 	existingOrder, err := ra.SA.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID:              order.RegistrationID,
+		AcctID:              *order.RegistrationID,
 		Names:               order.Names,
-		UseV2Authorizations: &useV2Authzs,
+		UseV2Authorizations: true,
 	})
 	// If there was an error and it wasn't an acceptable "NotFound" error, return
 	// immediately
@ -1910,12 +1887,11 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New

 	// We do not want any legacy V1 API authorizations not associated with an
 	// order to be returned from the SA so we set requireV2Authzs to true
-	requireV2Authzs := true
 	getAuthReq := &sapb.GetAuthorizationsRequest{
-		RegistrationID:  order.RegistrationID,
-		Now:             &authzExpiryCutoff,
+		RegistrationID:  *order.RegistrationID,
+		Now:             authzExpiryCutoff,
 		Domains:         order.Names,
-		RequireV2Authzs: &requireV2Authzs,
+		RequireV2Authzs: true,
 	}
 	existingAuthz, err := ra.SA.GetAuthorizations2(ctx, getAuthReq)
 	if err != nil {
@ -1931,7 +1907,7 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 		if *v.Authz.Status == string(core.StatusValid) && !ra.reuseValidAuthz {
 			continue
 		}
-		nameToExistingAuthz[*v.Domain] = v.Authz
+		nameToExistingAuthz[v.Domain] = v.Authz
 	}

 	// For each of the names in the order, if there is an acceptable
--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@ -88,24 +88,22 @@ func createPendingAuthorization(t *testing.T, sa core.StorageAuthority, domain s
 func createFinalizedAuthorization(t *testing.T, sa core.StorageAuthority, domain string, exp time.Time, status string) int64 {
 	t.Helper()
 	pendingID := createPendingAuthorization(t, sa, domain, exp)
-	expInt := exp.UnixNano()
-	attempted := string(core.ChallengeTypeHTTP01)
 	err := sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
-		Id:        &pendingID,
-		Status:    &status,
-		Expires:   &expInt,
-		Attempted: &attempted,
+		Id:        pendingID,
+		Status:    status,
+		Expires:   exp.UnixNano(),
+		Attempted: string(core.ChallengeTypeHTTP01),
 	})
 	test.AssertNotError(t, err, "sa.FinalizeAuthorizations2 failed")
 	return pendingID
 }

-func getAuthorization(t *testing.T, id string, sa *sa.SQLStorageAuthority) core.Authorization {
+func getAuthorization(t *testing.T, id string, sa core.StorageAuthority) core.Authorization {
 	t.Helper()
 	var dbAuthz core.Authorization
 	idInt, err := strconv.ParseInt(id, 10, 64)
 	test.AssertNotError(t, err, "strconv.ParseInt failed")
-	dbAuthzPB, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &idInt})
+	dbAuthzPB, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: idInt})
 	test.AssertNotError(t, err, "Could not fetch authorization from database")
 	dbAuthz, err = bgrpc.PBToAuthz(dbAuthzPB)
 	test.AssertNotError(t, err, "bgrpc.PBToAuthz failed")
@ -1389,8 +1387,8 @@ func (m mockSAWithNameCounts) CountCertificatesByNames(ctx context.Context, name
 func nameCount(domain string, count int) *sapb.CountByNames_MapElement {
 	pbInt := int64(count)
 	return &sapb.CountByNames_MapElement{
-		Name:  &domain,
-		Count: &pbInt,
+		Name:  domain,
+		Count: pbInt,
 	}
 }

@ -1690,7 +1688,7 @@ func (m mockSAWithFQDNSet) CountFQDNSets(_ context.Context, _ time.Duration, nam
 	var count int64
 	for _, name := range names {
 		if entry, ok := m.nameCounts[name]; ok {
-			count += *entry.Count
+			count += entry.Count
 		}
 	}
 	return count, nil
@ -1801,7 +1799,7 @@ func TestDeactivateAuthorization(t *testing.T) {
 	authz := getAuthorization(t, fmt.Sprintf("%d", authzID), sa)
 	err := ra.DeactivateAuthorization(ctx, authz)
 	test.AssertNotError(t, err, "Could not deactivate authorization")
-	deact, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
+	deact, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
 	test.AssertNotError(t, err, "Could not get deactivated authorization with ID "+authz.ID)
 	test.AssertEquals(t, *deact.Status, string(core.StatusDeactivated))
 }
@ -2312,18 +2310,16 @@ func TestNewOrderReuseInvalidAuthz(t *testing.T) {
 	// It should have one authorization
 	test.AssertEquals(t, numAuthorizations(order), 1)

-	status := string(core.StatusInvalid)
-	attempted := string(core.ChallengeTypeDNS01)
 	err = ra.SA.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
-		Id:        &order.V2Authorizations[0],
-		Status:    &status,
-		Expires:   order.Expires,
-		Attempted: &attempted,
+		Id:        order.V2Authorizations[0],
+		Status:    string(core.StatusInvalid),
+		Expires:   *order.Expires,
+		Attempted: string(core.ChallengeTypeDNS01),
 	})
 	test.AssertNotError(t, err, "FinalizeAuthorization2 failed")

 	// The order associated with the authz should now be invalid
-	updatedOrder, err := ra.SA.GetOrder(ctx, &sapb.OrderRequest{Id: order.Id})
+	updatedOrder, err := ra.SA.GetOrder(ctx, &sapb.OrderRequest{Id: *order.Id})
 	test.AssertNotError(t, err, "Error getting order to check status")
 	test.AssertEquals(t, *updatedOrder.Status, "invalid")

@ -2358,7 +2354,7 @@ func (msa *mockSAUnsafeAuthzReuse) GetAuthorizations(
 			// A static fake ID we can check for in a unit test
 			ID:             "bad-bad-not-good",
 			Identifier:     identifier.DNSIdentifier("*.zombo.com"),
-			RegistrationID: *req.RegistrationID,
+			RegistrationID: req.RegistrationID,
 			// Authz is valid
 			Status: "valid",
 			Challenges: []core.Challenge{
@ -2378,7 +2374,7 @@ func (msa *mockSAUnsafeAuthzReuse) GetAuthorizations(
 			// A static fake ID we can check for in a unit test
 			ID:             "reused-valid-authz",
 			Identifier:     identifier.DNSIdentifier("zombo.com"),
-			RegistrationID: *req.RegistrationID,
+			RegistrationID: req.RegistrationID,
 			// Authz is valid
 			Status: "valid",
 			Challenges: []core.Challenge{
@ -2406,7 +2402,7 @@ func (msa *mockSAUnsafeAuthzReuse) GetAuthorizations2(
 			// A static fake ID we can check for in a unit test
 			ID:             "1",
 			Identifier:     identifier.DNSIdentifier("*.zombo.com"),
-			RegistrationID: *req.RegistrationID,
+			RegistrationID: req.RegistrationID,
 			// Authz is valid
 			Status: "valid",
 			Challenges: []core.Challenge{
@ -2426,7 +2422,7 @@ func (msa *mockSAUnsafeAuthzReuse) GetAuthorizations2(
 			// A static fake ID we can check for in a unit test
 			ID:             "2",
 			Identifier:     identifier.DNSIdentifier("zombo.com"),
-			RegistrationID: *req.RegistrationID,
+			RegistrationID: req.RegistrationID,
 			// Authz is valid
 			Status: "valid",
 			Challenges: []core.Challenge{
@ -2554,7 +2550,7 @@ func TestNewOrderWildcard(t *testing.T) {
 	for _, authzID := range order.V2Authorizations {
 		// We should be able to retrieve the authz from the db without error
 		authzID := authzID
-		authzPB, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
+		authzPB, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
 		test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
 		authz, err := bgrpc.PBToAuthz(authzPB)
 		test.AssertNotError(t, err, "bgrpc.PBToAuthz failed")
@ -2602,7 +2598,7 @@ func TestNewOrderWildcard(t *testing.T) {
 	for _, authzID := range order.V2Authorizations {
 		// We should be able to retrieve the authz from the db without error
 		authzID := authzID
-		authzPB, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
+		authzPB, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
 		test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
 		authz, err := bgrpc.PBToAuthz(authzPB)
 		test.AssertNotError(t, err, "bgrpc.PBToAuthz failed")
@ -2637,7 +2633,7 @@ func TestNewOrderWildcard(t *testing.T) {
 	// We expect the order is in Pending status
 	test.AssertEquals(t, *order.Status, string(core.StatusPending))
 	var authz core.Authorization
-	authzPB, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &normalOrder.V2Authorizations[0]})
+	authzPB, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: normalOrder.V2Authorizations[0]})
 	test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
 	authz, err = bgrpc.PBToAuthz(authzPB)
 	test.AssertNotError(t, err, "bgrpc.PBToAuthz failed")
@ -2664,7 +2660,7 @@ func TestNewOrderWildcard(t *testing.T) {
 	// The authz should be a different ID than the previous authz
 	test.AssertNotEquals(t, order.V2Authorizations[0], normalOrder.V2Authorizations[0])
 	// We expect the authorization is available
-	authzPB, err = ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &order.V2Authorizations[0]})
+	authzPB, err = ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: order.V2Authorizations[0]})
 	test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
 	authz, err = bgrpc.PBToAuthz(authzPB)
 	test.AssertNotError(t, err, "bgrpc.PBToAuthz failed")
@ -2708,7 +2704,7 @@ func (msa *mockSANearExpiredAuthz) GetAuthorizations(
 			// A static fake ID we can check for in a unit test
 			ID:             "near-expired-authz",
 			Identifier:     identifier.DNSIdentifier("zombo.com"),
-			RegistrationID: *req.RegistrationID,
+			RegistrationID: req.RegistrationID,
 			Expires:        &msa.expiry,
 			Status:         "valid",
 			Challenges: []core.Challenge{
@ -2730,7 +2726,7 @@ func (msa *mockSANearExpiredAuthz) GetAuthorizations2(
 			// A static fake ID we can check for in a unit test
 			ID:             "1",
 			Identifier:     identifier.DNSIdentifier("zombo.com"),
-			RegistrationID: *req.RegistrationID,
+			RegistrationID: req.RegistrationID,
 			Expires:        &msa.expiry,
 			Status:         "valid",
 			Challenges: []core.Challenge{
@ -3069,7 +3065,7 @@ func TestFinalizeOrder(t *testing.T) {
 				// Check that the order now has a serial for the issued certificate
 				updatedOrder, err := sa.GetOrder(
 					context.Background(),
-					&sapb.OrderRequest{Id: tc.OrderReq.Order.Id})
+					&sapb.OrderRequest{Id: *tc.OrderReq.Order.Id})
 				test.AssertNotError(t, err, "Error getting order to check serial")
 				test.AssertNotEquals(t, *updatedOrder.CertificateSerial, "")
 				test.AssertEquals(t, *updatedOrder.Status, "valid")
@ -3134,7 +3130,7 @@ func TestFinalizeOrderWithMixedSANAndCN(t *testing.T) {
 	// Check that the order now has a serial for the issued certificate
 	updatedOrder, err := sa.GetOrder(
 		context.Background(),
-		&sapb.OrderRequest{Id: mixedOrder.Id})
+		&sapb.OrderRequest{Id: *mixedOrder.Id})
 	test.AssertNotError(t, err, "Error getting order to check serial")
 	test.AssertNotEquals(t, *updatedOrder.CertificateSerial, "")
 	test.AssertEquals(t, *updatedOrder.Status, "valid")
@ -3211,24 +3207,21 @@ func TestFinalizeOrderWildcard(t *testing.T) {
 	test.AssertNotError(t, err, "NewOrder failed for wildcard domain order")
 	test.AssertEquals(t, numAuthorizations(validOrder), 1)
 	// We expect to be able to get the authorization by ID
-	_, err = sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &validOrder.V2Authorizations[0]})
+	_, err = sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: validOrder.V2Authorizations[0]})
 	test.AssertNotError(t, err, "sa.GetAuthorization2 failed")

 	// Finalize the authorization with the challenge validated
-	status := string(core.StatusValid)
-	attempted := string(core.ChallengeTypeDNS01)
-	expInt := ra.clk.Now().Add(time.Hour * 24 * 7).UnixNano()
 	err = sa.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
-		Id:        &validOrder.V2Authorizations[0],
-		Status:    &status,
-		Expires:   &expInt,
-		Attempted: &attempted,
+		Id:        validOrder.V2Authorizations[0],
+		Status:    string(core.StatusValid),
+		Expires:   ra.clk.Now().Add(time.Hour * 24 * 7).UnixNano(),
+		Attempted: string(core.ChallengeTypeDNS01),
 	})
 	test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")

 	// Refresh the order so the SA sets its status
 	validOrder, err = sa.GetOrder(ctx, &sapb.OrderRequest{
-		Id: validOrder.Id,
+		Id: *validOrder.Id,
 	})
 	test.AssertNotError(t, err, "Could not refresh valid order from SA")

@ -3284,13 +3277,11 @@ func TestIssueCertificateAuditLog(t *testing.T) {
 		})
 		test.AssertNotError(t, err, "sa.NewAuthorzations2 failed")
 		// Finalize the authz
-		status := "valid"
-		expInt := exp.UnixNano()
 		err = sa.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
-			Id:        &ids.Ids[0],
-			Status:    &status,
-			Expires:   &expInt,
-			Attempted: &chalType,
+			Id:        ids.Ids[0],
+			Status:    "valid",
+			Expires:   exp.UnixNano(),
+			Attempted: chalType,
 		})
 		test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
 		return ids.Ids[0]
@ -3639,14 +3630,12 @@ func TestIssueCertificateInnerErrs(t *testing.T) {
 		})
 		test.AssertNotError(t, err, "sa.NewAuthorzations2 failed")
 		// Finalize the authz
-		status := "valid"
-		expInt := exp.UnixNano()
 		attempted := string(httpChal.Type)
 		err = sa.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
-			Id:        &ids.Ids[0],
-			Status:    &status,
-			Expires:   &expInt,
-			Attempted: &attempted,
+			Id:        ids.Ids[0],
+			Status:    "valid",
+			Expires:   exp.UnixNano(),
+			Attempted: attempted,
 		})
 		test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
 		return ids.Ids[0]
@ -3765,12 +3754,7 @@ type mockSAPreviousValidations struct {
 }

 func (ms *mockSAPreviousValidations) PreviousCertificateExists(ctx context.Context, req *sapb.PreviousCertificateExistsRequest) (*sapb.Exists, error) {
-	t := true
-	f := false
-	if *req.Domain == ms.existsDomain {
-		return &sapb.Exists{Exists: &t}, nil
-	}
-	return &sapb.Exists{Exists: &f}, nil
+	return &sapb.Exists{Exists: req.Domain == ms.existsDomain}, nil
 }

 func (ms *mockSAPreviousValidations) GetPendingAuthorization(_ context.Context, _ *sapb.GetPendingAuthorizationRequest) (*core.Authorization, error) {
@ -3941,8 +3925,8 @@ func TestRevocationAddBlockedKey(t *testing.T) {
 	test.AssertNotError(t, err, "RevokeCertificateWithReg failed")
 	test.Assert(t, mockSA.added != nil, "blocked key was not added when reason was keyCompromise")
 	test.Assert(t, bytes.Equal(digest[:], mockSA.added.KeyHash), "key hash mismatch")
-	test.AssertEquals(t, *mockSA.added.Source, "API")
-	test.Assert(t, mockSA.added.Comment == nil, "Comment is not nil")
+	test.AssertEquals(t, mockSA.added.Source, "API")
+	test.Assert(t, mockSA.added.Comment == "", "Comment is not empty")
 	test.AssertEquals(t, test.CountCounterVec(
 		"reason", "keyCompromise", ra.revocationReasonCounter), 1)

