letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Unwrap SA Get[Pre]Certificate methods (#5588) 

Make the gRPC wrappers for sa.GetCertificate and
sa.GetPrecertificate bare passthroughs. The latter of
these already took and returned appropriate protobufs,
so this change mostly just makes the former look like the
latter.

Part of #5532
This commit is contained in:
Aaron Gable 2021-08-19 15:43:48 -07:00 committed by GitHub
parent 7ff6828583
commit f454892dd1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 103 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ca/ca.go
View File

@ -43,7 +43,7 @@ const (
type certificateStorage interface {
AddCertificate(context.Context, []byte, int64, []byte, *time.Time) (string, error)
GetCertificate(context.Context, string) (core.Certificate, error)
GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)
AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*emptypb.Empty, error)
}
@ -323,7 +323,7 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
}
serialHex := core.SerialToString(precert.SerialNumber)
if _, err = ca.sa.GetCertificate(ctx, serialHex); err == nil {
if _, err = ca.sa.GetCertificate(ctx, &sapb.Serial{Serial: serialHex}); err == nil {
err = berrors.InternalServerError("issuance of duplicate final certificate requested: %s", serialHex)
ca.log.AuditErr(err.Error())
return nil, err

13
ca/ca_test.go
View File

@ -29,6 +29,7 @@ import (
capb "github.com/letsencrypt/boulder/ca/proto"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
corepb "github.com/letsencrypt/boulder/core/proto"
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/features"
"github.com/letsencrypt/boulder/goodkey"
@ -162,8 +163,8 @@ func (m *mockSA) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*em
return &emptypb.Empty{}, nil
}
func (m *mockSA) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
return core.Certificate{}, berrors.NotFoundError("cannot find the cert")
func (m *mockSA) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
return nil, berrors.NotFoundError("cannot find the cert")
}
var caKey crypto.Signer
@ -809,8 +810,8 @@ type dupeSA struct {
mockSA
}
func (m *dupeSA) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
return core.Certificate{}, nil
func (m *dupeSA) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
return nil, nil
}
// getCertErrorSA always returns an error for GetCertificate
@ -818,8 +819,8 @@ type getCertErrorSA struct {
mockSA
}
func (m *getCertErrorSA) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
return core.Certificate{}, fmt.Errorf("i don't like it")
func (m *getCertErrorSA) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
return nil, fmt.Errorf("i don't like it")
}
func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {

6
cmd/orphan-finder/main.go
View File

@ -63,8 +63,8 @@ type config struct {
type certificateStorage interface {
AddCertificate(context.Context, []byte, int64, []byte, *time.Time) (string, error)
AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)
GetCertificate(ctx context.Context, serial string) (core.Certificate, error)
GetPrecertificate(ctx context.Context, reqSerial *sapb.Serial) (*corepb.Certificate, error)
GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
GetPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
}
type ocspGenerator interface {
@ -148,7 +148,7 @@ func checkDER(sai certificateStorage, der []byte) (*x509.Certificate, orphanType
switch orphanTyp {
case certOrphan:
_, err = sai.GetCertificate(ctx, orphanSerial)
_, err = sai.GetCertificate(ctx, &sapb.Serial{Serial: orphanSerial})
case precertOrphan:
_, err = sai.GetPrecertificate(ctx, &sapb.Serial{Serial: orphanSerial})
default:

