certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:41:30 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	8b75e0311b	chore: rename Go module path to github.com/certctl-io/certctl Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol sub-module's go.mod, every Go file's import path (361 files), and a rebuild of the checked-in f5-mock-icontrol binary so its embedded build-info reflects the new module path. No behavior change. Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A (keep module path declared as github.com/shankar0123/certctl regardless of repo URL) shipped on the day of the org transfer (2026-05-03) since we had no external Go consumers; this commit closes that deferral. Backward-compat: GitHub HTTP redirects continue to forward github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL level, but Go's module proxy uses the path declared in go.mod as the canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...` hit a "module path mismatch" error because go.mod said github.com/shankar0123/certctl and the URL they fetched it from said certctl-io/certctl. Post-fix, the canonical name and the URL agree, so go get / go install / external Go consumers / Go-tooling integrations work cleanly via either the new path (preferred) or the old path (which redirects and Go follows the redirect for source fetch). Anyone still importing the old path inside their own code keeps working provided they update their go.mod's `require` line to match — the module path declared in their consumer's go.sum / go.mod is the authoritative import name, so a mass sed across their import statements is the migration on the consumer side. No external consumers exist today. Diff shape: 361 *.go files — import path replacement only 2 go.mod — module declaration replacement only 1 binary — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt so embedded build-info reflects the new path (8618965 vs 8618933 bytes; 32-byte diff is the build-info change) Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure mechanical substitution. Verification: gofmt: 17 files needed re-alignment after sed (the new path is one char shorter than the old, so column-aligned import groups drifted). Applied `gofmt -w` to fix. go mod tidy: clean exit on both modules. go vet ./...: clean exit. go build ./...: clean exit. go test -short -count=1 on representative packages: all green (internal/domain, internal/validation, internal/crypto, internal/crypto/signer, cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...` confirming the module path resolves correctly. binary: f5-mock-icontrol rebuilt; `strings \| grep shankar0123` returns nothing; `strings \| grep certctl-io/certctl` shows the new module path embedded in build-info. Files intentionally NOT touched in this commit: README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io URLs in commit `0729ee4` (the post-transfer URL refresh). This commit is purely the Go-tooling layer. Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account namespace, not a Go import or GitHub repo URL. Stays. This is a non-blocking, non-customer-impacting change. Operators pulling container images, running `make verify`, hitting the API, or installing the agent see no functional difference. Only Go-tooling consumers (none today) are affected, and they're enabled — not broken — by this commit.	2026-05-04 00:30:29 +00:00
