certdb

package

v1.6.5 Latest Latest Go to latest Published: Mar 5, 2024 License: BSD-2-Clause Imports: 4 Imported by: 160

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cloudflare/cfssl

Links

Open Source Insights

README ¶

certdb usage

Using a database enables additional functionality for existing commands when a db config is provided:

sign and gencert add a certificate to the certdb after signing it
serve enables database functionality for the sign and revoke endpoints

A database is required for the following:

revoke marks certificates revoked in the database with an optional reason
ocsprefresh refreshes the table of cached OCSP responses
ocspdump outputs cached OCSP responses in a concatenated base64-encoded format

Setup/Migration

This directory stores goose db migration scripts for various DB backends. Currently supported:

MySQL in mysql
PostgreSQL in pg
SQLite in sqlite

Get goose

go get bitbucket.org/liamstask/goose/cmd/goose

Use goose to start and terminate a MySQL DB

To start a MySQL using goose:

goose -path certdb/mysql up

To tear down a MySQL DB using goose

goose -path certdb/mysql down

Note: the administration of MySQL DB is not included. We assume the databases being connected to are already created and access control is properly handled.

Use goose to start and terminate a PostgreSQL DB

To start a PostgreSQL using goose:

goose -path certdb/pg up

To tear down a PostgreSQL DB using goose

goose -path certdb/pg down

Note: the administration of PostgreSQL DB is not included. We assume the databases being connected to are already created and access control is properly handled.

Use goose to start and terminate a SQLite DB

To start a SQLite DB using goose:

goose -path certdb/sqlite up

To tear down a SQLite DB using goose

goose -path certdb/sqlite down

CFSSL Configuration

Several cfssl commands take a -db-config flag. Create a file with a JSON dictionary:

{"driver":"sqlite3","data_source":"certs.db"}

or

{"driver":"postgres","data_source":"postgres://user:password@host/db"}

or

{"driver":"mysql","data_source":"user:password@tcp(hostname:3306)/db?parseTime=true"}

Documentation ¶

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Accessor ¶

type Accessor interface {
	InsertCertificate(cr CertificateRecord) error
	GetCertificate(serial, aki string) ([]CertificateRecord, error)
	GetUnexpiredCertificates() ([]CertificateRecord, error)
	GetRevokedAndUnexpiredCertificates() ([]CertificateRecord, error)
	GetUnexpiredCertificatesByLabel(labels []string) (crs []CertificateRecord, err error)
	GetRevokedAndUnexpiredCertificatesByLabel(label string) ([]CertificateRecord, error)
	GetRevokedAndUnexpiredCertificatesByLabelSelectColumns(label string) ([]CertificateRecord, error)
	RevokeCertificate(serial, aki string, reasonCode int) error
	InsertOCSP(rr OCSPRecord) error
	GetOCSP(serial, aki string) ([]OCSPRecord, error)
	GetUnexpiredOCSPs() ([]OCSPRecord, error)
	UpdateOCSP(serial, aki, body string, expiry time.Time) error
	UpsertOCSP(serial, aki, body string, expiry time.Time) error
}

Accessor abstracts the CRUD of certdb objects from a DB.

type CertificateRecord ¶

type CertificateRecord struct {
	Serial    string    `db:"serial_number"`
	AKI       string    `db:"authority_key_identifier"`
	CALabel   string    `db:"ca_label"`
	Status    string    `db:"status"`
	Reason    int       `db:"reason"`
	Expiry    time.Time `db:"expiry"`
	RevokedAt time.Time `db:"revoked_at"`
	PEM       string    `db:"pem"`
	// the following fields will be empty for data inserted before migrate 002 has been run.
	IssuedAt     *time.Time     `db:"issued_at"`
	NotBefore    *time.Time     `db:"not_before"`
	MetadataJSON types.JSONText `db:"metadata"`
	SANsJSON     types.JSONText `db:"sans"`
	CommonName   sql.NullString `db:"common_name"`
}

CertificateRecord encodes a certificate and its metadata that will be recorded in a database.

func (*CertificateRecord) GetMetadata ¶ added in v1.5.0

func (c *CertificateRecord) GetMetadata() (map[string]interface{}, error)

GetMetadata returns the json metadata

func (*CertificateRecord) GetSANs ¶ added in v1.5.0

func (c *CertificateRecord) GetSANs() ([]string, error)

GetSANs returns the json SANs

func (*CertificateRecord) SetMetadata ¶ added in v1.5.0

func (c *CertificateRecord) SetMetadata(meta map[string]interface{}) error

SetMetadata sets the metadata json

func (*CertificateRecord) SetSANs ¶ added in v1.5.0

func (c *CertificateRecord) SetSANs(meta []string) error

SetSANs sets the list of sans

type OCSPRecord ¶

type OCSPRecord struct {
	Serial string    `db:"serial_number"`
	AKI    string    `db:"authority_key_identifier"`
	Body   string    `db:"body"`
	Expiry time.Time `db:"expiry"`
}

OCSPRecord encodes a OCSP response body and its metadata that will be recorded in a database.

Source Files ¶

View all Source files

certdb.go

Directories ¶

Path	Synopsis
dbconf
ocspstapling Package ocspstapling implements OCSP stapling of Signed Certificate Timestamps (SCTs) into OCSP responses in a database.	Package ocspstapling implements OCSP stapling of Signed Certificate Timestamps (SCTs) into OCSP responses in a database.
sql
testdb

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL