race condition between bad-key-revoker and orphan queue

[jsha]

bad-key-revoker loops through the blockedKeys table periodically looking for any key that have been newly added (extantCertificatesChecked = false). It then searches the database for all certificates with that key and sets extantCertificatesChecked = true so it doesn't have to look at the same key multiple times.

However, it's possible for an orphaned certificate to be in the queue waiting to be integrated into the database. If an orphaned certificate had a key in the blockedKeys table, and bad-key-revoker processed that key while that certificate was in the queue, it would not get revoked.

One solution to this would be: when processing the orphaned certificates queue, check the blocked keys table. If a certificate's key is blocked, revoke it immediately upon inserting it into the database. This will be slightly simpler in the ROCSP world because we don't have to re-generate OCSP at insertion time. The ocsp-responder will handle it.