shankar0123	4dc8d3fa5b	acme-server: key rollover + revocation + ARI (Phase 4/7) Closes the RFC 8555 + RFC 9773 surface beyond the issuance happy-path: - POST /acme/profile/<id>/key-change (RFC 8555 §7.3.5) - POST /acme/profile/<id>/revoke-cert (RFC 8555 §7.6) - GET /acme/profile/<id>/renewal-info/<cert-id> (RFC 9773 ARI) After this commit, ACME clients can rotate account keys, revoke certs through the ACME surface (rather than only via the certctl GUI/API), and fetch ARI for proactive renewal scheduling. Architecture: - Key rollover: outer JWS verified against the registered account key (existing kid path); the inner JWS — embedded as the outer's payload — verified against the embedded NEW jwk in a new dedicated routine (ParseAndVerifyKeyChangeInner) that enforces RFC 8555 §7.3.5 inner-only invariants: MUST use jwk + MUST NOT use kid, payload .account == outer.kid, payload.oldKey thumbprint-equals registered. A single WithinTx swaps the stored thumbprint+pem and writes the audit row. Concurrent-rollover safety via SELECT…FOR UPDATE on the conflicting account row in UpdateAccountJWKWithTx; the loser observes the winner's new thumbprint and is told to retry (409). - Revocation: two auth paths. kid → AccountOwnsCertificate single- indexed COUNT lookup over acme_orders. jwk → constant-time RFC 7638 thumbprint compare against the cert's pubkey. Both paths route through service.RevocationSvc.RevokeCertificateWithActor so the existing CRL/OCSP refresh + audit + metrics pipeline applies. RFC 5280 §5.3.1 numeric reason codes clamp to certctl's domain.ValidRevocationReasons; codes 8 (removeFromCRL) + 10 (aACompromise) clamp to 'unspecified' since they aren't in the set. - ARI is GET-only and unauth per RFC 9773 §4. Cert-id wire shape is base64url(AKI).base64url(serial); ParseARICertID strict-decodes, SerialHex emits the canonical certctl-shape lowercase-no-leading- zeros hex used in certificate_versions.serial_number. ComputeRenewalWindow has 3 branches: bound RenewalPolicy → [notAfter - days, notAfter - days/2]; no policy → last 33% of validity; past expiry → [now, now + 1d] (renew immediately). Retry-After honors CERTCTL_ACME_SERVER_ARI_POLL_INTERVAL. What ships: - internal/api/acme/{keychange,ari}.go (+ phase4_test.go: 15 tests). - internal/api/acme/order.go: RevokeCertRequest wire shape. - internal/api/handler/acme.go: KeyChange, RevokeCert, RenewalInfo + 11 new writeServiceError mappings. - internal/repository/postgres/acme.go: UpdateAccountJWKWithTx (FOR UPDATE + expectedOldThumbprint precondition; ErrACMEAccountKey- ConcurrentUpdate sentinel) + AccountOwnsCertificate. - internal/service/acme.go: RotateAccountKey + RevokeCert + RenewalInfo; CertificateRevoker + RenewalPolicyLookup interfaces; SetRevocationDelegate + SetRenewalPolicyLookup wiring; 11 new sentinels; 6 new metrics. - internal/service/acme_phase4_test.go: service-layer tests for RotateAccountKey (happy + duplicate-key) + RevokeCert (kid mismatch + jwk mismatch + jwk happy + already-revoked + reason-clamping) + RenewalInfo (disabled + bad cert-id). - internal/api/router/router.go: 6 new register calls (3 per-profile + 3 shorthand). Router parity exceptions extended in lockstep (in-tree SpecParityExceptions + CI-only openapi-handler-exceptions .yaml). - cmd/server/main.go: SetRevocationDelegate(revocationSvc) + SetRenewalPolicyLookup(renewalPolicyRepo) at startup. - internal/config/config.go: CERTCTL_ACME_SERVER_ARI_ENABLED (default true) + CERTCTL_ACME_SERVER_ARI_POLL_INTERVAL (default 6h); BuildDirectory's ariEnabled flag now flips on under cfg.ARIEnabled. - docs/acme-server.md: phase status flipped to Phase 4; endpoints table grows 6 rows (3 per-profile + 3 shorthand); FAQ section appended explaining how to rotate keys, revoke certs, and consume ARI. Tests: - 'go vet ./...' clean across the repo. - 'go test -short -count=1 ./...' green across every package. - phase4_test.go covers: keychange happy-path + 5 negatives + MapKeyChangeErrorToProblem coverage; ARI cert-id round-trip + 6 malformed cases + BuildARICertID from a generated cert; window- math 3 branches. - service-layer tests confirm: RotateAccountKey atomically swaps the thumbprint (verifies persisted state) and rejects duplicate keys; RevokeCert routes through the stub RevocationSvc with the right actor string + reason on the jwk path, rejects mismatched keys, rejects already-revoked certs, clamps reason codes correctly; RenewalInfo respects ARIEnabled + cert-id format. Engineering history: cowork/WORKSPACE-CHANGELOG.md 'ACME-Server-4'.	2026-05-03 16:51:06 +00:00

