certdb

package v1.6.1
Published: Jul 14, 2021 License: BSD-2-Clause Imports: 4 Imported by: 526

README

certdb usage

Using a database enables additional functionality for existing commands when a db config is provided:

  • sign and gencert add a certificate to the certdb after signing it
  • serve enables database functionality for the sign and revoke endpoints

A database is required for the following:

  • revoke marks certificates revoked in the database with an optional reason
  • ocsprefresh refreshes the table of cached OCSP responses
  • ocspdump outputs cached OCSP responses in a concatenated base64-encoded format

Setup/Migration

This directory stores goose db migration scripts for various DB backends. Currently supported:

  • MySQL in mysql
  • PostgreSQL in pg
  • SQLite in sqlite
Get goose

go get bitbucket.org/liamstask/goose/cmd/goose

Use goose to start and terminate a MySQL DB

To start a MySQL using goose:

goose -path certdb/mysql up

To tear down a MySQL DB using goose:

goose -path certdb/mysql down

Note: administration of the MySQL database is not covered here. We assume the databases being connected to already exist and that access control to them is properly handled.

Use goose to start and terminate a PostgreSQL DB

To start a PostgreSQL using goose:

goose -path certdb/pg up

To tear down a PostgreSQL DB using goose:

goose -path certdb/pg down

Note: administration of the PostgreSQL database is not covered here. We assume the databases being connected to already exist and that access control to them is properly handled.

Use goose to start and terminate a SQLite DB

To start a SQLite DB using goose:

goose -path certdb/sqlite up

To tear down a SQLite DB using goose:

goose -path certdb/sqlite down

CFSSL Configuration

Several cfssl commands take a -db-config flag. Create a file with a JSON dictionary:

{"driver":"sqlite3","data_source":"certs.db"}

or

{"driver":"postgres","data_source":"postgres://user:password@host/db"}

or

{"driver":"mysql","data_source":"user:password@tcp(hostname:3306)/db?parseTime=true"}
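The -db-config file above is a two-key JSON dictionary, and for the postgres and mysql drivers the data_source carries the database password. The following is an added example, not cfssl's own code: it parses that dictionary, rejects drivers other than the three the README shows, and produces a redacted copy of data_source suitable for logs or status output. ParseDBConfig, RedactDataSource, DBConfig and supportedDrivers are names chosen for this example; the DSN formats follow the three sample configs above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DBConfig mirrors the JSON dictionary read from the file passed to -db-config.
type DBConfig struct {
	Driver     string `json:"driver"`
	DataSource string `json:"data_source"`
}

// supportedDrivers are the drivers the README gives sample configs for.
var supportedDrivers = map[string]bool{"sqlite3": true, "postgres": true, "mysql": true}

// ParseDBConfig decodes the config and rejects unknown drivers or an empty data source,
// so a typo in the driver name fails at startup rather than at the first query.
func ParseDBConfig(raw []byte) (DBConfig, error) {
	var cfg DBConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return DBConfig{}, fmt.Errorf("db config: %w", err)
	}
	if !supportedDrivers[cfg.Driver] {
		return DBConfig{}, fmt.Errorf("db config: unsupported driver %q", cfg.Driver)
	}
	if cfg.DataSource == "" {
		return DBConfig{}, errors.New("db config: data_source is empty")
	}
	return cfg, nil
}

// RedactDataSource returns data_source with any embedded password replaced,
// so the effective config can be echoed without leaking the DB credential.
func RedactDataSource(cfg DBConfig) string {
	switch cfg.Driver {
	case "postgres":
		// postgres://user:password@host/db is a URL, so net/url can rewrite the userinfo.
		u, err := url.Parse(cfg.DataSource)
		if err != nil || u.User == nil {
			return cfg.DataSource
		}
		if _, has := u.User.Password(); has {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
		return u.String()
	case "mysql":
		// user:password@tcp(host:port)/db?params is not a URL; split on the last '@'.
		at := strings.LastIndex(cfg.DataSource, "@")
		if at < 0 {
			return cfg.DataSource
		}
		userinfo := cfg.DataSource[:at]
		if i := strings.Index(userinfo, ":"); i >= 0 {
			userinfo = userinfo[:i] + ":REDACTED"
		}
		return userinfo + cfg.DataSource[at:]
	default:
		// sqlite3 data_source is a file path and carries no credential.
		return cfg.DataSource
	}
}

func main() {
	// Constructed sample config, matching the postgres form shown in the README.
	raw := []byte(`{"driver":"postgres","data_source":"postgres://user:password@host/db"}`)
	cfg, err := ParseDBConfig(raw)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("driver:", cfg.Driver, "data_source:", RedactDataSource(cfg))
}
```

The file itself still holds the plaintext password, so it should be protected like any other secret (restrictive file permissions, kept out of version control); this example only keeps the secret out of whatever reads the parsed config back.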

Documentation

Types

type Accessor

type Accessor interface {
	InsertCertificate(cr CertificateRecord) error
	GetCertificate(serial, aki string) ([]CertificateRecord, error)
	GetUnexpiredCertificates() ([]CertificateRecord, error)
	GetRevokedAndUnexpiredCertificates() ([]CertificateRecord, error)
	GetRevokedAndUnexpiredCertificatesByLabel(label string) ([]CertificateRecord, error)
	GetRevokedAndUnexpiredCertificatesByLabelSelectColumns(label string) ([]CertificateRecord, error)
	RevokeCertificate(serial, aki string, reasonCode int) error
	InsertOCSP(rr OCSPRecord) error
	GetOCSP(serial, aki string) ([]OCSPRecord, error)
	GetUnexpiredOCSPs() ([]OCSPRecord, error)
	UpdateOCSP(serial, aki, body string, expiry time.Time) error
	UpsertOCSP(serial, aki, body string, expiry time.Time) error
}

Accessor abstracts the CRUD of certdb objects from a DB.

type CertificateRecord

type CertificateRecord struct {
	Serial    string    `db:"serial_number"`
	AKI       string    `db:"authority_key_identifier"`
	CALabel   string    `db:"ca_label"`
	Status    string    `db:"status"`
	Reason    int       `db:"reason"`
	Expiry    time.Time `db:"expiry"`
	RevokedAt time.Time `db:"revoked_at"`
	PEM       string    `db:"pem"`
	// the following fields will be empty for data inserted before migrate 002 has been run.
	IssuedAt     *time.Time     `db:"issued_at"`
	NotBefore    *time.Time     `db:"not_before"`
	MetadataJSON types.JSONText `db:"metadata"`
	SANsJSON     types.JSONText `db:"sans"`
	CommonName   sql.NullString `db:"common_name"`
}

CertificateRecord encodes a certificate and its metadata that will be recorded in a database.

func (*CertificateRecord) GetMetadata added in v1.5.0

func (c *CertificateRecord) GetMetadata() (map[string]interface{}, error)

GetMetadata returns the json metadata

func (*CertificateRecord) GetSANs added in v1.5.0

func (c *CertificateRecord) GetSANs() ([]string, error)

GetSANs returns the json SANs

func (*CertificateRecord) SetMetadata added in v1.5.0

func (c *CertificateRecord) SetMetadata(meta map[string]interface{}) error

SetMetadata sets the metadata json

func (*CertificateRecord) SetSANs added in v1.5.0

func (c *CertificateRecord) SetSANs(meta []string) error

SetSANs sets the list of SANs

type OCSPRecord

type OCSPRecord struct {
	Serial string    `db:"serial_number"`
	AKI    string    `db:"authority_key_identifier"`
	Body   string    `db:"body"`
	Expiry time.Time `db:"expiry"`
}

OCSPRecord encodes an OCSP response body and its metadata that will be recorded in a database.
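To show how the Accessor methods fit together in the revoke and ocsprefresh flows described in the README, here is an added in-memory implementation of a subset of that interface. It is example code, not cfssl's own accessor: the CertificateRecord and OCSPRecord types are local copies without the metadata and sans JSON columns, the label-filtered and UpdateOCSP methods are omitted, and the status strings "good" and "revoked" are assumed to match what the cfssl SQL accessor writes. MemAccessor, NewMemAccessor and the injected now function are names chosen for this example so that expiry checks are deterministic.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Local stand-ins for certdb.CertificateRecord and certdb.OCSPRecord (JSON columns omitted).
type CertificateRecord struct {
	Serial, AKI, CALabel, Status, PEM string
	Reason                            int
	Expiry, RevokedAt                 time.Time
}

type OCSPRecord struct {
	Serial, AKI, Body string
	Expiry            time.Time
}

// key is the (serial_number, authority_key_identifier) pair that identifies a row.
type key struct{ serial, aki string }

// MemAccessor implements the certdb.Accessor methods used below, backed by maps.
type MemAccessor struct {
	now   func() time.Time // injected clock so "unexpired" is testable
	certs map[key]CertificateRecord
	ocsps map[key]OCSPRecord
}

func NewMemAccessor(now func() time.Time) *MemAccessor {
	return &MemAccessor{now: now, certs: map[key]CertificateRecord{}, ocsps: map[key]OCSPRecord{}}
}

// InsertCertificate records a freshly signed certificate; a duplicate (serial, aki) is refused.
func (m *MemAccessor) InsertCertificate(cr CertificateRecord) error {
	k := key{cr.Serial, cr.AKI}
	if _, dup := m.certs[k]; dup {
		return fmt.Errorf("certificate %s/%s already recorded", cr.Serial, cr.AKI)
	}
	if cr.Status == "" {
		cr.Status = "good" // assumed default status for a valid certificate
	}
	m.certs[k] = cr
	return nil
}

func (m *MemAccessor) GetCertificate(serial, aki string) ([]CertificateRecord, error) {
	if cr, ok := m.certs[key{serial, aki}]; ok {
		return []CertificateRecord{cr}, nil
	}
	return nil, nil
}

func (m *MemAccessor) GetUnexpiredCertificates() ([]CertificateRecord, error) {
	var out []CertificateRecord
	for _, cr := range m.certs {
		if cr.Expiry.After(m.now()) {
			out = append(out, cr)
		}
	}
	return out, nil
}

// GetRevokedAndUnexpiredCertificates is what a CRL or OCSP refresh would consult:
// expired certificates no longer need to be listed as revoked.
func (m *MemAccessor) GetRevokedAndUnexpiredCertificates() ([]CertificateRecord, error) {
	var out []CertificateRecord
	for _, cr := range m.certs {
		if cr.Status == "revoked" && cr.Expiry.After(m.now()) {
			out = append(out, cr)
		}
	}
	return out, nil
}

// RevokeCertificate marks the row revoked with the reason code and revocation time.
func (m *MemAccessor) RevokeCertificate(serial, aki string, reasonCode int) error {
	k := key{serial, aki}
	cr, ok := m.certs[k]
	if !ok {
		return errors.New("no such certificate")
	}
	cr.Status, cr.Reason, cr.RevokedAt = "revoked", reasonCode, m.now()
	m.certs[k] = cr
	return nil
}

func (m *MemAccessor) GetOCSP(serial, aki string) ([]OCSPRecord, error) {
	if rr, ok := m.ocsps[key{serial, aki}]; ok {
		return []OCSPRecord{rr}, nil
	}
	return nil, nil
}

// UpsertOCSP replaces the cached response for a certificate, as ocsprefresh would.
func (m *MemAccessor) UpsertOCSP(serial, aki, body string, expiry time.Time) error {
	m.ocsps[key{serial, aki}] = OCSPRecord{Serial: serial, AKI: aki, Body: body, Expiry: expiry}
	return nil
}

func main() {
	m := NewMemAccessor(time.Now)
	// Constructed records: serials and AKI are placeholders, not real certificate values.
	_ = m.InsertCertificate(CertificateRecord{Serial: "1001", AKI: "aki-example", Expiry: time.Now().Add(24 * time.Hour)})
	_ = m.RevokeCertificate("1001", "aki-example", 1) // 1 = keyCompromise in RFC 5280
	revoked, _ := m.GetRevokedAndUnexpiredCertificates()
	fmt.Printf("%d revoked, unexpired certificate(s)\n", len(revoked))
}
```

The reason code follows the RFC 5280 CRLReason enumeration (for instance 1 is keyCompromise), which is also what the -reason flag of cfssl revoke records in the reason column.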

Directories

ocspstapling: Package ocspstapling implements OCSP stapling of Signed Certificate Timestamps (SCTs) into OCSP responses in a database.
