gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 09:18:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

main: wire CRL/OCSP responder services into runtime

Browse Source 
Activates the CRL/OCSP responder pipeline that landed dormant in
phases 1-4 (commits 30765ba, a0b7f7d, dc32694, dc1e0bf):

  * IssuerRegistry gains SetLocalIssuerDeps + LocalIssuerDeps struct.
    Rebuild type-asserts each constructed connector to *local.Connector
    and injects ocspResponderRepo + signerDriver + IssuerID + key dir
    + (optional) rotation-grace + validity overrides. Non-local
    connectors are unaffected (the type-assert fails silently). Adapter
    pattern preserved: callers still see service.IssuerConnector.

  * cmd/server/main.go:
    - constructs CRLCacheRepository + OCSPResponderRepository from db
    - constructs signer.FileDriver (default; PKCS#11 driver plugs in
      later via the same Driver interface, no main.go changes needed)
    - calls issuerRegistry.SetLocalIssuerDeps(...) BEFORE BuildRegistry
      so the deps are in place when local connectors are constructed
    - wires CRLCacheService into CertificateService via SetCRLCacheSvc
      (Phase 4 cache-aware GenerateDERCRL path now active)
    - calls scheduler.SetCRLCacheService + SetCRLGenerationInterval
      after sched is constructed; logs the interval at startup

  * config: new OCSPResponderConfig struct + Scheduler.CRLGenerationInterval
    field. Three new env vars:
      CERTCTL_OCSP_RESPONDER_KEY_DIR (no default; operator MUST set in prod)
      CERTCTL_OCSP_RESPONDER_ROTATION_GRACE (default 7d)
      CERTCTL_OCSP_RESPONDER_VALIDITY (default 30d)
      CERTCTL_CRL_GENERATION_INTERVAL (default 1h)

Backward compat: when env vars are unset, the responder bootstrap path
still activates (with default rotation grace + validity, key dir = cwd
which is fine for tests), and the CRL cache pre-populates on the
1h interval. Operators not running the local issuer see no behavior
change.