32
cmd/orphan-finder/main_test.go
View File

@ -28,7 +28,7 @@ import (
)
type mockSA struct {
certificates []core.Certificate
certificates []*corepb.Certificate
precertificates []core.Certificate
clk clock.FakeClock
}
@ -38,30 +38,30 @@ func (m *mockSA) AddCertificate(ctx context.Context, der []byte, regID int64, _
if err != nil {
return "", err
}
cert := core.Certificate{
DER: der,
cert := &corepb.Certificate{
Der: der,
RegistrationID: regID,
Serial: core.SerialToString(parsed.SerialNumber),
}
if issued == nil {
cert.Issued = m.clk.Now()
cert.Issued = m.clk.Now().UnixNano()
} else {
cert.Issued = *issued
cert.Issued = issued.UnixNano()
}
m.certificates = append(m.certificates, cert)
return "", nil
}
func (m *mockSA) GetCertificate(ctx context.Context, s string) (core.Certificate, error) {
func (m *mockSA) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
if len(m.certificates) == 0 {
return core.Certificate{}, berrors.NotFoundError("no certs stored")
return nil, berrors.NotFoundError("no certs stored")
}
for _, cert := range m.certificates {
if cert.Serial == s {
if cert.Serial == req.Serial {
return cert, nil
}
}
return core.Certificate{}, berrors.NotFoundError("no cert stored for requested serial")
return nil, berrors.NotFoundError("no cert stored for requested serial")
}
func (m *mockSA) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error) {
@ -264,15 +264,13 @@ func TestParseLine(t *testing.T) {
testCertSerial := core.SerialToString(testCert.SerialNumber)
// Fetch the precert/cert using the correct mock SA function
var storedCert core.Certificate
var storedCert *corepb.Certificate
switch typ {
case precertOrphan:
resp, err := opf.sa.GetPrecertificate(ctx, &sapb.Serial{Serial: testCertSerial})
storedCert, err = opf.sa.GetPrecertificate(ctx, &sapb.Serial{Serial: testCertSerial})
test.AssertNotError(t, err, "Error getting test precert serial from SA")
storedCert, err = bgrpc.PBToCert(resp)
test.AssertNotError(t, err, "Error getting test precert from GetPrecertificate pb response")
case certOrphan:
storedCert, err = opf.sa.GetCertificate(ctx, testCertSerial)
storedCert, err = opf.sa.GetCertificate(ctx, &sapb.Serial{Serial: testCertSerial})
test.AssertNotError(t, err, "Error getting test cert serial from SA")
default:
t.Fatalf("unknown orphan type returned: %s", typ)
@ -280,10 +278,8 @@ func TestParseLine(t *testing.T) {
// The orphan should have been added with the correct registration ID from the log line
test.AssertEquals(t, storedCert.RegistrationID, int64(tc.ExpectRegID))
// The Issued timestamp should be the certificate's NotBefore timestamp offset by the backdate
expectedIssued := testCert.NotBefore.Add(opf.backdate)
test.Assert(t, storedCert.Issued.Equal(expectedIssued),
fmt.Sprintf("stored cert issued date (%s) was not equal to expected (%s)",
storedCert.Issued, expectedIssued))
expectedIssued := testCert.NotBefore.Add(opf.backdate).UnixNano()
test.AssertEquals(t, storedCert.Issued, expectedIssued)
}
})
}

2
core/interfaces.go
View File

@ -99,7 +99,7 @@ type PolicyAuthority interface {
type StorageGetter interface {
GetRegistration(ctx context.Context, req *sapb.RegistrationID) (*corepb.Registration, error)
GetRegistrationByKey(ctx context.Context, req *sapb.JSONWebKey) (*corepb.Registration, error)
GetCertificate(ctx context.Context, serial string) (Certificate, error)
GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
GetPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
GetCertificateStatus(ctx context.Context, serial string) (CertificateStatus, error)
CountCertificatesByNames(ctx context.Context, domains []string, earliest, latest time.Time) (countByDomain []*sapb.CountByNames_MapElement, err error)

34
grpc/sa-wrappers.go
View File

@ -35,26 +35,12 @@ func (sac StorageAuthorityClientWrapper) GetRegistrationByKey(ctx context.Contex
return sac.inner.GetRegistrationByKey(ctx, req)
}
func (sac StorageAuthorityClientWrapper) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
response, err := sac.inner.GetCertificate(ctx, &sapb.Serial{Serial: serial})
if err != nil {
return core.Certificate{}, err
}
if response == nil || response.RegistrationID == 0 || response.Serial == "" || response.Digest == "" || len(response.Der) == 0 || response.Issued == 0 || response.Expires == 0 {
return core.Certificate{}, errIncompleteResponse
}
return PBToCert(response)
func (sac StorageAuthorityClientWrapper) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
return sac.inner.GetCertificate(ctx, req)
}
func (sac StorageAuthorityClientWrapper) GetPrecertificate(ctx context.Context, serial *sapb.Serial) (*corepb.Certificate, error) {
resp, err := sac.inner.GetPrecertificate(ctx, serial)
if err != nil {
return nil, err
}
if resp == nil {
return nil, errIncompleteResponse
}
return resp, nil
return sac.inner.GetPrecertificate(ctx, serial)
}
func (sac StorageAuthorityClientWrapper) GetCertificateStatus(ctx context.Context, serial string) (core.CertificateStatus, error) {
@ -463,22 +449,10 @@ func (sas StorageAuthorityServerWrapper) GetRegistrationByKey(ctx context.Contex
}
func (sas StorageAuthorityServerWrapper) GetCertificate(ctx context.Context, request *sapb.Serial) (*corepb.Certificate, error) {
if core.IsAnyNilOrZero(request, request.Serial) {
return nil, errIncompleteRequest
}
cert, err := sas.inner.GetCertificate(ctx, request.Serial)
if err != nil {
return nil, err
}
return CertToPB(cert), nil
return sas.inner.GetCertificate(ctx, request)
}
func (sas StorageAuthorityServerWrapper) GetPrecertificate(ctx context.Context, request *sapb.Serial) (*corepb.Certificate, error) {
if core.IsAnyNilOrZero(request, request.Serial) {
return nil, errIncompleteRequest
}
return sas.inner.GetPrecertificate(ctx, request)
}

