sa: truncate all timestamps to seconds

As described in #7075, go-sql-driver/mysql v1.5.0 truncates timestamps to
microseconds, while v1.6.0 and above does not. That means upon upgrading to
v1.6.0, timestamps are written to the database with a resolution of nanoseconds,
and SELECT statements also use a resolution of nanoseconds. We believe this is
the cause of performance problems we observed when upgrading to v1.6.0 and
above.

To fix that, apply rounding in the application code. Rather than just rounding
to microseconds, round to seconds since that is the resolution we care about.
Using seconds rather than microseconds may also allow some of our indexes to
grow more slowly over time.

Author: jsha

cmd/bad-key-revoker/main.go

@@ -141,7 +141,7 @@ func (bkr *badKeyRevoker) findUnrevoked(ctx context.Context, unchecked unchecked
 			"SELECT id, certSerial FROM keyHashToSerial WHERE keyHash = ? AND id > ? AND certNotAfter > ? ORDER BY id LIMIT ?",
 			unchecked.KeyHash,
 			initialID,
-			bkr.clk.Now(),
+			bkr.clk.Now().Truncate(time.Second),
 			bkr.serialBatchSize,
 		)
 		if err != nil {

sa/model.go

@@ -304,7 +304,7 @@ func registrationPbToModel(reg *corepb.Registration) (*regModel, error) {
 
 	var createdAt time.Time
 	if !core.IsAnyNilOrZero(reg.CreatedAt) {
-		createdAt = reg.CreatedAt.AsTime()
+		createdAt = reg.CreatedAt.AsTime().Truncate(time.Second)
 	}
 
 	return &regModel{
@@ -411,8 +411,8 @@ func orderToModelv1(order *corepb.Order) (*orderModelv1, error) {
 	om := &orderModelv1{
 		ID:                order.Id,
 		RegistrationID:    order.RegistrationID,
-		Expires:           order.Expires.AsTime(),
-		Created:           order.Created.AsTime(),
+		Expires:           order.Expires.AsTime().Truncate(time.Second),
+		Created:           order.Created.AsTime().Truncate(time.Second),
 		BeganProcessing:   order.BeganProcessing,
 		CertificateSerial: order.CertificateSerial,
 	}
@@ -458,8 +458,8 @@ func orderToModelv2(order *corepb.Order) (*orderModelv2, error) {
 	om := &orderModelv2{
 		ID:                     order.Id,
 		RegistrationID:         order.RegistrationID,
-		Expires:                order.Expires.AsTime(),
-		Created:                order.Created.AsTime(),
+		Expires:                order.Expires.AsTime().Truncate(time.Second),
+		Created:                order.Created.AsTime().Truncate(time.Second),
 		BeganProcessing:        order.BeganProcessing,
 		CertificateSerial:      order.CertificateSerial,
 		CertificateProfileName: order.CertificateProfileName,
@@ -695,7 +695,7 @@ func authzPBToModel(authz *corepb.Authorization) (*authzModel, error) {
 		IdentifierValue: authz.Identifier,
 		RegistrationID:  authz.RegistrationID,
 		Status:          statusToUint[core.AcmeStatus(authz.Status)],
-		Expires:         authz.Expires.AsTime(),
+		Expires:         authz.Expires.AsTime().Truncate(time.Second),
 	}
 	if authz.Id != "" {
 		// The v1 internal authorization objects use a string for the ID, the v2
@@ -734,7 +734,7 @@ func authzPBToModel(authz *corepb.Authorization) (*authzModel, error) {
 			// If validated Unix timestamp is zero then keep the core.Challenge Validated object nil.
 			var validated *time.Time
 			if !core.IsAnyNilOrZero(chall.Validated) {
-				val := chall.Validated.AsTime()
+				val := chall.Validated.AsTime().Truncate(time.Second)
 				validated = &val
 			}
 			am.AttemptedAt = validated

sa/sa.go

@@ -105,7 +105,7 @@ func (ssa *SQLStorageAuthority) NewRegistration(ctx context.Context, req *corepb
 		return nil, err
 	}
 
