mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:31:33 +00:00
shankar0123
40fd96a416
Production hardening II Phase 2 — closes the per-request live-signing
bottleneck for OCSP. Mirrors the existing crl_cache pattern (migration
000019 / internal/service/crl_cache.go) but per (issuer_id, serial_hex)
instead of per-issuer.
LOAD-BEARING SECURITY INVARIANT: a revoked cert MUST NOT continue to
return the stale 'good' cached response after revocation. The
RevocationSvc.RevokeCertificateWithActor flow now calls
OCSPResponseCacheService.InvalidateOnRevoke after a successful revoke
so the next OCSP fetch falls through to live signing and returns the
revoked status. Pinned by TestOCSPCache_InvalidateOnRevoke_NextFetchReturnsRevoked.
NEW migrations/000024_ocsp_response_cache.{up,down}.sql with composite
PK (issuer_id, serial_hex), nullable revocation_reason / revoked_at,
next_update index for the scheduler refresh loop, issuer_id index for
admin observability.
NEW internal/domain/ocsp_response_cache.go::OCSPResponseCacheEntry +
IsStale helper.
NEW internal/repository/postgres/ocsp_response_cache.go implementing
repository.OCSPResponseCacheRepository (Get / Put / Delete /
CountByIssuer). Interface defined in internal/repository/interfaces.go.
NEW internal/service/ocsp_response_cache.go::OCSPResponseCacheService
with read-through facade + sync.Map singleflight + InvalidateOnRevoke.
On cache miss, calls caOperationsSvc.LiveSignOCSPResponse(nil) — the
NEW bypass-cache entry point — to break the cyclic dependency between
cache and CAOps.
REFACTORED internal/service/ca_operations.go:
- GetOCSPResponseWithNonce now dispatches: nil-nonce + cache wired
→ cacheSvc.Get (cache); nonce != nil OR cache nil → live-sign.
- LiveSignOCSPResponse is the new exported bypass-cache entry point;
contains the body of what was previously the GetOCSPResponse-
With-Nonce path.
- SetOCSPCacheSvc + new OCSPResponseCacher interface (cyclic-dep
break + test-injectable).
The cache stores nil-nonce blobs by design. Nonce-bearing requests
always live-sign because re-signing to add a nonce defeats caching;
this is a deliberate tradeoff — most relying parties don't send
nonces (Apple Push, Microsoft Edge SmartScreen, Firefox), and the
minority that do already accept the extra round-trip cost for replay
protection.
WIRED in cmd/server/main.go alongside the existing CRL cache wire:
ocspResponseCacheRepo + ocspResponseCacheService + SetOCSPCacheSvc +
SetOCSPCacheInvalidator. Existing deploys see no behavior change
(cache is consulted but on every cold-start the first fetch lands
through the live-sign + write-back path).
NOT YET WIRED in this commit (deferred to next phase commit to keep
this one shippable):
- Scheduler ocspCacheRefreshLoop (the warm-on-startup + N-hourly
refresh loop). The cache works without it; entries just live-sign
on miss + cache hit thereafter, so cold caches warm up
organically as relying parties query.
- Admin observability endpoint /api/v1/admin/ocsp/cache.
- CERTCTL_OCSP_CACHE_REFRESH_INTERVAL env var.
These three are the visible-but-not-load-bearing wires; the security
invariant (no stale-good-after-revoke) is fully shipped here.
7 new tests in internal/service/ocsp_response_cache_test.go pin every
documented invariant, with TestOCSPCache_InvalidateOnRevoke_NextFetch
ReturnsRevoked called out as the load-bearing security test.
Pre-commit verification: go build ./... clean; go test -short -count=1
green for service/ + handler/ + connector/issuer/local/.
31 lines
1.4 KiB
Go
31 lines
1.4 KiB
Go
package domain
|
|
|
|
import "time"
|
|
|
|
// OCSPResponseCacheEntry is one row in the ocsp_response_cache table —
|
|
// a pre-signed OCSP response for a specific (issuer_id, serial_hex)
|
|
// pair. The HTTP handler at /.well-known/pki/ocsp/{issuer_id}/...
|
|
// reads from this cache rather than triggering a fresh signature per
|
|
// request. Production hardening II Phase 2.
|
|
//
|
|
// Schema lives in migrations/000024_ocsp_response_cache.up.sql.
|
|
type OCSPResponseCacheEntry struct {
|
|
IssuerID string `json:"issuer_id"`
|
|
SerialHex string `json:"serial_hex"`
|
|
ResponseDER []byte `json:"-"` // raw DER, omitted from admin JSON to keep responses lean
|
|
CertStatus string `json:"cert_status"` // "good" | "revoked" | "unknown"
|
|
RevocationReason int `json:"revocation_reason,omitempty"` // only set when CertStatus == "revoked"
|
|
RevokedAt time.Time `json:"revoked_at,omitempty"` // only set when CertStatus == "revoked"
|
|
ThisUpdate time.Time `json:"this_update"`
|
|
NextUpdate time.Time `json:"next_update"`
|
|
GeneratedAt time.Time `json:"generated_at"`
|
|
}
|
|
|
|
// IsStale returns true when next_update is at or before now — the
|
|
// cached response's promised validity window has elapsed. Callers fall
|
|
// through to live signing on stale + write the fresh response back to
|
|
// cache (read-through facade).
|
|
func (e *OCSPResponseCacheEntry) IsStale(now time.Time) bool {
|
|
return !now.Before(e.NextUpdate)
|
|
}
|