Project

General

Profile

DB Design » History » Version 2

Felix Tiede, 11/26/2011 08:55 AM
Converted formatting to redmine wiki format

1 1 Felix Tiede
h1. Database structure
2
3
{{>toc}}
4
5 2 Felix Tiede
kCA relies on a SQL database backend to store information on known certification authorities, issued certificates and some settings. It is the responsibility of the user to make sure database access rights are only granted to those allowed to perform certain operations. kCA authorizes some operations by asking for an authority's key, but if the user has the key, he is able to do any operation, whether he should or not.
6 1 Felix Tiede
7 2 Felix Tiede
In any case source:doc/db-schema.txt is authoritative. This wiki page is only for additional documentation purposes.
8 1 Felix Tiede
9
*Currently only SQLite backend is supported!*
10
11
Following are the table structures required by kCA.
12
13
h2. Settings
14
15
Contains information general information which is not associated with any other information in the database.
16
17 2 Felix Tiede
Table name: @
18
Settings@
19 1 Felix Tiede
|*Name*|*Type*|*Comment*|
20
|@name@|Varchar|Name of stored setting|
21
|@value@|Varchar|Stored value|
22
23 2 Felix Tiede
Currently this table is used solely for the purpose of preventing damage to the database by mismatch between application and database structure (see #78).
24 1 Felix Tiede
25
h2(#Authorities). Certification Authorities
26
27
Contains main information about certification authorities, basically the heart of the application.
28
29 2 Felix Tiede
Table name: @Authorities@
30
|*Name*|*Type*|*Comment*|
31
|@id@|Int (Auto-Increment, Unique)|Unique CA ID|
32
|@hash@|Long Int Unique|Subject hash of CA, used for identification throughout application|
33
|@name@|Varchar|Friendly name for display in GUI, also reported via D-Bus property @authorities@|
34
|@policy@|Foreign Key (@policies.id@)|Id of [[DB_Design#Policies|policy]] to use while signing requests|
35
|@certificatedays@|Int|Default validity timespan of new certificates in days|
36
|@crlnumber@|Int|Number of last issued CRL, incremented each time a CRL is issued|
37
n|@crldays@|Int|Validity timespan of issued CRLs|
38
|@digest@|Int|Digest used in all signing operations performed by authority|
39
|@certificate@|Blob|PEM-encoded raw data of authority certificate, used in every signing operation|
40
|@key@|Blob|Filename to authority's private key or PEM-encoded raw data of authority's private key, possibly passphrase protected|
41 1 Felix Tiede
42
The following indexes are used:
43 2 Felix Tiede
|@UNIQUE (id)@|
44
|@UNIQUE (hash)@|
45
|@INDEX (name ASC)@|
46 1 Felix Tiede
47
h2. Policies
48
49
Contains all policies to use at request signing to simplify authority configuration. Allows for just selecting another name instead of setting all values.
50
A policy decides whether a specific part of a request's subject must match the related part of the signing authority's subject to allow signing, must be just supplied (allows for any value except blank) or is entirely optional (allows also blank values). Capitalized letters of field names show the key of the subject part in question.
51
52 2 Felix Tiede
Table name: @Policies@
53
r
54
|*Name*|*Type*|*Comment*|
55
|@id@|Int (Auto-Increment, Unique)|Unique policy ID|
56
|@name@|Varchar (Unique)|Friendly name for display in authority configuration|
57
|@Country@|Enum(match, supplied, optional)||
58
|@STate@|Enum(match, supplied, optional)||
59
|@Location@|Enum(match, supplied, optional)||
60
|@Organization@|Enum(match, supplied, optional)||
61
|@OrganizationalUnit@|Enum(match, supplied, optional)||
62
|@CommonName@|Enum(match, supplied, optional)||
63
