Fetch intermediates if configured

Author: ctz

upki/src/intermediates.rs

@@ -1,5 +1,34 @@
+use std::process::ExitCode;
+
 use serde::{Deserialize, Serialize};
 
+use crate::Config;
+use crate::data::{MANIFEST_JSON, Manifest, fetch_inner};
+use crate::revocation::Error;
+
+/// Update the local intermediates cache by fetching updates over the network.
+///
+/// `dry_run` means this call fetches the new manifest, but does not fetch any
+/// required files; but the necessary files are printed to stdout.  Therefore
+/// such a call is not completely "dry" -- perhaps "moist".
+pub async fn fetch(dry_run: bool, config: &Config) -> Result<ExitCode, Error> {
+    let Some(intermediates) = &config.intermediates else {
+        return Ok(ExitCode::SUCCESS);
+    };
+    let mut manifest_path = config.intermediates_cache_dir();
+    manifest_path.push(MANIFEST_JSON);
+    let old_manifest = Manifest::from_file(&manifest_path).ok();
+    let manifest_url = format!("{}{MANIFEST_JSON}", intermediates.fetch_url);
+    fetch_inner(
+        dry_run,
+        &intermediates.fetch_url,
+        manifest_url,
+        &old_manifest,
+        config.intermediates_cache_dir(),
+    )
+    .await
+}
+
 /// Details about intermediate preloading.
 #[derive(Debug, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case", deny_unknown_fields)]
@@ -14,7 +43,7 @@ impl Default for IntermediatesConfig {
     fn default() -> Self {
         Self {
             enabled: false,
-            fetch_url: "https://upki.rustls.dev/".into(),
+            fetch_url: "https://upki.rustls.dev/intermediates/".into(),
         }
     }
 }

upki/src/lib.rs

@@ -61,6 +61,10 @@ impl Config {
     pub(crate) fn revocation_cache_dir(&self) -> PathBuf {
         self.cache_dir.join("revocation")
     }
+
+    fn intermediates_cache_dir(&self) -> PathBuf {
+        self.cache_dir.join("intermediates")
+    }
 }
 
 /// How the path to a configuration file was decided upon.

upki/src/main.rs

@@ -8,8 +8,8 @@ use clap::{Parser, Subcommand};
 use eyre::{Context, Report};
 use rustls_pki_types::CertificateDer;
 use rustls_pki_types::pem::PemObject;
-use upki::revocation::{Index, Manifest, RevocationCheckInput, fetch};
-use upki::{Config, ConfigPath};
+use upki::revocation::{Index, Manifest, RevocationCheckInput};
+use upki::{Config, ConfigPath, intermediates, revocation};
 
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> Result<ExitCode, Report> {
@@ -33,7 +33,15 @@ async fn main() -> Result<ExitCode, Report> {
     let config = Config::from_file_or_default(&config_path)?;
 
     Ok(match args.command {
-        Command::Fetch { dry_run } => fetch(dry_run, &config).await?,
+        Command::Fetch { dry_run } => {
+            match (
+                revocation::fetch(dry_run, &config).await?,
+                intermediates::fetch(dry_run, &config).await?,
+            ) {
+                (ExitCode::SUCCESS, ExitCode::SUCCESS) => ExitCode::SUCCESS,
+                (..) => ExitCode::FAILURE,
+            }
+        }
         Command::Verify => Manifest::from_config(&config)?.verify(&config)?,
         Command::ShowConfigPath => unreachable!(),
         Command::ShowConfig => {