From 7f01cd6ebd9aec81dcef2b952c182ebb489f49e7 Mon Sep 17 00:00:00 2001
From: Cadey Dodrill
Date: Wed, 25 Jan 2017 20:25:05 -0800
Subject: [PATCH] certcache: decrypt certs as they are read

---
 database/certcache.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/database/certcache.go b/database/certcache.go
index 5cc5057..3570042 100644
--- a/database/certcache.go
+++ b/database/certcache.go
@@ -1,6 +1,7 @@
 package database
 
 import (
+	"errors"
 	"log"
 
 	r "github.com/GoRethink/gorethink"
@@ -57,6 +58,15 @@ func (c *CertCache) Get(ctx context.Context, key string) ([]byte, error) {
 	switch cert.CryptoLevel {
 	case CryptoLevelNone:
 		body = cert.Body
+	case CryptoLevelSecretbox:
+		if c.SimpleBox == nil {
+			return nil, errors.New("can't read this cert, no key in memory")
+		}
+
+		body, err = c.SimpleBox.Decrypt(cert.Body)
+		if err != nil {
+			return nil, autocert.ErrCacheMiss
+		}
 	}
 
 	log.Printf("certcache: fetched: %s", key)
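Review bot: The new `case CryptoLevelSecretbox` still leaves the switch without a `default`, so a row carrying an unrecognized CryptoLevel skips every branch, leaves `body` unset, and the function proceeds to the `certcache: fetched` log line as if the read succeeded (Get's body continues past the hunk, so what is ultimately returned in that case is not visible here). Adding `default: return nil, errors.New("certcache: unknown crypto level")` before the closing brace closes that gap with the package the hunk already imports. Separately, a failed `Decrypt` is surfaced to the caller only as `autocert.ErrCacheMiss`, which makes a wrong or rotated key and a corrupted or altered ciphertext indistinguishable from an absent entry, so the operator never learns why certificates are being re-issued. Logging the underlying error before returning the miss, e.g. `log.Printf("certcache: decrypt failed for %s: %v", key, err)`, keeps key-management mistakes and integrity failures observable without changing the caller-facing contract.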