certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:32:02 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	9039cef390	crypto/signer: introduce Signer interface; refactor local issuer to use it This is a load-bearing internal refactor with no user-visible behavior change. The new internal/crypto/signer package abstracts CA private-key signing behind a Signer interface (embeds stdlib crypto.Signer + adds Algorithm()). The local issuer now consumes this interface; the historical c.caKey crypto.Signer field is renamed c.caSigner signer.Signer. What landed: * internal/crypto/signer/ — new stdlib-only package - Signer interface: crypto.Signer + Algorithm() - Algorithm enum: RSA-2048, RSA-3072, RSA-4096, ECDSA-P256, ECDSA-P384 - Driver interface: Load / Generate / Name - FileDriver: production driver, wraps file-on-disk PEM, hooks for DirHardener + Marshaler so the local package can inject Bundle 9 keystore.ensureKeyDirSecure + keymem.marshalPrivateKeyAndZeroize - MemoryDriver: in-memory test driver; safe for concurrent use - parse.go: ParsePrivateKey moved here from local.go (PKCS#1, SEC 1, PKCS#8) - 91.6% coverage (gate ≥85) * internal/connector/issuer/local/local.go — refactor - Rename c.caKey crypto.Signer → c.caSigner signer.Signer - Rewire 4 signing call sites: leaf cert (line ~613), CRL (~849), OCSP response (~887), CA bootstrap (~482) — all access the interface; the bootstrap also switches to interface-level Public() + Signer - Wrap freshly-generated and freshly-loaded keys; reject Ed25519 and other unsupported algorithms at load time (was silently accepted before, would have failed at first sign) - Delete the duplicated parsePrivateKey helper (single source of truth now lives in the signer package) - Update the L-014 threat-model comment block (lines 1-29) with a forward-reference paragraph: file-on-disk caveats apply only to FileDriver-backed signers; alternative drivers close that leg - Coverage 86.7 → 86.5 (above CI floor of 86); the 0.2pp drop is mechanical from deleting parsePrivateKey, partially recovered by a new test pinning the Wrap error path * internal/crypto/signer/equivalence_test.go — Phase 3 safety net - RSA byte-strict equality for leaf certs / CRLs / OCSP responses (PKCS#1 v1.5 is deterministic) - ECDSA TBS-strict equality (signature differs because of random k) - Both signatures independently validate against the CA - Negative sentinel proves the equivalence checker isn't trivially- passing * docs/architecture.md — new 'CA Signing Abstraction' section under Security Model, with ASCII diagram of FileDriver / MemoryDriver / future PKCS11Driver / future CloudKMSDriver * Test file mechanical edits (only): - bundle9_coverage_test.go: parsePrivateKey → signer.ParsePrivateKey (function moved, not behavior changed) - local_test.go: append one targeted test (TestSubCA_LoadCAFromDisk_RejectsUnsupportedKeyAlgorithm) that pins the new Wrap error path I introduced — recovers coverage cost of the deletion above What did NOT change (verified empty diffs): * api/openapi.yaml * migrations/ * internal/connector/issuer/interface.go * go.mod / go.sum (no new dependencies; stdlib only) This refactor is the prerequisite for three downstream items: - PKCS#11/HSM driver (V3-Pro) - CRL/OCSP responder (V2) - SSH CA lifecycle (V2) Each of those adds a new signing call site. Doing the abstraction now costs once; deferring would cost three times.	2026-04-28 22:03:55 +00:00

Author

SHA1

Message

Date

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

9039cef390

crypto/signer: introduce Signer interface; refactor local issuer to use it

This is a load-bearing internal refactor with no user-visible behavior
change. The new internal/crypto/signer package abstracts CA private-key
signing behind a Signer interface (embeds stdlib crypto.Signer + adds
Algorithm()). The local issuer now consumes this interface; the
historical c.caKey crypto.Signer field is renamed c.caSigner signer.Signer.

What landed:

  * internal/crypto/signer/ — new stdlib-only package
    - Signer interface: crypto.Signer + Algorithm()
    - Algorithm enum: RSA-2048, RSA-3072, RSA-4096, ECDSA-P256, ECDSA-P384
    - Driver interface: Load / Generate / Name
    - FileDriver: production driver, wraps file-on-disk PEM, hooks for
      DirHardener + Marshaler so the local package can inject Bundle 9
      keystore.ensureKeyDirSecure + keymem.marshalPrivateKeyAndZeroize
    - MemoryDriver: in-memory test driver; safe for concurrent use
    - parse.go: ParsePrivateKey moved here from local.go (PKCS#1, SEC 1, PKCS#8)
    - 91.6% coverage (gate ≥85)

  * internal/connector/issuer/local/local.go — refactor
    - Rename c.caKey crypto.Signer → c.caSigner signer.Signer
    - Rewire 4 signing call sites: leaf cert (line ~613), CRL (~849),
      OCSP response (~887), CA bootstrap (~482) — all access the
      interface; the bootstrap also switches to interface-level
      Public() + Signer
    - Wrap freshly-generated and freshly-loaded keys; reject Ed25519
      and other unsupported algorithms at load time (was silently
      accepted before, would have failed at first sign)
    - Delete the duplicated parsePrivateKey helper (single source of
      truth now lives in the signer package)
    - Update the L-014 threat-model comment block (lines 1-29) with a
      forward-reference paragraph: file-on-disk caveats apply only to
      FileDriver-backed signers; alternative drivers close that leg
    - Coverage 86.7 → 86.5 (above CI floor of 86); the 0.2pp drop is
      mechanical from deleting parsePrivateKey, partially recovered by
      a new test pinning the Wrap error path

  * internal/crypto/signer/equivalence_test.go — Phase 3 safety net
    - RSA byte-strict equality for leaf certs / CRLs / OCSP responses
      (PKCS#1 v1.5 is deterministic)
    - ECDSA TBS-strict equality (signature differs because of random k)
    - Both signatures independently validate against the CA
    - Negative sentinel proves the equivalence checker isn't trivially-
      passing

  * docs/architecture.md — new 'CA Signing Abstraction' section under
    Security Model, with ASCII diagram of FileDriver / MemoryDriver /
    future PKCS11Driver / future CloudKMSDriver

  * Test file mechanical edits (only):
    - bundle9_coverage_test.go: parsePrivateKey → signer.ParsePrivateKey
      (function moved, not behavior changed)
    - local_test.go: append one targeted test
      (TestSubCA_LoadCAFromDisk_RejectsUnsupportedKeyAlgorithm) that
      pins the new Wrap error path I introduced — recovers coverage
      cost of the deletion above

What did NOT change (verified empty diffs):
  * api/openapi.yaml
  * migrations/
  * internal/connector/issuer/interface.go
  * go.mod / go.sum (no new dependencies; stdlib only)

This refactor is the prerequisite for three downstream items:
  - PKCS#11/HSM driver (V3-Pro)
  - CRL/OCSP responder (V2)
  - SSH CA lifecycle (V2)

Each of those adds a new signing call site. Doing the abstraction now
costs once; deferring would cost three times.

2026-04-28 22:03:55 +00:00

2 Commits