24
mocks/mocks.go
View File

@ -229,28 +229,28 @@ func (sa *StorageAuthority) GetAuthorization(_ context.Context, id string) (core
}
// GetCertificate is a mock
func (sa *StorageAuthority) GetCertificate(_ context.Context, serial string) (core.Certificate, error) {
func (sa *StorageAuthority) GetCertificate(_ context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
// Serial ee == 238.crt
if serial == "0000000000000000000000000000000000ee" {
if req.Serial == "0000000000000000000000000000000000ee" {
certPemBytes, _ := ioutil.ReadFile("test/238.crt")
certBlock, _ := pem.Decode(certPemBytes)
return core.Certificate{
return &corepb.Certificate{
RegistrationID: 1,
DER: certBlock.Bytes,
Issued: sa.clk.Now().Add(-1 * time.Hour),
Der: certBlock.Bytes,
Issued: sa.clk.Now().Add(-1 * time.Hour).UnixNano(),
}, nil
} else if serial == "0000000000000000000000000000000000b2" {
} else if req.Serial == "0000000000000000000000000000000000b2" {
certPemBytes, _ := ioutil.ReadFile("test/178.crt")
certBlock, _ := pem.Decode(certPemBytes)
return core.Certificate{
return &corepb.Certificate{
RegistrationID: 1,
DER: certBlock.Bytes,
Issued: sa.clk.Now().Add(-1 * time.Hour),
Der: certBlock.Bytes,
Issued: sa.clk.Now().Add(-1 * time.Hour).UnixNano(),
}, nil
} else if serial == "000000000000000000000000000000626164" {
return core.Certificate{}, errors.New("bad")
} else if req.Serial == "000000000000000000000000000000626164" {
return nil, errors.New("bad")
} else {
return core.Certificate{}, berrors.NotFoundError("No cert")
return nil, berrors.NotFoundError("No cert")
}
}

14
sa/precertificates.go
View File

@ -134,17 +134,19 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
// GetPrecertificate takes a serial number and returns the corresponding
// precertificate, or error if it does not exist.
func (ssa *SQLStorageAuthority) GetPrecertificate(ctx context.Context, reqSerial *sapb.Serial) (*corepb.Certificate, error) {
if !core.ValidSerial(reqSerial.Serial) {
return nil,
fmt.Errorf("Invalid precertificate serial %q", reqSerial.Serial)
func (ssa *SQLStorageAuthority) GetPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
if req == nil || req.Serial == "" {
return nil, errIncompleteRequest
}
cert, err := SelectPrecertificate(ssa.dbMap.WithContext(ctx), reqSerial.Serial)
if !core.ValidSerial(req.Serial) {
return nil, fmt.Errorf("Invalid precertificate serial %q", req.Serial)
}
cert, err := SelectPrecertificate(ssa.dbMap.WithContext(ctx), req.Serial)
if err != nil {
if db.IsNoRows(err) {
return nil, berrors.NotFoundError(
"precertificate with serial %q not found",
reqSerial.Serial)
req.Serial)
}
return nil, err
}