@ -3951,9 +3935,9 @@ func TestRevocationAddBlockedKey(t *testing.T) {
 	test.AssertNotError(t, err, "AdministrativelyRevokeCertificate failed")
 	test.Assert(t, mockSA.added != nil, "blocked key was not added when reason was keyCompromise")
 	test.Assert(t, bytes.Equal(digest[:], mockSA.added.KeyHash), "key hash mismatch")
-	test.AssertEquals(t, *mockSA.added.Source, "admin-revoker")
-	test.Assert(t, mockSA.added.Comment != nil, "Comment is nil")
-	test.AssertEquals(t, *mockSA.added.Comment, "revoked by root")
+	test.AssertEquals(t, mockSA.added.Source, "admin-revoker")
+	test.Assert(t, mockSA.added.Comment != "", "Comment is nil")
+	test.AssertEquals(t, mockSA.added.Comment, "revoked by root")
 	test.AssertEquals(t, test.CountCounterVec(
 		"reason", "keyCompromise", ra.revocationReasonCounter), 2)
 }
--- a/sa/precertificates.go
+++ b/sa/precertificates.go
@ -20,16 +20,14 @@ var errIncompleteRequest = errors.New("Incomplete gRPC request message")

 // AddSerial writes a record of a serial number generation to the DB.
 func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error) {
-	if req == nil || req.Created == nil || req.Expires == nil || req.Serial == nil || req.RegID == nil {
+	if core.IsAnyNilOrZero(req.Created, req.Expires, req.Serial, req.RegID) {
 		return nil, errIncompleteRequest
 	}
-	created := time.Unix(0, *req.Created)
-	expires := time.Unix(0, *req.Expires)
 	err := ssa.dbMap.WithContext(ctx).Insert(&recordedSerialModel{
-		Serial:         *req.Serial,
-		RegistrationID: *req.RegID,
-		Created:        created,
-		Expires:        expires,
+		Serial:         req.Serial,
+		RegistrationID: req.RegID,
+		Created:        time.Unix(0, req.Created),
+		Expires:        time.Unix(0, req.Expires),
 	})
 	if err != nil {
 		return nil, err
@ -39,19 +37,19 @@ func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSeri

 // AddPrecertificate writes a record of a precertificate generation to the DB.
 func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error) {
-	if req == nil || req.Der == nil || req.Issued == nil || req.RegID == nil {
+	if core.IsAnyNilOrZero(req.Der, req.Issued, req.RegID) {
 		return nil, errIncompleteRequest
 	}
 	parsed, err := x509.ParseCertificate(req.Der)
 	if err != nil {
 		return nil, err
 	}
-	issued := time.Unix(0, *req.Issued)
+	issued := time.Unix(0, req.Issued)
 	serialHex := core.SerialToString(parsed.SerialNumber)

 	preCertModel := &precertificateModel{
 		Serial:         serialHex,
-		RegistrationID: *req.RegID,
+		RegistrationID: req.RegID,
 		DER:            req.Der,
 		Issued:         issued,
 		Expires:        parsed.NotAfter,
@ -125,16 +123,16 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
 // GetPrecertificate takes a serial number and returns the corresponding
 // precertificate, or error if it does not exist.
 func (ssa *SQLStorageAuthority) GetPrecertificate(ctx context.Context, reqSerial *sapb.Serial) (*corepb.Certificate, error) {
-	if !core.ValidSerial(*reqSerial.Serial) {
+	if !core.ValidSerial(reqSerial.Serial) {
 		return nil,
-			fmt.Errorf("Invalid precertificate serial %q", *reqSerial.Serial)
+			fmt.Errorf("Invalid precertificate serial %q", reqSerial.Serial)
 	}
-	cert, err := SelectPrecertificate(ssa.dbMap.WithContext(ctx), *reqSerial.Serial)
+	cert, err := SelectPrecertificate(ssa.dbMap.WithContext(ctx), reqSerial.Serial)
 	if err != nil {
 		if db.IsNoRows(err) {
 			return nil, berrors.NotFoundError(
 				"precertificate with serial %q not found",
-				*reqSerial.Serial)
+				reqSerial.Serial)
 		}
 		return nil, err
 	}
--- a/sa/precertificates_test.go
+++ b/sa/precertificates_test.go
@ -43,12 +43,11 @@ func TestAddPrecertificate(t *testing.T) {
 		ocspResp := []byte{0, 0, 1}
 		regID := reg.ID
 		issuedTime := time.Date(2018, 4, 1, 7, 0, 0, 0, time.UTC)
-		issuedTimeNano := issuedTime.UnixNano()
 		_, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 			Der:    testCert.Raw,
-			RegID:  &regID,
+			RegID:  regID,
 			Ocsp:   ocspResp,
-			Issued: &issuedTimeNano,
+			Issued: issuedTime.UnixNano(),
 		})
 		test.AssertNotError(t, err, "Couldn't add test cert")

@ -88,9 +87,9 @@ func TestAddPrecertificate(t *testing.T) {
 		// error
 		_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 			Der:    testCert.Raw,
-			RegID:  &regID,
+			RegID:  regID,
 			Ocsp:   ocspResp,
-			Issued: &issuedTimeNano,
+			Issued: issuedTime.UnixNano(),
 		})
 		if err == nil {
 			t.Fatalf("Expected error inserting duplicate precertificate, got none")
@ -109,12 +108,11 @@ func TestAddPrecertificateKeyHash(t *testing.T) {
 	reg := satest.CreateWorkingRegistration(t, sa)

 	serial, testCert := test.ThrowAwayCert(t, 1)
-	issued := testCert.NotBefore.UnixNano()
 	_, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    testCert.Raw,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   []byte{1, 2, 3},
-		Issued: &issued,
+		Issued: testCert.NotBefore.UnixNano(),
 	})
 	test.AssertNotError(t, err, "failed to add precert")

--- a/sa/proto/sa.pb.go
+++ b/sa/proto/sa.pb.go
@ -35,7 +35,7 @@ type RegistrationID struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id *int64 `protobuf:"varint,1,opt,name=id" json:"id,omitempty"`
+	Id int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
 }

 func (x *RegistrationID) Reset() {
@ -71,8 +71,8 @@ func (*RegistrationID) Descriptor() ([]byte, []int) {
 }

 func (x *RegistrationID) GetId() int64 {
-	if x != nil && x.Id != nil {
-		return *x.Id
+	if x != nil {
+		return x.Id
 	}
 	return 0
 }
@ -82,7 +82,7 @@ type JSONWebKey struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Jwk []byte `protobuf:"bytes,1,opt,name=jwk" json:"jwk,omitempty"`
+	Jwk []byte `protobuf:"bytes,1,opt,name=jwk,proto3" json:"jwk,omitempty"`
 }

 func (x *JSONWebKey) Reset() {
@ -129,7 +129,7 @@ type AuthorizationID struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id *string `protobuf:"bytes,1,opt,name=id" json:"id,omitempty"`
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 }

 func (x *AuthorizationID) Reset() {
@ -165,8 +165,8 @@ func (*AuthorizationID) Descriptor() ([]byte, []int) {
 }

 func (x *AuthorizationID) GetId() string {
-	if x != nil && x.Id != nil {
-		return *x.Id
+	if x != nil {
+		return x.Id
 	}
 	return ""
 }
@ -176,11 +176,11 @@ type GetPendingAuthorizationRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	RegistrationID  *int64  `protobuf:"varint,1,opt,name=registrationID" json:"registrationID,omitempty"`
-	IdentifierType  *string `protobuf:"bytes,2,opt,name=identifierType" json:"identifierType,omitempty"`
-	IdentifierValue *string `protobuf:"bytes,3,opt,name=identifierValue" json:"identifierValue,omitempty"`
+	RegistrationID  int64  `protobuf:"varint,1,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
+	IdentifierType  string `protobuf:"bytes,2,opt,name=identifierType,proto3" json:"identifierType,omitempty"`
+	IdentifierValue string `protobuf:"bytes,3,opt,name=identifierValue,proto3" json:"identifierValue,omitempty"`
 	// Result must be valid until at least this Unix timestamp (nanos)
-	ValidUntil *int64 `protobuf:"varint,4,opt,name=validUntil" json:"validUntil,omitempty"`
+	ValidUntil int64 `protobuf:"varint,4,opt,name=validUntil,proto3" json:"validUntil,omitempty"`
 }

 func (x *GetPendingAuthorizationRequest) Reset() {
@ -216,29 +216,29 @@ func (*GetPendingAuthorizationRequest) Descriptor() ([]byte, []int) {
 }

 func (x *GetPendingAuthorizationRequest) GetRegistrationID() int64 {
-	if x != nil && x.RegistrationID != nil {
-		return *x.RegistrationID
+	if x != nil {
+		return x.RegistrationID
 	}
 	return 0
 }

 func (x *GetPendingAuthorizationRequest) GetIdentifierType() string {
-	if x != nil && x.IdentifierType != nil {
-		return *x.IdentifierType
+	if x != nil {
+		return x.IdentifierType
 	}
 	return ""
 }

 func (x *GetPendingAuthorizationRequest) GetIdentifierValue() string {
-	if x != nil && x.IdentifierValue != nil {
-		return *x.IdentifierValue
+	if x != nil {
+		return x.IdentifierValue
 	}
 	return ""
 }

 func (x *GetPendingAuthorizationRequest) GetValidUntil() int64 {
-	if x != nil && x.ValidUntil != nil {
-		return *x.ValidUntil
+	if x != nil {
+		return x.ValidUntil
 	}
 	return 0
 }
@ -248,9 +248,9 @@ type GetValidAuthorizationsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	RegistrationID *int64   `protobuf:"varint,1,opt,name=registrationID" json:"registrationID,omitempty"`
-	Domains        []string `protobuf:"bytes,2,rep,name=domains" json:"domains,omitempty"`
-	Now            *int64   `protobuf:"varint,3,opt,name=now" json:"now,omitempty"` // Unix timestamp (nanoseconds)
+	RegistrationID int64    `protobuf:"varint,1,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
+	Domains        []string `protobuf:"bytes,2,rep,name=domains,proto3" json:"domains,omitempty"`
+	Now            int64    `protobuf:"varint,3,opt,name=now,proto3" json:"now,omitempty"` // Unix timestamp (nanoseconds)
 }

 func (x *GetValidAuthorizationsRequest) Reset() {
@ -286,8 +286,8 @@ func (*GetValidAuthorizationsRequest) Descriptor() ([]byte, []int) {
 }

 func (x *GetValidAuthorizationsRequest) GetRegistrationID() int64 {
-	if x != nil && x.RegistrationID != nil {
-		return *x.RegistrationID
+	if x != nil {
+		return x.RegistrationID
 	}
 	return 0
 }
@ -300,8 +300,8 @@ func (x *GetValidAuthorizationsRequest) GetDomains() []string {
 }

 func (x *GetValidAuthorizationsRequest) GetNow() int64 {
-	if x != nil && x.Now != nil {
-		return *x.Now
+	if x != nil {
+		return x.Now
 	}
 	return 0
 }
@ -311,7 +311,7 @@ type ValidAuthorizations struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Valid []*ValidAuthorizations_MapElement `protobuf:"bytes,1,rep,name=valid" json:"valid,omitempty"`
+	Valid []*ValidAuthorizations_MapElement `protobuf:"bytes,1,rep,name=valid,proto3" json:"valid,omitempty"`
 }

 func (x *ValidAuthorizations) Reset() {
@ -358,7 +358,7 @@ type Serial struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Serial *string `protobuf:"bytes,1,opt,name=serial" json:"serial,omitempty"`
+	Serial string `protobuf:"bytes,1,opt,name=serial,proto3" json:"serial,omitempty"`
 }

 func (x *Serial) Reset() {
@ -394,8 +394,8 @@ func (*Serial) Descriptor() ([]byte, []int) {
 }

 func (x *Serial) GetSerial() string {
-	if x != nil && x.Serial != nil {
-		return *x.Serial
+	if x != nil {
+		return x.Serial
 	}
 	return ""
 }
@ -405,8 +405,8 @@ type Range struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Earliest *int64 `protobuf:"varint,1,opt,name=earliest" json:"earliest,omitempty"` // Unix timestamp (nanoseconds)
-	Latest   *int64 `protobuf:"varint,2,opt,name=latest" json:"latest,omitempty"`     // Unix timestamp (nanoseconds)
+	Earliest int64 `protobuf:"varint,1,opt,name=earliest,proto3" json:"earliest,omitempty"` // Unix timestamp (nanoseconds)
+	Latest   int64 `protobuf:"varint,2,opt,name=latest,proto3" json:"latest,omitempty"`     // Unix timestamp (nanoseconds)
 }

 func (x *Range) Reset() {
@ -442,15 +442,15 @@ func (*Range) Descriptor() ([]byte, []int) {
 }

 func (x *Range) GetEarliest() int64 {
-	if x != nil && x.Earliest != nil {
-		return *x.Earliest
+	if x != nil {
+		return x.Earliest
 	}
 	return 0
 }

 func (x *Range) GetLatest() int64 {
-	if x != nil && x.Latest != nil {
-		return *x.Latest
+	if x != nil {
+		return x.Latest
 	}
 	return 0
 }
@ -460,7 +460,7 @@ type Count struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Count *int64 `protobuf:"varint,1,opt,name=count" json:"count,omitempty"`
+	Count int64 `protobuf:"varint,1,opt,name=count,proto3" json:"count,omitempty"`
 }

