gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 09:48:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: M15b — OCSP responder, DER CRL, short-lived exemption, revocation GUI

Browse Source 
Backend:
- Embedded OCSP responder: GET /api/v1/ocsp/{issuer_id}/{serial} returns
  signed OCSP responses (good/revoked/unknown) using CA key
- DER-encoded X.509 CRL: GET /api/v1/crl/{issuer_id} returns proper DER CRL
  signed by issuing CA with 24h validity window
- Short-lived cert exemption: certs with profile TTL < 1 hour skip CRL/OCSP
  (expiry is sufficient revocation for ephemeral workloads)
- Extended issuer connector interface with GenerateCRL and SignOCSPResponse
- Local CA implements full CRL/OCSP signing; ACME and step-ca return
  appropriate "use native endpoint" errors
- IssuerConnectorAdapter bridges new methods between layers

Frontend:
- Revoke button on certificate detail page with RFC 5280 reason modal
- Revocation banner with reason display and timestamp
- Revocation status indicators in lifecycle section
- "Revoked" filter option in certificates list
- API client: revokeCertificate() function and Certificate type extensions

Tests: ~31 new tests across connector, service, handler, and adapter layers
Docs: milestones renumbered (M13-M14, M16-M18), M15b marked complete

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Shankar
2026-03-22 14:39:10 -04:00
parent c2cd48c38b
commit 458a8c2740
22 changed files with 1470 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/issuer/interface.go
+26
View File
@@ -3,6 +3,7 @@ package issuer
import (
"context"
"encoding/json"
"math/big"
"time"
)
@@ -22,6 +23,14 @@ type Connector interface {
// GetOrderStatus retrieves the status of an issuance or renewal order.
GetOrderStatus(ctx context.Context, orderID string) (*OrderStatus, error)
// GenerateCRL generates a DER-encoded X.509 CRL signed by this issuer.
// Returns nil if the issuer does not support CRL generation (e.g., ACME).
GenerateCRL(ctx context.Context, revokedCerts []RevokedCertEntry) ([]byte, error)
// SignOCSPResponse signs an OCSP response for the given certificate serial.
// Returns nil if the issuer does not support OCSP (e.g., ACME).
SignOCSPResponse(ctx context.Context, req OCSPSignRequest) ([]byte, error)
}
// IssuanceRequest contains the parameters for issuing a new certificate.
@@ -67,3 +76,20 @@ type OrderStatus struct {
NotAfter *time.Time `json:"not_after,omitempty"`
UpdatedAt time.Time `json:"updated_at"`
}
// RevokedCertEntry represents a revoked certificate for CRL generation.
type RevokedCertEntry struct {
SerialNumber *big.Int
RevokedAt time.Time
ReasonCode int
}
// OCSPSignRequest contains the parameters for signing an OCSP response.
type OCSPSignRequest struct {
CertSerial *big.Int
CertStatus int // 0=good, 1=revoked, 2=unknown
RevokedAt time.Time
RevocationReason int
ThisUpdate time.Time
NextUpdate time.Time
}