18
sa/sa.go
View File

@ -318,20 +318,22 @@ func ReverseName(domain string) string {
// GetCertificate takes a serial number and returns the corresponding
// certificate, or error if it does not exist.
func (ssa *SQLStorageAuthority) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
if !core.ValidSerial(serial) {
err := fmt.Errorf("Invalid certificate serial %s", serial)
return core.Certificate{}, err
func (ssa *SQLStorageAuthority) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
if req == nil || req.Serial == "" {
return nil, errIncompleteRequest
}
if !core.ValidSerial(req.Serial) {
return nil, fmt.Errorf("Invalid certificate serial %s", req.Serial)
}
cert, err := SelectCertificate(ssa.dbMap.WithContext(ctx), serial)
cert, err := SelectCertificate(ssa.dbMap.WithContext(ctx), req.Serial)
if db.IsNoRows(err) {
return core.Certificate{}, berrors.NotFoundError("certificate with serial %q not found", serial)
return nil, berrors.NotFoundError("certificate with serial %q not found", req.Serial)
}
if err != nil {
return core.Certificate{}, err
return nil, err
}
return cert, err
return bgrpc.CertToPB(cert), nil
}
// GetCertificateStatus takes a hexadecimal string representing the full 128-bit serial

12
sa/sa_test.go
View File

@ -195,12 +195,12 @@ func TestAddCertificate(t *testing.T) {
test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
test.AssertEquals(t, digest, "qWoItDZmR4P9eFbeYgXXP3SR4ApnkQj8x4LsB_ORKBo")
retrievedCert, err := sa.GetCertificate(ctx, "000000000000000000000000000000021bd4")
retrievedCert, err := sa.GetCertificate(ctx, &sapb.Serial{Serial: "000000000000000000000000000000021bd4"})
test.AssertNotError(t, err, "Couldn't get www.eff.org.der by full serial")
test.AssertByteEquals(t, certDER, retrievedCert.DER)
test.AssertByteEquals(t, certDER, retrievedCert.Der)
// Because nil was provided as the Issued time we expect the cert was stored
// with an issued time equal to now
test.AssertEquals(t, retrievedCert.Issued, clk.Now())
test.AssertEquals(t, retrievedCert.Issued, clk.Now().UnixNano())
// Test cert generated locally by Boulder / CFSSL, names [example.com,
// www.example.com, admin.example.com]
@ -214,12 +214,12 @@ func TestAddCertificate(t *testing.T) {
test.AssertNotError(t, err, "Couldn't add test-cert.der")
test.AssertEquals(t, digest2, "vrlPN5wIPME1D2PPsCy-fGnTWh8dMyyYQcXPRkjHAQI")
retrievedCert2, err := sa.GetCertificate(ctx, serial)
retrievedCert2, err := sa.GetCertificate(ctx, &sapb.Serial{Serial: serial})
test.AssertNotError(t, err, "Couldn't get test-cert.der")
test.AssertByteEquals(t, certDER2, retrievedCert2.DER)
test.AssertByteEquals(t, certDER2, retrievedCert2.Der)
// The cert should have been added with the specific issued time we provided
// as the issued field.
test.AssertEquals(t, retrievedCert2.Issued, issuedTime)
test.AssertEquals(t, retrievedCert2.Issued, issuedTime.UnixNano())
// Test adding OCSP response with cert
certDER3, err := ioutil.ReadFile("test-cert2.der")

10
wfe/wfe.go
View File

@ -883,7 +883,7 @@ func (wfe *WebFrontEndImpl) RevokeCertificate(ctx context.Context, logEvent *web
serial := core.SerialToString(providedCert.SerialNumber)
logEvent.Extra["ProvidedCertificateSerial"] = serial
cert, err := wfe.SA.GetCertificate(ctx, serial)
cert, err := wfe.SA.GetCertificate(ctx, &sapb.Serial{Serial: serial})
if err != nil {
if errors.Is(err, berrors.NotFound) {
wfe.sendError(response, logEvent, probs.NotFound("No such certificate"), err)
@ -892,11 +892,11 @@ func (wfe *WebFrontEndImpl) RevokeCertificate(ctx context.Context, logEvent *web
wfe.sendError(response, logEvent, probs.ServerInternal("Failed to retrieve certificate"), err)
return
}
if !bytes.Equal(cert.DER, revokeRequest.CertificateDER) {
if !bytes.Equal(cert.Der, revokeRequest.CertificateDER) {
wfe.sendError(response, logEvent, probs.NotFound("No such certificate"), err)
return
}
parsedCertificate, err := x509.ParseCertificate(cert.DER)
parsedCertificate, err := x509.ParseCertificate(cert.Der)
if err != nil {
// InternalServerError because this is a failure to decode from our DB.
wfe.sendError(response, logEvent, probs.ServerInternal("invalid parse of stored certificate"), err)
@ -1531,7 +1531,7 @@ func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.Reque
}
logEvent.Extra["RequestedSerial"] = serial
cert, err := wfe.SA.GetCertificate(ctx, serial)
cert, err := wfe.SA.GetCertificate(ctx, &sapb.Serial{Serial: serial})
if err != nil {
ierr := fmt.Errorf("unable to get certificate by serial id %#v: %s", serial, err)
if strings.HasPrefix(err.Error(), "gorp: multiple rows returned") {
@ -1549,7 +1549,7 @@ func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.Reque
relativeIssuerPath := web.RelativeEndpoint(request, issuerPath)
response.Header().Add("Link", link(relativeIssuerPath, "up"))
response.WriteHeader(http.StatusOK)
if _, err = response.Write(cert.DER); err != nil {
if _, err = response.Write(cert.Der); err != nil {
wfe.log.Warningf("Could not write response: %s", err)
}
}

