sa: GetRevokedCerts returns explicit shards too
Change GetRevokedCerts to return a combined list of certs for a given shard,
calculating shard membership temporally _and_ by explicit assignment to a shard
in the revokedCertificates table.

This functionality is gated on the ShardIdx field of GetRevokedCertsRequest.
If it is zero, revoked certs will only be returned from a given temporal shard
(and we assume that no certs have been assigned to any explicit shard yet).

After we start sending the ShardIdx field, and also start writing entries to the
revokedCertificates table, this will result in CRL sizes doubling for
several months until we retire the temporal sharding code, since most revoked
certificates will be included in one shard based on their entry in
revokedCertificates, and a different shard based on their issuance time.
jsha committed Jan 7, 2025
1 parent 9b3c882 commit e46e0b8
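The membership rule the commit message describes (a certificate belongs to a CRL shard temporally when its notAfter falls in the shard's window, start inclusive and end exclusive as the doc comment in the diff states, and explicitly when a revokedCertificates row assigns it a shard index), modelled as an added Go example. This is not Boulder's code: the types, field names and the two helper functions are assumptions, and the certificate data is constructed. It reproduces the concatenation order of the change (explicit entries first, then temporal) and shows the one case where a serial lands in both sets, with a deduplicating variant beside it.

```go
package main

import (
	"fmt"
	"time"
)

// revokedCert is a constructed stand-in for a revoked certificate as seen by
// the SA; it is not Boulder's type. ShardIdx models the explicit assignment
// stored in the revokedCertificates table, with 0 meaning "not assigned".
type revokedCert struct {
	Serial   string
	NotAfter time.Time
	ShardIdx int64
}

// shardRequest mirrors the ShardIdx field named in the commit message; the
// window field names are assumptions made for this example.
type shardRequest struct {
	ShardIdx      int64
	ExpiresAfter  time.Time // inclusive
	ExpiresBefore time.Time // exclusive
}

// temporalMembers returns the serials whose notAfter lies in
// [ExpiresAfter, ExpiresBefore), i.e. the temporal shard.
func temporalMembers(req shardRequest, certs []revokedCert) []string {
	var out []string
	for _, c := range certs {
		if !c.NotAfter.Before(req.ExpiresAfter) && c.NotAfter.Before(req.ExpiresBefore) {
			out = append(out, c.Serial)
		}
	}
	return out
}

// explicitMembers returns the serials explicitly assigned to req.ShardIdx.
// A zero ShardIdx means explicit sharding is not in use, so nothing matches.
func explicitMembers(req shardRequest, certs []revokedCert) []string {
	if req.ShardIdx == 0 {
		return nil
	}
	var out []string
	for _, c := range certs {
		if c.ShardIdx == req.ShardIdx {
			out = append(out, c.Serial)
		}
	}
	return out
}

// shardEntries follows the order of the change: explicit members first (only
// when ShardIdx != 0), then temporal members, with no de-duplication, so a
// serial present in both sets is returned twice.
func shardEntries(req shardRequest, certs []revokedCert) []string {
	return append(explicitMembers(req, certs), temporalMembers(req, certs)...)
}

// shardEntriesDeduped is the same union with every serial emitted once,
// which is what a CRL consumer expects.
func shardEntriesDeduped(req shardRequest, certs []revokedCert) []string {
	seen := make(map[string]bool)
	var out []string
	for _, s := range shardEntries(req, certs) {
		if seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, s)
	}
	return out
}

// sampleCerts is constructed data covering both window edges and both
// membership paths for a shard window of [2025-03-01, 2025-04-01).
func sampleCerts() []revokedCert {
	d := func(m time.Month, day int) time.Time { return time.Date(2025, m, day, 0, 0, 0, 0, time.UTC) }
	return []revokedCert{
		{"A", d(time.March, 1), 0},  // exactly ExpiresAfter: temporal only (inclusive edge)
		{"B", d(time.March, 15), 7}, // in window and explicitly in shard 7: both paths
		{"C", d(time.June, 1), 7},   // outside window, explicitly in shard 7: explicit only
		{"D", d(time.February, 28), 3}, // outside window, other shard: neither
		{"E", d(time.April, 1), 0},  // exactly ExpiresBefore: excluded (exclusive edge)
	}
}

func sampleRequest(shardIdx int64) shardRequest {
	return shardRequest{
		ShardIdx:      shardIdx,
		ExpiresAfter:  time.Date(2025, time.March, 1, 0, 0, 0, 0, time.UTC),
		ExpiresBefore: time.Date(2025, time.April, 1, 0, 0, 0, 0, time.UTC),
	}
}

func main() {
	certs := sampleCerts()
	fmt.Println("ShardIdx=0:", shardEntries(sampleRequest(0), certs))
	fmt.Println("ShardIdx=7:", shardEntries(sampleRequest(7), certs))
	fmt.Println("ShardIdx=7 deduped:", shardEntriesDeduped(sampleRequest(7), certs))
}
```

With ShardIdx zero only the temporal set is returned; with ShardIdx 7 serial B comes back twice because it is both inside the window and explicitly assigned to the same shard, which is the overlap the commit message's "CRL sizes doubling" remark refers to when the two assignments coincide.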
Showing 1 changed file with 14 additions and 6 deletions.
20 changes: 14 additions & 6 deletions sa/saro.go
@@ -1053,18 +1053,26 @@ func (ssa *SQLStorageAuthorityRO) SerialsForIncident(req *sapb.SerialsForInciden
})
}

// GetRevokedCerts gets a request specifying an issuer and a period of time,
// and writes to the output stream the set of all certificates issued by that
// issuer which expire during that period of time and which have been revoked.
// GetRevokedCerts returns a stream of revoked certificates for a single CRL shard.
//
// If ShardIdx is zero, GetRevokedCerts calculates shard membership based
// solely on temporal sharding.
//
// If ShardIdx is nonzero, GetRevokedCerts calculates shard membership based
// on temporal sharding _and_ explicit sharding (that is, sharding based on
// the shardIdx field of the revokedCertificates table).
//
// The starting timestamp is treated as inclusive (certs with exactly that
// notAfter date are included), but the ending timestamp is exclusive (certs
// with exactly that notAfter date are *not* included).
func (ssa *SQLStorageAuthorityRO) GetRevokedCerts(req *sapb.GetRevokedCertsRequest, stream grpc.ServerStreamingServer[corepb.CRLEntry]) error {
if req.ShardIdx != 0 {
return ssa.getRevokedCertsFromRevokedCertificatesTable(req, stream)
} else {
return ssa.getRevokedCertsFromCertificateStatusTable(req, stream)
err := ssa.getRevokedCertsFromRevokedCertificatesTable(req, stream)
if err != nil {
return err
}
}
return ssa.getRevokedCertsFromCertificateStatusTable(req, stream)
}

// getRevokedCertsFromRevokedCertificatesTable uses the new revokedCertificates
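Review bot: In the `req.ShardIdx != 0` branch the explicit pass and the unconditional `getRevokedCertsFromCertificateStatusTable` call that follows it both write to the same `stream` with nothing removing overlap, so a serial that is explicitly assigned to this shard and whose notAfter also falls in this shard's temporal window will be sent twice, giving the CRL a duplicate entry. Either have the certificateStatus pass skip serials already emitted by `getRevokedCertsFromRevokedCertificatesTable`, or state in the doc comment that the stream may contain duplicates and the consumer must dedupe. The doc comment should also say that the two sets are concatenated, explicit entries first, rather than only that membership is calculated "on temporal sharding _and_ explicit sharding", since callers reading it will otherwise assume a single merged set.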
