gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 06:28:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(M11c): crypto policy enforcement — CSR validation, MaxTTL caps, key metadata

Browse Source 
Enforce certificate profile crypto constraints across all 5 issuance paths
(renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs
with key algorithm/size that don't match profile rules. MaxTTL enforcement
caps certificate validity per issuer connector (Local CA, Vault, step-ca
enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and
size are now persisted in certificate_versions for audit compliance.

16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded
version number from GUI sidebar. Documentation updated across architecture,
features, connectors, and README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
2026-04-15 21:05:14 -04:00
parent f16a9c767a
commit f2e60b93a3
22 changed files with 779 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/issuer/stepca/stepca.go
+15 -5
View File
@@ -201,10 +201,19 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
CsrPEM: request.CSRPEM,
OTT: ott,
}
if c.config.ValidityDays > 0 {
if c.config.ValidityDays > 0 || request.MaxTTLSeconds > 0 {
now := time.Now()
signReq.NotBefore = now
signReq.NotAfter = now.AddDate(0, 0, c.config.ValidityDays)
if c.config.ValidityDays > 0 {
signReq.NotAfter = now.AddDate(0, 0, c.config.ValidityDays)
}
// Cap validity to MaxTTLSeconds if profile specifies a maximum
if request.MaxTTLSeconds > 0 {
maxNotAfter := now.Add(time.Duration(request.MaxTTLSeconds) * time.Second)
if signReq.NotAfter.IsZero() || maxNotAfter.Before(signReq.NotAfter) {
signReq.NotAfter = maxNotAfter
}
}
}
body, err := json.Marshal(signReq)
@@ -266,9 +275,10 @@ func (c *Connector) RenewCertificate(ctx context.Context, request issuer.Renewal
"san_count", len(request.SANs))
return c.IssueCertificate(ctx, issuer.IssuanceRequest{
CommonName: request.CommonName,
SANs: request.SANs,
CSRPEM: request.CSRPEM,
CommonName: request.CommonName,
SANs: request.SANs,
CSRPEM: request.CSRPEM,
MaxTTLSeconds: request.MaxTTLSeconds,
})
}