Add IssuanceChainStorage PostgreSQL implementation (google#1618)

* Duplicate MySQL files to new PostgreSQL directories, preserving git line history

* Restore MySQL files

* Replace 'MySQL' references with 'PostgreSQL', preserving case of each reference

* Update imports

* Convert schema

* PostgreSQL doesn't have an equivalent of MySQL's strict mode

* Use PostgreSQL parameter placeholder syntax

* Database driver name is 'pgx'

* Adapt duplicated key checking to PostgreSQL

* Remove unused parameter

* DSN URI scheme can be either postgresql:// or postgres://

* Plug PostgreSQL into NewIssuanceChainStorage

* Check PostgreSQL DSN in ValidateLogConfig

* Document PostgreSQL storage connection string format

* Add resetpgctdb.sh

* Comodo -> Sectigo

* Fix tests by escaping dollar signs

* Add postgresql-client to integration Dockerfile

* USER_HOST is not relevant to PostgreSQL

* Add PostgreSQL Cloud Build configuration

* Update CHANGELOG.md

* Correct docker package name

* Use Trillian master branch in Cloud Build tests

* Update log-server and log-signer hostnames in Cloud Build tests

* Run psql directly rather than via docker

* Set POSTGRESQL_HOST before running resetpgctdb.sh

* Add integration and lifecycle test config for PostgreSQL

* Three slashes needed in the PostgreSQL URIs in the integration config

* For pgx, sql.Open expects the whole DSN, not just the part after the ://

* Add hostname and port to the PostgreSQL URIs in the integration config

* Grant INSERT and SELECT privileges on the IssuanceChain table

* Specify correct database for GRANT

* ctx is unused

* 'IdentityHash' values are expected to always be the same length

* Remove k8s related steps

* Revert "Use Trillian master branch in Cloud Build tests"

This reverts commit fa3dbdb.

* Document POSTGRESQL_INSECURE in usage()

Author: robstradling

AUTHORS

@@ -9,7 +9,6 @@
 # Please keep the list sorted.
 
 Alex Cohn <alex@alexcohn.com>
-Comodo CA Limited
 Ed Maste <emaste@freebsd.org>
 Elisha Silas <silaselisha66@gmail.com>
 Fiaz Hossain <fiaz.hossain@salesforce.com>
@@ -24,6 +23,7 @@ Nicholas Galbreath <nickg@client9.com>
 Oliver Weidner <Oliver.Weidner@gmail.com>
 PrimeKey Solutions AB
 Ruslan Kovalov <ruslan.kovalyov@gmail.com>
+Sectigo Limited
 Venafi, Inc.
 Vladimir Rutsky <vladimir@rutsky.org>
 Ximin Luo <infinity0@gmx.com>

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 ## HEAD
 
+### CTFE Storage Saving: Extra Data Issuance Chain Deduplication
+
+This feature now supports PostgreSQL, in addition to the support for MySQL/MariaDB that was added in [v1.2.0](#v1.2.0).
+
+Log operators can choose to enable this feature for new PostgreSQL-based CT logs by adding new CTFE configs in the [LogMultiConfig](trillian/ctfe/configpb/config.proto) and importing the [database schema](trillian/ctfe/storage/postgresql/schema.sql). The other available options are documented in the [v1.2.0](#v1.2.0) changelog entry.
+
+This change is tested in Cloud Build tests using the `postgres:17` Docker image as of the time of writing.
+
+* Add IssuanceChainStorage PostgreSQL implementation by @robstradling in https://github.com/google/certificate-transparency-go/pull/1618
+
 ## v1.2.2
 
 * Recommended Go version for development: 1.22

CONTRIBUTORS

@@ -52,7 +52,7 @@ Paul Lietar <lietar@google.com>
 Pavel Kalinnikov <pkalinnikov@google.com> <pavelkalinnikov@gmail.com>
 Pierre Phaneuf <pphaneuf@google.com>
 Rob Percival <robpercival@google.com>
-Rob Stradling <rob@comodo.com>
+Rob Stradling <rob@sectigo.com>
 Roger Ng <rogerng@google.com> <roger2hk@gmail.com>
 Roland Shoemaker <roland@letsencrypt.org>
 Ruslan Kovalov <ruslan.kovalyov@gmail.com>

cloudbuild_postgresql.yaml

@@ -1,3 +1,8 @@
+#############################################################################
+## This file is based on cloudbuild.yaml, but targets PostgreSQL instead of
+## MySQL.
+#############################################################################
+
 timeout: 1200s
 options:
   machineType: N1_HIGHCPU_32
@@ -17,5 +22,140 @@ substitutions:
 logsBucket: 'gs://trillian-cloudbuild-logs'
 