4
wfe2/stale.go
View File

@ -29,8 +29,8 @@ func (wfe *WebFrontEndImpl) staleEnoughToGETOrder(order *corepb.Order) *probs.Pr
// staleEnoughToGETCert checks if the given cert was issued long enough in the
// past to be acceptably stale for accessing via the Boulder specific GET API.
func (wfe *WebFrontEndImpl) staleEnoughToGETCert(cert core.Certificate) *probs.ProblemDetails {
return wfe.staleEnoughToGET("Certificate", cert.Issued)
func (wfe *WebFrontEndImpl) staleEnoughToGETCert(cert *corepb.Certificate) *probs.ProblemDetails {
return wfe.staleEnoughToGET("Certificate", time.Unix(0, cert.Issued))
}
// staleEnoughToGETAuthz checks if the given authorization was created long

14
wfe2/wfe.go
View File

@ -914,11 +914,11 @@ func (wfe *WebFrontEndImpl) revokeCertByKeyID(
authorizedToRevoke := func(parsedCertificate *x509.Certificate) *probs.ProblemDetails {
// Try to find a stored final certificate for the serial number
serial := core.SerialToString(parsedCertificate.SerialNumber)
cert, err := wfe.SA.GetCertificate(ctx, serial)
cert, err := wfe.SA.GetCertificate(ctx, &sapb.Serial{Serial: serial})
if errors.Is(err, berrors.NotFound) {
// If there was an error and it was a not found error, then maybe they're
// trying to revoke via the precertificate. Try to find that instead.
pbCert, err := wfe.SA.GetPrecertificate(ctx, &sapb.Serial{Serial: serial})
cert, err = wfe.SA.GetPrecertificate(ctx, &sapb.Serial{Serial: serial})
if errors.Is(err, berrors.NotFound) {
// If looking up a precert also returned a not found error then return
// a not found problem.
@ -928,10 +928,6 @@ func (wfe *WebFrontEndImpl) revokeCertByKeyID(
// a server internal problem.
return probs.ServerInternal("Failed to retrieve certificate")
}
cert, err = bgrpc.PBToCert(pbCert)
if err != nil {
return probs.ServerInternal("Failed to unmarshal protobuf certificate")
}
} else if err != nil {
// Otherwise if the err was not nil and not a not found error, return
// a server internal problem.
@ -1647,7 +1643,7 @@ func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.Reque
logEvent.Extra["RequestedSerial"] = serial
beeline.AddFieldToTrace(ctx, "request.serial", serial)
cert, err := wfe.SA.GetCertificate(ctx, serial)
cert, err := wfe.SA.GetCertificate(ctx, &sapb.Serial{Serial: serial})
if err != nil {
ierr := fmt.Errorf("unable to get certificate by serial id %#v: %s", serial, err)
if strings.HasPrefix(err.Error(), "gorp: multiple rows returned") {
@ -1678,10 +1674,10 @@ func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.Reque
responsePEM, prob := func() ([]byte, *probs.ProblemDetails) {
leafPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: cert.DER,
Bytes: cert.Der,
})
parsedCert, err := x509.ParseCertificate(cert.DER)
parsedCert, err := x509.ParseCertificate(cert.Der)
if err != nil {
// If we can't parse one of our own certs there's a serious problem
return nil, probs.ServerInternal(

