-
-
Notifications
You must be signed in to change notification settings - Fork 591
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add certificate status support #112
Conversation
Also restructure table init to DRY it.
Also improve test tools.
Conflicts: sa/storage-authority.go
@rolandshoemaker @pde could you give this a review? Note the certificateStatus table is not final, it's just enough to get us started on basic revocation. |
// Create certificates table. This should be effectively append-only, enforced | ||
// by DB permissions. | ||
`CREATE TABLE IF NOT EXISTS certificates ( | ||
serial STRING NOT NULL, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be TEXT
not STRING
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked into TEXT vs VARCHAR vs STRING, and it sounds like it's a big complicated, but VARCHAR is probably what we want: https://stackoverflow.com/questions/6628660/text-vs-varchar-in-innodb-mysql-5-5-when-to-use-each-one.
I'm going to use VARCHAR(255) as a default for now since (a) it doesn't affect storage size, (b) it gives us a bit of flexibility in the contents of these fields, and (c) it won't truncate if we go over, so we can find erroneous entries rather than having them truncated into "looks ok."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, note VARCHAR
will use an extra byte of storage for the length header than CHAR
, but trading that with native truncation errors seems more than worth it!
Apart from my comments about |
This adds a new table and method in the storage authority to store status information about certificates. This will be used to support OCSP signing, revocation, and confirming that subscribers have accepted certificates (letsencrypt/acme-spec#106). It will also support keeping track of whether expiration reminders have been sent, but I plan to include those fields in future change.
This doesn't yet support updating the status information, or iterating through entries with certain status bits, which will be required for the final implementation.