 steps:
-- name: 'bash'
-- name: 'bash'
+# First build a "ct_testbase" docker image which contains most of the tools we need for the later steps:
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/$PROJECT_ID/ct_testbase:latest || exit 0']
+- name: 'gcr.io/cloud-builders/docker'
+  args: [
+    'build',
+    '-t', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '--cache-from', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '-f', './integration/Dockerfile',
+    '.'
+  ]
+
+# prepare spins up an ephemeral trillian instance for testing use.
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  entrypoint: 'bash'
+  id: 'prepare'
+  args:
+  - '-exc'
+  - |
+    # Use latest versions of Trillian docker images built by the Trillian CI cloudbuilders.
+    docker pull gcr.io/$PROJECT_ID/log_server:latest
+    docker tag gcr.io/$PROJECT_ID/log_server:latest postgresql_trillian-log-server
+    docker pull gcr.io/$PROJECT_ID/log_signer:latest
+    docker tag gcr.io/$PROJECT_ID/log_signer:latest postgresql_trillian-log-signer
+
+    # Bring up an ephemeral trillian instance using the docker-compose config in the Trillian repo:
+    export TRILLIAN_LOCATION="$$(go list -f '{{.Dir}}' github.com/google/trillian)"
+
+    # We need to fix up Trillian's docker-compose to connect to the CloudBuild network to that tests can use it:
+    echo -e "networks:\n      default:\n        external:\n          name: cloudbuild" >> $${TRILLIAN_LOCATION}/examples/deployment/postgresql/docker-compose.yml
+
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/postgresql/docker-compose.yml pull postgresql trillian-log-server trillian-log-signer
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/postgresql/docker-compose.yml up -d postgresql trillian-log-server trillian-log-signer
+
+# Install proto related bits and block on Trillian being ready
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci-ready'
+  entrypoint: 'bash'
+  args:
+    - '-ec'
+    - |
+      go install \
+        github.com/golang/protobuf/proto \
+        github.com/golang/protobuf/protoc-gen-go \
+        github.com/golang/mock/mockgen \
+        go.etcd.io/etcd/v3 go.etcd.io/etcd/etcdctl/v3 \
+        github.com/fullstorydev/grpcurl/cmd/grpcurl
+
+      # Generate all protoc and mockgen files
+      go generate -run="protoc" ./...
+      go generate -run="mockgen" ./...
+
+      # Cache all the modules we'll need too
+      go mod download
+      go test ./...
+
+      # Wait for trillian logserver to be up
+      until nc -z postgresql_trillian-log-server_1 8090; do echo .; sleep 5; done
+
+      # Reset the CT test database
+      export CT_GO_PATH="$$(go list -f '{{.Dir}}' github.com/google/certificate-transparency-go)"
+      export POSTGRESQL_HOST="postgresql"
+      yes | bash "$${CT_GO_PATH}/scripts/resetpgctdb.sh" --verbose
+  waitFor: ['prepare']
+
+# Run the presubmit tests
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'default_test'
+  env:
+    - 'GOFLAGS='
+    - 'PRESUBMIT_OPTS=--no-linters --no-generate'
+    - 'TRILLIAN_LOG_SERVERS=postgresql_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=postgresql_trillian-log-server_1:8090'
+    - 'CONFIG_SUBDIR=/postgresql'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'race_detection'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters --no-generate'
+    - 'TRILLIAN_LOG_SERVERS=postgresql_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=postgresql_trillian-log-server_1:8090'
+    - 'CONFIG_SUBDIR=/postgresql'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_coverage'
+  env:
+    - 'GOFLAGS='
+    - 'PRESUBMIT_OPTS=--no-linters --no-generate --coverage'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=postgresql_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=postgresql_trillian-log-server_1:8090'
+    - 'CONFIG_SUBDIR=/postgresql'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_race'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters --no-generate'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=postgresql_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=postgresql_trillian-log-server_1:8090'
+    - 'CONFIG_SUBDIR=/postgresql'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'with_pkcs11_and_race'
+  env:
+    - 'GOFLAGS=-race --tags=pkcs11'
+    - 'PRESUBMIT_OPTS=--no-linters --no-generate'
+    - 'WITH_PKCS11=true'
+    - 'TRILLIAN_LOG_SERVERS=postgresql_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=postgresql_trillian-log-server_1:8090'
+    - 'CONFIG_SUBDIR=/postgresql'
+  waitFor: ['ci-ready']
+
+# Collect and submit codecoverage reports
+- name: 'gcr.io/cloud-builders/curl'
+  id: 'codecov.io'
+  entrypoint: bash
+  args: ['-c', 'bash <(curl -s https://codecov.io/bash)']
+  env:
+  - 'VCS_COMMIT_ID=$COMMIT_SHA'
+  - 'VCS_BRANCH_NAME=$BRANCH_NAME'
+  - 'VCS_PULL_REQUEST=$_PR_NUMBER'
+  - 'CI_BUILD_ID=$BUILD_ID'
+  - 'CODECOV_TOKEN=$_CODECOV_TOKEN' # _CODECOV_TOKEN is specified in the cloud build trigger
+  waitFor: ['etcd_with_coverage']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci_complete'
+  entrypoint: /bin/true
+  waitFor: ['codecov.io', 'default_test', 'race_detection', 'etcd_with_coverage', 'etcd_with_race', 'with_pkcs11_and_race']

go.mod

@@ -11,6 +11,8 @@ require (
 	github.com/google/trillian v1.7.0
 	github.com/gorilla/mux v1.8.1
 	github.com/hashicorp/golang-lru/v2 v2.0.7
+	github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438
+	github.com/jackc/pgx/v5 v5.7.1
 	github.com/kylelemons/godebug v1.1.0
 	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/prometheus/client_golang v1.20.5
@@ -74,6 +76,9 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jhump/protoreflect v1.16.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/jonboulle/clockwork v0.4.0 // indirect