 func (x *Count) Reset() {
@ -496,8 +496,8 @@ func (*Count) Descriptor() ([]byte, []int) {
 }

 func (x *Count) GetCount() int64 {
-	if x != nil && x.Count != nil {
-		return *x.Count
+	if x != nil {
+		return x.Count
 	}
 	return 0
 }
@ -507,8 +507,8 @@ type CountCertificatesByNamesRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Range *Range   `protobuf:"bytes,1,opt,name=range" json:"range,omitempty"`
-	Names []string `protobuf:"bytes,2,rep,name=names" json:"names,omitempty"`
+	Range *Range   `protobuf:"bytes,1,opt,name=range,proto3" json:"range,omitempty"`
+	Names []string `protobuf:"bytes,2,rep,name=names,proto3" json:"names,omitempty"`
 }

 func (x *CountCertificatesByNamesRequest) Reset() {
@ -562,7 +562,7 @@ type CountByNames struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	CountByNames []*CountByNames_MapElement `protobuf:"bytes,1,rep,name=countByNames" json:"countByNames,omitempty"`
+	CountByNames []*CountByNames_MapElement `protobuf:"bytes,1,rep,name=countByNames,proto3" json:"countByNames,omitempty"`
 }

 func (x *CountByNames) Reset() {
@ -609,8 +609,8 @@ type CountRegistrationsByIPRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Ip    []byte `protobuf:"bytes,1,opt,name=ip" json:"ip,omitempty"`
-	Range *Range `protobuf:"bytes,2,opt,name=range" json:"range,omitempty"`
+	Ip    []byte `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
+	Range *Range `protobuf:"bytes,2,opt,name=range,proto3" json:"range,omitempty"`
 }

 func (x *CountRegistrationsByIPRequest) Reset() {
@ -664,10 +664,10 @@ type CountInvalidAuthorizationsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	RegistrationID *int64  `protobuf:"varint,1,opt,name=registrationID" json:"registrationID,omitempty"`
-	Hostname       *string `protobuf:"bytes,2,opt,name=hostname" json:"hostname,omitempty"`
+	RegistrationID int64  `protobuf:"varint,1,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
+	Hostname       string `protobuf:"bytes,2,opt,name=hostname,proto3" json:"hostname,omitempty"`
 	// Count authorizations that expire in this range.
-	Range *Range `protobuf:"bytes,3,opt,name=range" json:"range,omitempty"`
+	Range *Range `protobuf:"bytes,3,opt,name=range,proto3" json:"range,omitempty"`
 }

 func (x *CountInvalidAuthorizationsRequest) Reset() {
@ -703,15 +703,15 @@ func (*CountInvalidAuthorizationsRequest) Descriptor() ([]byte, []int) {
 }

 func (x *CountInvalidAuthorizationsRequest) GetRegistrationID() int64 {
-	if x != nil && x.RegistrationID != nil {
-		return *x.RegistrationID
+	if x != nil {
+		return x.RegistrationID
 	}
 	return 0
 }

 func (x *CountInvalidAuthorizationsRequest) GetHostname() string {
-	if x != nil && x.Hostname != nil {
-		return *x.Hostname
+	if x != nil {
+		return x.Hostname
 	}
 	return ""
 }
@ -728,8 +728,8 @@ type CountOrdersRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	AccountID *int64 `protobuf:"varint,1,opt,name=accountID" json:"accountID,omitempty"`
-	Range     *Range `protobuf:"bytes,2,opt,name=range" json:"range,omitempty"`
+	AccountID int64  `protobuf:"varint,1,opt,name=accountID,proto3" json:"accountID,omitempty"`
+	Range     *Range `protobuf:"bytes,2,opt,name=range,proto3" json:"range,omitempty"`
 }

 func (x *CountOrdersRequest) Reset() {
@ -765,8 +765,8 @@ func (*CountOrdersRequest) Descriptor() ([]byte, []int) {
 }

 func (x *CountOrdersRequest) GetAccountID() int64 {
-	if x != nil && x.AccountID != nil {
-		return *x.AccountID
+	if x != nil {
+		return x.AccountID
 	}
 	return 0
 }
@ -783,8 +783,8 @@ type CountFQDNSetsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Window  *int64   `protobuf:"varint,1,opt,name=window" json:"window,omitempty"`
-	Domains []string `protobuf:"bytes,2,rep,name=domains" json:"domains,omitempty"`
+	Window  int64    `protobuf:"varint,1,opt,name=window,proto3" json:"window,omitempty"`
+	Domains []string `protobuf:"bytes,2,rep,name=domains,proto3" json:"domains,omitempty"`
 }

 func (x *CountFQDNSetsRequest) Reset() {
@ -820,8 +820,8 @@ func (*CountFQDNSetsRequest) Descriptor() ([]byte, []int) {
 }

 func (x *CountFQDNSetsRequest) GetWindow() int64 {
-	if x != nil && x.Window != nil {
-		return *x.Window
+	if x != nil {
+		return x.Window
 	}
 	return 0
 }
@ -838,7 +838,7 @@ type FQDNSetExistsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Domains []string `protobuf:"bytes,1,rep,name=domains" json:"domains,omitempty"`
+	Domains []string `protobuf:"bytes,1,rep,name=domains,proto3" json:"domains,omitempty"`
 }

 func (x *FQDNSetExistsRequest) Reset() {
@ -885,8 +885,8 @@ type PreviousCertificateExistsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Domain *string `protobuf:"bytes,1,opt,name=domain" json:"domain,omitempty"`
-	RegID  *int64  `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
+	Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	RegID  int64  `protobuf:"varint,2,opt,name=regID,proto3" json:"regID,omitempty"`
 }

 func (x *PreviousCertificateExistsRequest) Reset() {
@ -922,15 +922,15 @@ func (*PreviousCertificateExistsRequest) Descriptor() ([]byte, []int) {
 }

 func (x *PreviousCertificateExistsRequest) GetDomain() string {
-	if x != nil && x.Domain != nil {
-		return *x.Domain
+	if x != nil {
+		return x.Domain
 	}
 	return ""
 }

 func (x *PreviousCertificateExistsRequest) GetRegID() int64 {
-	if x != nil && x.RegID != nil {
-		return *x.RegID
+	if x != nil {
+		return x.RegID
 	}
 	return 0
 }
@ -940,7 +940,7 @@ type Exists struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Exists *bool `protobuf:"varint,1,opt,name=exists" json:"exists,omitempty"`
+	Exists bool `protobuf:"varint,1,opt,name=exists,proto3" json:"exists,omitempty"`
 }

 func (x *Exists) Reset() {
@ -976,8 +976,8 @@ func (*Exists) Descriptor() ([]byte, []int) {
 }

 func (x *Exists) GetExists() bool {
-	if x != nil && x.Exists != nil {
-		return *x.Exists
+	if x != nil {
+		return x.Exists
 	}
 	return false
 }
@ -987,10 +987,10 @@ type AddSerialRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	RegID   *int64  `protobuf:"varint,1,opt,name=regID" json:"regID,omitempty"`
-	Serial  *string `protobuf:"bytes,2,opt,name=serial" json:"serial,omitempty"`
-	Created *int64  `protobuf:"varint,3,opt,name=created" json:"created,omitempty"` // Unix timestamp (nanoseconds)
-	Expires *int64  `protobuf:"varint,4,opt,name=expires" json:"expires,omitempty"` // Unix timestamp (nanoseconds)
+	RegID   int64  `protobuf:"varint,1,opt,name=regID,proto3" json:"regID,omitempty"`
+	Serial  string `protobuf:"bytes,2,opt,name=serial,proto3" json:"serial,omitempty"`
+	Created int64  `protobuf:"varint,3,opt,name=created,proto3" json:"created,omitempty"` // Unix timestamp (nanoseconds)
+	Expires int64  `protobuf:"varint,4,opt,name=expires,proto3" json:"expires,omitempty"` // Unix timestamp (nanoseconds)
 }

 func (x *AddSerialRequest) Reset() {
@ -1026,29 +1026,29 @@ func (*AddSerialRequest) Descriptor() ([]byte, []int) {
 }

 func (x *AddSerialRequest) GetRegID() int64 {
-	if x != nil && x.RegID != nil {
-		return *x.RegID
+	if x != nil {
+		return x.RegID
 	}
 	return 0
 }

 func (x *AddSerialRequest) GetSerial() string {
-	if x != nil && x.Serial != nil {
-		return *x.Serial
+	if x != nil {
+		return x.Serial
 	}
 	return ""
 }

 func (x *AddSerialRequest) GetCreated() int64 {
-	if x != nil && x.Created != nil {
-		return *x.Created
+	if x != nil {
+		return x.Created
 	}
 	return 0
 }

 func (x *AddSerialRequest) GetExpires() int64 {
-	if x != nil && x.Expires != nil {
-		return *x.Expires
+	if x != nil {
+		return x.Expires
 	}
 	return 0
 }
@ -1058,16 +1058,16 @@ type AddCertificateRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Der   []byte `protobuf:"bytes,1,opt,name=der" json:"der,omitempty"`
-	RegID *int64 `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
+	Der   []byte `protobuf:"bytes,1,opt,name=der,proto3" json:"der,omitempty"`
+	RegID int64  `protobuf:"varint,2,opt,name=regID,proto3" json:"regID,omitempty"`
 	// A signed OCSP response for the certificate contained in "der".
 	// Note: The certificate status in the OCSP response is assumed to be 0 (good).
-	Ocsp []byte `protobuf:"bytes,3,opt,name=ocsp" json:"ocsp,omitempty"`
-	// An optional issued time. When not present the SA defaults to using
+	Ocsp []byte `protobuf:"bytes,3,opt,name=ocsp,proto3" json:"ocsp,omitempty"`
+	// An issued time. When not present the SA defaults to using
 	// the current time. The orphan-finder uses this parameter to add
 	// certificates with the correct historic issued date
-	Issued   *int64 `protobuf:"varint,4,opt,name=issued" json:"issued,omitempty"`
-	IssuerID *int64 `protobuf:"varint,5,opt,name=issuerID" json:"issuerID,omitempty"`
+	Issued   int64 `protobuf:"varint,4,opt,name=issued,proto3" json:"issued,omitempty"`
+	IssuerID int64 `protobuf:"varint,5,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
 }

 func (x *AddCertificateRequest) Reset() {
@ -1110,8 +1110,8 @@ func (x *AddCertificateRequest) GetDer() []byte {
 }

 func (x *AddCertificateRequest) GetRegID() int64 {
-	if x != nil && x.RegID != nil {
-		return *x.RegID
+	if x != nil {
+		return x.RegID
 	}
 	return 0
 }
@ -1124,15 +1124,15 @@ func (x *AddCertificateRequest) GetOcsp() []byte {
 }

 func (x *AddCertificateRequest) GetIssued() int64 {
-	if x != nil && x.Issued != nil {
-		return *x.Issued
+	if x != nil {
+		return x.Issued
 	}
 	return 0
 }

 func (x *AddCertificateRequest) GetIssuerID() int64 {
-	if x != nil && x.IssuerID != nil {
-		return *x.IssuerID
+	if x != nil {
+		return x.IssuerID
 	}
 	return 0
 }
@ -1142,7 +1142,7 @@ type AddCertificateResponse struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Digest *string `protobuf:"bytes,1,opt,name=digest" json:"digest,omitempty"`
+	Digest string `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"`
 }

 func (x *AddCertificateResponse) Reset() {
@ -1178,8 +1178,8 @@ func (*AddCertificateResponse) Descriptor() ([]byte, []int) {
 }

 func (x *AddCertificateResponse) GetDigest() string {
-	if x != nil && x.Digest != nil {
-		return *x.Digest
+	if x != nil {
+		return x.Digest
 	}
 	return ""
 }
@ -1189,8 +1189,8 @@ type OrderRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id                  *int64 `protobuf:"varint,1,opt,name=id" json:"id,omitempty"`
-	UseV2Authorizations *bool  `protobuf:"varint,2,opt,name=useV2Authorizations" json:"useV2Authorizations,omitempty"`
+	Id                  int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	UseV2Authorizations bool  `protobuf:"varint,2,opt,name=useV2Authorizations,proto3" json:"useV2Authorizations,omitempty"`
 }

 func (x *OrderRequest) Reset() {
@ -1226,15 +1226,15 @@ func (*OrderRequest) Descriptor() ([]byte, []int) {
 }

 func (x *OrderRequest) GetId() int64 {
-	if x != nil && x.Id != nil {
-		return *x.Id
+	if x != nil {
+		return x.Id
 	}
 	return 0
 }

 func (x *OrderRequest) GetUseV2Authorizations() bool {
-	if x != nil && x.UseV2Authorizations != nil {
-		return *x.UseV2Authorizations
+	if x != nil {
+		return x.UseV2Authorizations
 	}
 	return false
 }
@ -1244,8 +1244,8 @@ type GetValidOrderAuthorizationsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id     *int64 `protobuf:"varint,1,opt,name=id" json:"id,omitempty"`
-	AcctID *int64 `protobuf:"varint,2,opt,name=acctID" json:"acctID,omitempty"`
+	Id     int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	AcctID int64 `protobuf:"varint,2,opt,name=acctID,proto3" json:"acctID,omitempty"`
 }

 func (x *GetValidOrderAuthorizationsRequest) Reset() {
@ -1281,15 +1281,15 @@ func (*GetValidOrderAuthorizationsRequest) Descriptor() ([]byte, []int) {
 }

 func (x *GetValidOrderAuthorizationsRequest) GetId() int64 {
-	if x != nil && x.Id != nil {
-		return *x.Id
+	if x != nil {
+		return x.Id
 	}
 	return 0
 }

 func (x *GetValidOrderAuthorizationsRequest) GetAcctID() int64 {
-	if x != nil && x.AcctID != nil {
-		return *x.AcctID
+	if x != nil {
+		return x.AcctID
 	}
 	return 0
 }
@ -1299,9 +1299,9 @@ type GetOrderForNamesRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	AcctID              *int64   `protobuf:"varint,1,opt,name=acctID" json:"acctID,omitempty"`
-	Names               []string `protobuf:"bytes,2,rep,name=names" json:"names,omitempty"`
-	UseV2Authorizations *bool    `protobuf:"varint,3,opt,name=useV2Authorizations" json:"useV2Authorizations,omitempty"`
+	AcctID              int64    `protobuf:"varint,1,opt,name=acctID,proto3" json:"acctID,omitempty"`
+	Names               []string `protobuf:"bytes,2,rep,name=names,proto3" json:"names,omitempty"`
+	UseV2Authorizations bool     `protobuf:"varint,3,opt,name=useV2Authorizations,proto3" json:"useV2Authorizations,omitempty"`
 }