-	reg.CreatedAt = ssa.clk.Now()
+	reg.CreatedAt = ssa.clk.Now().Truncate(time.Second)
 
 	err = ssa.dbMap.Insert(ctx, reg)
 	if err != nil {
@@ -166,8 +166,8 @@ func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSeri
 	err := ssa.dbMap.Insert(ctx, &recordedSerialModel{
 		Serial:         req.Serial,
 		RegistrationID: req.RegID,
-		Created:        req.Created.AsTime(),
-		Expires:        req.Expires.AsTime(),
+		Created:        req.Created.AsTime().Truncate(time.Second),
+		Expires:        req.Expires.AsTime().Truncate(time.Second),
 	})
 	if err != nil {
 		return nil, err
@@ -220,7 +220,7 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
 		Serial:         serialHex,
 		RegistrationID: req.RegID,
 		DER:            req.Der,
-		Issued:         req.Issued.AsTime(),
+		Issued:         req.Issued.AsTime().Truncate(time.Second),
 		Expires:        parsed.NotAfter,
 	}
 
@@ -249,13 +249,15 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
 		cs := &core.CertificateStatus{
 			Serial:                serialHex,
 			Status:                status,
-			OCSPLastUpdated:       ssa.clk.Now(),
+			OCSPLastUpdated:       ssa.clk.Now().Truncate(time.Second),
 			RevokedDate:           time.Time{},
 			RevokedReason:         0,
 			LastExpirationNagSent: time.Time{},
-			NotAfter:              parsed.NotAfter,
-			IsExpired:             false,
-			IssuerNameID:          req.IssuerNameID,
+			// No need to truncate because it's already truncated to encode
+			// per https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5.1
+			NotAfter:     parsed.NotAfter,
+			IsExpired:    false,
+			IssuerNameID: req.IssuerNameID,
 		}
 		err = ssa.dbMap.Insert(ctx, cs)
 		if err != nil {
@@ -314,7 +316,7 @@ func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.Ad
 		Serial:         serial,
 		Digest:         digest,
 		DER:            req.Der,
-		Issued:         req.Issued.AsTime(),
+		Issued:         req.Issued.AsTime().Truncate(time.Second),
 		Expires:        parsedCertificate.NotAfter,
 	}
 
@@ -500,11 +502,11 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 		// Second, insert the new order.
 		var orderID int64
 		var err error
-		created := ssa.clk.Now()
+		created := ssa.clk.Now().Truncate(time.Second)
 		if features.Get().MultipleCertificateProfiles {
 			omv2 := orderModelv2{
 				RegistrationID:         req.NewOrder.RegistrationID,
-				Expires:                req.NewOrder.Expires.AsTime(),
+				Expires:                req.NewOrder.Expires.AsTime().Truncate(time.Second),
 				Created:                created,
 				CertificateProfileName: req.NewOrder.CertificateProfileName,
 			}
@@ -513,7 +515,7 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 		} else {
 			omv1 := orderModelv1{
 				RegistrationID: req.NewOrder.RegistrationID,
-				Expires:        req.NewOrder.Expires.AsTime(),
+				Expires:        req.NewOrder.Expires.AsTime().Truncate(time.Second),
 				Created:        created,
 			}
 			err = tx.Insert(ctx, &omv1)
@@ -563,7 +565,13 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 		}
 
 		// Fifth, insert the FQDNSet entry for the order.
-		err = addOrderFQDNSet(ctx, tx, req.NewOrder.Names, orderID, req.NewOrder.RegistrationID, req.NewOrder.Expires.AsTime())
+		err = addOrderFQDNSet(ctx,
+			tx,
+			req.NewOrder.Names,
+			orderID,
+			req.NewOrder.RegistrationID,
+			req.NewOrder.Expires.AsTime().Truncate(time.Second),
+		)
 		if err != nil {
 			return nil, err
 		}
@@ -590,7 +598,12 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 		if req.NewOrder.ReplacesSerial != "" {
 			// Update the replacementOrders table to indicate that this order
 			// replaces the provided certificate serial.
-			err := addReplacementOrder(ctx, tx, req.NewOrder.ReplacesSerial, orderID, req.NewOrder.Expires.AsTime())
+			err := addReplacementOrder(ctx,
+				tx,
+				req.NewOrder.ReplacesSerial,
+				orderID,
+				req.NewOrder.Expires.AsTime().Truncate(time.Second),
+			)
 			if err != nil {
 				return nil, err
 			}
@@ -803,7 +816,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
 	// database attemptedAt field Null instead of 1970-01-01 00:00:00.
 	var attemptedTime *time.Time
 	if !core.IsAnyNilOrZero(req.AttemptedAt) {
-		val := req.AttemptedAt.AsTime()
+		val := req.AttemptedAt.AsTime().Truncate(time.Second)
 		attemptedTime = &val
 	}
 	params := map[string]interface{}{
@@ -813,7 +826,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
 		"validationRecord": vrJSON,
 		"id":               req.Id,
 		"pending":          statusUint(core.StatusPending),
-		"expires":          req.Expires.AsTime(),
+		"expires":          req.Expires.AsTime().Truncate(time.Second),
 		// if req.ValidationError is nil veJSON should also be nil
 		// which should result in a NULL field
 		"validationError": veJSON,
@@ -881,7 +894,7 @@ func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb
 	}
 