go.sum

@@ -147,6 +147,16 @@ github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438 h1:Dj0L5fhJ9F82ZJyVOmBx6msDp/kfd1t9GRfny/mfJA0=
+github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438/go.mod h1:a/s9Lp5W7n/DD0VrVoyJ00FbP2ytTPDVOivvn2bMlds=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs=
+github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jhump/protoreflect v1.16.0 h1:54fZg+49widqXYQ0b+usAFHbMkBGR4PpXrsHc8+TBDg=
 github.com/jhump/protoreflect v1.16.0/go.mod h1:oYPd7nPvcBw/5wlDfm/AVmU9zH9BgqGCI469pGxfj/8=
 github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=

integration/Dockerfile

@@ -7,7 +7,7 @@ WORKDIR /testbase
 ARG GOFLAGS=""
 ENV GOFLAGS=$GOFLAGS
 
-RUN apt-get update && apt-get -y install build-essential curl docker-compose lsof mariadb-client netcat-openbsd unzip wget xxd
+RUN apt-get update && apt-get -y install build-essential curl docker-compose lsof mariadb-client netcat-openbsd postgresql-client unzip wget xxd
 
 RUN cd /usr/bin && curl -L -O https://github.com/jqlang/jq/releases/download/jq-1.7/jq-linux64 && mv jq-linux64 /usr/bin/jq && chmod +x /usr/bin/jq
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.55.1

scripts/resetpgctdb.sh

@@ -0,0 +1,115 @@
+#!/bin/bash
+
+set -e
+
+usage() {
+  cat <<EOF
+$(basename $0) [--force] [--verbose] ...
+All unrecognised arguments will be passed through to the 'psql' command.
+Accepts environment variables:
+- POSTGRESQL_ROOT_USER: A user with sufficient rights to create/reset the CT
+  database (default: root).
+- POSTGRESQL_ROOT_PASSWORD: The password for \$POSTGRESQL_ROOT_USER (default: none).
+- POSTGRESQL_HOST: The hostname of the PostgreSQL server (default: localhost).
+- POSTGRESQL_PORT: The port the PostgreSQL server is listening on (default: 5432).
+- POSTGRESQL_DATABASE: The name to give to the new CT user and database
+  (default: defaultctdb).
+- POSTGRESQL_USER: The name to give to the new CT user (default: cttest).
+- POSTGRESQL_PASSWORD: The password to use for the new CT user
+  (default: beeblebrox).
+- POSTGRESQL_INSECURE: If set, the script will not set a password for the new CT
+  user (default: true).
+- POSTGRESQL_IN_CONTAINER: If set, the script will assume it is running in a Docker
+  container and will exec into the container to operate (default: false).
+- POSTGRESQL_CONTAINER_NAME: The name of the Docker container to exec into (default:
+  pgsql).
+EOF
+}
+
+die() {
+  echo "$*" > /dev/stderr
+  exit 1
+}
+
+collect_vars() {
+  # set unset environment variables to defaults
+  [ -z ${POSTGRESQL_ROOT_USER+x} ] && POSTGRESQL_ROOT_USER="postgres"
+  [ -z ${POSTGRESQL_HOST+x} ] && POSTGRESQL_HOST="localhost"
+  [ -z ${POSTGRESQL_PORT+x} ] && POSTGRESQL_PORT="5432"
+  [ -z ${POSTGRESQL_DATABASE+x} ] && POSTGRESQL_DATABASE="defaultctdb"
+  [ -z ${POSTGRESQL_USER+x} ] && POSTGRESQL_USER="cttest"
+  [ -z ${POSTGRESQL_PASSWORD+x} ] && POSTGRESQL_PASSWORD="beeblebrox"
+  [ -z ${POSTGRESQL_INSECURE+x} ] && POSTGRESQL_INSECURE="true"
+  [ -z ${POSTGRESQL_IN_CONTAINER+x} ] && POSTGRESQL_IN_CONTAINER="false"
+  [ -z ${POSTGRESQL_CONTAINER_NAME+x} ] && POSTGRESQL_CONTAINER_NAME="pgsql"
+  FLAGS=()
+
+  # handle flags
+  FORCE=false
+  VERBOSE=false
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --force) FORCE=true ;;
+      --verbose) VERBOSE=true ;;
+      --help) usage; exit ;;
+      *) FLAGS+=("$1")
+    esac
+    shift 1
+  done
+
+  FLAGS+=(-U "${POSTGRESQL_ROOT_USER}")
+  FLAGS+=(--host "${POSTGRESQL_HOST}")
+  FLAGS+=(--port "${POSTGRESQL_PORT}")
+
+  # Useful for debugging
+  FLAGS+=(--echo-all)
+
+  # Optionally print flags (before appending password)
+  [[ ${VERBOSE} = 'true' ]] && echo "- Using PostgreSQL Flags: ${FLAGS[@]}"
+
+  # append password if supplied
+  [ -z ${POSTGRESQL_ROOT_PASSWORD+x} ] || FLAGS+=(-p"${POSTGRESQL_ROOT_PASSWORD}")
+
+  if [[ ${POSTGRESQL_IN_CONTAINER} = 'true' ]]; then
+    CMD="docker exec -i ${POSTGRESQL_CONTAINER_NAME} psql"
+  else
+    CMD="psql"
+  fi
+}
+
+main() {
+  collect_vars "$@"
+
+  readonly CT_GO_PATH=$(go list -f '{{.Dir}}' github.com/google/certificate-transparency-go)
+
+  echo "Warning: about to destroy and reset database '${POSTGRESQL_DATABASE}'"
+
+  [[ ${FORCE} = true ]] || read -p "Are you sure? [Y/N]: " -n 1 -r
+  echo # Print newline following the above prompt
+
+  if [ -z ${REPLY+x} ] || [[ $REPLY =~ ^[Yy]$ ]]
+  then
+      echo "Resetting DB..."
+      set -eux
+      $CMD "${FLAGS[@]}" -c "DROP DATABASE IF EXISTS ${POSTGRESQL_DATABASE};" || \
+        die "Error: Failed to drop database '${POSTGRESQL_DATABASE}'."
+      $CMD "${FLAGS[@]}" -c "CREATE DATABASE ${POSTGRESQL_DATABASE};" || \
+        die "Error: Failed to create database '${POSTGRESQL_DATABASE}'."
+      if [[ ${POSTGRESQL_INSECURE} = 'true' ]]; then
+        $CMD "${FLAGS[@]}" -c "CREATE USER ${POSTGRESQL_USER};" || \
+          die "Error: Failed to create user '${POSTGRESQL_USER}'."
+      else
+        $CMD "${FLAGS[@]}" -c "CREATE USER ${POSTGRESQL_USER} WITH PASSWORD '${POSTGRESQL_PASSWORD}';" || \
+          die "Error: Failed to create user '${POSTGRESQL_USER}'."
+      fi
+      $CMD "${FLAGS[@]}" -c "GRANT ALL PRIVILEGES ON DATABASE ${POSTGRESQL_DATABASE} TO ${POSTGRESQL_USER} WITH GRANT OPTION;" || \
+        die "Error: Failed to grant '${POSTGRESQL_USER}' user all privileges on '${POSTGRESQL_DATABASE}'."
+      $CMD "${FLAGS[@]}" -d ${POSTGRESQL_DATABASE} < ${CT_GO_PATH}/trillian/ctfe/storage/postgresql/schema.sql || \
+        die "Error: Failed to create tables in '${POSTGRESQL_DATABASE}' database."
+      $CMD "${FLAGS[@]}" -d ${POSTGRESQL_DATABASE} -c "GRANT INSERT, SELECT ON IssuanceChain TO ${POSTGRESQL_USER};" || \
+        die "Error: Failed to grant '${POSTGRESQL_USER}' INSERT and SELECT privileges on IssuanceChain in '${POSTGRESQL_DATABASE}' database."
+      echo "Reset Complete"
+  fi
+}
+
+main "$@"

