mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:51:30 +00:00
shankar0123
21aeed4f4e
Phase 0 closure (Path B2, post-rewrite):
addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:
// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).
Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.
Generated via:
addlicense -c "certctl LLC" -y 2026 \
-f cowork/legal/copyright-header.tpl \
-ignore '**/testdata/**' -ignore '**/*_test.go' \
cmd/ internal/
Verification:
find cmd internal -name '*.go' -not -name '*_test.go' \
-not -path '*/testdata/*' \
-exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l
Returns: 0
gofmt clean. Header additions are comments only, no compile impact.
Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
34 lines
1.5 KiB
Go
34 lines
1.5 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package domain
|
|
|
|
import "time"
|
|
|
|
// OCSPResponseCacheEntry is one row in the ocsp_response_cache table —
|
|
// a pre-signed OCSP response for a specific (issuer_id, serial_hex)
|
|
// pair. The HTTP handler at /.well-known/pki/ocsp/{issuer_id}/...
|
|
// reads from this cache rather than triggering a fresh signature per
|
|
// request. Production hardening II Phase 2.
|
|
//
|
|
// Schema lives in migrations/000024_ocsp_response_cache.up.sql.
|
|
type OCSPResponseCacheEntry struct {
|
|
IssuerID string `json:"issuer_id"`
|
|
SerialHex string `json:"serial_hex"`
|
|
ResponseDER []byte `json:"-"` // raw DER, omitted from admin JSON to keep responses lean
|
|
CertStatus string `json:"cert_status"` // "good" | "revoked" | "unknown"
|
|
RevocationReason int `json:"revocation_reason,omitempty"` // only set when CertStatus == "revoked"
|
|
RevokedAt time.Time `json:"revoked_at,omitempty"` // only set when CertStatus == "revoked"
|
|
ThisUpdate time.Time `json:"this_update"`
|
|
NextUpdate time.Time `json:"next_update"`
|
|
GeneratedAt time.Time `json:"generated_at"`
|
|
}
|
|
|
|
// IsStale returns true when next_update is at or before now — the
|
|
// cached response's promised validity window has elapsed. Callers fall
|
|
// through to live signing on stale + write the fresh response back to
|
|
// cache (read-through facade).
|
|
func (e *OCSPResponseCacheEntry) IsStale(now time.Time) bool {
|
|
return !now.Before(e.NextUpdate)
|
|
}
|