shankar0123

8b75e0311b

chore: rename Go module path to github.com/certctl-io/certctl

Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol
sub-module's go.mod, every Go file's import path (361 files), and a rebuild of
the checked-in f5-mock-icontrol binary so its embedded build-info reflects the
new module path. No behavior change.

Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A
(keep module path declared as github.com/shankar0123/certctl regardless of
repo URL) shipped on the day of the org transfer (2026-05-03) since we had no
external Go consumers; this commit closes that deferral.

Backward-compat: GitHub HTTP redirects continue to forward
github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL
level, but Go's module proxy uses the path declared in go.mod as the
canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...`
hit a "module path mismatch" error because go.mod said
github.com/shankar0123/certctl and the URL they fetched it from said
certctl-io/certctl. Post-fix, the canonical name and the URL agree, so
go get / go install / external Go consumers / Go-tooling integrations
work cleanly via either the new path (preferred) or the old path (which
redirects and Go follows the redirect for source fetch).

Anyone still importing the old path inside their own code keeps working
provided they update their go.mod's `require` line to match — the module
path declared in their consumer's go.sum / go.mod is the authoritative
import name, so a mass sed across their import statements is the migration
on the consumer side. No external consumers exist today.

Diff shape:
  361 *.go files  — import path replacement only
    2 go.mod     — module declaration replacement only
    1 binary     — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt
                   so embedded build-info reflects the new path (8618965 vs
                   8618933 bytes; 32-byte diff is the build-info change)

  Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure
  mechanical substitution.

Verification:
  gofmt: 17 files needed re-alignment after sed (the new path is one char
    shorter than the old, so column-aligned import groups drifted). Applied
    `gofmt -w` to fix.
  go mod tidy: clean exit on both modules.
  go vet ./...: clean exit.
  go build ./...: clean exit.
  go test -short -count=1 on representative packages: all green
    (internal/domain, internal/validation, internal/crypto, internal/crypto/signer,
    cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...`
    confirming the module path resolves correctly.
  binary: f5-mock-icontrol rebuilt; `strings | grep shankar0123` returns
    nothing; `strings | grep certctl-io/certctl` shows the new module path
    embedded in build-info.

Files intentionally NOT touched in this commit:
  README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io
    URLs in commit 0729ee4 (the post-transfer URL refresh). This commit is
    purely the Go-tooling layer.
  Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account
    namespace, not a Go import or GitHub repo URL. Stays.

This is a non-blocking, non-customer-impacting change. Operators pulling
container images, running `make verify`, hitting the API, or installing the
agent see no functional difference. Only Go-tooling consumers (none today)
are affected, and they're enabled — not broken — by this commit.

2026-05-04 00:30:29 +00:00

shankar0123

4dc8d3fa5b

acme-server: key rollover + revocation + ARI (Phase 4/7)

Closes the RFC 8555 + RFC 9773 surface beyond the issuance happy-path:
  - POST /acme/profile/<id>/key-change   (RFC 8555 §7.3.5)
  - POST /acme/profile/<id>/revoke-cert  (RFC 8555 §7.6)
  - GET  /acme/profile/<id>/renewal-info/<cert-id>  (RFC 9773 ARI)

After this commit, ACME clients can rotate account keys, revoke certs
through the ACME surface (rather than only via the certctl GUI/API),
and fetch ARI for proactive renewal scheduling.

