
sa: document the storage of linting certificates (letsencrypt#7772)
The naming of our `precertificates` table (now used to store linting
certificates) is definitely confusing, so add some more comments in
various places explaining. See letsencrypt#6807.
jsha authored Oct 28, 2024
1 parent 6e6c8fe commit e182d88
Showing 5 changed files with 17 additions and 5 deletions.
5 changes: 5 additions & 0 deletions ca/ca.go
Expand Up @@ -592,6 +592,11 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
return nil, nil, berrors.InternalServerError("failed to prepare precertificate signing: %s", err)
}

// Note: we write the linting certificate bytes to this table, rather than the precertificate
// (which we audit log but do not put in the database). This is to ensure that even if there is
// an error immediately after signing the precertificate, we have a record in the DB of what we
// intended to sign, and can do revocations based on that. See #6807.
// The name of the SA method ("AddPrecertificate") is a historical artifact.
_, err = ca.sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
Der: lintCertBytes,
RegID: issueReq.RegistrationID,
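Review bot: The new comment explains why the linting certificate bytes are written, but not why the call on the following line passes `context.Background()` rather than the request `ctx` to `ca.sa.AddPrecertificate`. Given the stated goal of having a DB record even when something fails right after signing, that choice looks deliberate (a cancelled request context would otherwise be able to skip the write), and it deserves one sentence in the same block, e.g. `// context.Background() is used deliberately so that request cancellation cannot prevent this record from being stored.` — assuming that is indeed the reason; if it is not, it is worth reviewing whether `ctx` should be used. The enclosing function issuePrecertificateInner starts and ends outside the hunk.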
2 changes: 1 addition & 1 deletion sa/database.go
Expand Up @@ -283,7 +283,7 @@ func initTables(dbMap *borp.DbMap) {
dbMap.AddTableWithName(authzModel{}, "authz2").SetKeys(true, "ID")
dbMap.AddTableWithName(orderToAuthzModel{}, "orderToAuthz2").SetKeys(false, "OrderID", "AuthzID")
dbMap.AddTableWithName(recordedSerialModel{}, "serials").SetKeys(true, "ID")
dbMap.AddTableWithName(precertificateModel{}, "precertificates").SetKeys(true, "ID")
dbMap.AddTableWithName(lintingCertModel{}, "precertificates").SetKeys(true, "ID")
dbMap.AddTableWithName(keyHashModel{}, "keyHashToSerial").SetKeys(true, "ID")
dbMap.AddTableWithName(incidentModel{}, "incidents").SetKeys(true, "ID")
dbMap.AddTable(incidentSerialModel{})
3 changes: 3 additions & 0 deletions sa/db/boulder_sa/20230419000000_CombinedSchema.sql
Expand Up @@ -173,6 +173,9 @@ CREATE TABLE `orders` (
PARTITION BY RANGE(id)
(PARTITION p_start VALUES LESS THAN (MAXVALUE));

-- Note: This table's name is a historical artifact and it is now
-- used to store linting certificates, not precertificates.
-- See #6807.
CREATE TABLE `precertificates` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`registrationID` bigint(20) NOT NULL,
4 changes: 2 additions & 2 deletions sa/model.go
Expand Up @@ -160,7 +160,7 @@ const precertFields = "registrationID, serial, der, issued, expires"
// SelectPrecertificate selects all fields of one precertificate object
// identified by serial.
func SelectPrecertificate(ctx context.Context, s db.OneSelector, serial string) (core.Certificate, error) {
var model precertificateModel
var model lintingCertModel
err := s.SelectOne(
ctx,
&model,
Expand Down Expand Up @@ -384,7 +384,7 @@ type recordedSerialModel struct {
Expires time.Time
}

type precertificateModel struct {
type lintingCertModel struct {
ID int64
Serial string
RegistrationID int64
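Review bot: The doc comment on SelectPrecertificate in the first hunk (`// SelectPrecertificate selects all fields of one precertificate object`) still describes the row as a precertificate even though the function now reads a `lintingCertModel`; since this commit exists to document exactly that mismatch, it should be updated to `// SelectPrecertificate selects all fields of one linting certificate (stored in the historically named "precertificates" table, see #6807) identified by serial.` The renamed struct `lintingCertModel` in the second hunk has no doc comment at all; a one-liner such as `// lintingCertModel is a row of the "precertificates" table, which stores linting certificates rather than precertificates (see #6807).` would carry the same explanation to the type that most readers will land on. The `precertFields` constant visible in the first hunk header keeps the old name, which may be intentional since it lists table columns, but it is another place the naming note could be repeated. The struct body continues past the end of the hunk.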
8 changes: 6 additions & 2 deletions sa/sa.go
Expand Up @@ -206,7 +206,11 @@ func (ssa *SQLStorageAuthority) SetCertificateStatusReady(ctx context.Context, r
return &emptypb.Empty{}, nil
}

// AddPrecertificate writes a record of a precertificate generation to the DB.
// AddPrecertificate writes a record of a linting certificate to the database.
//
// Note: The name "AddPrecertificate" is a historical artifact, and this is now
// always called with a linting certificate. See #6807.
//
// Note: this is not idempotent: it does not protect against inserting the same
// certificate multiple times. Calling code needs to first insert the cert's
// serial into the Serials table to ensure uniqueness.
Expand All @@ -221,7 +225,7 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
}
serialHex := core.SerialToString(parsed.SerialNumber)

preCertModel := &precertificateModel{
preCertModel := &lintingCertModel{
Serial: serialHex,
RegistrationID: req.RegID,
DER: req.Der,
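Review bot: The local `preCertModel := &lintingCertModel{` in the second hunk keeps the old name while the type and the updated doc comment now both say linting certificate, which reintroduces inside the function the confusion the doc comment was just rewritten to remove; renaming it to `lintCertModel := &lintingCertModel{` would keep the body consistent, though its later uses are outside the hunk and would need the same change. The expanded doc comment is otherwise clear, and the retained non-idempotence note is the part callers most need. The body of AddPrecertificate begins at the second hunk's header and continues past its last visible line.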
