certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:51:32 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	a0b7f7da9d	ocsp/responder: dedicated OCSP responder cert per issuer (RFC 6960 §2.6) Phase 2 of the CRL/OCSP responder bundle. Stops signing OCSP responses with the CA private key directly; the local issuer now bootstraps a dedicated responder cert + key per issuer, persists them, and rotates within a grace window before expiry. Why this matters: - Every relying-party OCSP poll today triggers a CA-key signing op. With this change those polls hit a cheap responder key; the CA key only signs at responder bootstrap / rotation (rare). - When the CA key lives on an HSM (PKCS#11 driver, V3-Pro item 3), the dedicated responder removes the per-poll-HSM-op pressure. - Carries id-pkix-ocsp-nocheck (RFC 6960 §4.2.2.2.1) so OCSP clients do NOT recursively check the responder cert's revocation status. What landed: * migration 000020_ocsp_responder.up.sql (+down) — ocsp_responders table keyed by issuer_id; rotated_from records the prior cert serial for audit; not_after index drives the rotation scheduler query * internal/domain/ocsp_responder.go — OCSPResponder type + NeedsRotation helper (configurable grace window; default 7 days before expiry) * internal/repository/postgres/ocsp_responder.go — Postgres impl with upsert-on-Put + ListExpiring for the future rotation scheduler * internal/repository/interfaces.go — OCSPResponderRepository interface * internal/connector/issuer/local/ocsp_responder.go — bootstrap + rotation logic; under c.mu so concurrent first-call OCSP requests don't double-bootstrap; recovers gracefully from corrupt key ref or corrupt cert PEM rather than failing the OCSP request * internal/connector/issuer/local/local.go: - Connector struct gains optional dependencies (ocspResponderRepo, signerDriver, issuerID, rotation grace, validity, key dir) - Set() helpers for each dep matching the existing SCEPService pattern (SetProfileRepo / SetProfileID) - SignOCSPResponse refactored: ensureOCSPResponder dispatches on whether deps are wired; fallback path (deps unset) preserves pre-Phase-2 behavior of signing with CA key directly internal/connector/issuer/local/ocsp_responder_test.go — bootstrap happy path; reuse-across-calls; fallback (no deps wired); rotation on grace window; corrupt-key-ref recovery; corrupt-cert-PEM recovery; SetOCSPResponderKeyDir setter Coverage: local issuer 86.3% (above CI floor of 86; was 86.5% before Phase 2 added ~140 LoC of new code). The recovered-from-drop tests are real behavior tests of the new error paths I introduced, not coverage-game artifacts. Backward compat: unchanged for any caller that doesn't wire the responder deps. The factory at internal/connector/issuerfactory/factory.go still calls local.New(&cfg, logger) with no responder wiring; OCSP responses continue to be signed by the CA key directly until the operator wires the deps. cmd/server/main.go wiring lands in Phase 3 alongside the CRL cache service.	2026-04-28 23:55:52 +00:00

Author

SHA1

Message

Date

shankar0123

a0b7f7da9d

ocsp/responder: dedicated OCSP responder cert per issuer (RFC 6960 §2.6)

Phase 2 of the CRL/OCSP responder bundle. Stops signing OCSP responses
with the CA private key directly; the local issuer now bootstraps a
dedicated responder cert + key per issuer, persists them, and rotates
within a grace window before expiry.

Why this matters:

  - Every relying-party OCSP poll today triggers a CA-key signing op.
    With this change those polls hit a cheap responder key; the CA key
    only signs at responder bootstrap / rotation (rare).
  - When the CA key lives on an HSM (PKCS#11 driver, V3-Pro item 3),
    the dedicated responder removes the per-poll-HSM-op pressure.
  - Carries id-pkix-ocsp-nocheck (RFC 6960 §4.2.2.2.1) so OCSP clients
    do NOT recursively check the responder cert's revocation status.

What landed:

  * migration 000020_ocsp_responder.up.sql (+down) — ocsp_responders table
    keyed by issuer_id; rotated_from records the prior cert serial for
    audit; not_after index drives the rotation scheduler query
  * internal/domain/ocsp_responder.go — OCSPResponder type + NeedsRotation
    helper (configurable grace window; default 7 days before expiry)
  * internal/repository/postgres/ocsp_responder.go — Postgres impl with
    upsert-on-Put + ListExpiring for the future rotation scheduler
  * internal/repository/interfaces.go — OCSPResponderRepository interface
  * internal/connector/issuer/local/ocsp_responder.go — bootstrap +
    rotation logic; under c.mu so concurrent first-call OCSP requests
    don't double-bootstrap; recovers gracefully from corrupt key ref
    or corrupt cert PEM rather than failing the OCSP request
  * internal/connector/issuer/local/local.go:
    - Connector struct gains optional dependencies (ocspResponderRepo,
      signerDriver, issuerID, rotation grace, validity, key dir)
    - Set*() helpers for each dep matching the existing SCEPService
      pattern (SetProfileRepo / SetProfileID)
    - SignOCSPResponse refactored: ensureOCSPResponder dispatches on
      whether deps are wired; fallback path (deps unset) preserves
      pre-Phase-2 behavior of signing with CA key directly
  * internal/connector/issuer/local/ocsp_responder_test.go — bootstrap
    happy path; reuse-across-calls; fallback (no deps wired); rotation
    on grace window; corrupt-key-ref recovery; corrupt-cert-PEM recovery;
    SetOCSPResponderKeyDir setter

Coverage: local issuer 86.3% (above CI floor of 86; was 86.5% before
Phase 2 added ~140 LoC of new code). The recovered-from-drop tests are
real behavior tests of the new error paths I introduced, not
coverage-game artifacts.

Backward compat: unchanged for any caller that doesn't wire the
responder deps. The factory at internal/connector/issuerfactory/factory.go
still calls local.New(&cfg, logger) with no responder wiring; OCSP
responses continue to be signed by the CA key directly until the
operator wires the deps. cmd/server/main.go wiring lands in Phase 3
alongside the CRL cache service.

2026-04-28 23:55:52 +00:00

1 Commits