|@Email@|Enum(match, supplied, optional)|Relates to subject key '@emailAddress@'|
64 1 Felix Tiede
65
The following indexes are used:
66 2 Felix Tiede
|@UNIQUE (id)@|
67
|@UNIQUE (name)@|
68
|@UNIQUE (Country, STate, Location, Organization, OrganizationalUnit, CommonName, Email)@|
69
|@INDEX (name ASC)@|
70 1 Felix Tiede
71
h2. Extensions
72
73
Extensions are added to certificates and CRLs on creation by a certification authority. This table contains all available extensions in use.
74
75 2 Felix Tiede
Table name: @Extensions@
76
|*Name*|*Type*|*Comment*|
77
|@id@|Long Int (Auto-Increment, 
78
Unique)|Unique extension ID|
79
|@type@|Enum(cert, crl)|Whether an extension is to be used for certificates or CRLs|
80
|@critical@|Bool|
81
|@oid@|Varchar|Numerical object ID of extension|
82
|@value@|Varchar|Text value of extension|
83 1 Felix Tiede
84
The following indexes are used:
85 2 Felix Tiede
|@UNIQUE (id)@|
86
|@UNIQUE (type, oid, value)@|
87
|@INDEX (oid)@|
88 1 Felix Tiede
89
h2(#CAExtensions). Authority Extensions
90
91
Connects extensions to authorities. Since one authority uses an arbitrary number of extensions, this table is needed.
92
93 2 Felix Tiede
Table name: @CAExtensions@
94
|*Name*|*Type*|*Comment*|
95
|@id@|Long Int (Auto-Increment, Unique)|Unique connection ID|
96
|@authority@|Foreign Key (@authorities.id@)|ID of [[DB_Design#Authorities|authority]] to connect to an extension|
97
|@extension@|Foreign Key (@extensions.id@)|ID of [[DB_Design#Extensions|extension]] to connect to an authority|
98 1 Felix Tiede
99 2 Felix Tiede
The following indexes are used:
100
|@UNIQUE (id)@|
101
|@UNIQUE (authority, extension)@|
102
|@INDEX (authority)@|
103
|@INDEX (extension)@|
104
n
105 1 Felix Tiede
h2. Certificates
106
107
Stores every certificate issued by a managed certification authority and additional information.
108
109 2 Felix Tiede
Table name: @Certificates@
110
|*Name*|*Type*|*Comment*|
111
|@id@|Long Int (Auto-Increment, Unique)|Unique certificate ID|
112
|@serial@|Unsigned Long Long Int|64 bit serial number of certificate|
113
|@fingerprint@|Char(64) (Unique)|Unique fingerprint of certificate lower case without octet separation|
114
|@authority@|Foreign Key (@authorities.hash@)|Subject hash value of [[DB_Design#Authorities|authority]] which issued the certificate|
115
|@subject@|Varchar|Certificate subject|
116
|@issued@|Datetime|Timestamp when certificate was issued, not necessarily identical to @validfrom@|
117
|@validfrom@|Datetime|Timestamp when certificate becomes valid, can not be before @issued@|
118
|@expiration@|Datetime|Timestamp when certificate becomes expired, can not be before @validfrom@|
119
|@owner@|Varchar|Owner identifier from !Akonadi to connect certificate with an !Akonadi contact|
120
|@
121
state@|Enum(valid, expired, revoked)|
122
|@revocation@|Datetime|Timestamp of revocation of certificate, can not be before @issued@ or after @expiration@|
123
|@reason@|Short Int|Reason of revocation|
124
|@certificate@|Blob|PEM-encoded raw certificate data for documentary purposes and later re-export if needed|
125 1 Felix Tiede
126
The following indexes are used:
127 2 Felix Tiede
|@UNIQUE (id)@|
128
|@UNIQUE (fingerprint)@|
129
|@UNIQUE (authority, serial)@|
130
|@INDEX (authority)@|
131
|@INDEX (status ASC, expiration ASC)@|
132
|@INDEX (status ASC, id)@|
133 1 Felix Tiede
134
h2. Triggers
135
136 2 Felix Tiede
The database should - if somehow possible - auto-expire certificates. This should set a certificate's @state@ to @expired@, if it is not revoked but the timestamp in @expiration@ is in the past. Only exception should be certificates revoked by @CertificateOnHold@, which should also be auto-expired. At best it should do so on any database operation.