add overriding of ARI response (#501)

Fixes #486 This moves the GetCertificateBySerial call earlier, which means that call needs to succeed even for revoked certificates. So this also follows up on #252 by keeping revoked certs in the primary certificatesByID map (while still adding them to the revokedCertificatesByID map).
2025-06-05 16:15:11 -07:00 · 2025-06-05 16:15:11 -07:00 · d52948ce25
parent 39dbb64e14
commit d52948ce25
3 changed files with 79 additions and 9 deletions
--- a/core/types.go
+++ b/core/types.go
@ -149,6 +149,8 @@ type Certificate struct {
 	DER          []byte
 	IssuerChains [][]*Certificate
 	AccountID    string
 	// When non-empty, this is the ARI response sent for this certificate.
 	ARIResponse string
 }
 func (c Certificate) PEM() []byte {
--- a/db/memorystore.go
+++ b/db/memorystore.go
@ -413,7 +413,6 @@ func (m *MemoryStore) RevokeCertificate(cert *core.RevokedCertificate) {
 	m.Lock()
 	defer m.Unlock()
 	m.revokedCertificatesByID[cert.Certificate.ID] = cert
 	delete(m.certificatesByID, cert.Certificate.ID)
 }
 /*
@ -549,3 +548,19 @@ func (m *MemoryStore) IsDomainBlocked(name string) bool {
 	return false
 }
 // SetARIResponse looks up a certificate by serial number and sets its ARI response field
 func (m *MemoryStore) SetARIResponse(serial *big.Int, ariResponse string) error {
 	m.Lock()
 	defer m.Unlock()
 	for _, cert := range m.certificatesByID {
 		if cert.Cert.SerialNumber.Cmp(serial) == 0 {
 			cert.ARIResponse = ariResponse
 			return nil
 		}
 	}
 	// Certificate not found
 	return fmt.Errorf("certificate with serial number %s not found", serial.String())
 }
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@ -57,7 +57,7 @@ const (
 	// Draft or likely-to-change paths
 	renewalInfoPath = "/draft-ietf-acme-ari-03/renewalInfo/"
-	// Theses entrypoints are not a part of the standard ACME endpoints,
+	// These entrypoints are not a part of the standard ACME endpoints,
 	// and are exposed by Pebble as an integration test tool. We export
 	// RootCertPath so that the pebble binary can reference it.
 	RootCertPath         = "/roots/"
@ -65,6 +65,10 @@ const (
 	intermediateCertPath = "/intermediates/"
 	intermediateKeyPath  = "/intermediate-keys/"
 	certStatusBySerial   = "/cert-status-by-serial/"
 	// Post certificate PEM and desired literal response for renewal info
 	// (the renewal info response is not validated so may be intentionally
 	// malformed).
 	setRenewalInfoPath = "/set-renewal-info/"
 	// How long do pending authorizations last before expiring?
 	pendingAuthzExpire = time.Hour
@ -542,6 +546,9 @@ func (wfe *WebFrontEndImpl) ManagementHandler() http.Handler {
 	wfe.HandleManagementFunc(m, intermediateCertPath, wfe.handleCert(wfe.ca.GetIntermediateCert, intermediateCertPath))
 	wfe.HandleManagementFunc(m, intermediateKeyPath, wfe.handleKey(wfe.ca.GetIntermediateKey, intermediateKeyPath))
 	wfe.HandleManagementFunc(m, certStatusBySerial, wfe.handleCertStatusBySerial)
 	// POST only handlers
 	wfe.HandleFunc(m, setRenewalInfoPath, wfe.SetRenewalInfo, http.MethodPost)
 	return m
 }
@ -1903,7 +1910,18 @@ func (wfe *WebFrontEndImpl) RenewalInfo(_ context.Context, response http.Respons
 		return
 	}
-	renewalInfo, err := wfe.determineARIWindow(certID)
+	cert := wfe.db.GetCertificateBySerial(certID.SerialNumber)
 	if cert == nil {
 		wfe.sendError(acme.NotFoundProblem("failed to retrieve existing certificate serial"), response)
 		return
 	}
 	if cert.ARIResponse != "" {
 		_, _ = response.Write([]byte(cert.ARIResponse))
 		return
 	}
 	renewalInfo, err := wfe.determineARIWindow(certID, cert)
 	if err != nil {
 		wfe.sendError(acme.InternalErrorProblem(fmt.Sprintf("Error determining renewal window: %s", err)), response)
 		return
@ -1917,7 +1935,47 @@ func (wfe *WebFrontEndImpl) RenewalInfo(_ context.Context, response http.Respons
 	}
 }
-func (wfe *WebFrontEndImpl) determineARIWindow(id *core.CertID) (*core.RenewalInfo, error) {
+// SetRenewalInfo overrides the default ARI response for a certificate.
 func (wfe *WebFrontEndImpl) SetRenewalInfo(_ context.Context, response http.ResponseWriter, request *http.Request) {
 	body, err := io.ReadAll(request.Body)
 	if err != nil {
 		wfe.sendError(acme.InternalErrorProblem("Error reading body"), response)
 	}
 	var reqJSON struct {
 		Certificate string // in PEM form
 		ARIResponse string // can be anything, even malformed JSON, so that users can test client response to malformed data
 	}
 	err = json.Unmarshal(body, &reqJSON)
 	if err != nil {
 		wfe.sendError(acme.MalformedProblem("Error unmarshaling request body"), response)
 		return
 	}
 	// Decode and parse the PEM certificate
 	block, _ := pem.Decode([]byte(reqJSON.Certificate))
 	if block == nil || block.Type != "CERTIFICATE" {
 		wfe.sendError(acme.MalformedProblem("Error decoding certificate PEM"), response)
 		return
 	}
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		wfe.sendError(acme.MalformedProblem("Error parsing certificate"), response)
 		return
 	}
 	// Look up certificate by serial number and update response
 	err = wfe.db.SetARIResponse(cert.SerialNumber, reqJSON.ARIResponse)
 	if err != nil {
 		wfe.sendError(acme.NotFoundProblem(err.Error()), response)
 		return
 	}
 	response.WriteHeader(http.StatusOK)
 }
 func (wfe *WebFrontEndImpl) determineARIWindow(id *core.CertID, cert *core.Certificate) (*core.RenewalInfo, error) {
 	if id == nil {
 		return nil, errors.New("CertID was nil")
 	}
@ -1928,11 +1986,6 @@ func (wfe *WebFrontEndImpl) determineARIWindow(id *core.CertID) (*core.RenewalIn
 		return core.RenewalInfoImmediate(time.Now().In(time.UTC)), nil
 	}
 	cert := wfe.db.GetCertificateBySerial(id.SerialNumber)
 	if cert == nil {
 		return nil, errors.New("failed to retrieve existing certificate serial")
 	}
 	return core.RenewalInfoSimple(cert.Cert.NotBefore, cert.Cert.NotAfter), nil
 }