Architecture:
  - Key rollover: outer JWS verified against the registered account key
    (existing kid path); the inner JWS — embedded as the outer's payload
    — verified against the embedded NEW jwk in a new dedicated routine
    (ParseAndVerifyKeyChangeInner) that enforces RFC 8555 §7.3.5
    inner-only invariants: MUST use jwk + MUST NOT use kid, payload
    .account == outer.kid, payload.oldKey thumbprint-equals registered.
    A single WithinTx swaps the stored thumbprint+pem and writes the
    audit row. Concurrent-rollover safety via SELECT…FOR UPDATE on the
    conflicting account row in UpdateAccountJWKWithTx; the loser
    observes the winner's new thumbprint and is told to retry (409).
  - Revocation: two auth paths. kid → AccountOwnsCertificate single-
    indexed COUNT lookup over acme_orders. jwk → constant-time RFC 7638
    thumbprint compare against the cert's pubkey. Both paths route
    through service.RevocationSvc.RevokeCertificateWithActor so the
    existing CRL/OCSP refresh + audit + metrics pipeline applies. RFC
    5280 §5.3.1 numeric reason codes clamp to certctl's
    domain.ValidRevocationReasons; codes 8 (removeFromCRL) + 10
    (aACompromise) clamp to 'unspecified' since they aren't in the set.
  - ARI is GET-only and unauth per RFC 9773 §4. Cert-id wire shape is
    base64url(AKI).base64url(serial); ParseARICertID strict-decodes,
    SerialHex emits the canonical certctl-shape lowercase-no-leading-
    zeros hex used in certificate_versions.serial_number.
    ComputeRenewalWindow has 3 branches: bound RenewalPolicy →
    [notAfter - days, notAfter - days/2]; no policy → last 33% of
    validity; past expiry → [now, now + 1d] (renew immediately).
    Retry-After honors CERTCTL_ACME_SERVER_ARI_POLL_INTERVAL.

What ships:
  - internal/api/acme/{keychange,ari}.go (+ phase4_test.go: 15 tests).
  - internal/api/acme/order.go: RevokeCertRequest wire shape.
  - internal/api/handler/acme.go: KeyChange, RevokeCert, RenewalInfo
    + 11 new writeServiceError mappings.
  - internal/repository/postgres/acme.go: UpdateAccountJWKWithTx (FOR
    UPDATE + expectedOldThumbprint precondition; ErrACMEAccountKey-
    ConcurrentUpdate sentinel) + AccountOwnsCertificate.
  - internal/service/acme.go: RotateAccountKey + RevokeCert +
    RenewalInfo; CertificateRevoker + RenewalPolicyLookup interfaces;
    SetRevocationDelegate + SetRenewalPolicyLookup wiring; 11 new
    sentinels; 6 new metrics.
  - internal/service/acme_phase4_test.go: service-layer tests for
    RotateAccountKey (happy + duplicate-key) + RevokeCert (kid mismatch
    + jwk mismatch + jwk happy + already-revoked + reason-clamping) +
    RenewalInfo (disabled + bad cert-id).
  - internal/api/router/router.go: 6 new register calls (3 per-profile
    + 3 shorthand). Router parity exceptions extended in lockstep
    (in-tree SpecParityExceptions + CI-only openapi-handler-exceptions
    .yaml).
  - cmd/server/main.go: SetRevocationDelegate(revocationSvc) +
    SetRenewalPolicyLookup(renewalPolicyRepo) at startup.
  - internal/config/config.go: CERTCTL_ACME_SERVER_ARI_ENABLED (default
    true) + CERTCTL_ACME_SERVER_ARI_POLL_INTERVAL (default 6h);
    BuildDirectory's ariEnabled flag now flips on under
    cfg.ARIEnabled.
  - docs/acme-server.md: phase status flipped to Phase 4; endpoints
    table grows 6 rows (3 per-profile + 3 shorthand); FAQ section
    appended explaining how to rotate keys, revoke certs, and consume
    ARI.

Tests:
  - 'go vet ./...' clean across the repo.
  - 'go test -short -count=1 ./...' green across every package.
  - phase4_test.go covers: keychange happy-path + 5 negatives +
    MapKeyChangeErrorToProblem coverage; ARI cert-id round-trip + 6
    malformed cases + BuildARICertID from a generated cert; window-
    math 3 branches.
  - service-layer tests confirm: RotateAccountKey atomically swaps the
    thumbprint (verifies persisted state) and rejects duplicate keys;
    RevokeCert routes through the stub RevocationSvc with the right
    actor string + reason on the jwk path, rejects mismatched keys,
    rejects already-revoked certs, clamps reason codes correctly;
    RenewalInfo respects ARIEnabled + cert-id format.

Engineering history: cowork/WORKSPACE-CHANGELOG.md 'ACME-Server-4'.

2026-05-03 16:51:06 +00:00

2 Commits