feat: adjust logging; implement pem crl endpoint; add crl entries metric; lock on UseCrl

internal/metrics/metrics.go

@@ -16,19 +16,26 @@ var (
 	}, []string{labelPath})
 
 	responseStatus = prometheus.NewCounterVec(prometheus.CounterOpts{
-		Name: "response_status",
+		Name: "http_response_status",
 		Help: "Status of HTTP response",
 	}, []string{labelPath, labelStatus})
 
 	httpDuration = prometheus.NewHistogramVec(prometheus.HistogramOpts{
 		Name:    "http_response_time_seconds",
 		Help:    "Duration of HTTP requests.",
-		Buckets: prometheus.DefBuckets,
+		Buckets: prometheus.ExponentialBuckets(0.0001, 2, 10),
 	}, []string{labelPath})
+
+	CrlEntries = prometheus.NewGauge(prometheus.GaugeOpts{
+		Namespace: "ocspcrl",
+		Name:      "crl_entries_total",
+		Help:      "Number of entries in the CRL",
+	})
 )
 
 func init() {
 	prometheus.MustRegister(totalRequests)
 	prometheus.MustRegister(responseStatus)
 	prometheus.MustRegister(httpDuration)
+	prometheus.MustRegister(CrlEntries)
 }

internal/ocsp_source/source.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"math/big"
 	"net/http"
+	"sync"
 	"time"
 
 	"golang.org/x/crypto/ocsp"
@@ -16,6 +17,7 @@ type CrlSource struct {
 	responderCertificate *x509.Certificate
 	responderKey         crypto.Signer
 	crl                  *x509.RevocationList
+	crlMutex             sync.Mutex
 }
 
 func NewCrlSource(caCertificate *x509.Certificate, responderKeyPair tls.Certificate) *CrlSource {
@@ -26,8 +28,10 @@ func NewCrlSource(caCertificate *x509.Certificate, responderKeyPair tls.Certific
 	}
 }
 
-func (source *CrlSource) UseCrl(crl *x509.RevocationList) {
+func (source *CrlSource) UseCrl(crl x509.RevocationList) {
-	source.crl = crl
+	source.crlMutex.Lock()
+	defer source.crlMutex.Unlock()
+	source.crl = &crl
 }
 
 func (source *CrlSource) Response(request *ocsp.Request) ([]byte, http.Header, error) {

main.go

@@ -91,7 +91,8 @@ func main() {
 	if loadCrlError != nil {
 		log.Fatalf("failed to load crl: %v", loadCrlError)
 	}
-	source.UseCrl(crl)
+	metrics.CrlEntries.Set(float64(len(crl.RevokedCertificateEntries)))
+	source.UseCrl(*crl)
 
 	signalChan := make(chan os.Signal, 1)
 	signal.Notify(signalChan, os.Interrupt, syscall.SIGTERM)
@@ -102,6 +103,10 @@ func main() {
 		w.Header().Set("Content-Type", "application/pkix-crl")
 		w.Write(crl.Raw)
 	})
+	applicationRouter.HandleFunc("/crl.pem", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/pkix-crl")
+		pem.Encode(w, &pem.Block{Type: "X509 CRL", Bytes: crl.Raw})
+	})
 
 	applicationServer := &http.Server{Addr: config.applicationListenAddress, Handler: metrics.Middleware(applicationRouter)}
 	metricsSever := &http.Server{Addr: config.metricsListenAddress, Handler: promhttp.Handler()}
@@ -109,14 +114,14 @@ func main() {
 	applicationServerClosed := make(chan any)
 	metricsServerClosed := make(chan any)
 	go func() {
-		log.Printf("starting application server on %s", config.applicationListenAddress)
+		log.Printf("starting application server on %+q", config.applicationListenAddress)
 		if listenError := applicationServer.ListenAndServe(); listenError != nil {
 			log.Printf("application error: %v", listenError)
 		}
 		close(applicationServerClosed)
 	}()
 	go func() {
-		log.Printf("starting metrics server on %s", config.metricsListenAddress)
+		log.Printf("starting metrics server on %+q", config.metricsListenAddress)
 		if listenError := metricsSever.ListenAndServe(); listenError != nil {
 			log.Printf("metrics error: %v", listenError)
 		}