trillian/ctfe/config.go

@@ -26,6 +26,7 @@ import (
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/trillian/ctfe/configpb"
 	"github.com/google/certificate-transparency-go/x509"
+	"github.com/jackc/pgx/v5/pgconn"
 	"google.golang.org/protobuf/encoding/prototext"
 	"google.golang.org/protobuf/proto"
 	"k8s.io/klog/v2"
@@ -221,12 +222,17 @@ func ValidateLogConfig(cfg *configpb.LogConfig) (*ValidatedLogConfig, error) {
 			return nil, errors.New("missing ctfe_storage_connection_string when issuance chain storage backend is CTFE")
 		}
 		// Validate CTFEStorageConnectionString
-		if !strings.HasPrefix(cfg.CtfeStorageConnectionString, "mysql") {
+		if strings.HasPrefix(cfg.CtfeStorageConnectionString, "mysql") {
+			if _, err := mysql.ParseDSN(strings.Split(cfg.CtfeStorageConnectionString, "://")[1]); err != nil {
+				return nil, errors.New("failed to parse ctfe_storage_connection_string for mysql driver")
+			}
+		} else if strings.HasPrefix(cfg.CtfeStorageConnectionString, "postgres") {
+			if _, err := pgconn.ParseConfig(cfg.CtfeStorageConnectionString); err != nil {
+				return nil, errors.New("failed to parse ctfe_storage_connection_string for postgresql pgx driver")
+			}
+		} else {
 			return nil, errors.New("unsupported driver in ctfe_storage_connection_string")
 		}
-		if _, err := mysql.ParseDSN(strings.Split(cfg.CtfeStorageConnectionString, "://")[1]); err != nil {
-			return nil, errors.New("failed to parse ctfe_storage_connection_string for mysql driver")
-		}
 		vCfg.CTFEStorageConnectionString = cfg.CtfeStorageConnectionString
 	case configpb.LogConfig_ISSUANCE_CHAIN_STORAGE_BACKEND_TRILLIAN_GRPC:
 		// Nothing to validate for Trillian gRPC

trillian/ctfe/configpb/config.pb.go

@@ -139,6 +139,9 @@ message LogConfig {
   // MySQL/MariaDB:
   // mysql://[username[:password]@][protocol[(address)]]/dbname[?param1=value1&...&paramN=valueN]
   //
+  // PostgreSQL:
+  // postgresql://[username[:password]@][host][:port][/dbname][?param1=value1&...&paramN=valueN]
+  //
   // This is required when the issuance chain storage backend is CTFE.
   // 
   // Warning: CT log operators are advised not to re-use the same connection 

