This avoids needing to send the entire certificate in OCSP generation RPCs. Ended up including a few cleanups that made the implementation easier. Initially I was struggling with how to derive the issuer identification info. We could just stick the full SPKI hash in certificateStatus, but that takes a significant amount of space; we could configure unique issuer IDs in the CA config, but that would require being very careful about keeping the IDs constant and never reusing an ID; or we could store issuers in a table in the database and use that as a lookup table, but that requires figuring out how to get that info into the table, etc. Instead I've just gone with what I found to be the easiest solution, deriving a stable ID from the cert hash. This means we don't need to remember to configure anything special and the CA config stays the same as it is now. Fixes #4469.

- creds
- test_proto
- balancer.go
- balancer_test.go
- ca-wrappers.go
- client.go
- errors.go
- errors_test.go
- interceptors.go
- interceptors_test.go
- pb-marshalling.go
- pb-marshalling_test.go
- publisher-wrappers.go
- ra-wrappers.go
- sa-wrappers.go
- server.go
- va-wrappers.go