Use a unique index and duplicate detection

aarongable · aarongable · commit d444864a96d8 · 2025-10-21T17:56:34.000-07:00
diff --git a/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql b/sa/db-next/boulder_sa/20251002000000_AddRevokedSerialsIndex.sql
diff --git a/sa/db-next/boulder_sa/20251021000000_AddRevokedSerialsIndex.sql b/sa/db-next/boulder_sa/20251021000000_AddRevokedSerialsIndex.sql
@@ -0,0 +1,12 @@
+-- +migrate Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+ALTER TABLE `revokedCertificates` REMOVE PARTITIONING;
+ALTER TABLE `revokedCertificates` ADD UNIQUE INDEX `serial` (`serial`);
+
+-- +migrate Down
+-- SQL section 'Down' is executed when this migration is rolled back
+
+ALTER TABLE `revokedCertificates` DROP UNIQUE INDEX `serial`;
+ALTER TABLE `revokedCertificates` PARTITION BY RANGE(id)
+(PARTITION p_start VALUES LESS THAN (MAXVALUE));
diff --git a/sa/sa.go b/sa/sa.go
@@ -786,34 +786,15 @@ func addRevokedCertificate(ctx context.Context, tx db.Executor, req *sapb.Revoke
 		return errors.New("cannot add revoked certificate with shard index 0")
 	}
 
-	// If this serial already exists in the revokedCertificates table, then the
-	// certificate has already been revoked. The RA has special logic for that
-	// case, so return the specific error that the RA is looking for.
-	var row struct {
-		Count int64
-	}
-	err := tx.SelectOne(ctx, &row, "SELECT COUNT(*) as count FROM revokedCertificates WHERE serial = ? FOR UPDATE", req.Serial)
-	if err != nil {
-		return fmt.Errorf("checking if certificate is already revoked: %w", err)
-	}
-	if row.Count > 0 {
-		return berrors.AlreadyRevokedError("serial %s already in revokedCertificates table", req.Serial)
-	}
-
-	// The revokedCertificates table includes each cert's notAfter to make it easy
-	// for crl-updater to stop including entries after they've expired, so we need
-	// to look up that value.
 	var serial struct {
 		Expires time.Time
 	}
-	err = tx.SelectOne(ctx, &serial, `SELECT expires FROM serials WHERE serial = ?`, req.Serial)
+	err := tx.SelectOne(
+		ctx, &serial, `SELECT expires FROM serials WHERE serial = ?`, req.Serial)
 	if err != nil {
 		return fmt.Errorf("retrieving revoked certificate expiration: %w", err)
 	}
 
-	// We're guaranteed that this won't be a duplicate insert because we've
-	// already checked for existence of a row with the same serial above, using
-	// a FOR UPDATE select in this same transaction.
 	err = tx.Insert(ctx, &revokedCertModel{
 		IssuerID:      req.IssuerID,
 		Serial:        req.Serial,
@@ -825,6 +806,12 @@ func addRevokedCertificate(ctx context.Context, tx db.Executor, req *sapb.Revoke
 		NotAfterHour: serial.Expires.Add(time.Hour).Truncate(time.Hour),
 	})
 	if err != nil {
+		if db.IsDuplicate(err) {
+			// An attempted duplicate insert means that this certificate was already
+			// revoked. The RA has special logic for that case, so use the specific
+			// error for it.
+			return berrors.AlreadyRevokedError("certificate with serial %s already in revokedCertificates table", req.Serial)
+		}
 		return fmt.Errorf("inserting revoked certificate row: %w", err)
 	}
 