trillian/ctfe/configpb/config.proto

@@ -0,0 +1,103 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package postgresql defines the IssuanceChainStorage type, which implements IssuanceChainStorage interface with FindByKey and Add methods.
+package postgresql
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/jackc/pgerrcode"
+	"github.com/jackc/pgx/v5/pgconn"
+	_ "github.com/jackc/pgx/v5/stdlib"
+
+	"k8s.io/klog/v2"
+)
+
+const (
+	selectIssuanceChainByKeySQL = "SELECT c.ChainValue FROM IssuanceChain AS c WHERE c.IdentityHash = $1"
+	insertIssuanceChainSQL      = "INSERT INTO IssuanceChain(IdentityHash, ChainValue) VALUES ($1, $2)"
+)
+
+// IssuanceChainStorage is a PostgreSQL implementation of the IssuanceChainStorage interface.
+type IssuanceChainStorage struct {
+	db *sql.DB
+}
+
+// NewIssuanceChainStorage takes the database connection string as the input and return the IssuanceChainStorage.
+func NewIssuanceChainStorage(_ context.Context, dbConn string) *IssuanceChainStorage {
+	db, err := open(dbConn)
+	if err != nil {
+		klog.Exitf(fmt.Sprintf("failed to open database: %v", err))
+	}
+
+	return &IssuanceChainStorage{
+		db: db,
+	}
+}
+
+// FindByKey returns the key-value pair of issuance chain by the key.
+func (s *IssuanceChainStorage) FindByKey(ctx context.Context, key []byte) ([]byte, error) {
+	row := s.db.QueryRowContext(ctx, selectIssuanceChainByKeySQL, key)
+	if err := row.Err(); err != nil {
+		return nil, err
+	}
+
+	var chain []byte
+	if err := row.Scan(&chain); err != nil {
+		return nil, err
+	}
+
+	return chain, nil
+}
+
+// Add inserts the key-value pair of issuance chain.
+func (s *IssuanceChainStorage) Add(ctx context.Context, key []byte, chain []byte) error {
+	_, err := s.db.ExecContext(ctx, insertIssuanceChainSQL, key, chain)
+	if err != nil {
+		// Ignore duplicated key error.
+		var postgresqlErr *pgconn.PgError
+		if errors.As(err, &postgresqlErr) && postgresqlErr.Code == pgerrcode.UniqueViolation {
+			return nil
+		}
+		return err
+	}
+
+	return nil
+}
+
+// open takes the data source name and returns the sql.DB object.
+func open(dataSourceName string) (*sql.DB, error) {
+	// Verify data source name format.
+	conn := strings.Split(dataSourceName, "://")
+	if len(conn) != 2 {
+		return nil, errors.New("could not parse PostgreSQL data source name")
+	}
+	if conn[0] != "postgresql" && conn[0] != "postgres" {
+		return nil, errors.New("expect data source name to start with postgresql or postgres")
+	}
+
+	db, err := sql.Open("pgx", dataSourceName)
+	if err != nil {
+		// Don't log data source name as it could contain credentials.
+		klog.Errorf("could not open PostgreSQL database, check config: %s", err)
+		return nil, err
+	}
+
+	return db, nil
+}

trillian/ctfe/storage/postgresql/postgresql.go

@@ -0,0 +1,121 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package postgresql
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"database/sql"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+)
+
+func TestIssuanceChainFindByKeySuccess(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("an error '%s' was not expected when opening a stub database connection", err)
+	}
+	defer func() {
+		mock.ExpectClose()
+		if err := db.Close(); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	testVal := readTestData(t, "leaf00.chain")
+	testKey := sha256.Sum256(testVal)
+
+	issuanceChainMockRows := sqlmock.NewRows([]string{"ChainValue"}).AddRow(testVal)
+	mock.ExpectQuery(strings.ReplaceAll(selectIssuanceChainByKeySQL, "$", "\\$")).WillReturnRows(issuanceChainMockRows)
+
+	storage := mockIssuanceChainStorage(db)
+	got, err := storage.FindByKey(context.Background(), testKey[:])
+	if err != nil {
+		t.Errorf("issuanceChainStorage.FindByKey: %v", err)
+	}
+	if !bytes.Equal(got, testVal) {
+		t.Errorf("got: %v, want: %v", got, testVal)
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("there were unfulfilled expectations: %s", err)
+	}
+}
+
+func TestIssuanceChainAddSuccess(t *testing.T) {
+	db, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("an error '%s' was not expected when opening a stub database connection", err)
+	}
+	defer func() {
+		mock.ExpectClose()
+		if err := db.Close(); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	tests := setupTestData(t,
+		"leaf00.chain",
+		"leaf01.chain",
+		"leaf02.chain",
+	)
+
+	storage := mockIssuanceChainStorage(db)
+	for k, v := range tests {
+		mock.ExpectExec("INSERT INTO IssuanceChain").WithArgs([]byte(k), v).WillReturnResult(sqlmock.NewResult(1, 1))
+		if err := storage.Add(context.Background(), []byte(k), v); err != nil {
+			t.Errorf("issuanceChainStorage.Add: %v", err)
+		}
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("there were unfulfilled expectations: %s", err)
+	}
+}
+
+func readTestData(t *testing.T, filename string) []byte {
+	t.Helper()
+
+	data, err := os.ReadFile("../../../testdata/" + filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return data
+}
+
+func setupTestData(t *testing.T, filenames ...string) map[string][]byte {
+	t.Helper()
+
+	data := make(map[string][]byte, len(filenames))
+
+	for _, filename := range filenames {
+		val := readTestData(t, filename)
+		key := sha256.Sum256(val)
+		data[string(key[:])] = val
+	}
+
+	return data
+}
+
+func mockIssuanceChainStorage(db *sql.DB) *IssuanceChainStorage {
+	return &IssuanceChainStorage{
+		db: db,
+	}
+}

