feat: M15b — OCSP responder, DER CRL, short-lived exemption, revocation GUI

Backend: - Embedded OCSP responder: GET /api/v1/ocsp/{issuer_id}/{serial} returns signed OCSP responses (good/revoked/unknown) using CA key - DER-encoded X.509 CRL: GET /api/v1/crl/{issuer_id} returns proper DER CRL signed by issuing CA with 24h validity window - Short-lived cert exemption: certs with profile TTL < 1 hour skip CRL/OCSP (expiry is sufficient revocation for ephemeral workloads) - Extended issuer connector interface with GenerateCRL and SignOCSPResponse - Local CA implements full CRL/OCSP signing; ACME and step-ca return appropriate "use native endpoint" errors - IssuerConnectorAdapter bridges new methods between layers Frontend: - Revoke button on certificate detail page with RFC 5280 reason modal - Revocation banner with reason display and timestamp - Revocation status indicators in lifecycle section - "Revoked" filter option in certificates list - API client: revokeCertificate() function and Certificate type extensions Tests: ~31 new tests across connector, service, handler, and adapter layers Docs: milestones renumbered (M13-M14, M16-M18), M15b marked complete Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-10 06:18:51 +00:00 · 2026-03-22 14:39:10 -04:00
parent 12e6150219
commit 762c523d59
22 changed files with 1470 additions and 15 deletions
@@ -26,6 +26,8 @@ type MockCertificateService struct {
 	TriggerDeploymentFn      func(certID string, targetID string) error
 	RevokeCertificateFn      func(certID string, reason string) error
 	GetRevokedCertificatesFn func() ([]*domain.CertificateRevocation, error)
+	GenerateDERCRLFn         func(issuerID string) ([]byte, error)
+	GetOCSPResponseFn        func(issuerID string, serialHex string) ([]byte, error)
 }

 func (m *MockCertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
@@ -98,6 +100,20 @@ func (m *MockCertificateService) GetRevokedCertificates() ([]*domain.Certificate
 	return nil, nil
 }

+func (m *MockCertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
+	if m.GenerateDERCRLFn != nil {
+		return m.GenerateDERCRLFn(issuerID)
+	}
+	return nil, nil
+}
+
+func (m *MockCertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+	if m.GetOCSPResponseFn != nil {
+		return m.GetOCSPResponseFn(issuerID, serialHex)
+	}
+	return nil, nil
+}
+
 // Helper function to create context with request ID.
 func contextWithRequestID() context.Context {
 	return context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-123")
@@ -1042,3 +1058,181 @@ func TestGetCRL_MethodNotAllowed(t *testing.T) {
 		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
 	}
 }
+
+// M15b: DER CRL and OCSP Handler Tests
+
+func TestGetDERCRL_Success(t *testing.T) {
+	derCRLData := []byte{0x30, 0x82, 0x01, 0x00} // Mock DER CRL bytes
+	mock := &MockCertificateService{
+		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+			if issuerID == "iss-local" {
+				return derCRLData, nil
+			}
+			return nil, fmt.Errorf("issuer not found")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/iss-local/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetDERCRL(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
+	}
+
+	// Verify response is DER data
+	responseBody := w.Body.Bytes()
+	if len(responseBody) == 0 {
+		t.Error("expected non-empty response body")
+	}
+}
+
+func TestGetDERCRL_IssuerNotFound(t *testing.T) {
+	mock := &MockCertificateService{
+		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+			return nil, fmt.Errorf("issuer not found")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/nonexistent/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetDERCRL(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
+	}
+}
+
+func TestGetDERCRL_NotSupported(t *testing.T) {
+	mock := &MockCertificateService{
+		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+			return nil, fmt.Errorf("issuer does not support CRL generation")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/iss-acme/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetDERCRL(w, req)
+
+	// Service should return an error; handler routes to appropriate status
+	if w.Code == http.StatusOK {
+		t.Errorf("expected error status, got %d", w.Code)
+	}
+}
+
+func TestGetDERCRL_MethodNotAllowed(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers/iss-local/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetDERCRL(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
+	}
+}
+
+func TestHandleOCSP_Success(t *testing.T) {
+	ocspResponseBytes := []byte{0x30, 0x82, 0x02, 0x00} // Mock OCSP response
+	mock := &MockCertificateService{
+		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+			if issuerID == "iss-local" && serialHex == "12345" {
+				return ocspResponseBytes, nil
+			}
+			return nil, fmt.Errorf("certificate not found")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/iss-local/ocsp?serial=12345", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.HandleOCSP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
+	}
+
+	responseBody := w.Body.Bytes()
+	if len(responseBody) == 0 {
+		t.Error("expected non-empty OCSP response body")
+	}
+}
+
+func TestHandleOCSP_MissingSerial(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/iss-local/ocsp", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.HandleOCSP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
+	}
+}
+
+func TestHandleOCSP_IssuerNotFound(t *testing.T) {
+	mock := &MockCertificateService{
+		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+			return nil, fmt.Errorf("issuer not found")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/nonexistent/ocsp?serial=ABC123", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.HandleOCSP(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
+	}
+}
+
+func TestHandleOCSP_CertNotFound(t *testing.T) {
+	mock := &MockCertificateService{
+		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+			return nil, fmt.Errorf("certificate not found")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/iss-local/ocsp?serial=UNKNOWN", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.HandleOCSP(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
+	}
+}
+
+func TestHandleOCSP_MethodNotAllowed(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers/iss-local/ocsp?serial=12345", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.HandleOCSP(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
+	}
+}