var (
Store = subCommand{"store", "for each filename on command line, read the file as an OCSP response and store it in Redis",
func(ctx context.Context, cl client, _ Config, args []string) error {
err := cl.storeResponsesFromFiles(ctx, flag.Args()[1:])
if err != nil {
return err
}
return nil
},
}
Get = subCommand{
"get",
"for each serial on command line, fetch that serial's response and pretty-print it",
func(ctx context.Context, cl client, _ Config, args []string) error {
for _, serial := range flag.Args()[1:] {
resp, err := cl.redis.GetResponse(ctx, serial)
if err != nil {
return err
}
parsed, err := ocsp.ParseResponse(resp, nil)
if err != nil {
fmt.Fprintf(os.Stderr, "parsing error on %x: %s", resp, err)
continue
} else {
fmt.Printf("%s\n", helper.PrettyResponse(parsed))
}
}
return nil
},
}
GetPEM = subCommand{"get-pem", "for each serial on command line, fetch that serial's response and print it PEM-encoded",
func(ctx context.Context, cl client, _ Config, args []string) error {
for _, serial := range flag.Args()[1:] {
resp, err := cl.redis.GetResponse(ctx, serial)
if err != nil {
return err
}
block := pem.Block{
Bytes: resp,
Type: "OCSP RESPONSE",
}
err = pem.Encode(os.Stdout, &block)
if err != nil {
return err
}
}
return nil
},
}
LoadFromDB = subCommand{"load-from-db", "scan the database for all OCSP entries for unexpired certificates, and store in Redis",
func(ctx context.Context, cl client, c Config, args []string) error {
if c.ROCSPTool.LoadFromDB == nil {
return fmt.Errorf("config field LoadFromDB was missing")
}
err := cl.loadFromDB(ctx, c.ROCSPTool.LoadFromDB.Speed, *startFromID)
if err != nil {
return fmt.Errorf("loading OCSP responses from DB: %w", err)
}
return nil
},
}
ScanResponses = subCommand{"scan-responses", "scan Redis for OCSP response entries. For each entry, print the serial and base64-encoded response",
func(ctx context.Context, cl client, _ Config, args []string) error {
results := cl.redis.ScanResponses(ctx, "*")
for r := range results {
if r.Err != nil {
return r.Err
}
fmt.Printf("%s: %s\n", r.Serial, base64.StdEncoding.EncodeToString(r.Body))
}
return nil
},
}
)
type Config struct {
ROCSPTool struct {
DebugAddr string `validate:"required,hostname_port"`
Redis rocsp_config.RedisConfig
// If using load-from-db, this provides credentials to connect to the DB
// and the CA. Otherwise, it's optional.
LoadFromDB *LoadFromDBConfig
}
Syslog cmd.SyslogConfig
OpenTelemetry cmd.OpenTelemetryConfig
}
LoadFromDBConfig provides the credentials and configuration needed to load data from the certificateStatuses table in the DB and get it signed.
type LoadFromDBConfig struct {
// Credentials to connect to the DB.
DB cmd.DBConfig
// Credentials to request OCSP signatures from the CA.
GRPCTLS cmd.TLSConfig
// Timeouts and hostnames for the CA.
OCSPGeneratorService cmd.GRPCClientConfig
// How fast to process rows.
Speed ProcessingSpeed
}
type ProcessingSpeed struct {
// If using load-from-db, this limits how many items per second we
// scan from the DB. We might go slower than this depending on how fast
// we read rows from the DB, but we won't go faster. Defaults to 2000.
RowsPerSecond int `validate:"min=0"`
// If using load-from-db, this controls how many parallel requests to
// boulder-ca for OCSP signing we can make. Defaults to 100.
ParallelSigns int `validate:"min=0"`
// If using load-from-db, the LIMIT on our scanning queries. We have to
// apply a limit because MariaDB will cut off our response at some
// threshold of total bytes transferred (1 GB by default). Defaults to 10000.
ScanBatchSize int `validate:"min=0"`
}