From 792675c8c51f3a843f23f25a36576524fcb212e4 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Wed, 30 Nov 2022 20:21:51 +0100
Subject: [PATCH] Improve CRL fetching

- improve client data structures
- do not fetch CRLs for root CA certificates
---
 internal/client/client.go | 17 ++++++++++++-----
 internal/handler/handler.go | 7 +++++--
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/internal/client/client.go b/internal/client/client.go
index d5fbc31..dafc527 100644
--- a/internal/client/client.go
+++ b/internal/client/client.go
@@ -48,10 +48,15 @@ type Profile struct {
 UseFor string
 }

+type CertInfo struct {
+ Name string
+ FetchCRL bool
+}
+
 type SignerInfo struct {
 SignerHealth bool
 SignerVersion string
- CACertificates []string
+ CACertificates []CertInfo
 UsableProfiles map[string][]Profile
 }
@@ -237,12 +242,14 @@ func (c *Client) buildCRLInfo() []CRLInfo {
 return nil
 }

- infos := make([]CRLInfo, len(c.signerInfo.CACertificates))
+ infos := make([]CRLInfo, 0)

- for i, caName := range c.signerInfo.CACertificates {
- lastKnown := c.lastKnownCRL(caName)
+ for _, caInfo := range c.signerInfo.CACertificates {
+ if caInfo.FetchCRL {
+ lastKnown := c.lastKnownCRL(caInfo.Name)

- infos[i] = CRLInfo{Name: caName, LastKnown: lastKnown}
+ infos = append(infos, CRLInfo{Name: caInfo.Name, LastKnown: lastKnown})
+ }
 }

 return infos
diff --git a/internal/handler/handler.go b/internal/handler/handler.go
index ba97525..4ca1a24 100644
--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
@@ -160,7 +160,7 @@ func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
 switch item.Source {
 case "HSM":
- signerInfo.CACertificates = make([]string, 0)
+ signerInfo.CACertificates = make([]client.CertInfo, 0)
 signerInfo.UsableProfiles = make(map[string][]client.Profile)

 for certName, value := range item.MoreInfo {
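Review bot: `CertInfo` and its two fields are exported without doc comments, and the zero value of `FetchCRL` silently opts a CA out of CRL fetching, so any code path that builds a `CertInfo` without setting the flag drops revocation data for that CA with no error or log. I would state that contract on the type: `// CertInfo identifies a CA certificate reported by the signer. FetchCRL is true only for CAs whose CRL the client must retrieve; the zero value opts out, so always set it explicitly when constructing a CertInfo.` If skipping should be the deliberate exception rather than the default, a flag whose zero value keeps fetching (for example `SkipCRL bool`) would be the safer shape, but that is a design decision beyond this hunk.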
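Review bot: `infos := make([]CRLInfo, 0)` throws away the capacity hint the removed line had; since the CA count is known, `infos := make([]CRLInfo, 0, len(c.signerInfo.CACertificates))` keeps the non-nil empty slice (the earlier `return nil` suggests callers may distinguish the two) while avoiding regrowth on append. The skip is also invisible: a CA with `FetchCRL` false leaves no trace, so an operator cannot tell a deliberately skipped root from a signing CA whose flag was never set; if the client has a logger in scope, a trace-level line naming `caInfo.Name` for the skipped case would make the filter observable. As a matter of style, a guard `if !caInfo.FetchCRL { continue }` keeps the append on the left-aligned happy path instead of nesting it. buildCRLInfo starts outside the hunk.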
@@ -179,7 +179,10 @@ func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
 "valid-until": certInfo.ValidUntil,
 }).Trace("certificate info")

- signerInfo.CACertificates = append(signerInfo.CACertificates, certName)
+ signerInfo.CACertificates = append(
+ signerInfo.CACertificates,
+ client.CertInfo{Name: certName, FetchCRL: certInfo.Signing},
+ )

 if certInfo.Signing {
 for _, profile := range certInfo.Profiles {
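Review bot: `FetchCRL: certInfo.Signing` uses the signing flag as a stand-in for "not a root CA", which is what the commit message describes, but the two are not the same property: a root that also signs would still have its CRL fetched, and an intermediate reported with `Signing` false would be skipped without notice. If that equivalence is the intended invariant of the health report, record it next to the append, `// Only signing CAs publish a CRL the client needs; roots report Signing=false and are skipped.`, and confirm it against the signer side since it is not visible here. Otherwise the decision should come from a dedicated field of the health response rather than being inferred from `Signing`. handleHealthResponse starts and continues outside the hunk.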