 func (x *GetOrderForNamesRequest) Reset() {
@ -1337,8 +1337,8 @@ func (*GetOrderForNamesRequest) Descriptor() ([]byte, []int) {
 }

 func (x *GetOrderForNamesRequest) GetAcctID() int64 {
-	if x != nil && x.AcctID != nil {
-		return *x.AcctID
+	if x != nil {
+		return x.AcctID
 	}
 	return 0
 }
@ -1351,8 +1351,8 @@ func (x *GetOrderForNamesRequest) GetNames() []string {
 }

 func (x *GetOrderForNamesRequest) GetUseV2Authorizations() bool {
-	if x != nil && x.UseV2Authorizations != nil {
-		return *x.UseV2Authorizations
+	if x != nil {
+		return x.UseV2Authorizations
 	}
 	return false
 }
@ -1362,10 +1362,10 @@ type GetAuthorizationsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	RegistrationID  *int64   `protobuf:"varint,1,opt,name=registrationID" json:"registrationID,omitempty"`
-	Domains         []string `protobuf:"bytes,2,rep,name=domains" json:"domains,omitempty"`
-	Now             *int64   `protobuf:"varint,3,opt,name=now" json:"now,omitempty"`                         // Unix timestamp (nanoseconds)
-	RequireV2Authzs *bool    `protobuf:"varint,4,opt,name=requireV2Authzs" json:"requireV2Authzs,omitempty"` // Do not include legacy V1 authzs
+	RegistrationID  int64    `protobuf:"varint,1,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
+	Domains         []string `protobuf:"bytes,2,rep,name=domains,proto3" json:"domains,omitempty"`
+	Now             int64    `protobuf:"varint,3,opt,name=now,proto3" json:"now,omitempty"`                         // Unix timestamp (nanoseconds)
+	RequireV2Authzs bool     `protobuf:"varint,4,opt,name=requireV2Authzs,proto3" json:"requireV2Authzs,omitempty"` // Do not include legacy V1 authzs
 }

 func (x *GetAuthorizationsRequest) Reset() {
@ -1401,8 +1401,8 @@ func (*GetAuthorizationsRequest) Descriptor() ([]byte, []int) {
 }

 func (x *GetAuthorizationsRequest) GetRegistrationID() int64 {
-	if x != nil && x.RegistrationID != nil {
-		return *x.RegistrationID
+	if x != nil {
+		return x.RegistrationID
 	}
 	return 0
 }
@ -1415,15 +1415,15 @@ func (x *GetAuthorizationsRequest) GetDomains() []string {
 }

 func (x *GetAuthorizationsRequest) GetNow() int64 {
-	if x != nil && x.Now != nil {
-		return *x.Now
+	if x != nil {
+		return x.Now
 	}
 	return 0
 }

 func (x *GetAuthorizationsRequest) GetRequireV2Authzs() bool {
-	if x != nil && x.RequireV2Authzs != nil {
-		return *x.RequireV2Authzs
+	if x != nil {
+		return x.RequireV2Authzs
 	}
 	return false
 }
@ -1433,7 +1433,7 @@ type Authorizations struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Authz []*Authorizations_MapElement `protobuf:"bytes,1,rep,name=authz" json:"authz,omitempty"`
+	Authz []*Authorizations_MapElement `protobuf:"bytes,1,rep,name=authz,proto3" json:"authz,omitempty"`
 }

 func (x *Authorizations) Reset() {
@ -1480,7 +1480,7 @@ type AddPendingAuthorizationsRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Authz []*proto1.Authorization `protobuf:"bytes,1,rep,name=authz" json:"authz,omitempty"`
+	Authz []*proto1.Authorization `protobuf:"bytes,1,rep,name=authz,proto3" json:"authz,omitempty"`
 }

 func (x *AddPendingAuthorizationsRequest) Reset() {
@ -1527,7 +1527,7 @@ type AuthorizationIDs struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Ids []string `protobuf:"bytes,1,rep,name=ids" json:"ids,omitempty"`
+	Ids []string `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"`
 }

 func (x *AuthorizationIDs) Reset() {
@ -1574,7 +1574,7 @@ type AuthorizationID2 struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id *int64 `protobuf:"varint,1,opt,name=id" json:"id,omitempty"`
+	Id int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
 }

 func (x *AuthorizationID2) Reset() {
@ -1610,8 +1610,8 @@ func (*AuthorizationID2) Descriptor() ([]byte, []int) {
 }

 func (x *AuthorizationID2) GetId() int64 {
-	if x != nil && x.Id != nil {
-		return *x.Id
+	if x != nil {
+		return x.Id
 	}
 	return 0
 }
@ -1621,7 +1621,7 @@ type Authorization2IDs struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Ids []int64 `protobuf:"varint,1,rep,name=ids" json:"ids,omitempty"`
+	Ids []int64 `protobuf:"varint,1,rep,packed,name=ids,proto3" json:"ids,omitempty"`
 }

 func (x *Authorization2IDs) Reset() {
@ -1668,10 +1668,10 @@ type RevokeCertificateRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Serial   *string `protobuf:"bytes,1,opt,name=serial" json:"serial,omitempty"`
-	Reason   *int64  `protobuf:"varint,2,opt,name=reason" json:"reason,omitempty"`
-	Date     *int64  `protobuf:"varint,3,opt,name=date" json:"date,omitempty"` // Unix timestamp (nanoseconds)
-	Response []byte  `protobuf:"bytes,4,opt,name=response" json:"response,omitempty"`
+	Serial   string `protobuf:"bytes,1,opt,name=serial,proto3" json:"serial,omitempty"`
+	Reason   int64  `protobuf:"varint,2,opt,name=reason,proto3" json:"reason,omitempty"`
+	Date     int64  `protobuf:"varint,3,opt,name=date,proto3" json:"date,omitempty"` // Unix timestamp (nanoseconds)
+	Response []byte `protobuf:"bytes,4,opt,name=response,proto3" json:"response,omitempty"`
 }

 func (x *RevokeCertificateRequest) Reset() {
@ -1707,22 +1707,22 @@ func (*RevokeCertificateRequest) Descriptor() ([]byte, []int) {
 }

 func (x *RevokeCertificateRequest) GetSerial() string {
-	if x != nil && x.Serial != nil {
-		return *x.Serial
+	if x != nil {
+		return x.Serial
 	}
 	return ""
 }

 func (x *RevokeCertificateRequest) GetReason() int64 {
-	if x != nil && x.Reason != nil {
-		return *x.Reason
+	if x != nil {
+		return x.Reason
 	}
 	return 0
 }

 func (x *RevokeCertificateRequest) GetDate() int64 {
-	if x != nil && x.Date != nil {
-		return *x.Date
+	if x != nil {
+		return x.Date
 	}
 	return 0
 }
@ -1739,12 +1739,12 @@ type FinalizeAuthorizationRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id                *int64                     `protobuf:"varint,1,opt,name=id" json:"id,omitempty"`
-	Status            *string                    `protobuf:"bytes,2,opt,name=status" json:"status,omitempty"`
-	Expires           *int64                     `protobuf:"varint,3,opt,name=expires" json:"expires,omitempty"` // Unix timestamp (nanoseconds)
-	Attempted         *string                    `protobuf:"bytes,4,opt,name=attempted" json:"attempted,omitempty"`
-	ValidationRecords []*proto1.ValidationRecord `protobuf:"bytes,5,rep,name=validationRecords" json:"validationRecords,omitempty"`
-	ValidationError   *proto1.ProblemDetails     `protobuf:"bytes,6,opt,name=validationError" json:"validationError,omitempty"`
+	Id                int64                      `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Status            string                     `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
+	Expires           int64                      `protobuf:"varint,3,opt,name=expires,proto3" json:"expires,omitempty"` // Unix timestamp (nanoseconds)
+	Attempted         string                     `protobuf:"bytes,4,opt,name=attempted,proto3" json:"attempted,omitempty"`
+	ValidationRecords []*proto1.ValidationRecord `protobuf:"bytes,5,rep,name=validationRecords,proto3" json:"validationRecords,omitempty"`
+	ValidationError   *proto1.ProblemDetails     `protobuf:"bytes,6,opt,name=validationError,proto3" json:"validationError,omitempty"`
 }

 func (x *FinalizeAuthorizationRequest) Reset() {
@ -1780,29 +1780,29 @@ func (*FinalizeAuthorizationRequest) Descriptor() ([]byte, []int) {
 }

 func (x *FinalizeAuthorizationRequest) GetId() int64 {
-	if x != nil && x.Id != nil {
-		return *x.Id
+	if x != nil {
+		return x.Id
 	}
 	return 0
 }

 func (x *FinalizeAuthorizationRequest) GetStatus() string {
-	if x != nil && x.Status != nil {
-		return *x.Status
+	if x != nil {
+		return x.Status
 	}
 	return ""
 }

 func (x *FinalizeAuthorizationRequest) GetExpires() int64 {
-	if x != nil && x.Expires != nil {
-		return *x.Expires
+	if x != nil {
+		return x.Expires
 	}
 	return 0
 }

 func (x *FinalizeAuthorizationRequest) GetAttempted() string {
-	if x != nil && x.Attempted != nil {
-		return *x.Attempted
+	if x != nil {
+		return x.Attempted
 	}
 	return ""
 }
@ -1826,11 +1826,11 @@ type AddBlockedKeyRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	KeyHash   []byte  `protobuf:"bytes,1,opt,name=keyHash" json:"keyHash,omitempty"`
-	Added     *int64  `protobuf:"varint,2,opt,name=added" json:"added,omitempty"` // Unix timestamp (nanoseconds)
-	Source    *string `protobuf:"bytes,3,opt,name=source" json:"source,omitempty"`
-	Comment   *string `protobuf:"bytes,4,opt,name=comment" json:"comment,omitempty"`
-	RevokedBy *int64  `protobuf:"varint,5,opt,name=revokedBy" json:"revokedBy,omitempty"`
+	KeyHash   []byte `protobuf:"bytes,1,opt,name=keyHash,proto3" json:"keyHash,omitempty"`
+	Added     int64  `protobuf:"varint,2,opt,name=added,proto3" json:"added,omitempty"` // Unix timestamp (nanoseconds)
+	Source    string `protobuf:"bytes,3,opt,name=source,proto3" json:"source,omitempty"`
+	Comment   string `protobuf:"bytes,4,opt,name=comment,proto3" json:"comment,omitempty"`
+	RevokedBy int64  `protobuf:"varint,5,opt,name=revokedBy,proto3" json:"revokedBy,omitempty"`
 }

 func (x *AddBlockedKeyRequest) Reset() {
@ -1873,29 +1873,29 @@ func (x *AddBlockedKeyRequest) GetKeyHash() []byte {
 }

 func (x *AddBlockedKeyRequest) GetAdded() int64 {
-	if x != nil && x.Added != nil {
-		return *x.Added
+	if x != nil {
+		return x.Added
 	}
 	return 0
 }

 func (x *AddBlockedKeyRequest) GetSource() string {
-	if x != nil && x.Source != nil {
-		return *x.Source
+	if x != nil {
+		return x.Source
 	}
 	return ""
 }

 func (x *AddBlockedKeyRequest) GetComment() string {
-	if x != nil && x.Comment != nil {
-		return *x.Comment
+	if x != nil {
+		return x.Comment
 	}
 	return ""
 }

 func (x *AddBlockedKeyRequest) GetRevokedBy() int64 {
-	if x != nil && x.RevokedBy != nil {
-		return *x.RevokedBy
+	if x != nil {
+		return x.RevokedBy
 	}
 	return 0
 }
@ -1905,7 +1905,7 @@ type KeyBlockedRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	KeyHash []byte `protobuf:"bytes,1,opt,name=keyHash" json:"keyHash,omitempty"`
+	KeyHash []byte `protobuf:"bytes,1,opt,name=keyHash,proto3" json:"keyHash,omitempty"`
 }

 func (x *KeyBlockedRequest) Reset() {
@ -1952,8 +1952,8 @@ type ValidAuthorizations_MapElement struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Domain *string               `protobuf:"bytes,1,opt,name=domain" json:"domain,omitempty"`
-	Authz  *proto1.Authorization `protobuf:"bytes,2,opt,name=authz" json:"authz,omitempty"`
+	Domain string                `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	Authz  *proto1.Authorization `protobuf:"bytes,2,opt,name=authz,proto3" json:"authz,omitempty"`
 }

 func (x *ValidAuthorizations_MapElement) Reset() {
@ -1989,8 +1989,8 @@ func (*ValidAuthorizations_MapElement) Descriptor() ([]byte, []int) {
 }

 func (x *ValidAuthorizations_MapElement) GetDomain() string {
-	if x != nil && x.Domain != nil {
-		return *x.Domain
+	if x != nil {
+		return x.Domain
 	}
 	return ""
 }
@ -2007,8 +2007,8 @@ type CountByNames_MapElement struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Name  *string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
-	Count *int64  `protobuf:"varint,2,opt,name=count" json:"count,omitempty"`
+	Name  string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Count int64  `protobuf:"varint,2,opt,name=count,proto3" json:"count,omitempty"`
 }

 func (x *CountByNames_MapElement) Reset() {
@ -2044,15 +2044,15 @@ func (*CountByNames_MapElement) Descriptor() ([]byte, []int) {
 }

 func (x *CountByNames_MapElement) GetName() string {
-	if x != nil && x.Name != nil {
-		return *x.Name
+	if x != nil {
+		return x.Name
 	}
 	return ""
 }

 func (x *CountByNames_MapElement) GetCount() int64 {
-	if x != nil && x.Count != nil {
-		return *x.Count
+	if x != nil {
+		return x.Count
 	}
 	return 0
 }
@ -2062,8 +2062,8 @@ type Authorizations_MapElement struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Domain *string               `protobuf:"bytes,1,opt,name=domain" json:"domain,omitempty"`
-	Authz  *proto1.Authorization `protobuf:"bytes,2,opt,name=authz" json:"authz,omitempty"`
+	Domain string                `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	Authz  *proto1.Authorization `protobuf:"bytes,2,opt,name=authz,proto3" json:"authz,omitempty"`
 }

 func (x *Authorizations_MapElement) Reset() {
@ -2099,8 +2099,8 @@ func (*Authorizations_MapElement) Descriptor() ([]byte, []int) {
 }