trillian/ctfe/storage/postgresql/postgresql_test.go

@@ -0,0 +1,24 @@
+-- Copyright 2024 Google LLC
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- PostgreSQL version of the CTFE database schema
+
+-- "IssuanceChain" table contains the hash and value pairs of the issuance chain.
+CREATE TABLE IF NOT EXISTS IssuanceChain (
+  -- Fixed-length hash of the chain of intermediate certificates and root certificates.
+  IdentityHash bytea NOT NULL,
+  -- Chain data of intermediate certificates and root certificates.
+  ChainValue   bytea NOT NULL,
+  PRIMARY KEY (IdentityHash)
+);

trillian/ctfe/storage/postgresql/schema.sql

@@ -22,6 +22,7 @@ import (
 
 	"github.com/google/certificate-transparency-go/trillian/ctfe/configpb"
 	"github.com/google/certificate-transparency-go/trillian/ctfe/storage/mysql"
+	"github.com/google/certificate-transparency-go/trillian/ctfe/storage/postgresql"
 )
 
 // IssuanceChainStorage is an interface which allows CTFE binaries to use different storage implementations for issuance chains.
@@ -33,14 +34,17 @@ type IssuanceChainStorage interface {
 	Add(ctx context.Context, key []byte, chain []byte) error
 }
 
-// NewIssuanceChainStorage returns nil for Trillian gRPC or mysql.IssuanceChainStorage when MySQL is the prefix in database connection string.
+// NewIssuanceChainStorage returns nil for Trillian gRPC, or mysql.IssuanceChainStorage or postgresql.IssuanceChainStorage
+// when mysql or postgres is the prefix in database connection string.
 func NewIssuanceChainStorage(ctx context.Context, backend configpb.LogConfig_IssuanceChainStorageBackend, dbConn string) (IssuanceChainStorage, error) {
 	switch backend {
 	case configpb.LogConfig_ISSUANCE_CHAIN_STORAGE_BACKEND_TRILLIAN_GRPC:
 		return nil, nil
 	case configpb.LogConfig_ISSUANCE_CHAIN_STORAGE_BACKEND_CTFE:
 		if strings.HasPrefix(dbConn, "mysql") {
 			return mysql.NewIssuanceChainStorage(ctx, dbConn), nil
+		} else if strings.HasPrefix(dbConn, "postgres") {
+			return postgresql.NewIssuanceChainStorage(ctx, dbConn), nil
 		}
 
 		return nil, errors.New("failed to initialise IssuanceChainService due to unsupported driver in CTFE storage connection string")

trillian/ctfe/storage/storage.go

@@ -82,10 +82,10 @@ ct_provision() {
 
   # Build config files with absolute paths
   CT_CFG=$(mktemp ${TMPDIR}/ct-XXXXXX)
-  sed "s!@TESTDATA@!${CT_GO_PATH}/trillian/testdata!" ${CT_GO_PATH}/trillian/integration/ct_integration_test.cfg > "${CT_CFG}"
+  sed "s!@TESTDATA@!${CT_GO_PATH}/trillian/testdata!" ${CT_GO_PATH}/trillian/integration${CONFIG_SUBDIR}/ct_integration_test.cfg > "${CT_CFG}"
 
   CT_LIFECYCLE_CFG=$(mktemp ${TMPDIR}/ct-XXXXXX)
-  sed "s!@TESTDATA@!${CT_GO_PATH}/trillian/testdata!" ${CT_GO_PATH}/trillian/integration/ct_lifecycle_test.cfg > "${CT_LIFECYCLE_CFG}"
+  sed "s!@TESTDATA@!${CT_GO_PATH}/trillian/testdata!" ${CT_GO_PATH}/trillian/integration${CONFIG_SUBDIR}/ct_lifecycle_test.cfg > "${CT_LIFECYCLE_CFG}"
 
   echo 'Building createtree'
   go build github.com/google/trillian/cmd/createtree/

