Reland "Use GetRevocationStatus instead of GetCertificateStatus" #8428
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from the certificateStatus table. In the WFE, switch to calling GetRevocationStatus when computing ARI windows. Similarly, in the RA, make the same switch when checking if a to-be-revoked certificate is already revoked. Across all three locations, use new core constants to represent "good" and "revoked", to avoid references to OCSP and unwieldy string/int conversions. This paves the way for removing sa.GetCertificateStatus, which now has only one remaining caller which is not quite so easily changed. Part of #8322 (cherry picked from commit a5cf372)
aarongable
force-pushed
the
reland-8402
branch
from
1a27cb1 to
0e2dce0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a reland of #8402
This is a revert of #8426
In the SA, change the implementation of GetRevocationStatus to read from the revokedCertificates table instead of reading from the certificateStatus table.
In the WFE, switch to calling GetRevocationStatus when computing ARI windows. Similarly, in the RA, make the same switch when checking if a to-be-revoked certificate is already revoked.
Across all three locations, use new core constants to represent "good" and "revoked", to avoid references to OCSP and unwieldy string/int conversions.
This paves the way for removing sa.GetCertificateStatus, which now has only one remaining caller which is not quite so easily changed.
Part of #8322
IN-11835 tracks the corresponding production config changes
Warning
Do not merge before #8427Do not merge before IN-11835 is complete