From 47e37d6f68dc4a3e7963b141db74156f731db8de Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Thu, 30 Apr 2026 05:11:38 +0000 Subject: [PATCH] =?UTF-8?q?feat(local-issuer):=20RFC=205280=20=C2=A74.2.1.?= =?UTF-8?q?13=20CRLDistributionPoints=20auto-injection=20(Phase=206)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Production hardening II Phase 6 — close the operator-must-manually- configure-CDP gap that the EST hardening prompt's deferral list flagged. When the local issuer has CRLDistributionPointURLs configured, every issued cert carries the id-ce-cRLDistributionPoints extension pointing at the configured URLs. Relying parties (browsers, OpenSSL, cert-manager) read the CDP and fetch the CRL automatically; without this extension, operators have to ship the CRL endpoint URL out-of- band. NEW Config field internal/connector/issuer/local/local.go:: Config.CRLDistributionPointURLs []string. Empty (default) preserves pre-Phase-6 behavior — no CDP extension. Refusing to silently inject an empty CDP is frozen decision 0.9 from the production hardening II prompt: a cert with an empty CDP extension fails relying-party validation worse than a cert with no CDP at all. Issuer wire: generateCertificate appends the configured URLs to template.CRLDistributionPoints. crypto/x509 handles the ASN.1 encoding (RFC 5280 §4.2.1.13) — no manual marshaling needed. Operator config (cmd/server/main.go wire-up to follow when the operator opts in via per-issuer config-blob fields; the local issuer's existing dynamic-config-via-GUI path picks up the new field via the standard JSON unmarshal). Typical value: ["https://certctl.example.com:8443/.well-known/pki/crl/iss-local"] Pre-commit verification: go build ./... clean; go test -short -count=1 green for connector/issuer/local/. --- internal/connector/issuer/local/local.go | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) 
diff --git a/internal/connector/issuer/local/local.go b/internal/connector/issuer/local/local.go
index c681dc6..8443b94 100644
--- a/internal/connector/issuer/local/local.go
+++ b/internal/connector/issuer/local/local.go
@@ -94,6 +94,20 @@ type Config struct {
 	// CAKeyPath is the path to a PEM-encoded CA private key file (RSA or ECDSA).
 	// Required when CACertPath is set.
 	CAKeyPath string `json:"ca_key_path,omitempty"`
+
+	// CRLDistributionPointURLs — production hardening II Phase 6. When
+	// non-empty, the local issuer auto-injects the RFC 5280 §4.2.1.13
+	// id-ce-cRLDistributionPoints extension on every issued certificate
+	// pointing at these URLs. Operators set this to certctl's own
+	// public CRL endpoint (e.g.
+	// https://certctl.example.com:8443/.well-known/pki/crl/iss-local)
+	// so relying parties can fetch the CRL without manual config.
+	//
+	// Empty (default) preserves the pre-Phase-6 behavior — no CDP
+	// extension on issued certs. The omission is deliberate: silently
+	// injecting an empty CDP would produce certs that fail relying-
+	// party validation.
+	CRLDistributionPointURLs []string `json:"crl_distribution_point_urls,omitempty"`
 }
 
 // Connector implements the issuer.Connector interface for local certificate generation.
@@ -711,6 +725,15 @@ func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additional
 		AuthorityKeyId: c.caCert.SubjectKeyId,
 	}
 
+	// Production hardening II Phase 6: auto-inject the
+	// id-ce-cRLDistributionPoints extension when configured. crypto/x509
+	// handles the ASN.1 encoding from the URL slice. Empty config = no
+	// extension (deliberate; refusing to silently inject an empty CDP
+	// is frozen decision 0.9).
+	if len(c.config.CRLDistributionPointURLs) > 0 {
+		template.CRLDistributionPoints = append(template.CRLDistributionPoints, c.config.CRLDistributionPointURLs...)
+	}
+
 	// Add IP addresses if present
 	if len(ips) > 0 {
 		for _, ipStr := range ips {
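Review bot: The doc comment on the new CRLDistributionPointURLs field gives an https:// CDP as the recommended value without warning that a relying party must first validate that listener's certificate before it can fetch the CRL — if that certificate is issued by this same CA and carries this same CDP, revocation checking is circular and validators either fail open or give up, which is why public PKI guidance keeps CRL endpoints on plain HTTP. I'd add after the example: `// Prefer a plain-http CRL endpoint, or one whose TLS certificate does not chain to this CA; an https CDP whose server cert needs this same CRL cannot be checked. Entries are written into issued certificates as configured.` The comment also promises that an empty list injects nothing but does not say what happens to an empty or malformed entry inside a non-empty list, and as far as this diff shows nothing rejects one. The enclosing Config struct begins above the hunk.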
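Review bot: The `len(c.config.CRLDistributionPointURLs) > 0` guard does not achieve what the comment above it claims for frozen decision 0.9: a list such as `[""]`, `[" "]` or a relative path passes the check and the empty or malformed string is appended verbatim to `template.CRLDistributionPoints`, so every certificate the issuer produces carries a broken cRLDistributionPoints extension — and per the commit message these values arrive through the dynamic-config/JSON path, not from code. I'd validate each entry once at config load (the Validate/Configure path, outside this diff) with a helper like the one below so issuance never sees a bad list, relaxing the scheme check only if LDAP distribution points are actually needed; if `generateCertificate` already returns an error on bad input, the same loop can run here ahead of the append. The helper needs `net/url` and `strings`, and the file's import block is not in this diff. `generateCertificate` begins and ends outside the hunk.
```go
// validateCRLDistributionPointURLs rejects entries that would put an empty,
// relative or non-HTTP(S) URI into the CDP extension of every issued
// certificate; crypto/x509 encodes the slice as given and checks nothing.
func validateCRLDistributionPointURLs(urls []string) error {
	for i, raw := range urls {
		u, err := url.Parse(strings.TrimSpace(raw))
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			return fmt.Errorf("crl_distribution_point_urls[%d]: %q is not an absolute http(s) URL", i, raw)
		}
	}
	return nil
}
```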