certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 14:08:53 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	a0b7f7da9d	ocsp/responder: dedicated OCSP responder cert per issuer (RFC 6960 §2.6) Phase 2 of the CRL/OCSP responder bundle. Stops signing OCSP responses with the CA private key directly; the local issuer now bootstraps a dedicated responder cert + key per issuer, persists them, and rotates within a grace window before expiry. Why this matters: - Every relying-party OCSP poll today triggers a CA-key signing op. With this change those polls hit a cheap responder key; the CA key only signs at responder bootstrap / rotation (rare). - When the CA key lives on an HSM (PKCS#11 driver, V3-Pro item 3), the dedicated responder removes the per-poll-HSM-op pressure. - Carries id-pkix-ocsp-nocheck (RFC 6960 §4.2.2.2.1) so OCSP clients do NOT recursively check the responder cert's revocation status. What landed: * migration 000020_ocsp_responder.up.sql (+down) — ocsp_responders table keyed by issuer_id; rotated_from records the prior cert serial for audit; not_after index drives the rotation scheduler query * internal/domain/ocsp_responder.go — OCSPResponder type + NeedsRotation helper (configurable grace window; default 7 days before expiry) * internal/repository/postgres/ocsp_responder.go — Postgres impl with upsert-on-Put + ListExpiring for the future rotation scheduler * internal/repository/interfaces.go — OCSPResponderRepository interface * internal/connector/issuer/local/ocsp_responder.go — bootstrap + rotation logic; under c.mu so concurrent first-call OCSP requests don't double-bootstrap; recovers gracefully from corrupt key ref or corrupt cert PEM rather than failing the OCSP request * internal/connector/issuer/local/local.go: - Connector struct gains optional dependencies (ocspResponderRepo, signerDriver, issuerID, rotation grace, validity, key dir) - Set() helpers for each dep matching the existing SCEPService pattern (SetProfileRepo / SetProfileID) - SignOCSPResponse refactored: ensureOCSPResponder dispatches on whether deps are wired; fallback path (deps unset) preserves pre-Phase-2 behavior of signing with CA key directly internal/connector/issuer/local/ocsp_responder_test.go — bootstrap happy path; reuse-across-calls; fallback (no deps wired); rotation on grace window; corrupt-key-ref recovery; corrupt-cert-PEM recovery; SetOCSPResponderKeyDir setter Coverage: local issuer 86.3% (above CI floor of 86; was 86.5% before Phase 2 added ~140 LoC of new code). The recovered-from-drop tests are real behavior tests of the new error paths I introduced, not coverage-game artifacts. Backward compat: unchanged for any caller that doesn't wire the responder deps. The factory at internal/connector/issuerfactory/factory.go still calls local.New(&cfg, logger) with no responder wiring; OCSP responses continue to be signed by the CA key directly until the operator wires the deps. cmd/server/main.go wiring lands in Phase 3 alongside the CRL cache service.	2026-04-28 23:55:52 +00:00

Author

SHA1

Message

Date

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

a0b7f7da9d

ocsp/responder: dedicated OCSP responder cert per issuer (RFC 6960 §2.6)

Phase 2 of the CRL/OCSP responder bundle. Stops signing OCSP responses
with the CA private key directly; the local issuer now bootstraps a
dedicated responder cert + key per issuer, persists them, and rotates
within a grace window before expiry.

Why this matters:

  - Every relying-party OCSP poll today triggers a CA-key signing op.
    With this change those polls hit a cheap responder key; the CA key
    only signs at responder bootstrap / rotation (rare).
  - When the CA key lives on an HSM (PKCS#11 driver, V3-Pro item 3),
    the dedicated responder removes the per-poll-HSM-op pressure.
  - Carries id-pkix-ocsp-nocheck (RFC 6960 §4.2.2.2.1) so OCSP clients
    do NOT recursively check the responder cert's revocation status.

What landed:

  * migration 000020_ocsp_responder.up.sql (+down) — ocsp_responders table
    keyed by issuer_id; rotated_from records the prior cert serial for
    audit; not_after index drives the rotation scheduler query
  * internal/domain/ocsp_responder.go — OCSPResponder type + NeedsRotation
    helper (configurable grace window; default 7 days before expiry)
  * internal/repository/postgres/ocsp_responder.go — Postgres impl with
    upsert-on-Put + ListExpiring for the future rotation scheduler
  * internal/repository/interfaces.go — OCSPResponderRepository interface
  * internal/connector/issuer/local/ocsp_responder.go — bootstrap +
    rotation logic; under c.mu so concurrent first-call OCSP requests
    don't double-bootstrap; recovers gracefully from corrupt key ref
    or corrupt cert PEM rather than failing the OCSP request
  * internal/connector/issuer/local/local.go:
    - Connector struct gains optional dependencies (ocspResponderRepo,
      signerDriver, issuerID, rotation grace, validity, key dir)
    - Set*() helpers for each dep matching the existing SCEPService
      pattern (SetProfileRepo / SetProfileID)
    - SignOCSPResponse refactored: ensureOCSPResponder dispatches on
      whether deps are wired; fallback path (deps unset) preserves
      pre-Phase-2 behavior of signing with CA key directly
  * internal/connector/issuer/local/ocsp_responder_test.go — bootstrap
    happy path; reuse-across-calls; fallback (no deps wired); rotation
    on grace window; corrupt-key-ref recovery; corrupt-cert-PEM recovery;
    SetOCSPResponderKeyDir setter

Coverage: local issuer 86.3% (above CI floor of 86; was 86.5% before
Phase 2 added ~140 LoC of new code). The recovered-from-drop tests are
real behavior tests of the new error paths I introduced, not
coverage-game artifacts.

Backward compat: unchanged for any caller that doesn't wire the
responder deps. The factory at internal/connector/issuerfactory/factory.go
still calls local.New(&cfg, logger) with no responder wiring; OCSP
responses continue to be signed by the CA key directly until the
operator wires the deps. cmd/server/main.go wiring lands in Phase 3
alongside the CRL cache service.

2026-04-28 23:55:52 +00:00

2 Commits