 func (x *Authorizations_MapElement) GetDomain() string {
-	if x != nil && x.Domain != nil {
-		return *x.Domain
+	if x != nil {
+		return x.Domain
 	}
 	return ""
 }
@ -2467,7 +2467,7 @@ var file_sa_proto_sa_proto_rawDesc = []byte{
 	0x72, 0x65, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69,
 	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63,
 	0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x73, 0x61, 0x2f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/sa/proto/sa.proto
+++ b/sa/proto/sa.proto
@ -1,4 +1,4 @@
-syntax = "proto2";
+syntax = "proto3";

 package sa;
 option go_package = "github.com/letsencrypt/boulder/sa/proto";
@ -50,84 +50,84 @@ service StorageAuthority {
 }

 message RegistrationID {
-  optional int64 id = 1;
+  int64 id = 1;
 }

 message JSONWebKey {
-  optional bytes jwk = 1; 
+  bytes jwk = 1; 
 }

 message AuthorizationID {
-  optional string id = 1;
+  string id = 1;
 }

 message GetPendingAuthorizationRequest {
-  optional int64 registrationID = 1;
-  optional string identifierType = 2;
-  optional string identifierValue = 3;
+  int64 registrationID = 1;
+  string identifierType = 2;
+  string identifierValue = 3;
  // Result must be valid until at least this Unix timestamp (nanos)
-  optional int64 validUntil = 4;
+  int64 validUntil = 4;
 }

 message GetValidAuthorizationsRequest {
-  optional int64 registrationID = 1;
+  int64 registrationID = 1;
  repeated string domains = 2;
-  optional int64 now = 3; // Unix timestamp (nanoseconds)
+  int64 now = 3; // Unix timestamp (nanoseconds)
 }

 message ValidAuthorizations {
  message MapElement {
-          optional string domain = 1;
-          optional core.Authorization authz = 2;
+          string domain = 1;
+          core.Authorization authz = 2;
  }
  repeated MapElement valid = 1;
 }

 message Serial {
-  optional string serial = 1;
+  string serial = 1;
 }

 message Range {
-  optional int64 earliest = 1; // Unix timestamp (nanoseconds)
-  optional int64 latest = 2;   // Unix timestamp (nanoseconds)
+  int64 earliest = 1; // Unix timestamp (nanoseconds)
+  int64 latest = 2;   // Unix timestamp (nanoseconds)
 }

 message Count {
-  optional int64 count = 1;
+  int64 count = 1;
 }

 message CountCertificatesByNamesRequest {
-  optional Range range = 1;
+  Range range = 1;
  repeated string names = 2;
 }

 message CountByNames {
  message MapElement {
-          optional string name = 1;
-          optional int64 count = 2;
+          string name = 1;
+          int64 count = 2;
  }
  repeated MapElement countByNames = 1;
 }

 message CountRegistrationsByIPRequest {
-  optional bytes ip = 1;
-  optional Range range = 2;
+  bytes ip = 1;
+  Range range = 2;
 }

 message CountInvalidAuthorizationsRequest {
-  optional int64 registrationID = 1;
-  optional string hostname = 2;
+  int64 registrationID = 1;
+  string hostname = 2;
  // Count authorizations that expire in this range.
-  optional Range range = 3;
+  Range range = 3;
 }

 message CountOrdersRequest {
-  optional int64 accountID = 1;
-  optional Range range = 2;
+  int64 accountID = 1;
+  Range range = 2;
 }

 message CountFQDNSetsRequest {
-  optional int64 window = 1;
+  int64 window = 1;
  repeated string domains = 2;
 }

@ -136,65 +136,65 @@ message FQDNSetExistsRequest {
 }

 message PreviousCertificateExistsRequest {
-  optional string domain = 1;
-  optional int64 regID = 2;
+  string domain = 1;
+  int64 regID = 2;
 }

 message Exists {
-  optional bool exists = 1;
+  bool exists = 1;
 }

 message AddSerialRequest {
-  optional int64 regID = 1;
-  optional string serial = 2;
-  optional int64 created = 3; // Unix timestamp (nanoseconds)
-  optional int64 expires = 4; // Unix timestamp (nanoseconds)
+  int64 regID = 1;
+  string serial = 2;
+  int64 created = 3; // Unix timestamp (nanoseconds)
+  int64 expires = 4; // Unix timestamp (nanoseconds)
 }

 message AddCertificateRequest {
-  optional bytes der = 1;
-  optional int64 regID = 2;
+  bytes der = 1;
+  int64 regID = 2;
  // A signed OCSP response for the certificate contained in "der".
  // Note: The certificate status in the OCSP response is assumed to be 0 (good).
-  optional bytes ocsp = 3;
-  // An optional issued time. When not present the SA defaults to using
+  bytes ocsp = 3;
+  // An issued time. When not present the SA defaults to using
  // the current time. The orphan-finder uses this parameter to add
  // certificates with the correct historic issued date
-  optional int64 issued = 4;
-  optional int64 issuerID = 5;
+  int64 issued = 4;
+  int64 issuerID = 5;
 }

 message AddCertificateResponse {
-  optional string digest = 1;
+  string digest = 1;
 }

 message OrderRequest {
-  optional int64 id = 1;
-  optional bool useV2Authorizations = 2;
+  int64 id = 1;
+  bool useV2Authorizations = 2;
 }

 message GetValidOrderAuthorizationsRequest {
-  optional int64 id = 1;
-  optional int64 acctID = 2;
+  int64 id = 1;
+  int64 acctID = 2;
 }

 message GetOrderForNamesRequest {
-  optional int64 acctID = 1;
+  int64 acctID = 1;
  repeated string names = 2;
-  optional bool useV2Authorizations = 3;
+  bool useV2Authorizations = 3;
 }

 message GetAuthorizationsRequest {
-  optional int64 registrationID = 1;
+  int64 registrationID = 1;
  repeated string domains = 2;
-  optional int64 now = 3; // Unix timestamp (nanoseconds)
-  optional bool requireV2Authzs = 4; // Do not include legacy V1 authzs
+  int64 now = 3; // Unix timestamp (nanoseconds)
+  bool requireV2Authzs = 4; // Do not include legacy V1 authzs
 }

 message Authorizations {
  message MapElement {
-          optional string domain = 1;
-          optional core.Authorization authz = 2;
+          string domain = 1;
+          core.Authorization authz = 2;
  }
  repeated MapElement authz = 1;
 }
@ -208,7 +208,7 @@ message AuthorizationIDs {
 }

 message AuthorizationID2 {
-  optional int64 id = 1;
+  int64 id = 1;
 }

 message Authorization2IDs {
@ -216,29 +216,29 @@ message Authorization2IDs {
 }

 message RevokeCertificateRequest {
-  optional string serial = 1;
-  optional int64 reason = 2;
-  optional int64 date = 3; // Unix timestamp (nanoseconds)
-  optional bytes response = 4;
+  string serial = 1;
+  int64 reason = 2;
+  int64 date = 3; // Unix timestamp (nanoseconds)
+  bytes response = 4;
 }

 message FinalizeAuthorizationRequest {
-  optional int64 id = 1;
-  optional string status = 2;
-  optional int64 expires = 3; // Unix timestamp (nanoseconds)
-  optional string attempted = 4;
+  int64 id = 1;
+  string status = 2;
+  int64 expires = 3; // Unix timestamp (nanoseconds)
+  string attempted = 4;
  repeated core.ValidationRecord validationRecords = 5;
-  optional core.ProblemDetails validationError = 6;
+  core.ProblemDetails validationError = 6;
 }

 message AddBlockedKeyRequest {
-  optional bytes keyHash = 1;
-  optional int64 added = 2; // Unix timestamp (nanoseconds)
-  optional string source = 3;
-  optional string comment = 4;
-  optional int64 revokedBy = 5;
+  bytes keyHash = 1;
+  int64 added = 2; // Unix timestamp (nanoseconds)
+  string source = 3;
+  string comment = 4;
+  int64 revokedBy = 5;
 }

 message KeyBlockedRequest {
-  optional bytes keyHash = 1;
+  bytes keyHash = 1;
 }
--- a/sa/sa.go
+++ b/sa/sa.go
@ -286,8 +286,8 @@ func (ssa *SQLStorageAuthority) CountCertificatesByNames(ctx context.Context, do
 		name := string(r.domain)
 		pbCount := int64(r.count)
 		ret = append(ret, &sapb.CountByNames_MapElement{
-			Name:  &name,
-			Count: &pbCount,
+			Name:  name,
+			Count: pbCount,
 		})
 	}
 	return ret, nil
@ -765,11 +765,8 @@ func (ssa *SQLStorageAuthority) PreviousCertificateExists(
 	ctx context.Context,
 	req *sapb.PreviousCertificateExistsRequest,
 ) (*sapb.Exists, error) {
-	t := true
-	exists := &sapb.Exists{Exists: &t}
-
-	f := false
-	notExists := &sapb.Exists{Exists: &f}
+	exists := &sapb.Exists{Exists: true}
+	notExists := &sapb.Exists{Exists: false}

 	// Find the most recently issued certificate containing this domain name.
 	var serial string
@ -779,7 +776,7 @@ func (ssa *SQLStorageAuthority) PreviousCertificateExists(
 		WHERE reversedName = ?
 		ORDER BY notBefore DESC
 		LIMIT 1`,
-		ReverseName(*req.Domain),
+		ReverseName(req.Domain),
 	)
 	if err != nil {
 		if db.IsNoRows(err) {
@ -796,7 +793,7 @@ func (ssa *SQLStorageAuthority) PreviousCertificateExists(
 		WHERE serial = ?
 		AND registrationID = ?`,
 		serial,
-		*req.RegID,
+		req.RegID,
 	)
 	if err != nil {
 		// If no rows found, that means the certificate we found in issuedNames wasn't
@ -831,7 +828,7 @@ func (ssa *SQLStorageAuthority) DeactivateAuthorization2(ctx context.Context, re
 		`UPDATE authz2 SET status = :deactivated WHERE id = :id and status IN (:valid,:pending)`,
 		map[string]interface{}{
 			"deactivated": statusUint(core.StatusDeactivated),
-			"id":          *req.Id,
+			"id":          req.Id,
 			"valid":       statusUint(core.StatusValid),
 			"pending":     statusUint(core.StatusPending),
 		},
@ -1036,15 +1033,15 @@ func (ssa *SQLStorageAuthority) namesForOrder(ctx context.Context, orderID int64

 // GetOrder is used to retrieve an already existing order object
 func (ssa *SQLStorageAuthority) GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error) {
-	omObj, err := ssa.dbMap.WithContext(ctx).Get(orderModel{}, *req.Id)
+	omObj, err := ssa.dbMap.WithContext(ctx).Get(orderModel{}, req.Id)
 	if err != nil {
 		if db.IsNoRows(err) {
-			return nil, berrors.NotFoundError("no order found for ID %d", *req.Id)
+			return nil, berrors.NotFoundError("no order found for ID %d", req.Id)
 		}
 		return nil, err
 	}
 	if omObj == nil {
-		return nil, berrors.NotFoundError("no order found for ID %d", *req.Id)
+		return nil, berrors.NotFoundError("no order found for ID %d", req.Id)
 	}
 	order, err := modelToOrder(omObj.(*orderModel))
 	if err != nil {
@ -1052,7 +1049,7 @@ func (ssa *SQLStorageAuthority) GetOrder(ctx context.Context, req *sapb.OrderReq
 	}
 	orderExp := time.Unix(0, *order.Expires)
 	if orderExp.Before(ssa.clk.Now()) {
-		return nil, berrors.NotFoundError("no order found for ID %d", *req.Id)
+		return nil, berrors.NotFoundError("no order found for ID %d", req.Id)
 	}

 	v2AuthzIDs, err := ssa.authzForOrder(ctx, *order.Id)
@ -1293,12 +1290,12 @@ func (ssa *SQLStorageAuthority) GetOrderForNames(
 		return nil, err
 	}

-	if result.RegistrationID != *req.AcctID {
+	if result.RegistrationID != req.AcctID {
 		return nil, berrors.NotFoundError("no order matching request found")
 	}

