feat(M11c): crypto policy enforcement — CSR validation, MaxTTL caps, key metadata

Enforce certificate profile crypto constraints across all 5 issuance paths (renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs with key algorithm/size that don't match profile rules. MaxTTL enforcement caps certificate validity per issuer connector (Local CA, Vault, step-ca enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and size are now persisted in certificate_versions for audit compliance. 16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded version number from GUI sidebar. Documentation updated across architecture, features, connectors, and README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 12:19:05 +00:00 · 2026-04-15 21:05:14 -04:00
parent e8ddd3c327
commit ff223e2586
22 changed files with 779 additions and 70 deletions
@@ -160,11 +160,17 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 		"common_name", request.CommonName,
 		"san_count", len(request.SANs))

+	// Determine TTL — cap to MaxTTLSeconds from profile if specified
+	ttl := c.config.TTL
+	if request.MaxTTLSeconds > 0 {
+		ttl = fmt.Sprintf("%ds", request.MaxTTLSeconds)
+	}
+
 	// Build the sign request body
 	signBody := map[string]interface{}{
 		"csr":         request.CSRPEM,
 		"common_name": request.CommonName,
-		"ttl":         c.config.TTL,
+		"ttl":         ttl,
 	}

 	if len(request.SANs) > 0 {
@@ -267,10 +273,11 @@ func (c *Connector) RenewCertificate(ctx context.Context, request issuer.Renewal
 		"san_count", len(request.SANs))

 	return c.IssueCertificate(ctx, issuer.IssuanceRequest{
-		CommonName: request.CommonName,
-		SANs:       request.SANs,
-		CSRPEM:     request.CSRPEM,
-		EKUs:       request.EKUs,
+		CommonName:    request.CommonName,
+		SANs:          request.SANs,
+		CSRPEM:        request.CSRPEM,
+		EKUs:          request.EKUs,
+		MaxTTLSeconds: request.MaxTTLSeconds,
 	})
 }