trillian/integration/ct_functions.sh

@@ -0,0 +1,49 @@
+config {
+	log_id: @TREE_ID@
+	prefix: "athos"
+	roots_pem_file: "@TESTDATA@/fake-ca.cert"
+	roots_pem_file: "@TESTDATA@/../../testdata/gossip-root.cert"
+	public_key: {
+		der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2d\x6c\xdc\x30\xf8\x03\x5e\x7f\x0f\x90\x69\xd3\xdf\xcd\xd3\xd3\x82\x45\x7b\x0e\xa2\xcb\xa9\x48\x4c\x97\xad\x3c\xc0\x88\x6f\xdb\xc2\x95\x28\xb6\x62\xa0\x2f\x81\x89\x32\x6e\xc7\xd4\x88\xc1\xf3\xd0\x5c\x54\x64\x74\xdc\x26\xb1\xcf\x74\xc5\x25\xa6\xa1\xeb\x0f"
+	}
+	private_key: {
+		[type.googleapis.com/keyspb.PrivateKey] {
+			der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\xc4\x2d\x99\xc7\x9e\x31\x77\x99\xd7\xda\x4c\xab\xdb\xb9\x37\xeb\x95\xde\x6a\x72\x1b\x84\xbd\x0b\xfe\xb3\x4b\x1e\xce\xa8\xbb\x2f\xa1\x44\x03\x42\x00\x04\x2d\x6c\xdc\x30\xf8\x03\x5e\x7f\x0f\x90\x69\xd3\xdf\xcd\xd3\xd3\x82\x45\x7b\x0e\xa2\xcb\xa9\x48\x4c\x97\xad\x3c\xc0\x88\x6f\xdb\xc2\x95\x28\xb6\x62\xa0\x2f\x81\x89\x32\x6e\xc7\xd4\x88\xc1\xf3\xd0\x5c\x54\x64\x74\xdc\x26\xb1\xcf\x74\xc5\x25\xa6\xa1\xeb\x0f"
+		}
+	}
+	max_merge_delay_sec: 86400
+	expected_merge_delay_sec: 120 # Note: 120s is unrealistically fast for a real log, but OK for testing.
+}
+config {
+	log_id: @TREE_ID@
+	prefix: "porthos"
+	roots_pem_file: "@TESTDATA@/fake-ca.cert"
+	public_key: {
+		der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b"
+	}
+	private_key: {
+		[type.googleapis.com/keyspb.PrivateKey] {
+			der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\xd8\x8a\x49\xa2\x15\x3c\xbe\xb5\xb7\x6c\x63\xdc\xfd\xc0\x36\x64\x24\x88\xc3\x57\x9d\xfa\xd4\xa8\x70\x78\x32\x72\x29\x1a\xb1\x6f\xa1\x44\x03\x42\x00\x04\x44\x6d\x69\x2c\x00\xec\xf3\xc7\xbb\x87\x7e\x57\xea\x04\xc3\x4b\x49\x01\xc4\x9a\x19\xf2\x49\x9b\x4c\x44\x1c\xac\xe0\xff\x27\x11\xce\x94\xa8\x85\xd9\xed\x42\x22\x5c\x54\xf6\x33\x73\xa3\x3d\x8b\xe8\x53\x48\xf5\x57\x50\x61\x96\x30\x5b\xc4\x9b\xa3\x04\xc3\x4b"
+		}
+	}
+	max_merge_delay_sec: 86400
+	expected_merge_delay_sec: 120
+	extra_data_issuance_chain_storage_backend: ISSUANCE_CHAIN_STORAGE_BACKEND_TRILLIAN_GRPC
+}
+config {
+	log_id: @TREE_ID@
+	prefix: "aramis"
+	roots_pem_file: "@TESTDATA@/fake-ca.cert"
+	public_key: {
+		der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd6\xaf\x18\x80\x8c\x66\xc2\xcc\xb3\xb8\xd1\x84\x2a\xa7\xd3\x62\xae\x4f\xe3\xa5\x94\x41\x3d\x64\x65\x1c\x86\x63\x57\xc2\x06\x85\x1e\xa6\x3d\xa1\x27\x63\xc6\xcd\xe5\x9f\x41\xd6\x98\x87\x56\x19\x16\x15\x6c\xf8\x15\x35\x53\x1b\x7f\x39\x9a\x99\x38\x50\xba\x7e"
+	}
+	private_key: {
+		[type.googleapis.com/keyspb.PrivateKey] {
+			der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\x97\x94\x1f\x33\xa7\x36\xac\x0b\xcb\x11\x09\x23\x8a\xfb\x73\xc1\x17\xc5\xc5\x23\x5d\xdb\xa8\x8f\x32\x94\xc5\xdd\x67\x4b\xff\x5e\xa1\x44\x03\x42\x00\x04\xd6\xaf\x18\x80\x8c\x66\xc2\xcc\xb3\xb8\xd1\x84\x2a\xa7\xd3\x62\xae\x4f\xe3\xa5\x94\x41\x3d\x64\x65\x1c\x86\x63\x57\xc2\x06\x85\x1e\xa6\x3d\xa1\x27\x63\xc6\xcd\xe5\x9f\x41\xd6\x98\x87\x56\x19\x16\x15\x6c\xf8\x15\x35\x53\x1b\x7f\x39\x9a\x99\x38\x50\xba\x7e"
+		}
+	}
+	max_merge_delay_sec: 86400
+	expected_merge_delay_sec: 120
+	ctfe_storage_connection_string: "postgresql://postgresql:5432/defaultctdb?user=cttest&password=beeblebrox"
+	extra_data_issuance_chain_storage_backend: ISSUANCE_CHAIN_STORAGE_BACKEND_CTFE
+}