 	// Get the order
-	order, err := ssa.GetOrder(ctx, &sapb.OrderRequest{Id: &result.OrderID})
+	order, err := ssa.GetOrder(ctx, &sapb.OrderRequest{Id: result.OrderID})
 	if err != nil {
 		return nil, err
 	}
@ -1317,9 +1314,7 @@ func AuthzMapToPB(m map[string]*core.Authorization) (*sapb.Authorizations, error
 		if err != nil {
 			return nil, err
 		}
-		// Make a copy of k because it will be reassigned with each loop.
-		kCopy := k
-		resp.Authz = append(resp.Authz, &sapb.Authorizations_MapElement{Domain: &kCopy, Authz: authzPB})
+		resp.Authz = append(resp.Authz, &sapb.Authorizations_MapElement{Domain: k, Authz: authzPB})
 	}
 	return resp, nil
 }
@ -1350,12 +1345,12 @@ func (ssa *SQLStorageAuthority) NewAuthorizations2(ctx context.Context, req *sap
 // If no authorization is found matching the ID a berrors.NotFound type error is returned. This method
 // is intended to deprecate GetAuthorization.
 func (ssa *SQLStorageAuthority) GetAuthorization2(ctx context.Context, id *sapb.AuthorizationID2) (*corepb.Authorization, error) {
-	obj, err := ssa.dbMap.Get(authzModel{}, *id.Id)
+	obj, err := ssa.dbMap.Get(authzModel{}, id.Id)
 	if err != nil {
 		return nil, err
 	}
 	if obj == nil {
-		return nil, berrors.NotFoundError("authorization %d not found", *id.Id)
+		return nil, berrors.NotFoundError("authorization %d not found", id.Id)
 	}
 	return modelToAuthzPB(*(obj.(*authzModel)))
 }
@ -1365,13 +1360,11 @@ func (ssa *SQLStorageAuthority) GetAuthorization2(ctx context.Context, id *sapb.
 func authzModelMapToPB(m map[string]authzModel) (*sapb.Authorizations, error) {
 	resp := &sapb.Authorizations{}
 	for k, v := range m {
-		// Make a copy of k because it will be reassigned with each loop.
-		kCopy := k
 		authzPB, err := modelToAuthzPB(v)
 		if err != nil {
 			return nil, err
 		}
-		resp.Authz = append(resp.Authz, &sapb.Authorizations_MapElement{Domain: &kCopy, Authz: authzPB})
+		resp.Authz = append(resp.Authz, &sapb.Authorizations_MapElement{Domain: k, Authz: authzPB})
 	}
 	return resp, nil
 }
@ -1385,10 +1378,10 @@ func authzModelMapToPB(m map[string]authzModel) (*sapb.Authorizations, error) {
 func (ssa *SQLStorageAuthority) GetAuthorizations2(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error) {
 	var authzModels []authzModel
 	params := []interface{}{
-		*req.RegistrationID,
+		req.RegistrationID,
 		statusUint(core.StatusValid),
 		statusUint(core.StatusPending),
-		time.Unix(0, *req.Now),
+		time.Unix(0, req.Now),
 		identifierTypeToUint[string(identifier.DNS)],
 	}
 	qmarks := make([]string, len(req.Domains))
@ -1474,7 +1467,7 @@ func (ssa *SQLStorageAuthority) GetAuthorizations2(ctx context.Context, req *sap
 // authorization is being moved to valid the validationRecord and expires fields must be set.
 // This method is intended to deprecate the FinalizeAuthorization method.
 func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) error {
-	if *req.Status != string(core.StatusValid) && *req.Status != string(core.StatusInvalid) {
+	if req.Status != string(core.StatusValid) && req.Status != string(core.StatusInvalid) {
 		return berrors.InternalServerError("authorization must have status valid or invalid")
 	}
 	query := `UPDATE authz2 SET
@ -1509,12 +1502,12 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
 		veJSON = j
 	}
 	params := map[string]interface{}{
-		"status":           statusToUint[*req.Status],
-		"attempted":        challTypeToUint[*req.Attempted],
+		"status":           statusToUint[req.Status],
+		"attempted":        challTypeToUint[req.Attempted],
 		"validationRecord": vrJSON,
-		"id":               *req.Id,
+		"id":               req.Id,
 		"pending":          statusUint(core.StatusPending),
-		"expires":          time.Unix(0, *req.Expires).UTC(),
+		"expires":          time.Unix(0, req.Expires).UTC(),
 		// if req.ValidationError is nil veJSON should also be nil
 		// which should result in a NULL field
 		"validationError": veJSON,
@ -1529,9 +1522,9 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
 		return err
 	}
 	if rows == 0 {
-		return berrors.NotFoundError("authorization with id %d not found", *req.Id)
+		return berrors.NotFoundError("authorization with id %d not found", req.Id)
 	} else if rows > 1 {
-		return berrors.InternalServerError("multiple rows updated for authorization id %d", *req.Id)
+		return berrors.InternalServerError("multiple rows updated for authorization id %d", req.Id)
 	}
 	return nil
 }
@ -1539,13 +1532,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
 // RevokeCertificate stores revocation information about a certificate. It will only store this
 // information if the certificate is not already marked as revoked.
 func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) error {
-	var reason revocation.Reason
-	if req.Reason == nil {
-		reason = revocation.Reason(0)
-	} else {
-		reason = revocation.Reason(*req.Reason)
-	}
-	revokedDate := time.Unix(0, *req.Date)
+	revokedDate := time.Unix(0, req.Date)
 	res, err := ssa.dbMap.Exec(
 		`UPDATE certificateStatus SET
 				status = ?,
@ -1555,11 +1542,11 @@ func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb
 				ocspResponse = ?
 			WHERE serial = ? AND status != ?`,
 		string(core.OCSPStatusRevoked),
-		reason,
+		revocation.Reason(req.Reason),
 		revokedDate,
 		revokedDate,
 		req.Response,
-		*req.Serial,
+		req.Serial,
 		string(core.OCSPStatusRevoked),
 	)
 	if err != nil {
@ -1572,7 +1559,7 @@ func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb
 	if rows == 0 {
 		// InternalServerError because we expected this certificate status to exist and
 		// not be revoked.
-		return berrors.InternalServerError("no certificate with serial %s and status %s", *req.Serial, string(core.OCSPStatusRevoked))
+		return berrors.InternalServerError("no certificate with serial %s and status %s", req.Serial, string(core.OCSPStatusRevoked))
 	}
 	return nil
 }
@ -1593,11 +1580,11 @@ func (ssa *SQLStorageAuthority) GetPendingAuthorization2(ctx context.Context, re
 			ORDER BY expires ASC
 			LIMIT 1 `, authzFields),
 		map[string]interface{}{
-			"regID":      *req.RegistrationID,
+			"regID":      req.RegistrationID,
 			"status":     statusUint(core.StatusPending),
-			"validUntil": time.Unix(0, *req.ValidUntil),
+			"validUntil": time.Unix(0, req.ValidUntil),
 			"dnsType":    identifierTypeToUint[string(identifier.DNS)],
-			"ident":      *req.IdentifierValue,
+			"ident":      req.IdentifierValue,
 		},
 	)
 	if err != nil {
@ -1619,7 +1606,7 @@ func (ssa *SQLStorageAuthority) CountPendingAuthorizations2(ctx context.Context,
 		expires > :expires AND
 		status = :status`,
 		map[string]interface{}{
-			"regID":   *req.Id,
+			"regID":   req.Id,
 			"expires": ssa.clk.Now(),
 			"status":  statusUint(core.StatusPending),
 		},
@ -1627,7 +1614,7 @@ func (ssa *SQLStorageAuthority) CountPendingAuthorizations2(ctx context.Context,
 	if err != nil {
 		return nil, err
 	}
-	return &sapb.Count{Count: &count}, nil
+	return &sapb.Count{Count: count}, nil
 }

 // GetValidOrderAuthorizations2 is used to find the valid, unexpired authorizations
@ -1646,10 +1633,10 @@ func (ssa *SQLStorageAuthority) GetValidOrderAuthorizations2(ctx context.Context
 			authzFields,
 		),
 		map[string]interface{}{
-			"regID":   *req.AcctID,
+			"regID":   req.AcctID,
 			"expires": ssa.clk.Now(),
 			"status":  statusUint(core.StatusValid),
-			"orderID": *req.Id,
+			"orderID": req.Id,
 		},
 	)
 	if err != nil {
@ -1685,18 +1672,18 @@ func (ssa *SQLStorageAuthority) CountInvalidAuthorizations2(ctx context.Context,
 		identifierType = :dnsType AND
 		identifierValue = :ident`,
 		map[string]interface{}{
-			"regID":           *req.RegistrationID,
+			"regID":           req.RegistrationID,
 			"dnsType":         identifierTypeToUint[string(identifier.DNS)],
-			"ident":           *req.Hostname,
-			"expiresEarliest": time.Unix(0, *req.Range.Earliest),
-			"expiresLatest":   time.Unix(0, *req.Range.Latest),
+			"ident":           req.Hostname,
+			"expiresEarliest": time.Unix(0, req.Range.Earliest),
+			"expiresLatest":   time.Unix(0, req.Range.Latest),
 			"status":          statusUint(core.StatusInvalid),
 		},
 	)
 	if err != nil {
 		return nil, err
 	}
-	return &sapb.Count{Count: &count}, nil
+	return &sapb.Count{Count: count}, nil
 }

 // GetValidAuthorizations2 returns the latest authorization for all
@ -1706,9 +1693,9 @@ func (ssa *SQLStorageAuthority) CountInvalidAuthorizations2(ctx context.Context,
 func (ssa *SQLStorageAuthority) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error) {
 	var authzModels []authzModel
 	params := []interface{}{
-		*req.RegistrationID,
+		req.RegistrationID,
 		statusUint(core.StatusValid),
-		time.Unix(0, *req.Now),
+		time.Unix(0, req.Now),
 		identifierTypeToUint[string(identifier.DNS)],
 	}
 	qmarks := make([]string, len(req.Domains))
@ -1767,24 +1754,24 @@ var blockedKeysColumns = "keyHash, added, source, comment"

 // AddBlockedKey adds a key hash to the blockedKeys table
 func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.AddBlockedKeyRequest) (*corepb.Empty, error) {
-	if req == nil || req.KeyHash == nil || req.Added == nil || req.Source == nil {
+	if core.IsAnyNilOrZero(req.KeyHash, req.Added, req.Source) {
 		return nil, errIncompleteRequest
 	}
-	sourceInt, ok := stringToSourceInt[*req.Source]
+	sourceInt, ok := stringToSourceInt[req.Source]
 	if !ok {
 		return nil, errors.New("unknown source")
 	}
 	cols, qs := blockedKeysColumns, "?, ?, ?, ?"
 	vals := []interface{}{
 		req.KeyHash,
-		time.Unix(0, *req.Added),
+		time.Unix(0, req.Added),
 		sourceInt,
 		req.Comment,
 	}
-	if features.Enabled(features.StoreRevokerInfo) && req.RevokedBy != nil {
+	if features.Enabled(features.StoreRevokerInfo) && req.RevokedBy != 0 {
 		cols += ", revokedBy"
 		qs += ", ?"
-		vals = append(vals, *req.RevokedBy)
+		vals = append(vals, req.RevokedBy)
 	}
 	_, err := ssa.dbMap.Exec(
 		fmt.Sprintf("INSERT INTO blockedKeys (%s) VALUES (%s)", cols, qs),
@ -1810,10 +1797,10 @@ func (ssa *SQLStorageAuthority) KeyBlocked(ctx context.Context, req *sapb.KeyBlo
 	var id int64
 	if err := ssa.dbMap.SelectOne(&id, `SELECT ID FROM blockedKeys WHERE keyHash = ?`, req.KeyHash); err != nil {
 		if db.IsNoRows(err) {
-			return &sapb.Exists{Exists: &exists}, nil
+			return &sapb.Exists{Exists: exists}, nil
 		}
 		return nil, err
 	}
 	exists = true
-	return &sapb.Exists{Exists: &exists}, nil
+	return &sapb.Exists{Exists: exists}, nil
 }
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@ -92,10 +92,10 @@ func createFinalizedAuthorization(t *testing.T, sa core.StorageAuthority, domain
 	expInt := exp.UnixNano()
 	attempted := string(core.ChallengeTypeHTTP01)
 	err := sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
-		Id:        &pendingID,
-		Status:    &status,
-		Expires:   &expInt,
-		Attempted: &attempted,
+		Id:        pendingID,
+		Status:    status,
+		Expires:   expInt,
+		Attempted: attempted,
 	})
 	test.AssertNotError(t, err, "sa.FinalizeAuthorizations2 failed")
 	return pendingID
@ -260,8 +260,8 @@ func TestCountCertificatesByNames(t *testing.T) {
 	counts, err := sa.CountCertificatesByNames(ctx, []string{"example.com"}, yesterday, now)
 	test.AssertNotError(t, err, "Error counting certs.")
 	test.AssertEquals(t, len(counts), 1)
-	test.AssertEquals(t, *counts[0].Name, "example.com")
-	test.AssertEquals(t, *counts[0].Count, int64(0))
+	test.AssertEquals(t, counts[0].Name, "example.com")
+	test.AssertEquals(t, counts[0].Count, int64(0))

 	// Add the test cert and query for its names.
 	reg := satest.CreateWorkingRegistration(t, sa)
@ -273,23 +273,23 @@ func TestCountCertificatesByNames(t *testing.T) {
 	counts, err = sa.CountCertificatesByNames(ctx, []string{"example.com"}, yesterday, now)
 	test.AssertNotError(t, err, "sa.CountCertificatesByName failed")
 	test.AssertEquals(t, len(counts), 1)
-	test.AssertEquals(t, *counts[0].Name, "example.com")
-	test.AssertEquals(t, *counts[0].Count, int64(1))
+	test.AssertEquals(t, counts[0].Name, "example.com")
+	test.AssertEquals(t, counts[0].Count, int64(1))

 	// Time range between two days ago and yesterday should not.
 	counts, err = sa.CountCertificatesByNames(ctx, []string{"example.com"}, twoDaysAgo, yesterday)
 	test.AssertNotError(t, err, "Error counting certs.")
 	test.AssertEquals(t, len(counts), 1)
-	test.AssertEquals(t, *counts[0].Name, "example.com")
-	test.AssertEquals(t, *counts[0].Count, int64(0))
+	test.AssertEquals(t, counts[0].Name, "example.com")
+	test.AssertEquals(t, counts[0].Count, int64(0))

 	// Time range between now and tomorrow also should not (time ranges are
 	// inclusive at the tail end, but not the beginning end).
 	counts, err = sa.CountCertificatesByNames(ctx, []string{"example.com"}, now, tomorrow)
 	test.AssertNotError(t, err, "Error counting certs.")
 	test.AssertEquals(t, len(counts), 1)
-	test.AssertEquals(t, *counts[0].Name, "example.com")
-	test.AssertEquals(t, *counts[0].Count, int64(0))
+	test.AssertEquals(t, counts[0].Name, "example.com")
+	test.AssertEquals(t, counts[0].Count, int64(0))

 	// Add a second test cert (for example.co.bn) and query for multiple names.
 	names := []string{"example.com", "foo.com", "example.co.bn"}
@ -321,8 +321,8 @@ func TestCountCertificatesByNames(t *testing.T) {
 		"example.com":   1,
 	}
 	for _, entry := range counts {
-		domain := *entry.Name
-		actualCount := *entry.Count
+		domain := entry.Name
+		actualCount := entry.Count
 		expectedCount := int64(expected[domain])
 		test.AssertEquals(t, actualCount, expectedCount)
 	}
@ -646,8 +646,8 @@ func TestPreviousCertificateExists(t *testing.T) {
 	issuedUnix := issued.UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    certDER,
-		Issued: &issuedUnix,
-		RegID:  &reg.ID,
+		Issued: issuedUnix,
+		RegID:  reg.ID,
 	})
 	test.AssertNotError(t, err, "Failed to add precertificate")
 	_, err = sa.AddCertificate(ctx, certDER, reg.ID, nil, &issued)
@ -668,12 +668,12 @@ func TestPreviousCertificateExists(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			exists, err := sa.PreviousCertificateExists(context.Background(),
 				&sapb.PreviousCertificateExistsRequest{
-					Domain: &testCase.domain,
-					RegID:  &testCase.regID,
+					Domain: testCase.domain,
+					RegID:  testCase.regID,
 				})
 			test.AssertNotError(t, err, "calling PreviousCertificateExists")
-			if *exists.Exists != testCase.expected {
-				t.Errorf("wanted %v got %v", testCase.expected, *exists.Exists)
+			if exists.Exists != testCase.expected {
+				t.Errorf("wanted %v got %v", testCase.expected, exists.Exists)
 			}
 		})
 	}
@ -686,12 +686,12 @@ func TestDeactivateAuthorization2(t *testing.T) {
 	// deactivate a pending authorization
 	expires := fc.Now().Add(time.Hour).UTC()
 	authzID := createPendingAuthorization(t, sa, "example.com", expires)
-	_, err := sa.DeactivateAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: &authzID})
+	_, err := sa.DeactivateAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: authzID})
 	test.AssertNotError(t, err, "sa.DeactivateAuthorization2 failed")