42
wfe2/wfe_test.go
View File

@ -1769,15 +1769,18 @@ func newMockSAWithCert(t *testing.T, sa core.StorageGetter, status core.OCSPStat
// GetCertificate returns the mock SA's hard-coded certificate, issued by the
// account with regID 1, if the given serial matches. Otherwise, returns not found.
func (sa *mockSAWithCert) GetCertificate(_ context.Context, serial string) (core.Certificate, error) {
if serial != core.SerialToString(sa.cert.SerialNumber) {
return core.Certificate{}, berrors.NotFoundError("Certificate with serial %q not found", serial)
func (sa *mockSAWithCert) GetCertificate(_ context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
if req.Serial != core.SerialToString(sa.cert.SerialNumber) {
return nil, berrors.NotFoundError("Certificate with serial %q not found", req.Serial)
}
return core.Certificate{
return &corepb.Certificate{
RegistrationID: 1,
Serial: core.SerialToString(sa.cert.SerialNumber),
DER: sa.cert.Raw,
// Just for the sake of TestGetAPIAndMandatoryPOSTAsGET, we set the Issued
// timestamp of this certificate to be very old (the year 0).
Issued: time.Time{}.UnixNano(),
Der: sa.cert.Raw,
}, nil
}
@ -2000,26 +2003,26 @@ type mockSAWithNewCert struct {
clk clock.Clock
}
func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, serial string) (core.Certificate, error) {
func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
issuer, err := core.LoadCert("../test/hierarchy/int-e1.cert.pem")
if err != nil {
return core.Certificate{}, fmt.Errorf("failed to load test issuer cert: %w", err)
return nil, fmt.Errorf("failed to load test issuer cert: %w", err)
}
issuerKeyPem, err := ioutil.ReadFile("../test/hierarchy/int-e1.key.pem")
if err != nil {
return core.Certificate{}, fmt.Errorf("failed to load test issuer key: %w", err)
return nil, fmt.Errorf("failed to load test issuer key: %w", err)
}
issuerKey := loadKey(&testing.T{}, issuerKeyPem)
newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return core.Certificate{}, fmt.Errorf("failed to create test key: %w", err)
return nil, fmt.Errorf("failed to create test key: %w", err)
}
sn, err := core.StringToSerial(serial)
sn, err := core.StringToSerial(req.Serial)
if err != nil {
return core.Certificate{}, fmt.Errorf("failed to parse test serial: %w", err)
return nil, fmt.Errorf("failed to parse test serial: %w", err)
}
template := &x509.Certificate{
@ -2029,19 +2032,19 @@ func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, serial string) (c
certDER, err := x509.CreateCertificate(rand.Reader, template, issuer, &newKey.PublicKey, issuerKey)
if err != nil {
return core.Certificate{}, fmt.Errorf("failed to issue test cert: %w", err)
return nil, fmt.Errorf("failed to issue test cert: %w", err)
}
cert, err := x509.ParseCertificate(certDER)
if err != nil {
return core.Certificate{}, fmt.Errorf("failed to parse test cert: %w", err)
return nil, fmt.Errorf("failed to parse test cert: %w", err)
}
return core.Certificate{
return &corepb.Certificate{
RegistrationID: 1,
Serial: core.SerialToString(cert.SerialNumber),
Issued: sa.clk.Now().Add(-1 * time.Second),
DER: cert.Raw,
Issued: sa.clk.Now().Add(-1 * time.Second).UnixNano(),
Der: cert.Raw,
}, nil
}
@ -2185,8 +2188,8 @@ type mockSAWithError struct {
core.StorageGetter
}
func (sa *mockSAWithError) GetCertificate(_ context.Context, serial string) (core.Certificate, error) {
return core.Certificate{}, errors.New("Oops")
func (sa *mockSAWithError) GetCertificate(_ context.Context, req *sapb.Serial) (*corepb.Certificate, error) {
return nil, errors.New("Oops")
}
func TestGetCertificateServerError(t *testing.T) {
@ -3533,6 +3536,9 @@ func TestIndexGet404(t *testing.T) {
test.AssertEquals(t, logEvent.Slug, path[1:])
}
// TestGetAPIAndMandatoryPOSTAsGet that, even when MandatoryPOSTAsGet is on,
// we are still willing to allow a GET request for a certificate that is old
// enough that we're no longer worried about stale info being cached.
func TestGetAPIAndMandatoryPOSTAsGET(t *testing.T) {
wfe, _ := setupWFE(t)
wfe.SA = newMockSAWithCert(t, wfe.SA, core.OCSPStatusGood)