Add cert metadata to table schema.
Also restructure table init to DRY it.
jsha committed Apr 24, 2015
1 parent 3814c95 commit 4d592ee
Showing 1 changed file with 51 additions and 21 deletions.
72 changes: 51 additions & 21 deletions sa/storage-authority.go
Expand Up @@ -61,32 +61,62 @@ func (ssa *SQLStorageAuthority) InitTables() (err error) {
return
}

statements := []string{

// Create registrations table
_, err = tx.Exec("CREATE TABLE IF NOT EXISTS registrations (id TEXT, thumbprint TEXT, value TEXT);")
if err != nil {
tx.Rollback()
return
}
`CREATE TABLE IF NOT EXISTS registrations (
id TEXT,
thumbprint TEXT,
value TEXT
);`,

// Create pending authorizations table
_, err = tx.Exec("CREATE TABLE IF NOT EXISTS pending_authz (id TEXT, value BLOB);")
if err != nil {
tx.Rollback()
return
}
`CREATE TABLE IF NOT EXISTS pending_authz (
id TEXT,
value BLOB
);`,

// Create finalized authorizations table
_, err = tx.Exec("CREATE TABLE IF NOT EXISTS authz (sequence INTEGER, id TEXT, digest TEXT, value BLOB);")
if err != nil {
tx.Rollback()
return
}

// Create certificates table
_, err = tx.Exec("CREATE TABLE IF NOT EXISTS certificates (serial STRING, digest TEXT, value BLOB);")
if err != nil {
tx.Rollback()
return
`CREATE TABLE IF NOT EXISTS authz (
sequence INTEGER,
id TEXT,
digest TEXT,
value BLOB
);`,

// Create certificates table. This should be effectively append-only, enforced
// by DB permissions.
`CREATE TABLE IF NOT EXISTS certificates (
serial STRING,
digest TEXT,
value BLOB,
issued DATETIME,
notAfter DATETIME
);`,

// Create certificate status table. This provides metadata about a certificate
// that can change over its lifetime, and rows are updateable unlike the
// certificates table. The serial number primary key matches up with the one
// on certificates.
// subscriberAccepted: true iff the subscriber has posted back to the server
// that they accept the certificate.
// status: 'good', 'revoked', or 'expired'.
// ocspLastUpdated: The date and time of the last time we generated an OCSP
// update.
`CREATE TABLE IF NOT EXISTS certificateStatus (
serial STRING,
subscriberApproved DATETIME,
status STRING,
ocspLastUpdated DATETIME
);`,
}
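Review bot: the column comment and the DDL for certificateStatus disagree. The comment documents `subscriberAccepted: true iff the subscriber has posted back`, a boolean, but the table declares `subscriberApproved DATETIME`; pick one name and one meaning (a timestamp that stays NULL until acceptance is fine, but then say so in the comment). The comment also calls serial "the primary key" that "matches up with the one on certificates", yet neither certificates nor certificateStatus declares PRIMARY KEY or any index on serial, so duplicate rows are accepted and every lookup by serial is a scan; declare `serial TEXT PRIMARY KEY` on both. Relatedly, `serial STRING` and `status STRING` are the only STRING declarations in a schema that otherwise uses TEXT; if the backend is SQLite, STRING is not a recognised type name and gets NUMERIC affinity, so a serial that looks numeric (e.g. '0123') is stored as the integer 123 and loses its leading zeros. Use TEXT. Finally, the "append-only, enforced by DB permissions" note on certificates is not reflected anywhere in this file; document where that grant is configured so it is not lost.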

@rolandshoemaker (Contributor), Apr 24, 2015:

Depending on how the OCSP signer / expiration mailer ends up working (independent / integrated), this table should perhaps also contain a BOOL or such that indicates if expiration emails for the certificate have been sent already.

@jsha (Author, Contributor), Apr 24, 2015:

Good call, thanks! Will add.

for _, statement := range statements {
_, err = tx.Exec(statement)
if err != nil {
tx.Rollback()
return
}
}

err = tx.Commit()
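Review bot: with every statement guarded by `CREATE TABLE IF NOT EXISTS`, the new `issued` and `notAfter` columns on certificates are only created on a fresh database; an existing database keeps the old three-column certificates table and this loop reports no error, so the first INSERT that writes the new columns will fail there. Either add ALTER TABLE steps for the pre-existing table or record a schema version and refuse to start on a mismatch. On the failure path the return value of `tx.Rollback()` is discarded; returning the statement's own error is right, but log the rollback error rather than dropping it, and since `err` is a named return an explicit `return err` reads more clearly than the bare `return`.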

2 comments on commit 4d592ee

@rmhrisk

I would consider an integer; nag is good for such a critical thing.

@jsha (Contributor, Author) commented on 4d592ee Apr 24, 2015:

Agreed. We're hoping the email notifications will not be critical because most people will be using automated renewal, but if wishes were fishes...

I filed a bug for this: #110. I'm going to leave it out of the change I'm working on right now to avoid letting it spiral out of control.
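The two-table split this commit introduces (an append-only certificates table plus an updatable certificateStatus table keyed by serial) and the expiration-nag counter proposed in the comments above, as an added example that is not Boulder's code and not part of this commit. It assumes a SQLite backend (the DDL in the commit is SQLite-compatible, but the page does not show the driver); the column name expirationNagsSent and the sample rows are invented here; and because SQLite has no GRANT/REVOKE, the "append-only, enforced by DB permissions" intent is modelled with triggers instead of permissions. The PRIMARY KEY and CHECK constraints are additions the diff does not make.

```python
"""Added example, not Boulder's own code. Assumptions: SQLite backend,
invented column expirationNagsSent, triggers standing in for the DB
permissions the commit says will make certificates append-only."""
import hashlib
import sqlite3
from datetime import datetime, timedelta

SCHEMA = [
    # Immutable facts about an issued certificate. serial is what the status
    # table joins on, so it is the PRIMARY KEY. TEXT rather than STRING: in
    # SQLite, STRING has NUMERIC affinity and would turn serial '0123' into 123.
    """CREATE TABLE IF NOT EXISTS certificates (
           serial   TEXT PRIMARY KEY,
           digest   TEXT NOT NULL,
           value    BLOB NOT NULL,
           issued   TEXT NOT NULL,
           notAfter TEXT NOT NULL
       );""",
    # Mutable per-certificate state, exactly one row per certificate.
    """CREATE TABLE IF NOT EXISTS certificateStatus (
           serial             TEXT PRIMARY KEY REFERENCES certificates(serial),
           subscriberApproved TEXT,
           status             TEXT NOT NULL
                              CHECK (status IN ('good', 'revoked', 'expired')),
           ocspLastUpdated    TEXT,
           expirationNagsSent INTEGER NOT NULL DEFAULT 0
       );""",
    # Stand-in for database permissions: UPDATE or DELETE on certificates
    # aborts inside the database, whatever the calling code does.
    """CREATE TRIGGER IF NOT EXISTS certificates_no_update
           BEFORE UPDATE ON certificates
       BEGIN SELECT RAISE(ABORT, 'certificates is append-only'); END;""",
    """CREATE TRIGGER IF NOT EXISTS certificates_no_delete
           BEFORE DELETE ON certificates
       BEGIN SELECT RAISE(ABORT, 'certificates is append-only'); END;""",
]


def init_tables(conn):
    """Run every schema statement inside one transaction, as the commit's loop does."""
    with conn:
        for stmt in SCHEMA:
            conn.execute(stmt)


def add_certificate(conn, serial, der, issued, not_after):
    """Insert the immutable row and its initial status row atomically."""
    with conn:
        conn.execute("INSERT INTO certificates VALUES (?, ?, ?, ?, ?)",
                     (serial, hashlib.sha256(der).hexdigest(), der,
                      issued.isoformat(), not_after.isoformat()))
        conn.execute("INSERT INTO certificateStatus (serial, status) VALUES (?, 'good')",
                     (serial,))


def certs_due_for_nag(conn, now, window, max_nags):
    """Serials of good certificates expiring within `window` of `now` that have
    had fewer than `max_nags` expiration mails. An integer counter, not a BOOL,
    is what lets the mailer nag more than once for a critical certificate."""
    rows = conn.execute(
        """SELECT c.serial
             FROM certificates c JOIN certificateStatus s USING (serial)
            WHERE s.status = 'good'
              AND c.notAfter > ? AND c.notAfter <= ?
              AND s.expirationNagsSent < ?
            ORDER BY c.notAfter""",
        (now.isoformat(), (now + window).isoformat(), max_nags)).fetchall()
    return [r[0] for r in rows]


def record_nag(conn, serial):
    """Bump the counter after a mail is sent; this is the updatable table."""
    with conn:
        conn.execute("UPDATE certificateStatus SET expirationNagsSent = "
                     "expirationNagsSent + 1 WHERE serial = ?", (serial,))


def append_only_holds(conn, serial):
    """True if the database itself refuses to alter an issued certificate."""
    try:
        with conn:
            conn.execute("UPDATE certificates SET digest = 'tampered' WHERE serial = ?",
                         (serial,))
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as IntegrityError
        return True
    return False


def demo():
    conn = sqlite3.connect(":memory:")
    init_tables(conn)
    init_tables(conn)  # IF NOT EXISTS makes a second run a no-op
    now = datetime(2015, 4, 24, 12, 0, 0)
    # Constructed sample rows; the byte strings are placeholders, not DER.
    add_certificate(conn, "01", b"der-1", now - timedelta(days=85), now + timedelta(days=5))
    add_certificate(conn, "02", b"der-2", now - timedelta(days=10), now + timedelta(days=80))
    add_certificate(conn, "03", b"der-3", now - timedelta(days=87), now + timedelta(days=3))
    with conn:
        conn.execute("UPDATE certificateStatus SET status = 'revoked' WHERE serial = '03'")
    due = certs_due_for_nag(conn, now, timedelta(days=7), max_nags=3)
    for _ in range(3):
        record_nag(conn, "01")
    due_after = certs_due_for_nag(conn, now, timedelta(days=7), max_nags=3)
    return {"due": due, "due_after_nags": due_after,
            "append_only": append_only_holds(conn, "01")}


if __name__ == "__main__":
    print(demo())
```

Serial "01" comes back as the string "01" because the column is TEXT; the revoked certificate "03" is excluded even though it expires soonest, and once "01" has reached the nag limit it drops out of the mailer's result set without any row on certificates ever changing.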
