gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 19:28:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(crypto): per-ciphertext PBKDF2 salt + v2 versioned format with v1 fallback (M-8)

Browse Source
This commit is contained in:
shankar0123
2026-04-17 05:36:29 +00:00
parent b1df6dab27
commit 5abeeb882b
16 changed files with 580 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/service/issuer_registry.go
+6 -1
View File
@@ -72,7 +72,12 @@ func (r *IssuerRegistry) Len() int {
// For each enabled issuer, it decrypts the config (if encryption key is set),
// instantiates a connector via the factory, wraps it in an adapter, and
// atomically swaps the entire map.
func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey []byte) error {
//
// The encryption passphrase is passed as a string; per-ciphertext salt derivation
// for v2 blobs is performed inside [crypto.DecryptIfKeySet]. Empty passphrase
// fails closed via [crypto.ErrEncryptionKeyRequired] when encrypted configs
// are encountered. See M-8 in certctl-audit-report.md.
func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey string) error {
newIssuers := make(map[string]IssuerConnector)
var errors []string