reusePrivateKey looks for a private key for domain in storage in the configured issuers' paths. For the first private key it finds, it returns that key both decoded and PEM-encoded, as well as the reordered list of issuers to use instead of cfg.Issuers (because if a key is found, that issuer should be tried first, so it is moved to the front in a copy of cfg.Issuers).
(ctx context.Context, domain string)
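// reusePrivateKey looks for an existing private key for domain in storage,
// under the storage location of each configured issuer, in the order given
// by cfg.Issuers. For the first private key it finds, it returns that key
// both decoded (privKey) and PEM-encoded (privKeyPEM), together with a
// reordered copy of cfg.Issuers in which the issuer that owns the key is
// moved to the front, so the caller tries that issuer first.
//
// If no issuer has a stored key, privKey and privKeyPEM are nil, issuers is
// an unmodified copy of cfg.Issuers, and err is nil: not having a key is
// normal and must not prevent obtaining a certificate.
//
// Any other storage error, or a stored key that cannot be decoded, is
// returned as an error (wrapped with the issuer it belongs to) rather than
// skipped. This is deliberate: a key that is present but unreadable points
// at corruption or tampering in storage, and silently falling through to a
// fresh key would hide that. Error messages identify the issuer, never the
// key material itself.
//
// cfg.Issuers is never mutated; only the returned copy is reordered.
func (cfg *Config) reusePrivateKey(ctx context.Context, domain string) (privKey crypto.PrivateKey, privKeyPEM []byte, issuers []Issuer, err error) {
	// Work on a copy so reordering never leaks into the configured issuers,
	// which may be shared across certificates and goroutines.
	issuers = make([]Issuer, len(cfg.Issuers))
	copy(issuers, cfg.Issuers)

	for i, issuer := range issuers {
		issuerKey := issuer.IssuerKey()
		storageKey := StorageKeys.SitePrivateKey(issuerKey, domain)

		pemBytes, loadErr := cfg.Storage.Load(ctx, storageKey)
		if errors.Is(loadErr, fs.ErrNotExist) {
			// No key under this issuer; that is fine, try the next one.
			continue
		}
		if loadErr != nil {
			// %w (not %v) so callers can still errors.Is/As the storage error.
			return nil, nil, nil, fmt.Errorf("loading existing private key for reuse with issuer %s: %w", issuerKey, loadErr)
		}

		key, decodeErr := PEMDecodePrivateKey(pemBytes)
		if decodeErr != nil {
			// Fail closed: a key that exists but does not parse should be
			// investigated, not replaced behind the operator's back. Name the
			// issuer so the bad file can be located, but not its contents.
			return nil, nil, nil, fmt.Errorf("decoding existing private key for reuse with issuer %s: %w", issuerKey, decodeErr)
		}

		// Build the reordered list in a fresh slice rather than appending in
		// place, so nothing aliases the copy made above.
		reordered := make([]Issuer, 0, len(issuers))
		reordered = append(reordered, issuer)
		reordered = append(reordered, issuers[:i]...)
		reordered = append(reordered, issuers[i+1:]...)

		return key, pemBytes, reordered, nil
	}

	// Nothing found anywhere: no key, no error, issuers in configured order.
	// Return an explicit nil PEM so a not-found lookup can never hand back
	// stray bytes from a storage backend.
	return nil, nil, issuers, nil
}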
| 791 | |
| 792 | // storageHasCertResourcesAnyIssuer returns true if storage has all the |
| 793 | // certificate resources in storage from any configured issuer. It checks |