Add backends for managing certificates, CA bundles, and fingerprints.

Review Request #13163 — Created July 28, 2023 and submitted — Latest diff uploaded


Review Board


This introduces support for storage backends for certificate-related
data. Backends are responsible for adding, deleting, fetching, and
iterating through SSL/TLS certificates, CA bundles, and verified
certificate fingerprints, along with providing stats on the data stored.

These can all be tied to a specific Local Site or to the global site.
Each object has an ID specific to the backend, which can be used for
lookup or deletions. IDs must be set by the backend, and consumers of
the backends must take care not to allow user-provided input to be used
without validation.

Backends are given a space within the site's data directory where they
can store files. Most libraries and tools expect a file path to PEMs, so
the backend is responsible for ensuring that those files exist when

Each object type being managed has a "stored" counterpart class. These
are subclassed by the backend and used to associate any necessary
information needed to identify or place the object somewhere in a
storage system.

By default, we ship a file-based storage backend. This is designed for
most single-server or managed-sitedir needs. All data is managed on the
filesystem, using known paths and filenames. These files can be
hand-added to the correct directory, so long as they follow the correct
naming and file format schemes.

For most standard deployments, this will more than suffice. However,
we'll be providing a database-managed solution in Power Pack, for
handling very large numbers of certificates across unlimited numbers of
Local Sites in a manner that allows for synchronizing across servers.

For Review Board 6.0.0, we may not include any UI for interfacing with
storage, but rather can provide documentation for file-based storage. UI
would come in a follow-up release.

Unit tests pass.