func (a *API) submissionHandler(w http.ResponseWriter, r *http.Request) {
	a.stats.Inc("submission.http.rate", 1, 1.0)
	start := time.Now()
	defer func() {
		a.stats.TimingDuration("submission.http.latency", time.Since(start), 1.0)
	}()
	// XXX: Debugging statements
	fmt.Println("REQUEST!")
	err := r.ParseForm()
	if err != nil {
		a.stats.Inc("submission.http.error-rate", 1, 1.0)
		fmt.Println(err)
		return
	}
	sr, err := formToRequest(r.Form)
	if err != nil {
		a.stats.Inc("submission.http.error-rate", 1, 1.0)
		fmt.Println(err)
		return
	}
	a.stats.Inc("submission.http.certificates.rate", int64(len(sr.Certs)), 1.0)
	sr.ClientIP = net.ParseIP(r.RemoteAddr)

	// Check if cert has been revoked
	var revocationInfo []revocationDescription
	for _, c := range sr.Certs {
		if revoked, reason, err := a.db.IsRevoked(core.Fingerprint(c.Raw)); revoked {
			// Send message to client but don't skip submission
			revocationInfo = append(revocationInfo, revocationDescription{
				Serial: core.BigIntToString(c.SerialNumber),
				Reason: reason,
			})
		} else if err != nil {
			// BAD, but continue on our way...
			a.stats.Inc("submission.http.error-rate", 1, 1.0)
			fmt.Println(err)
		}
	}

	// ...I know it's not reading but channels allow concurrent writes so this is
	// still safe
	a.sMu.RLock()
	defer a.sMu.RUnlock()
	// Add submission to channel for workers to process
	a.submissions <- sr

	if len(revocationInfo) > 0 {
		a.stats.Inc("submission.http.revoked-certificates-seen", int64(len(revocationInfo)), 1.0)
		revokedJSON, err := json.Marshal(revocationInfo)
		if err != nil {
			a.stats.Inc("submission.http.error-rate", 1, 1.0)
			// BAD
			fmt.Println(err)
			fmt.Fprintf(w, "Couldn't marshal revocation information: %s", err)
			return
		}
		// Set specific error code?
		fmt.Fprint(w, string(revokedJSON))
	}
}
func (a *API) addCertificate(chainMeta *db.CertificateChainMeta, cert *x509.Certificate, valid, leaf bool, asnNum int, now time.Time, serverIP net.IP) error {
	// Check if certificate has already been added, if so no need to do work intensive
	// decomposition
	fingerprint := core.Fingerprint(cert.Raw)

	keyDER, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return err
	}
	keyFingerprint := core.Fingerprint(keyDER)

	certModel := &db.Certificate{
		Size:                   len(cert.Raw),
		Fingerprint:            fingerprint,
		KeyFingerprint:         keyFingerprint,
		PublicKeyAlg:           uint8(cert.PublicKeyAlgorithm),
		Valid:                  valid,
		CertVersion:            uint8(cert.Version),
		Root:                   cert.IsCA,
		Expired:                time.Now().After(cert.NotAfter),
		BasicConstraints:       cert.BasicConstraintsValid,
		MaxPathLen:             cert.MaxPathLen,
		MaxPathLenZero:         cert.MaxPathLenZero,
		SignatureAlg:           uint8(cert.SignatureAlgorithm),
		Signature:              cert.Signature,
		NotBefore:              cert.NotBefore,
		NotAfter:               cert.NotAfter,
		SubjectKeyIdentifier:   cert.SubjectKeyId,
		AuthorityKeyIdentifier: cert.AuthorityKeyId,
		KeyUsage:               uint8(cert.KeyUsage),
		CommonName:             cert.Subject.CommonName,
		Serial:                 fmt.Sprintf("%X", cert.SerialNumber),
		IssuerCommonName:       cert.Issuer.CommonName,
		Country:                strings.Join(cert.Subject.Country, "; "),
		Province:               strings.Join(cert.Subject.Province, "; "),
		Locality:               strings.Join(cert.Subject.Locality, "; "),
		Organization:           strings.Join(cert.Subject.Organization, "; "),
		OrganizationalUnit:     strings.Join(cert.Subject.OrganizationalUnit, "; "),
	}

	exists, err := a.db.CertificateExists(fingerprint)
	if err != nil {
		return err
	}
	// Decompsoe certificate into all the different bits we want
	err = a.db.AddCertificate(certModel)
	if err != nil {
		return err
	}
	if exists {
		a.stats.Inc("submission.parsing.certificates.previously-seen", 1.0, 1)
		return nil
	}

	if time.Now().After(cert.NotAfter) {
		a.stats.Inc("submission.parsing.certificates.expired", 1, 1.0)
	}
	if valid {
		a.stats.Inc("submission.parsing.certificates.valid", 1, 1.0)
	} else {
		a.stats.Inc("submission.parsing.certificates.invalid", 1, 1.0)
	}

	if cert.IsCA && valid {
		a.stats.Inc("submission.parsing.certificates.roots.rate", 1, 1.0)
	}

	if sig, ok := core.SignatureAlgorithms[cert.SignatureAlgorithm]; ok {
		a.stats.Inc(fmt.Sprintf("submission.parsing.certificates.signature-algorithm.%s", sig), 1, 1.0)
	}

