A Go re-write of the SSL Observatory, because Go rules and is perfect for this task, and hey, I'm a masochist I guess...
* MS root pool
* NSS root pool
* Trans root pool * asn finder
^ ^
| |
v v
<-> submission api -> validity checker -> meta generator -> database <-> query api
^ ^
| |
v v
* ocsp checker periodic updater
* crl checker
* database (revocation checking) ^
|
v
* ocsp checker
* crl checker
With a single submission processor on my machine I'm able to attain about ~30 submissions/second, with two processors I can get ~60-70 submissions/second. This is as far as I've tested so far.
- Impl. some kind of proof-of-work (e.g. hashcash) to prevent baddies DOSing us with massive/unparseable certs/chains
- Might want a better way of storing
big.Ints (since using bytes kinda messes up the ability to do most mathmatical operations...) - Switch from SHA 256 to old weird fingerprinting method in order to back-compatible so we can seed the new schema from the old database
- Reject absurdly large chains (if this is submission size based we can avoid the below requirement I think...)
- Add a method to check & truncate certificates if certain fields are too large (and add some bool to the base Certificate model to represent if this has happened) to prevent attacks where someone just constructs insanely massive certificates we have to parse
- YAML config
- Root pool retreival/loading tools
- Basic load from PEM method
- Parsers
- NSS root list retriever/parser/loader (agl has a good ref. tool)
- MS root list retriever/parser/loader (catt has a useful set of scripts here to crib from))
- Trans validity root list (I think this has to be pulled from observed certificates?)
- Dynamic reloading of root pools (RPC?)
- If available use OCSP to check if certificate is revoked (periodically, Jeremy may already be working on this!)
- If available check CRL (periodically)
- Send StatsD metrics somewhere
- Full test suite!
- Create tool to translate/seed new schema from old database
- Compare
gobservatoryperformance to Python Observatory... (was it actually worth it?)
- Database schema
- General index/foreign key/performance review (ask pde/jeremy/jeff/jcj/etc for advice on if the draft schema is viable)
- Report schema
- ASN schema
- Chain schema
- OCSP/CRL certificate revocation schema
- Various certificate schemas
- Basic certificates (still needs work and probably more splitting stuff out...)
- Key usage
- Raw certificates (DER)
- Subject key identifier
- Authority key identifier
- DNS names
- IPs
- Emails
- Subjects (Also split)
- Serial
- Common names
- Countries
- Organizations
- Organizational units
- Localities
- Provinces
- Subject extensions
- x509v3 extensions
- RSA public keys
- DSA public keys
- ECC public keys (only P-224, P-256, P-384, and P-521 curves)
- IssuingCertificateURL
- OCSP endpoints
- CRL endpoints
- Policy OIDs
- DNS name constraints
- Inverse index mapping schemas (names -> certs, some of the cert splitting seems to basically accomplish this for us)
- Create database models for every schema
- Add/Update methods for models
- Add ASN
- Add chain
- Add (split) certificate
- Basic section
- Raw certificate
- Basically everything else...
- Certificate extensions
- Subject extensions
- Add submission report
- Backwards compatibility with previous API (and therefore HTTPS Everywhere and SSL Observatory Funnel)
- HTTP server
- HTTPS server
- Submission handler
- Query for ASN number and name if server IP available
- Generate submission reports
- Support all submission parameters (ASN/opt out/etc)
- Actually do what all the parameters indicate
- Check that none of the certificates have been revoked before responding to client
- Graceful shutdown
- Generate valid chains for different root pools
- Check trans-validity