trillian/integration/postgresql/ct_integration_test.cfg

@@ -0,0 +1,48 @@
+config {
+	log_id: @TREE_ID@
+	prefix: "alpha"
+	roots_pem_file: "@TESTDATA@/fake-ca.cert"
+	public_key: {
+		der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x78\xf4\xe5\xd4\x49\x4e\xf9\xe1\x7e\x28\x5e\x88\xf5\x58\x2d\x6c\xf0\x92\xaf\xd7\xb4\x22\x75\x7b\xc6\xb4\x15\x17\xeb\x59\xad\xd4\x7e\x91\x8c\x92\xbb\x07\xa1\xba\x25\x69\xc7\x38\x04\x9f\x00\x4f\x26\xad\xc8\x54\x3a\x35\x1a\xfe\x67\xf9\x8a\xba\x2a\xdb\x77\x15"
+	}
+	private_key: {
+		[type.googleapis.com/keyspb.PrivateKey] {
+			der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\x6f\x67\x62\x64\x1e\x9e\x4d\xe7\x91\xbe\x2d\xd6\x0c\x9e\xb2\x6d\xc3\x46\xc0\x23\x5b\x4b\x77\x6e\x6e\xa3\xac\x70\x01\xf2\x71\xd2\xa1\x44\x03\x42\x00\x04\x78\xf4\xe5\xd4\x49\x4e\xf9\xe1\x7e\x28\x5e\x88\xf5\x58\x2d\x6c\xf0\x92\xaf\xd7\xb4\x22\x75\x7b\xc6\xb4\x15\x17\xeb\x59\xad\xd4\x7e\x91\x8c\x92\xbb\x07\xa1\xba\x25\x69\xc7\x38\x04\x9f\x00\x4f\x26\xad\xc8\x54\x3a\x35\x1a\xfe\x67\xf9\x8a\xba\x2a\xdb\x77\x15"
+		}
+	}
+	max_merge_delay_sec: 86400
+	expected_merge_delay_sec: 120 # Note: 120s is unrealistically fast for a real log, but OK for testing.
+}
+config {
+	log_id: @TREE_ID@
+	prefix: "beta"
+	roots_pem_file: "@TESTDATA@/fake-ca.cert"
+	public_key: {
+		der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x75\x79\x7c\x29\x9e\xbb\x39\x5b\x35\x24\x53\xd9\xfb\x58\x5d\x7f\x55\x02\x29\x7b\x3c\x9e\x7c\x72\x51\xfc\xc4\xe4\x01\x22\x00\xd3\xbc\xa9\x5a\xff\x06\x99\x5e\x55\xc8\xa9\xf9\xf2\x13\x9c\x80\xc3\xf1\x26\x1f\xe9\x55\x53\x2d\x46\xbb\x2f\x10\x85\xf9\x17\xe2\xe8"
+	}
+	private_key: {
+		[type.googleapis.com/keyspb.PrivateKey] {
+			der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\x6b\x0d\xda\x1d\x9f\x23\x43\x94\xea\xa8\xce\x8e\x3b\x05\x71\x6c\xf1\xff\xd5\x0a\x14\xb4\xad\x9a\x9c\x9c\x0a\x64\x29\xb6\xa1\x1d\xa1\x44\x03\x42\x00\x04\x75\x79\x7c\x29\x9e\xbb\x39\x5b\x35\x24\x53\xd9\xfb\x58\x5d\x7f\x55\x02\x29\x7b\x3c\x9e\x7c\x72\x51\xfc\xc4\xe4\x01\x22\x00\xd3\xbc\xa9\x5a\xff\x06\x99\x5e\x55\xc8\xa9\xf9\xf2\x13\x9c\x80\xc3\xf1\x26\x1f\xe9\x55\x53\x2d\x46\xbb\x2f\x10\x85\xf9\x17\xe2\xe8"
+		}
+	}
+	max_merge_delay_sec: 86400
+	expected_merge_delay_sec: 120
+	extra_data_issuance_chain_storage_backend: ISSUANCE_CHAIN_STORAGE_BACKEND_TRILLIAN_GRPC
+}
+config {
+	log_id: @TREE_ID@
+	prefix: "gamma"
+	roots_pem_file: "@TESTDATA@/fake-ca.cert"
+	public_key: {
+		der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x55\x32\x88\x34\xe9\x87\x81\x16\x6f\x41\xb3\xd5\x9d\x64\xae\x6c\x24\xbc\x9c\x6a\x21\x41\x0b\xb8\xd6\x0a\xf7\x8f\xc0\x7a\x0a\xc4\x10\xcf\x88\x0e\xa6\x78\xfd\xba\xde\x4f\x1f\x2b\xc7\x06\xec\x71\xed\x77\x34\xb1\xc7\x7d\xe5\x43\xd3\xdc\x15\x6f\x69\x7b\xf0\x56"
+	}
+	private_key: {
+		[type.googleapis.com/keyspb.PrivateKey] {
+			der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\xff\x81\x10\xd0\xb3\x06\x48\xf6\x75\x68\x77\x16\x95\xdd\x34\x80\x4c\x3e\x0f\x60\xc9\x2c\x5a\xf4\xe4\xcf\x07\xc7\x06\x68\xb3\x73\xa1\x44\x03\x42\x00\x04\x55\x32\x88\x34\xe9\x87\x81\x16\x6f\x41\xb3\xd5\x9d\x64\xae\x6c\x24\xbc\x9c\x6a\x21\x41\x0b\xb8\xd6\x0a\xf7\x8f\xc0\x7a\x0a\xc4\x10\xcf\x88\x0e\xa6\x78\xfd\xba\xde\x4f\x1f\x2b\xc7\x06\xec\x71\xed\x77\x34\xb1\xc7\x7d\xe5\x43\xd3\xdc\x15\x6f\x69\x7b\xf0\x56"
+		}
+	}
+	max_merge_delay_sec: 86400
+	expected_merge_delay_sec: 120
+	ctfe_storage_connection_string: "postgresql://postgresql:5432/defaultctdb?user=cttest&password=beeblebrox"
+	extra_data_issuance_chain_storage_backend: ISSUANCE_CHAIN_STORAGE_BACKEND_CTFE
+}