 	// deactivate a valid authorization"
 	authzID = createFinalizedAuthorization(t, sa, "example.com", expires, "valid")
-	_, err = sa.DeactivateAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: &authzID})
+	_, err = sa.DeactivateAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: authzID})
 	test.AssertNotError(t, err, "sa.DeactivateAuthorization2 failed")
 }

@ -989,7 +989,7 @@ func TestSetOrderProcessing(t *testing.T) {
 	// to processing
 	updatedOrder, err := sa.GetOrder(
 		context.Background(),
-		&sapb.OrderRequest{Id: order.Id})
+		&sapb.OrderRequest{Id: *order.Id})
 	test.AssertNotError(t, err, "GetOrder failed")
 	test.AssertEquals(t, *updatedOrder.Status, string(core.StatusProcessing))
 	test.AssertEquals(t, *updatedOrder.BeganProcessing, true)
@ -1043,7 +1043,7 @@ func TestFinalizeOrder(t *testing.T) {
 	// was correctly updated
 	updatedOrder, err := sa.GetOrder(
 		context.Background(),
-		&sapb.OrderRequest{Id: order.Id})
+		&sapb.OrderRequest{Id: *order.Id})
 	test.AssertNotError(t, err, "GetOrder failed")
 	test.AssertEquals(t, *updatedOrder.CertificateSerial, serial)
 	test.AssertEquals(t, *updatedOrder.Status, string(core.StatusValid))
@ -1103,7 +1103,7 @@ func TestOrder(t *testing.T) {
 	}

 	// Fetch the order by its ID and make sure it matches the expected
-	storedOrder, err := sa.GetOrder(context.Background(), &sapb.OrderRequest{Id: order.Id})
+	storedOrder, err := sa.GetOrder(context.Background(), &sapb.OrderRequest{Id: *order.Id})
 	test.AssertNotError(t, err, "sa.GetOrder failed")
 	test.AssertDeepEquals(t, storedOrder, expectedOrder)
 }
@ -1116,7 +1116,7 @@ func TestGetAuthorizationNoRows(t *testing.T) {

 	// An empty authz ID should result in a not found berror.
 	id := int64(123)
-	_, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &id})
+	_, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: id})
 	test.AssertError(t, err, "Didn't get an error looking up non-existent authz ID")
 	test.Assert(t, berrors.Is(err, berrors.NotFound), "GetAuthorization did not return a berrors.NotFound error")
 }
@ -1163,9 +1163,9 @@ func TestGetAuthorizations2(t *testing.T) {
 	expiryCutoff := fc.Now().AddDate(0, 0, 1).UnixNano()
 	// Get authorizations for the names used above.
 	authz, err := sa.GetAuthorizations2(context.Background(), &sapb.GetAuthorizationsRequest{
-		RegistrationID: &reg.ID,
+		RegistrationID: reg.ID,
 		Domains:        idents,
-		Now:            &expiryCutoff,
+		Now:            expiryCutoff,
 	})
 	// It should not fail
 	test.AssertNotError(t, err, "sa.GetAuthorizations2 failed")
@ -1175,9 +1175,9 @@ func TestGetAuthorizations2(t *testing.T) {

 	// Get authorizations for the names used above, and one name that doesn't exist
 	authz, err = sa.GetAuthorizations2(context.Background(), &sapb.GetAuthorizationsRequest{
-		RegistrationID: &reg.ID,
+		RegistrationID: reg.ID,
 		Domains:        append(idents, identD),
-		Now:            &expiryCutoff,
+		Now:            expiryCutoff,
 	})
 	// It should not fail
 	test.AssertNotError(t, err, "sa.GetAuthorizations2 failed")
@ -1261,7 +1261,7 @@ func TestFasterGetOrderForNames(t *testing.T) {
 	test.AssertNotError(t, err, "sa.NewOrder failed")

 	_, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &reg.ID,
+		AcctID: reg.ID,
 		Names:  []string{domain},
 	})
 	test.AssertNotError(t, err, "sa.GetOrderForNames failed")
@ -1294,7 +1294,7 @@ func TestGetOrderForNames(t *testing.T) {
 	// Call GetOrderForNames for a set of names we haven't created an order for
 	// yet
 	result, err := sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &regA.ID,
+		AcctID: regA.ID,
 		Names:  names,
 	})
 	// We expect the result to return an error
@ -1319,7 +1319,7 @@ func TestGetOrderForNames(t *testing.T) {
 	// Call GetOrderForNames with the same account ID and set of names as the
 	// above NewOrder call
 	result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &regA.ID,
+		AcctID: regA.ID,
 		Names:  names,
 	})
 	// It shouldn't error
@ -1331,7 +1331,7 @@ func TestGetOrderForNames(t *testing.T) {
 	// Call GetOrderForNames with a different account ID from the NewOrder call
 	regB := int64(1337)
 	result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &regB,
+		AcctID: regB,
 		Names:  names,
 	})
 	// It should error
@ -1347,7 +1347,7 @@ func TestGetOrderForNames(t *testing.T) {
 	// Call GetOrderForNames again with the same account ID and set of names as
 	// the initial NewOrder call
 	result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &regA.ID,
+		AcctID: regA.ID,
 		Names:  names,
 	})
 	// It should error since there is no result
@ -1380,7 +1380,7 @@ func TestGetOrderForNames(t *testing.T) {
 	// Call GetOrderForNames with the same account ID and set of names as
 	// the earlier NewOrder call
 	result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &regA.ID,
+		AcctID: regA.ID,
 		Names:  names,
 	})
 	// It should not error since a ready order can be reused.
@ -1402,7 +1402,7 @@ func TestGetOrderForNames(t *testing.T) {
 	// Call GetOrderForNames with the same account ID and set of names as
 	// the earlier NewOrder call
 	result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
-		AcctID: &regA.ID,
+		AcctID: regA.ID,
 		Names:  names,
 	})
 	// It should error since a valid order should not be reused.
@ -1433,7 +1433,7 @@ func TestStatusForOrder(t *testing.T) {
 	invalidID := createFinalizedAuthorization(t, sa, "invalid.your.order.is.up", expires, "invalid")
 	validID := createFinalizedAuthorization(t, sa, "valid.your.order.is.up", expires, "valid")
 	deactivatedID := createPendingAuthorization(t, sa, "deactivated.your.order.is.up", expires)
-	_, err := sa.DeactivateAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: &deactivatedID})
+	_, err := sa.DeactivateAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: deactivatedID})
 	test.AssertNotError(t, err, "sa.DeactivateAuthorization2 failed")

 	testCases := []struct {
@ -1536,7 +1536,7 @@ func TestStatusForOrder(t *testing.T) {
 				test.AssertNotError(t, err, "Error finalizing order")
 			}
 			// Fetch the order by ID to get its calculated status
-			storedOrder, err := sa.GetOrder(ctx, &sapb.OrderRequest{Id: newOrder.Id})
+			storedOrder, err := sa.GetOrder(ctx, &sapb.OrderRequest{Id: *newOrder.Id})
 			test.AssertNotError(t, err, "GetOrder failed")
 			// The status shouldn't be nil
 			test.AssertNotNil(t, storedOrder.Status, "Order status was nil")
@ -1557,7 +1557,7 @@ func TestUpdateChallengesDeleteUnused(t *testing.T) {
 	// Create a pending authz
 	authzID := createFinalizedAuthorization(t, sa, "example.com", expires, "valid")

-	result, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
+	result, err := sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
 	test.AssertNotError(t, err, "sa.GetAuthorization2 failed")

 	if len(result.Challenges) != 1 {
@ -1582,9 +1582,9 @@ func TestRevokeCertificate(t *testing.T) {
 	issued := sa.clk.Now().UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    certDER,
-		RegID:  &reg.ID,
+		RegID:  reg.ID,
 		Ocsp:   nil,
-		Issued: &issued,
+		Issued: issued,
 	})
 	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")

@ -1601,9 +1601,9 @@ func TestRevokeCertificate(t *testing.T) {
 	reason := int64(1)
 	response := []byte{1, 2, 3}
 	err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
-		Serial:   &serial,
-		Date:     &dateUnix,
-		Reason:   &reason,
+		Serial:   serial,
+		Date:     dateUnix,
+		Reason:   reason,
 		Response: response,
 	})
 	test.AssertNotError(t, err, "RevokeCertificate failed")
@ -1617,9 +1617,9 @@ func TestRevokeCertificate(t *testing.T) {
 	test.AssertDeepEquals(t, status.OCSPResponse, response)

 	err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
-		Serial:   &serial,
-		Date:     &dateUnix,
-		Reason:   &reason,
+		Serial:   serial,
+		Date:     dateUnix,
+		Reason:   reason,
 		Response: response,
 	})
 	test.AssertError(t, err, "RevokeCertificate should've failed when certificate already revoked")
@ -1653,8 +1653,8 @@ func TestAddCertificateRenewalBit(t *testing.T) {
 	issuedUnix := issued.UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    certDER,
-		Issued: &issuedUnix,
-		RegID:  &reg.ID,
+		Issued: issuedUnix,
+		RegID:  reg.ID,
 	})
 	test.AssertNotError(t, err, "Failed to add precertificate")
 	_, err = sa.AddCertificate(ctx, certDER, reg.ID, nil, &issued)
@ -1690,8 +1690,8 @@ func TestAddCertificateRenewalBit(t *testing.T) {
 	issuedUnix = issued.UnixNano()
 	_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    certDER,
-		Issued: &issuedUnix,
-		RegID:  &reg.ID,
+		Issued: issuedUnix,
+		RegID:  reg.ID,
 	})
 	test.AssertNotError(t, err, "Failed to add precertificate")
 	_, err = sa.AddCertificate(ctx, certDER, reg.ID, nil, &issued)
@ -1782,8 +1782,8 @@ func TestCountCertificatesRenewalBit(t *testing.T) {
 			fc.Now().Add(5*time.Hour))
 		test.AssertNotError(t, err, "Unexpected err from CountCertificatesByNames")
 		for _, elem := range counts {
-			if *elem.Name == name {
-				return *elem.Count
+			if elem.Name == name {
+				return elem.Count
 			}
 		}
 		return 0
@ -1858,7 +1858,7 @@ func TestNewAuthorizations2(t *testing.T) {
 	test.AssertEquals(t, len(ids.Ids), 2)
 	for i, id := range ids.Ids {
 		id := id
-		dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: &id})
+		dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: id})
 		test.AssertNotError(t, err, "sa.GetAuthorization failed")
 		// Everything but ID should match
 		req.Authz[i].Id = dbVer.Id
@ -1899,7 +1899,7 @@ func TestFinalizeAuthorization2(t *testing.T) {
 	url := "http://asd"
 	ip, _ := net.ParseIP("1.1.1.1").MarshalText()
 	err = sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
-		Id: &ids.Ids[0],
+		Id: ids.Ids[0],
 		ValidationRecords: []*corepb.ValidationRecord{
 			{
 				Hostname:    &ident,
@ -1908,13 +1908,13 @@ func TestFinalizeAuthorization2(t *testing.T) {
 				AddressUsed: ip,
 			},
 		},
-		Status:    &valid,
-		Expires:   &expires,
-		Attempted: &challType,
+		Status:    valid,
+		Expires:   expires,
+		Attempted: challType,
 	})
 	test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")

-	dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: &ids.Ids[0]})
+	dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: ids.Ids[0]})
 	test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
 	test.AssertEquals(t, *dbVer.Status, string(core.StatusValid))
 	test.AssertEquals(t, time.Unix(0, *dbVer.Expires).UTC(), fc.Now().Add(time.Hour*2).UTC())
@ -1927,7 +1927,7 @@ func TestFinalizeAuthorization2(t *testing.T) {
 	invalid := string(core.StatusInvalid)
 	prob, _ := bgrpc.ProblemDetailsToPB(probs.ConnectionFailure("it went bad captain"))
 	err = sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
-		Id: &ids.Ids[0],
+		Id: ids.Ids[0],
 		ValidationRecords: []*corepb.ValidationRecord{
 			{
 				Hostname:    &ident,
@ -1937,13 +1937,13 @@ func TestFinalizeAuthorization2(t *testing.T) {
 			},
 		},
 		ValidationError: prob,
-		Status:          &invalid,
-		Attempted:       &challType,
-		Expires:         &expires,
+		Status:          invalid,
+		Attempted:       challType,
+		Expires:         expires,
 	})
 	test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")

-	dbVer, err = sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: &ids.Ids[0]})
+	dbVer, err = sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: ids.Ids[0]})
 	test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
 	test.AssertEquals(t, *dbVer.Status, string(core.StatusInvalid))
 	test.AssertEquals(t, *dbVer.Challenges[0].Status, string(core.StatusInvalid))
@ -1964,18 +1964,18 @@ func TestGetPendingAuthorization2(t *testing.T) {
 	regID := int64(1)
 	validUntil := fc.Now().Add(time.Hour * 2).UTC().UnixNano()
 	dbVer, err := sa.GetPendingAuthorization2(context.Background(), &sapb.GetPendingAuthorizationRequest{
-		RegistrationID:  &regID,
-		IdentifierValue: &domain,
-		ValidUntil:      &validUntil,
+		RegistrationID:  regID,
+		IdentifierValue: domain,
+		ValidUntil:      validUntil,
 	})
 	test.AssertNotError(t, err, "sa.GetPendingAuthorization2 failed")
 	test.AssertEquals(t, fmt.Sprintf("%d", authzIDB), *dbVer.Id)

 	validUntil = fc.Now().UTC().UnixNano()
 	dbVer, err = sa.GetPendingAuthorization2(context.Background(), &sapb.GetPendingAuthorizationRequest{
-		RegistrationID:  &regID,
-		IdentifierValue: &domain,
-		ValidUntil:      &validUntil,
+		RegistrationID:  regID,
+		IdentifierValue: domain,
+		ValidUntil:      validUntil,
 	})
 	test.AssertNotError(t, err, "sa.GetPendingAuthorization2 failed")
 	test.AssertEquals(t, fmt.Sprintf("%d", authzIDA), *dbVer.Id)
@ -1993,26 +1993,26 @@ func TestCountPendingAuthorizations2(t *testing.T) {
 	// Registration has two new style pending authorizations
 	regID := int64(1)
 	count, err := sa.CountPendingAuthorizations2(context.Background(), &sapb.RegistrationID{
-		Id: &regID,
+		Id: regID,
 	})
 	test.AssertNotError(t, err, "sa.CountPendingAuthorizations2 failed")
-	test.AssertEquals(t, *count.Count, int64(2))
+	test.AssertEquals(t, count.Count, int64(2))