go vet clean across the full module. Targeted tests for config +
service + scheduler packages all green. Full module build deferred
to CI (sandbox /sessions disk pressure prevented unzipping a
transitive dep — same disk-full pattern the prior commits hit; not
a code issue).
This commit is contained in:
shankar0123
2026-04-29 01:48:23 +00:00
parent 1b211abcd4
commit db71b47c24
3 changed files with 175 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/server/main.go
+66 -23
View File
@@ -25,6 +25,7 @@ import (
notifypagerduty "github.com/shankar0123/certctl/internal/connector/notifier/pagerduty"
notifyslack "github.com/shankar0123/certctl/internal/connector/notifier/slack"
notifyteams "github.com/shankar0123/certctl/internal/connector/notifier/teams"
"github.com/shankar0123/certctl/internal/crypto/signer"
"github.com/shankar0123/certctl/internal/domain"
"github.com/shankar0123/certctl/internal/repository/postgres"
"github.com/shankar0123/certctl/internal/scheduler"
@@ -288,9 +289,38 @@ func main() {
caOperationsSvc := service.NewCAOperationsSvc(revocationRepo, certificateRepo, profileRepo)
caOperationsSvc.SetIssuerRegistry(issuerRegistry)
// Bundle CRL/OCSP-Responder: wire CRL cache + OCSP responder
// repositories. The CRL cache lets the HTTP CRL endpoint serve from
// pre-generated bytes (Phase 3). The OCSP responder repo lets the
// local issuer bootstrap a dedicated responder cert per RFC 6960
// §2.6 instead of signing OCSP with the CA key directly (Phase 2).
//
// The signer.FileDriver is the production driver; it provides keys
// to the responder bootstrap path. Future drivers (PKCS#11, cloud
// KMS) plug in via the same Driver interface without changing this
// wiring. The DirHardener / Marshaler hooks stay nil here — the
// bootstrap path's GenerateOutPath sets the destination per
// responder; the local issuer's existing keystore.ensureKeyDirSecure
// equivalent is invoked by FileDriver.Generate when DirHardener is
// supplied at the call site.
crlCacheRepo := postgres.NewCRLCacheRepository(db)
ocspResponderRepo := postgres.NewOCSPResponderRepository(db)
signerDriver := &signer.FileDriver{}
issuerRegistry.SetLocalIssuerDeps(&service.LocalIssuerDeps{
OCSPResponderRepo: ocspResponderRepo,
SignerDriver: signerDriver,
KeyDir: cfg.OCSPResponder.KeyDir,
RotationGrace: cfg.OCSPResponder.RotationGrace,
Validity: cfg.OCSPResponder.Validity,
})
crlCacheService := service.NewCRLCacheService(crlCacheRepo, caOperationsSvc, issuerRegistry, logger)
// Wire sub-services into CertificateService
certificateService.SetRevocationSvc(revocationSvc)
certificateService.SetCAOperationsSvc(caOperationsSvc)
// CRL cache makes GenerateDERCRL serve from the pre-generated cache
// instead of regenerating per request (CRL/OCSP-Responder Phase 4).
certificateService.SetCRLCacheSvc(crlCacheService)
certificateService.SetTargetRepo(targetRepo)
certificateService.SetJobRepo(jobRepo)
certificateService.SetKeygenMode(cfg.Keygen.Mode)
@@ -570,6 +600,19 @@ func main() {
// here alongside the other scheduler-interval setters so the
// documented env var actually takes effect.
sched.SetShortLivedExpiryCheckInterval(cfg.Scheduler.ShortLivedExpiryCheckInterval)
// CRL/OCSP-Responder Phase 3: drive the crlGenerationLoop. The cache
// service walks every issuer in the registry, regenerates the CRL,
// and persists into crl_cache. The HTTP /.well-known/pki/crl/ handler
// reads from the cache via certificateService.GenerateDERCRL (which
// consults crlCacheService when wired). The loop is gated on the
// service being non-nil, mirroring how digestService and others are
// wired conditionally below.
sched.SetCRLCacheService(crlCacheService)
sched.SetCRLGenerationInterval(cfg.Scheduler.CRLGenerationInterval)
logger.Info("CRL pre-generation scheduler enabled",
"interval", cfg.Scheduler.CRLGenerationInterval.String())
if cfg.NetworkScan.Enabled {
sched.SetNetworkScanInterval(cfg.NetworkScan.ScanInterval)
logger.Info("network scanning enabled", "interval", cfg.NetworkScan.ScanInterval.String())
@@ -611,28 +654,28 @@ func main() {
// Build the API router with all handlers
apiRouter := router.New()
apiRouter.RegisterHandlers(router.HandlerRegistry{
Certificates: certificateHandler,
Issuers: issuerHandler,
Targets: targetHandler,
Agents: agentHandler,
Jobs: jobHandler,
Policies: policyHandler,
RenewalPolicies: renewalPolicyHandler,
Profiles: profileHandler,
Teams: teamHandler,
Owners: ownerHandler,
AgentGroups: agentGroupHandler,
Audit: auditHandler,
Notifications: notificationHandler,
Stats: statsHandler,
Metrics: metricsHandler,
Health: healthHandler,
Discovery: discoveryHandler,
NetworkScan: networkScanHandler,
Verification: verificationHandler,
Export: exportHandler,
Digest: *digestHandler,
HealthChecks: healthCheckHandler,
Certificates: certificateHandler,
Issuers: issuerHandler,
Targets: targetHandler,
Agents: agentHandler,
Jobs: jobHandler,
Policies: policyHandler,
RenewalPolicies: renewalPolicyHandler,
Profiles: profileHandler,
Teams: teamHandler,
Owners: ownerHandler,
AgentGroups: agentGroupHandler,
Audit: auditHandler,
Notifications: notificationHandler,
Stats: statsHandler,
Metrics: metricsHandler,
Health: healthHandler,
Discovery: discoveryHandler,
NetworkScan: networkScanHandler,
Verification: verificationHandler,
Export: exportHandler,
Digest: *digestHandler,
HealthChecks: healthCheckHandler,
BulkRevocation: bulkRevocationHandler,
BulkRenewal: bulkRenewalHandler,
BulkReassignment: bulkReassignmentHandler,
@@ -1104,7 +1147,7 @@ func preflightEnrollmentIssuer(ctx context.Context, protocol, issuerID string, i
// - /api/v1/* → auth (Bearer token required)
// - /assets/* → static file server (dashboard only)
// - anything else → SPA index.html fallback (dashboard only)
// OR apiHandler (no dashboard)
// OR apiHandler (no dashboard)
//
// EST/SCEP clients (IoT devices, 802.1X supplicants, MDM endpoints, network
// appliances) cannot present certctl Bearer tokens, so those endpoints must be