Allow to use an alternative interface to store renewed certs.

This can be useful to know if a certificate has been renewed and link one certificate with the 'parent'.
2021-04-29 15:55:22 -07:00 · 2021-04-29 15:55:22 -07:00 · 2cbaee9c1d
commit 2cbaee9c1d
parent 582d6b161d
1 changed files with 14 additions and 1 deletions
--- a/authority/tls.go
+++ b/authority/tls.go
@ -263,7 +263,7 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
 	}

 	fullchain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...)
-	if err = a.storeCertificate(fullchain); err != nil {
+	if err = a.storeRenewedCertificate(oldCert, fullchain); err != nil {
 		if err != db.ErrNotImplemented {
 			return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Rekey; error storing certificate in db", opts...)
 		}
@ -287,6 +287,19 @@ func (a *Authority) storeCertificate(fullchain []*x509.Certificate) error {
 	return a.db.StoreCertificate(fullchain[0])
 }

+// storeRenewedCertificate allows to use an extension of the db.AuthDB interface
+// that can log if a certificate has been renewed or rekeyed.
+//
+// TODO: at some point we should implement this in the standard implementation.
+func (a *Authority) storeRenewedCertificate(oldCert *x509.Certificate, fullchain []*x509.Certificate) error {
+	if s, ok := a.db.(interface {
+		StoreRenewedCertificate(*x509.Certificate, ...*x509.Certificate) error
+	}); ok {
+		return s.StoreRenewedCertificate(oldCert, fullchain...)
+	}
+	return a.db.StoreCertificate(fullchain[0])
+}
+
 // RevokeOptions are the options for the Revoke API.
 type RevokeOptions struct {
 	Serial      string