 	// Registration has two new style pending authorizations, one of which has expired
 	fc.Add(time.Hour * 2)
 	count, err = sa.CountPendingAuthorizations2(context.Background(), &sapb.RegistrationID{
-		Id: &regID,
+		Id: regID,
 	})
 	test.AssertNotError(t, err, "sa.CountPendingAuthorizations2 failed")
-	test.AssertEquals(t, *count.Count, int64(1))
+	test.AssertEquals(t, count.Count, int64(1))

 	// Registration with no authorizations should be 0
 	noReg := int64(20)
 	count, err = sa.CountPendingAuthorizations2(context.Background(), &sapb.RegistrationID{
-		Id: &noReg,
+		Id: noReg,
 	})
 	test.AssertNotError(t, err, "sa.CountPendingAuthorizations2 failed")
-	test.AssertEquals(t, *count.Count, int64(0))
+	test.AssertEquals(t, count.Count, int64(0))
 }

 func TestAuthzModelMapToPB(t *testing.T) {
@ -2053,9 +2053,9 @@ func TestAuthzModelMapToPB(t *testing.T) {
 	}

 	for _, el := range out.Authz {
-		model, ok := input[*el.Domain]
+		model, ok := input[el.Domain]
 		if !ok {
-			t.Errorf("output had element for %q, a hostname not present in input", *el.Domain)
+			t.Errorf("output had element for %q, a hostname not present in input", el.Domain)
 		}
 		authzPB := el.Authz
 		test.AssertEquals(t, *authzPB.Id, fmt.Sprintf("%d", model.ID))
@ -2067,7 +2067,7 @@ func TestAuthzModelMapToPB(t *testing.T) {
 			t.Errorf("Times didn't match. Got %s, expected %s (%d)", gotTime, model.Expires, *authzPB.Expires)
 		}
 		if len(el.Authz.Challenges) != bits.OnesCount(uint(model.Challenges)) {
-			t.Errorf("wrong number of challenges for %q: got %d, expected %d", *el.Domain,
+			t.Errorf("wrong number of challenges for %q: got %d, expected %d", el.Domain,
 				len(el.Authz.Challenges), bits.OnesCount(uint(model.Challenges)))
 		}
 		switch model.Challenges {
@ -2080,7 +2080,7 @@ func TestAuthzModelMapToPB(t *testing.T) {
 			test.AssertEquals(t, *el.Authz.Challenges[0].Type, "tls-alpn-01")
 		}

-		delete(input, *el.Domain)
+		delete(input, el.Domain)
 	}

 	for k := range input {
@ -2114,8 +2114,8 @@ func TestGetValidOrderAuthorizations2(t *testing.T) {
 	authzMap, err := sa.GetValidOrderAuthorizations2(
 		context.Background(),
 		&sapb.GetValidOrderAuthorizationsRequest{
-			Id:     order.Id,
-			AcctID: &reg.ID,
+			Id:     *order.Id,
+			AcctID: reg.ID,
 		})
 	test.AssertNotError(t, err, "sa.GetValidOrderAuthorizations failed")
 	test.AssertNotNil(t, authzMap, "sa.GetValidOrderAuthorizations result was nil")
@ -2135,8 +2135,8 @@ func TestGetValidOrderAuthorizations2(t *testing.T) {
 	authzMap, err = sa.GetValidOrderAuthorizations2(
 		context.Background(),
 		&sapb.GetValidOrderAuthorizationsRequest{
-			Id:     &missingID,
-			AcctID: &reg.ID,
+			Id:     missingID,
+			AcctID: reg.ID,
 		})
 	test.AssertNotError(t, err, "sa.GetValidOrderAuthorizations failed")
 	test.AssertEquals(t, len(authzMap.Authz), 0)
@ -2147,8 +2147,8 @@ func TestGetValidOrderAuthorizations2(t *testing.T) {
 	authzMap, err = sa.GetValidOrderAuthorizations2(
 		context.Background(),
 		&sapb.GetValidOrderAuthorizationsRequest{
-			Id:     order.Id,
-			AcctID: &wrongAcctID,
+			Id:     *order.Id,
+			AcctID: wrongAcctID,
 		})
 	test.AssertNotError(t, err, "sa.GetValidOrderAuthorizations failed")
 	test.AssertEquals(t, len(authzMap.Authz), 0)
@ -2169,15 +2169,15 @@ func TestCountInvalidAuthorizations2(t *testing.T) {

 	earliest, latest := fc.Now().Add(-time.Hour).UTC().UnixNano(), fc.Now().Add(time.Hour*5).UTC().UnixNano()
 	count, err := sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: &reg.ID,
-		Hostname:       &ident,
+		RegistrationID: reg.ID,
+		Hostname:       ident,
 		Range: &sapb.Range{
-			Earliest: &earliest,
-			Latest:   &latest,
+			Earliest: earliest,
+			Latest:   latest,
 		},
 	})
 	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed")
-	test.AssertEquals(t, *count.Count, int64(1))
+	test.AssertEquals(t, count.Count, int64(1))
 }

 func TestGetValidAuthorizations2(t *testing.T) {
@ -2196,12 +2196,12 @@ func TestGetValidAuthorizations2(t *testing.T) {
 			"aaa",
 			"bbb",
 		},
-		RegistrationID: &regID,
-		Now:            &now,
+		RegistrationID: regID,
+		Now:            now,
 	})
 	test.AssertNotError(t, err, "sa.GetValidAuthorizations2 failed")
 	test.AssertEquals(t, len(authzs.Authz), 1)
-	test.AssertEquals(t, *authzs.Authz[0].Domain, ident)
+	test.AssertEquals(t, authzs.Authz[0].Domain, ident)
 	test.AssertEquals(t, *authzs.Authz[0].Authz.Id, fmt.Sprintf("%d", authzID))
 }

@ -2220,7 +2220,7 @@ func TestGetOrderExpired(t *testing.T) {
 	})
 	test.AssertNotError(t, err, "NewOrder failed")
 	_, err = sa.GetOrder(context.Background(), &sapb.OrderRequest{
-		Id: order.Id,
+		Id: *order.Id,
 	})
 	test.AssertError(t, err, "GetOrder didn't fail for an expired order")
 	test.Assert(t, berrors.Is(err, berrors.NotFound), "GetOrder error wasn't of type NotFound")
@ -2239,23 +2239,23 @@ func TestBlockedKey(t *testing.T) {
 	source := "API"
 	_, err := sa.AddBlockedKey(context.Background(), &sapb.AddBlockedKeyRequest{
 		KeyHash: hashA,
-		Added:   &added,
-		Source:  &source,
+		Added:   added,
+		Source:  source,
 	})
 	test.AssertNotError(t, err, "AddBlockedKey failed")
 	_, err = sa.AddBlockedKey(context.Background(), &sapb.AddBlockedKeyRequest{
 		KeyHash: hashA,
-		Added:   &added,
-		Source:  &source,
+		Added:   added,
+		Source:  source,
 	})
 	test.AssertNotError(t, err, "AddBlockedKey failed with duplicate insert")

 	comment := "testing comments"
 	_, err = sa.AddBlockedKey(context.Background(), &sapb.AddBlockedKeyRequest{
 		KeyHash: hashB,
-		Added:   &added,
-		Source:  &source,
-		Comment: &comment,
+		Added:   added,
+		Source:  source,
+		Comment: comment,
 	})
 	test.AssertNotError(t, err, "AddBlockedKey failed")

@ -2264,19 +2264,19 @@ func TestBlockedKey(t *testing.T) {
 	})
 	test.AssertNotError(t, err, "KeyBlocked failed")
 	test.Assert(t, exists != nil, "*sapb.Exists is nil")
-	test.Assert(t, *exists.Exists, "KeyBlocked returned false for blocked key")
+	test.Assert(t, exists.Exists, "KeyBlocked returned false for blocked key")
 	exists, err = sa.KeyBlocked(context.Background(), &sapb.KeyBlockedRequest{
 		KeyHash: hashB,
 	})
 	test.AssertNotError(t, err, "KeyBlocked failed")
 	test.Assert(t, exists != nil, "*sapb.Exists is nil")
-	test.Assert(t, *exists.Exists, "KeyBlocked returned false for blocked key")
+	test.Assert(t, exists.Exists, "KeyBlocked returned false for blocked key")
 	exists, err = sa.KeyBlocked(context.Background(), &sapb.KeyBlockedRequest{
 		KeyHash: []byte{5},
 	})
 	test.AssertNotError(t, err, "KeyBlocked failed")
 	test.Assert(t, exists != nil, "*sapb.Exists is nil")
-	test.Assert(t, !*exists.Exists, "KeyBlocked returned true for non-blocked key")
+	test.Assert(t, !exists.Exists, "KeyBlocked returned true for non-blocked key")
 }

 func TestAddBlockedKeyUnknownSource(t *testing.T) {
@ -2287,8 +2287,8 @@ func TestAddBlockedKeyUnknownSource(t *testing.T) {
 	source := "heyo"
 	_, err := sa.AddBlockedKey(context.Background(), &sapb.AddBlockedKeyRequest{
 		KeyHash: []byte{1, 2, 3},
-		Added:   &added,
-		Source:  &source,
+		Added:   added,
+		Source:  source,
 	})
 	test.AssertError(t, err, "AddBlockedKey didn't fail with unknown source")
 	test.AssertEquals(t, err.Error(), "unknown source")
@ -2306,16 +2306,16 @@ func TestBlockedKeyRevokedBy(t *testing.T) {
 	source := "API"
 	_, err = sa.AddBlockedKey(context.Background(), &sapb.AddBlockedKeyRequest{
 		KeyHash: []byte{1},
-		Added:   &added,
-		Source:  &source,
+		Added:   added,
+		Source:  source,
 	})
 	test.AssertNotError(t, err, "AddBlockedKey failed")
 	revoker := int64(1)
 	_, err = sa.AddBlockedKey(context.Background(), &sapb.AddBlockedKeyRequest{
 		KeyHash:   []byte{2},
-		Added:     &added,
-		Source:    &source,
-		RevokedBy: &revoker,
+		Added:     added,
+		Source:    source,
+		RevokedBy: revoker,
 	})
 	test.AssertNotError(t, err, "AddBlockedKey failed")
 }
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@ -775,11 +775,10 @@ func (wfe *WebFrontEndImpl) NewAuthorization(ctx context.Context, logEvent *web.
 }

 func (wfe *WebFrontEndImpl) regHoldsAuthorizations(ctx context.Context, regID int64, names []string) (bool, error) {
-	now := wfe.clk.Now().UnixNano()
 	authzMapPB, err := wfe.SA.GetValidAuthorizations2(ctx, &sapb.GetValidAuthorizationsRequest{
-		RegistrationID: &regID,
+		RegistrationID: regID,
 		Domains:        names,
-		Now:            &now,
+		Now:            wfe.clk.Now().UnixNano(),
 	})
 	if err != nil {
 		return false, err
@ -1048,7 +1047,7 @@ func (wfe *WebFrontEndImpl) ChallengeV2(
 		return
 	}
 	challengeID := slug[1]
-	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authorizationID})
+	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authorizationID})
 	if err != nil {
 		if berrors.Is(err, berrors.NotFound) {
 			notFound()
@ -1376,7 +1375,7 @@ func (wfe *WebFrontEndImpl) AuthorizationV2(ctx context.Context, logEvent *web.R
 		wfe.sendError(response, logEvent, probs.Malformed("Invalid authorization ID"), nil)
 		return
 	}
-	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
+	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
 	if err != nil {
 		if berrors.Is(err, berrors.NotFound) {
 			notFound()
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@ -672,11 +672,10 @@ func (wfe *WebFrontEndImpl) NewAccount(
 }

 func (wfe *WebFrontEndImpl) acctHoldsAuthorizations(ctx context.Context, acctID int64, names []string) (bool, error) {
-	now := wfe.clk.Now().UnixNano()
 	authzMapPB, err := wfe.SA.GetValidAuthorizations2(ctx, &sapb.GetValidAuthorizationsRequest{
-		RegistrationID: &acctID,
+		RegistrationID: acctID,
 		Domains:        names,
-		Now:            &now,
+		Now:            wfe.clk.Now().UnixNano(),
 	})
 	if err != nil {
 		return false, err
@ -872,7 +871,7 @@ func (wfe *WebFrontEndImpl) revokeCertByKeyID(
 			// If there was an error, it was a not found error, and the precertificate
 			// revocation feature is enabled, then try to find a stored precert.
 			pbCert, err := wfe.SA.GetPrecertificate(ctx,
-				&sapb.Serial{Serial: &serial})
+				&sapb.Serial{Serial: serial})
 			if berrors.Is(err, berrors.NotFound) {
 				// If looking up a precert also returned a not found error then return
 				// a not found problem.
@ -1035,7 +1034,7 @@ func (wfe *WebFrontEndImpl) Challenge(
 		return
 	}
 	challengeID := slug[1]
-	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authorizationID})
+	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authorizationID})
 	if err != nil {
 		if berrors.Is(err, berrors.NotFound) {
 			notFound()
@ -1461,7 +1460,7 @@ func (wfe *WebFrontEndImpl) Authorization(
 		return
 	}

-	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
+	authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
 	if berrors.Is(err, berrors.NotFound) {
 		wfe.sendError(response, logEvent, probs.NotFound("No such authorization"), nil)
 		return
@ -2034,7 +2033,7 @@ func (wfe *WebFrontEndImpl) GetOrder(ctx context.Context, logEvent *web.RequestE
 	}

 	useV2Authzs := true
-	order, err := wfe.SA.GetOrder(ctx, &sapb.OrderRequest{Id: &orderID, UseV2Authorizations: &useV2Authzs})
+	order, err := wfe.SA.GetOrder(ctx, &sapb.OrderRequest{Id: orderID, UseV2Authorizations: useV2Authzs})
 	if err != nil {
 		if berrors.Is(err, berrors.NotFound) {
 			wfe.sendError(response, logEvent, probs.NotFound(fmt.Sprintf("No order for ID %d", orderID)), err)
@ -2104,7 +2103,7 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req
 	}

 	useV2Authzs := true
-	order, err := wfe.SA.GetOrder(ctx, &sapb.OrderRequest{Id: &orderID, UseV2Authorizations: &useV2Authzs})
+	order, err := wfe.SA.GetOrder(ctx, &sapb.OrderRequest{Id: orderID, UseV2Authorizations: useV2Authzs})
 	if err != nil {
 		if berrors.Is(err, berrors.NotFound) {
 			wfe.sendError(response, logEvent, probs.NotFound(fmt.Sprintf("No order for ID %d", orderID)), err)