wfe: add /get/certinfo (#8323)

This provides NotAfter for any serial number allocated, which includes
precertificates that did not have a corresponding final certificate
issued.

Fixes #8287

Author: jsha

wfe2/wfe.go

@@ -69,8 +69,9 @@ const (
 	renewalInfoPath   = "/acme/renewal-info/"
 
 	// Non-ACME paths.
-	getCertPath = "/get/cert/"
-	buildIDPath = "/build"
+	getCertPath     = "/get/cert/"
+	getCertInfoPath = "/get/certinfo/"
+	buildIDPath     = "/build"
 )
 
 const (
@@ -423,6 +424,7 @@ func (wfe *WebFrontEndImpl) Handler(stats prometheus.Registerer, oTelHTTPOptions
 
 	// Boulder specific endpoints
 	wfe.HandleFunc(m, getCertPath, wfe.Certificate, "GET")
+	wfe.HandleFunc(m, getCertInfoPath, wfe.CertificateInfo, "GET")
 	wfe.HandleFunc(m, buildIDPath, wfe.BuildID, "GET")
 
 	// Endpoint for draft-ietf-acme-ari
@@ -1627,6 +1629,34 @@ func (wfe *WebFrontEndImpl) Authorization(
 	}
 }
 
+// CertificateInfo is a Boulder-specific endpoint to return notAfter, even for serials
+// which only appear in a precertificate and don't have a corresponding final cert.
+//
+// This is used by our CRL monitoring infrastructure to determine when it is acceptable
+// for a serial to be removed from a CRL.
+func (wfe *WebFrontEndImpl) CertificateInfo(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) {
+	serial := request.URL.Path
+	if !core.ValidSerial(serial) {
+		wfe.sendError(response, logEvent, probs.NotFound("Certificate not found"), nil)
+		return
+	}
+	metadata, err := wfe.sa.GetSerialMetadata(ctx, &sapb.Serial{Serial: serial})
+	if err != nil {
+		wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Error getting certificate metadata"), err)
+		return
+	}
+	certInfoStruct := struct {
+		NotAfter time.Time `json:"notAfter"`
+	}{
+		NotAfter: metadata.Expires.AsTime(),
+	}
+	err = wfe.writeJsonResponse(response, logEvent, http.StatusOK, certInfoStruct)
+	if err != nil {
+		wfe.sendError(response, logEvent, probs.ServerInternal("Error marshalling certInfoStruct"), err)
+		return
+	}
+}
+
 // Certificate is used by clients to request a copy of their current certificate, or to
 // request a reissuance of the certificate.
 func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) {

wfe2/wfe_test.go

@@ -2129,6 +2129,37 @@ func (sa *mockSAWithIncident) IncidentsForSerial(_ context.Context, req *sapb.Se
 	return &sapb.Incidents{}, nil
 }
 
+type mockSAWithSerialMetadata struct {
+	sapb.StorageAuthorityReadOnlyClient
+}
+
+func (sa *mockSAWithSerialMetadata) GetSerialMetadata(ctx context.Context, serial *sapb.Serial, _ ...grpc.CallOption) (*sapb.SerialMetadata, error) {
+	return &sapb.SerialMetadata{
+		Expires: timestamppb.New(time.Date(2025, 7, 29, 0, 0, 0, 0, time.UTC)),
+	}, nil
+}
+
+func TestGetCertInfo(t *testing.T) {
+	wfe, _, _ := setupWFE(t)
+	wfe.sa = &mockSAWithSerialMetadata{}
+	responseWriter := httptest.NewRecorder()
+
+	wfe.CertificateInfo(context.Background(), newRequestEvent(), responseWriter, &http.Request{
+		Method: "GET",
+		URL:    &url.URL{Path: "aabbccddeeffaabbccddeeff000102030405"},
+	})
+
+	if responseWriter.Code != http.StatusOK {
+		t.Errorf("got HTTP status code %d, want %d", responseWriter.Code, http.StatusOK)
+	}
+	expected := `{
+  "notAfter": "2025-07-29T00:00:00Z"
+}`
+	if responseWriter.Body.String() != expected {
+		t.Errorf("got response body %q, want %q", responseWriter.Body.String(), expected)
+	}
+}
+
 func TestGetCertificate(t *testing.T) {
 	wfe, _, signer := setupWFE(t)
 	wfe.sa = newMockSAWithCert(t, wfe.sa)