openxpki Plugin

Purpose

The openxpki plugin for libstrongswan allows direct access to the OpenXPKI MySQL/MariaDB database which is used by the pki --ocsp command to retrieve the online certificate status and return it in an OCSP response.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-openxpki

Also required is support for MySQL/MariaDB

--enable-mysql

which builds and loads the mysql plugin.

Implementation

The openxpki plugin directly accesses the certificate database table:

+--------------------------+------------------------------+------+-----+---------+
| Field                    | Type                         | Null | Key | Default |
+--------------------------+------------------------------+------+-----+---------+
| pki_realm                | varchar(255)                 | YES  | MUL | NULL    |
| issuer_dn                | varchar(1000)                | YES  |     | NULL    |
| cert_key                 | decimal(49,0)                | NO   | PRI | NULL    |
| issuer_identifier        | varchar(64)                  | NO   | PRI | NULL    |
| identifier               | varchar(64)                  | YES  | UNI | NULL    |
| subject                  | varchar(1000)                | YES  | MUL | NULL    |
| status                   | enum('ISSUED','HOLD',        | YES  | MUL | UNKNOWN |
|                          |      'CRL_ISSUANCE_PENDING', |      |     |         |
|                          |      'REVOKED','UNKNOWN')    |      |     |         |
| subject_key_identifier   | varchar(255)                 | YES  |     | NULL    |
| authority_key_identifier | varchar(255)                 | YES  |     | NULL    |
| notbefore                | int(10) unsigned             | YES  | MUL | NULL    |
| notafter                 | int(10) unsigned             | YES  | MUL | NULL    |
| revocation_time          | int(10) unsigned             | YES  | MUL | NULL    |
| invalidity_time          | int(10) unsigned             | YES  | MUL | NULL    |
| reason_code              | varchar(50)                  | YES  | MUL | NULL    |
| hold_instruction_code    | varchar(50)                  | YES  | MUL | NULL    |
| revocation_id            | int(11)                      | YES  | UNI | NULL    |
| req_key                  | bigint(20) unsigned          | YES  | MUL | NULL    |
| data                     | longtext                     | YES  |     | NULL    |
+--------------------------+------------------------------+------+-----+---------+
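To show how an OCSP status is derived from this table, here is an added example (not the strongSwan plugin's own code). It uses an in-memory sqlite3 table with only the columns that matter for the lookup, constructed rows, and an assumed mapping from the OpenXPKI status and reason_code values to OCSP certificate status and RFC 5280 CRLReason codes.

```python
"""Simulated OCSP status lookup against the OpenXPKI certificate table.

Added example, not strongSwan's openxpki plugin. The status-to-OCSP mapping and
the reason_code names are assumptions for illustration; sqlite3 stands in for
MySQL/MariaDB so the example runs offline.
"""
import sqlite3

# RFC 5280 CRLReason values keyed by the textual reason_code (assumed spellings).
CRL_REASON = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
    "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
    "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
    "aACompromise": 10,
}


def build_db():
    """In-memory stand-in for the certificate table, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE certificate (
        cert_key TEXT, issuer_identifier TEXT, status TEXT,
        revocation_time INTEGER, reason_code TEXT,
        PRIMARY KEY (cert_key, issuer_identifier))""")
    db.executemany("INSERT INTO certificate VALUES (?,?,?,?,?)", [
        ("1001", "ISSUER-ID-EXAMPLE", "ISSUED", None, None),
        ("1002", "ISSUER-ID-EXAMPLE", "REVOKED", 1700000000, "keyCompromise"),
        ("1003", "ISSUER-ID-EXAMPLE", "HOLD", 1700000100, "certificateHold"),
    ])
    return db


def ocsp_status(db, issuer_identifier, serial):
    """Return (status, revocation_time, crl_reason) for one OCSP single response.

    The key is the (issuer_identifier, cert_key) pair; the serial comes from the
    OCSP request, so it is bound as a parameter rather than pasted into the SQL.
    Missing rows and UNKNOWN map to 'unknown'; ISSUED maps to 'good'; REVOKED,
    HOLD and CRL_ISSUANCE_PENDING map to 'revoked' (assumed mapping).
    """
    row = db.execute(
        "SELECT status, revocation_time, reason_code FROM certificate "
        "WHERE issuer_identifier = ? AND cert_key = ?",
        (issuer_identifier, str(serial))).fetchone()
    if row is None or row[0] == "UNKNOWN":
        return ("unknown", None, None)
    status, rev_time, reason = row
    if status == "ISSUED":
        return ("good", None, None)
    return ("revoked", rev_time, CRL_REASON.get(reason, 0))
```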

Configuration

The openxpki plugin is configured using the following options in the charon.plugins.openxpki section of strongswan.conf:

Key        Default   Description

database             OpenXPKI MySQL/MariaDB URI. If it contains a password, make sure to adjust the permissions of the config file accordingly.

Example

libstrongswan {
  plugins {
    openxpki {
      database = "mysql://openxpki:openxpki@localhost/openxpki"
    }
  }
}