	// XXX: All of the db.Add... operations below could be run concurrently to
	//      improve performance somewhat (MySQL might not like this too much,
	//      but my gut says InnoDB should be able to handle it).

	// Raw certificate because why not
	err = a.db.AddRawCertificate(&db.RawCertificate{
		CertificateFingerprint: fingerprint,
		DER: cert.Raw,
	})
	if err != nil {
		// Continue
		fmt.Println(err)
	}

	// Public key
	keyExists, err := a.db.KeyExists(keyFingerprint)
	if err != nil {
		return err
	}
	key := &db.Key{
		Fingerprint: keyFingerprint,
		Valid:       valid,
	}
	switch t := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		a.stats.Inc("submission.parsing.certificates.key-types.RSA", 1, 1.0)
		key.Type = uint8(x509.RSA)
		key.RSAModulusSize = int64(t.N.BitLen())
		key.RSAModulus = t.N.Bytes()
		key.RSAExponent = int64(t.E)
	case *dsa.PublicKey:
		a.stats.Inc("submission.parsing.certificates.key-types.DSA", 1, 1.0)
		key.Type = uint8(x509.DSA)
		key.DSAP = t.P.Bytes()
		key.DSAQ = t.Q.Bytes()
		key.DSAG = t.G.Bytes()
		key.DSAY = t.Y.Bytes()
	case *ecdsa.PublicKey:
		a.stats.Inc("submission.parsing.certificates.key-types.ECDSA", 1, 1.0)
		key.Type = uint8(x509.ECDSA)
		key.ECDSACurve = t.Params().Name
		key.ECDSAX = t.X.Bytes()
		key.ECDSAY = t.Y.Bytes()
	}
	err = a.db.AddPublicKey(key)
	if err != nil {
		return err
	}
	if !keyExists {
		err = a.db.AddRawKey(&db.RawKey{
			KeyFingerprint: keyFingerprint,
			DER:            keyDER,
		})
		if err != nil {
			// Continue...
			fmt.Println(err)
		}
	}

	// Names sections
	err = a.db.AddDNSNames(fingerprint, cert.DNSNames)
	if err != nil {
		// Continue
		fmt.Println(err)
	}
	err = a.db.AddIPAddresses(fingerprint, cert.IPAddresses)
	if err != nil {
		// Continue
		fmt.Println(err)
	}
	err = a.db.AddEmailAddresses(fingerprint, cert.EmailAddresses)
	if err != nil {
		// Continue
		fmt.Println(err)
	}
	err = a.db.AddConstrainedDNSNames(fingerprint, cert.PermittedDNSDomains)
	if err != nil {
		// Continue
		fmt.Println(err)
	}

	// Remote revocation services
	err = a.db.AddOCSPEndpoints(fingerprint, cert.OCSPServer)
	if err != nil {
		// Continue
		fmt.Println(err)
	}
	err = a.db.AddCRLEndpoints(fingerprint, cert.CRLDistributionPoints)
	if err != nil {
		// Continue
		fmt.Println(err)
	}

	// Extra subject sections
	err = a.db.AddSubjectExtensions(fingerprint, cert.Subject.Names)
	if err != nil {
		// Continue
		fmt.Println(err)
	}

	// Various identifiers and extensions
	err = a.db.AddPolicyIdentifiers(fingerprint, cert.PolicyIdentifiers)
	if err != nil {
		// Continue
		fmt.Println(err)
	}
	err = a.db.AddCertificateExtensions(fingerprint, cert.Extensions)
	if err != nil {
		// Continue
		fmt.Println(err)
	}
	err = a.db.AddIssuingCertificateURL(fingerprint, cert.IssuingCertificateURL)
	if err != nil {
		// Continue
		fmt.Println(err)
	}

	// Add report
	err = a.db.AddReport(&db.Report{
		Source:                 0,  // XXX: fix this...
		Domain:                 "", // XXX: fix this...
		ServerIP:               serverIP.String(),
		CertificateFingerprint: fingerprint,
		ChainFingerprint:       chainMeta.Fingerprint,
		Leaf:                   leaf,
		ASNNumber:              asnNum,
		Submitted:              now,
	})
	if err != nil {
		return err
	}
	return nil
}