sa: remove Update from UpdateRevokedCertificate (#8631)

Replace it with a plain `UPDATE`.

At the same time, remove a fallback that is no longer relevant (insert
into revokedCertificates if the row doesn't exist).

Part of #8630

Author: jsha

sa/sa.go

@@ -910,37 +910,31 @@ func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, re
 			return nil, berrors.InternalServerError("no certificate with serial %s and revoked reason other than keyCompromise", req.Serial)
 		}
 
-		var rcm revokedCertModel
 		// Note: this query MUST be updated to enforce the same preconditions as
 		// the "UPDATE certificateStatus SET revokedReason..." above if this
 		// query ever becomes the first or only query in this transaction. We are
 		// currently relying on the query above to exit early if the certificate
 		// does not have an appropriate status and revocation reason.
-		err = tx.SelectOne(
-			ctx, &rcm, `SELECT * FROM revokedCertificates WHERE serial = ?`, req.Serial)
-		if db.IsNoRows(err) {
-			// TODO: Remove this fallback codepath once we know that all unexpired
-			// certs marked as revoked in the certificateStatus table have
-			// corresponding rows in the revokedCertificates table. That should be
-			// 90+ days after the RA starts sending ShardIdx in its
-			// RevokeCertificateRequest messages.
-			err = addRevokedCertificate(ctx, tx, req, revokedDate)
-			if err != nil {
-				return nil, err
-			}
-			return nil, nil
-		} else if err != nil {
-			return nil, fmt.Errorf("retrieving revoked certificate row: %w", err)
-		}
-
-		if rcm.ShardIdx != req.ShardIdx {
-			return nil, berrors.InternalServerError("mismatched shard index %d != %d", req.ShardIdx, rcm.ShardIdx)
+		res, err = tx.ExecContext(ctx,
+			`UPDATE revokedCertificates
+			 SET revokedReason = ?
+			 WHERE serial = ?
+			 AND shardIdx = ?`,
+			revocation.KeyCompromise,
+			req.Serial,
+			req.ShardIdx)
+		if err != nil {
+			return nil, fmt.Errorf("updating revoked certificate row: %w", err)
 		}
 
-		rcm.RevokedReason = revocation.KeyCompromise
-		_, err = tx.Update(ctx, &rcm)
+		rows, err = res.RowsAffected()
 		if err != nil {
-			return nil, fmt.Errorf("updating revoked certificate row: %w", err)
+			return nil, err
+		}
+		if rows == 0 {
+			// InternalServerError because we expected this serial / shardIdx to exist.
+			return nil, berrors.InternalServerError("no certificate with serial %s in CRL shard %d",
+				req.Serial, req.ShardIdx)
 		}
 
 		return nil, nil
@@ -1245,7 +1239,7 @@ func (ssa *SQLStorageAuthority) UpdateCRLShard(ctx context.Context, req *sapb.Up
 
 		rowsAffected, err := res.RowsAffected()
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("confirming update of selected shard: %w", err)
 		}
 		if rowsAffected == 0 {
 			return nil, fmt.Errorf("unable to update shard %d for issuer %d; possibly because shard exists", req.ShardIdx, req.IssuerNameID)

sa/sa_test.go

@@ -2038,7 +2038,7 @@ func TestUpdateRevokedCertificate(t *testing.T) {
 		ShardIdx: 2,
 	})
 	test.AssertError(t, err, "UpdateRevokedCertificate should have failed")
-	test.AssertContains(t, err.Error(), "mismatched shard index")
+	test.AssertContains(t, err.Error(), "no certificate with")
 
 	// Try to update its revocation info correctly
 	_, err = sa.UpdateRevokedCertificate(context.Background(), &sapb.RevokeCertificateRequest{