mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:11:29 +00:00
feat(ocsp): pre-signed response cache + invalidate-on-revoke (Phase 2)
Production hardening II Phase 2 — closes the per-request live-signing
bottleneck for OCSP. Mirrors the existing crl_cache pattern (migration
000019 / internal/service/crl_cache.go) but per (issuer_id, serial_hex)
instead of per-issuer.
LOAD-BEARING SECURITY INVARIANT: a revoked cert MUST NOT continue to
return the stale 'good' cached response after revocation. The
RevocationSvc.RevokeCertificateWithActor flow now calls
OCSPResponseCacheService.InvalidateOnRevoke after a successful revoke
so the next OCSP fetch falls through to live signing and returns the
revoked status. Pinned by TestOCSPCache_InvalidateOnRevoke_NextFetchReturnsRevoked.
NEW migrations/000024_ocsp_response_cache.{up,down}.sql with composite
PK (issuer_id, serial_hex), nullable revocation_reason / revoked_at,
next_update index for the scheduler refresh loop, issuer_id index for
admin observability.
NEW internal/domain/ocsp_response_cache.go::OCSPResponseCacheEntry +
IsStale helper.
NEW internal/repository/postgres/ocsp_response_cache.go implementing
repository.OCSPResponseCacheRepository (Get / Put / Delete /
CountByIssuer). Interface defined in internal/repository/interfaces.go.
NEW internal/service/ocsp_response_cache.go::OCSPResponseCacheService
with read-through facade + sync.Map singleflight + InvalidateOnRevoke.
On cache miss, calls caOperationsSvc.LiveSignOCSPResponse(nil) — the
NEW bypass-cache entry point — to break the cyclic dependency between
cache and CAOps.
REFACTORED internal/service/ca_operations.go:
- GetOCSPResponseWithNonce now dispatches: nil-nonce + cache wired
→ cacheSvc.Get (cache); nonce != nil OR cache nil → live-sign.
- LiveSignOCSPResponse is the new exported bypass-cache entry point;
contains the body of what was previously the GetOCSPResponse-
With-Nonce path.
- SetOCSPCacheSvc + new OCSPResponseCacher interface (cyclic-dep
break + test-injectable).
The cache stores nil-nonce blobs by design. Nonce-bearing requests
always live-sign because re-signing to add a nonce defeats caching;
this is a deliberate tradeoff — most relying parties don't send
nonces (Apple Push, Microsoft Edge SmartScreen, Firefox), and the
minority that do already accept the extra round-trip cost for replay
protection.
WIRED in cmd/server/main.go alongside the existing CRL cache wire:
ocspResponseCacheRepo + ocspResponseCacheService + SetOCSPCacheSvc +
SetOCSPCacheInvalidator. Existing deploys see no behavior change
(cache is consulted but on every cold-start the first fetch lands
through the live-sign + write-back path).
NOT YET WIRED in this commit (deferred to next phase commit to keep
this one shippable):
- Scheduler ocspCacheRefreshLoop (the warm-on-startup + N-hourly
refresh loop). The cache works without it; entries just live-sign
on miss + cache hit thereafter, so cold caches warm up
organically as relying parties query.
- Admin observability endpoint /api/v1/admin/ocsp/cache.
- CERTCTL_OCSP_CACHE_REFRESH_INTERVAL env var.
These three are the visible-but-not-load-bearing wires; the security
invariant (no stale-good-after-revoke) is fully shipped here.
7 new tests in internal/service/ocsp_response_cache_test.go pin every
documented invariant, with TestOCSPCache_InvalidateOnRevoke_NextFetch
ReturnsRevoked called out as the load-bearing security test.
Pre-commit verification: go build ./... clean; go test -short -count=1
green for service/ + handler/ + connector/issuer/local/.
This commit is contained in:
shankar0123
@@ -116,6 +116,38 @@ type CRLCacheRepository interface {
|
||||
ListGenerationEvents(ctx context.Context, issuerID string, limit int) ([]*domain.CRLGenerationEvent, error)
|
||||
}
|
||||
|
||||
// OCSPResponseCacheRepository persists pre-signed OCSP responses so the
|
||||
// /.well-known/pki/ocsp/{issuer_id}/{serial_hex} endpoint can serve
|
||||
// from cache rather than triggering a fresh signature per request.
|
||||
// Populated by the scheduler's ocspCacheRefreshLoop and read by the
|
||||
// OCSPResponseCacheService (internal/service/ocsp_response_cache.go) on
|
||||
// every OCSP fetch via a read-through facade.
|
||||
//
|
||||
// Schema lives in migrations/000024_ocsp_response_cache.up.sql.
|
||||
// Production hardening II Phase 2.
|
||||
type OCSPResponseCacheRepository interface {
|
||||
// Get returns the cached response for (issuer, serial), or
|
||||
// (nil, nil) on miss so the caller falls through to live signing.
|
||||
Get(ctx context.Context, issuerID, serialHex string) (*domain.OCSPResponseCacheEntry, error)
|
||||
|
||||
// Put upserts the cache row. ON CONFLICT replaces every field so
|
||||
// a re-sign atomically swaps without a window where the row is
|
||||
// stale.
|
||||
Put(ctx context.Context, entry *domain.OCSPResponseCacheEntry) error
|
||||
|
||||
// Delete removes a single cache row. Called by
|
||||
// InvalidateOnRevoke after a successful revocation so the next
|
||||
// fetch triggers a fresh signature with the updated status. The
|
||||
// load-bearing security wire — without it, a revoked cert keeps
|
||||
// returning the stale "good" cached response until the next
|
||||
// scheduler tick.
|
||||
Delete(ctx context.Context, issuerID, serialHex string) error
|
||||
|
||||
// CountByIssuer returns the per-issuer cached entry count for the
|
||||
// admin observability endpoint.
|
||||
CountByIssuer(ctx context.Context) (map[string]int, error)
|
||||
}
|
||||
|
||||
// OCSPResponderRepository persists per-issuer OCSP-responder cert + key
|
||||
// pointers for the dedicated-responder-cert flow (RFC 6960 §2.6 +
|
||||
// §4.2.2.2). One row per issuer; rotation overwrites in place.
|
||||
|
||||
Reference in New Issue
Block a user