ff6eca7a29
Adds a new service, Publisher, which exists to submit issued certificates to various Certificate Transparency logs. Once submitted the Publisher will also parse and store the returned SCT (Signed Certificate Timestamp) receipts that are used to prove inclusion in a specific log in the SA database. A SA migration adds the new SCT receipt table. The Publisher only exposes one method, SubmitToCT, which is called in a goroutine by ca.IssueCertificate as to not block any other issuance operations. This method will iterate through all of the configured logs attempting to submit the certificate, and any required intermediate certificates, to them. If a submission to a log fails it will be retried the pre-configured number of times and will either use a back-off set in a Retry-After header or a pre-configured back-off between submission attempts. This changeset is the first of a number of changes ending with serving SCT receipts in OCSP responses and purposefully leaves out the following pieces for follow-up PRs. * A fake CT server for integration testing * A external tool to search the database for certificates lacking a full set of SCT receipts * A method to construct X.509 v3 extensions containing receipts for the OCSP responder * Returned SCT signature verification (beyond just checking that the signature is of the correct type so we aren't just serving arbitrary binary blobs to clients) Resolves #95. |
||
|---|---|---|
| .. | ||
| activity-monitor | ||
| admin-revoker | ||
| boulder-ca | ||
| boulder-publisher | ||
| boulder-ra | ||
| boulder-sa | ||
| boulder-va | ||
| boulder-wfe | ||
| cert-checker | ||
| expiration-mailer | ||
| external-cert-importer | ||
| ocsp-responder | ||
| ocsp-updater | ||
| policy-loader | ||
| single-ocsp | ||
| shell.go | ||