Add certificate status support #112
Conversation
Also restructure table init to DRY it.
Also improve test tools.
Conflicts: sa/storage-authority.go
|
@rolandshoemaker @pde could you give this a review? Note the certificateStatus table is not final, it's just enough to get us started on basic revocation. |
| // Create certificates table. This should be effectively append-only, enforced | ||
| // by DB permissions. | ||
| `CREATE TABLE IF NOT EXISTS certificates ( | ||
| serial STRING NOT NULL, |
There was a problem hiding this comment.
This should probably be TEXT not STRING.
There was a problem hiding this comment.
I looked into TEXT vs VARCHAR vs STRING, and it sounds like it's a big complicated, but VARCHAR is probably what we want: https://stackoverflow.com/questions/6628660/text-vs-varchar-in-innodb-mysql-5-5-when-to-use-each-one.
I'm going to use VARCHAR(255) as a default for now since (a) it doesn't affect storage size, (b) it gives us a bit of flexibility in the contents of these fields, and (c) it won't truncate if we go over, so we can find erroneous entries rather than having them truncated into "looks ok."
There was a problem hiding this comment.
Sounds good, note VARCHAR will use an extra byte of storage for the length header than CHAR, but trading that with native truncation errors seems more than worth it!
|
Apart from my comments about |
This adds a new table and method in the storage authority to store status information about certificates. This will be used to support OCSP signing, revocation, and confirming that subscribers have accepted certificates (letsencrypt/acme-spec#106). It will also support keeping track of whether expiration reminders have been sent, but I plan to include those fields in future change.
This doesn't yet support updating the status information, or iterating through entries with certain status bits, which will be required for the final implementation.