 	_, overallError := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (interface{}, error) {
-		revokedDate := req.Date.AsTime()
+		revokedDate := req.Date.AsTime().Truncate(time.Second)
 
 		res, err := tx.ExecContext(ctx,
 			`UPDATE certificateStatus SET
@@ -938,8 +951,8 @@ func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, re
 	}
 
 	_, overallError := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (interface{}, error) {
-		thisUpdate := req.Date.AsTime()
-		revokedDate := req.Backdate.AsTime()
+		thisUpdate := req.Date.AsTime().Truncate(time.Second)
+		revokedDate := req.Backdate.AsTime().Truncate(time.Second)
 
 		res, err := tx.ExecContext(ctx,
 			`UPDATE certificateStatus SET
@@ -1021,7 +1034,7 @@ func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.Add
 	cols, qs := blockedKeysColumns, "?, ?, ?, ?"
 	vals := []interface{}{
 		req.KeyHash,
-		req.Added.AsTime(),
+		req.Added.AsTime().Truncate(time.Second),
 		sourceInt,
 		req.Comment,
 	}
@@ -1143,7 +1156,7 @@ func (ssa *SQLStorageAuthority) leaseOldestCRLShard(ctx context.Context, req *sa
 					VALUES (?, ?, ?)`,
 				req.IssuerNameID,
 				shardIdx,
-				req.Until.AsTime(),
+				req.Until.AsTime().Truncate(time.Second),
 			)
 			if err != nil {
 				return -1, fmt.Errorf("inserting selected shard: %w", err)
@@ -1155,7 +1168,7 @@ func (ssa *SQLStorageAuthority) leaseOldestCRLShard(ctx context.Context, req *sa
 					WHERE issuerID = ?
 					AND idx = ?
 					LIMIT 1`,
-				req.Until.AsTime(),
+				req.Until.AsTime().Truncate(time.Second),
 				req.IssuerNameID,
 				shardIdx,
 			)
@@ -1211,7 +1224,7 @@ func (ssa *SQLStorageAuthority) leaseSpecificCRLShard(ctx context.Context, req *
 					VALUES (?, ?, ?)`,
 				req.IssuerNameID,
 				req.MinShardIdx,
-				req.Until.AsTime(),
+				req.Until.AsTime().Truncate(time.Second),
 			)
 			if err != nil {
 				return nil, fmt.Errorf("inserting selected shard: %w", err)
@@ -1223,7 +1236,7 @@ func (ssa *SQLStorageAuthority) leaseSpecificCRLShard(ctx context.Context, req *
 					WHERE issuerID = ?
 					AND idx = ?
 					LIMIT 1`,
-				req.Until.AsTime(),
+				req.Until.AsTime().Truncate(time.Second),
 				req.IssuerNameID,
 				req.MinShardIdx,
 			)
@@ -1261,24 +1274,25 @@ func (ssa *SQLStorageAuthority) UpdateCRLShard(ctx context.Context, req *sapb.Up
 	// Only set the nextUpdate if it's actually present in the request message.
 	var nextUpdate *time.Time
 	if req.NextUpdate != nil {
-		nut := req.NextUpdate.AsTime()
+		nut := req.NextUpdate.AsTime().Truncate(time.Second)
 		nextUpdate = &nut
 	}
 
 	_, err := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (interface{}, error) {
+		thisUpdate := req.ThisUpdate.AsTime().Truncate(time.Second)
 		res, err := tx.ExecContext(ctx,
 			`UPDATE crlShards
 				SET thisUpdate = ?, nextUpdate = ?, leasedUntil = ?
 				WHERE issuerID = ?
 				AND idx = ?
 				AND (thisUpdate is NULL OR thisUpdate < ?)
 				LIMIT 1`,
-			req.ThisUpdate.AsTime(),
+			thisUpdate,
 			nextUpdate,
-			req.ThisUpdate.AsTime(),
+			thisUpdate,
 			req.IssuerNameID,
 			req.ShardIdx,
-			req.ThisUpdate.AsTime(),
+			thisUpdate,
 		)
 		if err != nil {
 			return nil, err