mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 22:11:38 +00:00
30765ba1ed
Phase 1 of the CRL/OCSP responder bundle. Adds:

* migration 000019 — crl_cache (one row per issuer; pre-generated CRL DER, monotonic crl_number per RFC 5280 §5.2.3, this_update/next_update, generation duration metric, revoked_count) + crl_generation_events (append-only audit log of every regeneration attempt, succeeded + error fields for ops grep)
* internal/domain/crl_cache.go — CRLCacheEntry + IsStale helper + CRLGenerationEvent (raw DER omitted from JSON to avoid bloating admin responses; CRLDERBase64 field for explicit transit shaping)
* internal/repository/interfaces.go — CRLCacheRepository interface (Get / Put / NextCRLNumber / RecordGenerationEvent / ListGenerationEvents)
* internal/repository/postgres/crl_cache.go — Postgres impl with SERIALIZABLE-isolated NextCRLNumber to defeat the monotonicity race between concurrent generations of the same issuer
* internal/repository/postgres/crl_cache_test.go — testcontainers suite (round-trip, overwrite, monotonicity, event recording, failure-event-with-error)

No behavior change at the HTTP layer yet — Phase 3 wires the cache into GetDERCRL via a new CRLCacheService + crlGenerationLoop.
11 lines
380 B
SQL
-- 000019_crl_cache.down.sql — reverses 000019_crl_cache.up.sql.
--
-- Drop in reverse FK order. crl_generation_events has no FK so order
-- between the two table drops is mechanical only.

DROP INDEX IF EXISTS idx_crl_generation_events_issuer_started;
DROP TABLE IF EXISTS crl_generation_events;

DROP INDEX IF EXISTS idx_crl_cache_next_update;
DROP TABLE IF EXISTS crl_cache;
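Review bot: the two DROP INDEX IF EXISTS statements are redundant, since DROP TABLE removes the table's own indexes (idx_crl_generation_events_issuer_started and idx_crl_cache_next_update) along with it; harmless, but either drop them or state in the header comment that they are kept for symmetry with the up migration. The header's "Drop in reverse FK order" is also slightly misleading given the next sentence says there is no FK between the two tables; "Drop in reverse creation order" would match what the file actually does.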