Improve CRL fetching

- improve client data structures
- do not fetch CRLs for root CA certificates

internal/client/client.go

@@ -48,10 +48,15 @@ type Profile struct {
 	UseFor string
 }
 
+type CertInfo struct {
+	Name     string
+	FetchCRL bool
+}
+
 type SignerInfo struct {
 	SignerHealth   bool
 	SignerVersion  string
-	CACertificates []string
+	CACertificates []CertInfo
 	UsableProfiles map[string][]Profile
 }
 
@@ -237,12 +242,14 @@ func (c *Client) buildCRLInfo() []CRLInfo {
 		return nil
 	}
 
-	infos := make([]CRLInfo, len(c.signerInfo.CACertificates))
+	infos := make([]CRLInfo, 0)
 
-	for i, caName := range c.signerInfo.CACertificates {
+	for _, caInfo := range c.signerInfo.CACertificates {
-		lastKnown := c.lastKnownCRL(caName)
+		if caInfo.FetchCRL {
+			lastKnown := c.lastKnownCRL(caInfo.Name)
 
-		infos[i] = CRLInfo{Name: caName, LastKnown: lastKnown}
+			infos = append(infos, CRLInfo{Name: caInfo.Name, LastKnown: lastKnown})
+		}
 	}
 
 	return infos

internal/handler/handler.go

@@ -160,7 +160,7 @@ func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
 
 		switch item.Source {
 		case "HSM":
-			signerInfo.CACertificates = make([]string, 0)
+			signerInfo.CACertificates = make([]client.CertInfo, 0)
 			signerInfo.UsableProfiles = make(map[string][]client.Profile)
 
 			for certName, value := range item.MoreInfo {
@@ -179,7 +179,10 @@ func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
 					"valid-until": certInfo.ValidUntil,
 				}).Trace("certificate info")
 
-				signerInfo.CACertificates = append(signerInfo.CACertificates, certName)
+				signerInfo.CACertificates = append(
+					signerInfo.CACertificates,
+					client.CertInfo{Name: certName, FetchCRL: certInfo.Signing},
+				)
 
 				if certInfo.Signing {
 					for _, profile := range certInfo.Profiles {