Use GetRevocationStatus instead of GetCertificateStatus #8402
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
f7a894c to
a86d88a
Compare
a86d88a to
973cf7d
Compare
jprenken
previously approved these changes
Sep 24, 2025
beautifulentropy
requested changes
Sep 24, 2025
Member
beautifulentropy
left a comment
There was a problem hiding this comment.
We're preserving the behavior where SQLStorageAuthorityRO.GetRevocationStatus() returns NotFound for serials that do not match a known certificate, which is great. We should update the method doc comment to indicate that this is part of its API contract.
Similarly, we're depending on SQLStorageAuthorityRO.GetSerialMetadata() to return NotFound so that we meet this contract, we should update the doc comment for that as well.
Otherwise, the change looks great and makes perfect sense. I'm a little sad to see us take an extra query hit, but it keeps this method safe.
jprenken
previously approved these changes
Sep 24, 2025
jsha
requested changes
Sep 25, 2025
jprenken
approved these changes
Sep 25, 2025
jsha
approved these changes
Sep 25, 2025
beautifulentropy
approved these changes
Sep 25, 2025
aarongable
added a commit
that referenced
this pull request
Oct 2, 2025
This reverts commit a5cf372.
aarongable
added a commit
that referenced
this pull request
Oct 2, 2025
This reverts #8402 The revokedCertificates table does not have an index on the `serial` column, unlike the certificateStatus table. This means that these highly-targeted, single-certificate lookups are actually very inefficient, and led to performance problems in the database. This revert will be followed by a schema change to add an index to the revokedCertificates table, and then by a reland of the original PR. Part of #8322
aarongable
added a commit
that referenced
this pull request
Oct 2, 2025
In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from the certificateStatus table. In the WFE, switch to calling GetRevocationStatus when computing ARI windows. Similarly, in the RA, make the same switch when checking if a to-be-revoked certificate is already revoked. Across all three locations, use new core constants to represent "good" and "revoked", to avoid references to OCSP and unwieldy string/int conversions. This paves the way for removing sa.GetCertificateStatus, which now has only one remaining caller which is not quite so easily changed. Part of #8322 (cherry picked from commit a5cf372)
aarongable
added a commit
that referenced
this pull request
Oct 2, 2025
In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from the certificateStatus table. In the WFE, switch to calling GetRevocationStatus when computing ARI windows. Similarly, in the RA, make the same switch when checking if a to-be-revoked certificate is already revoked. Across all three locations, use new core constants to represent "good" and "revoked", to avoid references to OCSP and unwieldy string/int conversions. This paves the way for removing sa.GetCertificateStatus, which now has only one remaining caller which is not quite so easily changed. Part of #8322 (cherry picked from commit a5cf372)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from the certificateStatus table.
In the WFE, switch to calling GetRevocationStatus when computing ARI windows. Similarly, in the RA, make the same switch when checking if a to-be-revoked certificate is already revoked.
Across all three locations, use new core constants to represent "good" and "revoked", to avoid references to OCSP and unwieldy string/int conversions.
This paves the way for removing sa.GetCertificateStatus, which now has only one remaining caller which is not quite so easily changed.
Part of #8322
Warning
Do not merge before #8400