gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
certctl/internal/connector/issuer/interface.go
T
shankar0123 21aeed4f4e legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) 
Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
2026-05-13 21:23:35 +00:00

136 lines
5.5 KiB
Go
Raw Permalink Blame History

// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
package issuer
import (
"context"
"encoding/json"
"math/big"
"time"
)
// Connector defines the interface for certificate issuance operations.
type Connector interface {
// ValidateConfig validates the issuer configuration.
ValidateConfig(ctx context.Context, config json.RawMessage) error
// IssueCertificate issues a new certificate.
IssueCertificate(ctx context.Context, request IssuanceRequest) (*IssuanceResult, error)
// RenewCertificate renews an existing certificate.
RenewCertificate(ctx context.Context, request RenewalRequest) (*IssuanceResult, error)
// RevokeCertificate revokes a certificate.
RevokeCertificate(ctx context.Context, request RevocationRequest) error
// GetOrderStatus retrieves the status of an issuance or renewal order.
GetOrderStatus(ctx context.Context, orderID string) (*OrderStatus, error)
// GenerateCRL generates a DER-encoded X.509 CRL signed by this issuer.
// Returns nil if the issuer does not support CRL generation (e.g., ACME).
GenerateCRL(ctx context.Context, revokedCerts []RevokedCertEntry) ([]byte, error)
// SignOCSPResponse signs an OCSP response for the given certificate serial.
// Returns nil if the issuer does not support OCSP (e.g., ACME).
SignOCSPResponse(ctx context.Context, req OCSPSignRequest) ([]byte, error)
// GetCACertPEM returns the PEM-encoded CA certificate chain for this issuer.
// Used by the EST /cacerts endpoint. Returns empty string if not available.
GetCACertPEM(ctx context.Context) (string, error)
// GetRenewalInfo retrieves ACME Renewal Information (ARI) per RFC 9773 for a certificate.
// certPEM is the PEM-encoded certificate. Returns nil, nil if the CA does not support ARI.
GetRenewalInfo(ctx context.Context, certPEM string) (*RenewalInfoResult, error)
}
// RenewalInfoResult holds the ACME ARI response from a CA.
type RenewalInfoResult struct {
SuggestedWindowStart time.Time
SuggestedWindowEnd time.Time
RetryAfter time.Time
ExplanationURL string
}
// IssuanceRequest contains the parameters for issuing a new certificate.
type IssuanceRequest struct {
CommonName string `json:"common_name"`
SANs []string `json:"sans"`
CSRPEM string `json:"csr_pem"`
EKUs []string `json:"ekus,omitempty"` // e.g., "serverAuth", "clientAuth", "emailProtection"
MaxTTLSeconds int `json:"max_ttl_seconds,omitempty"` // 0 = no cap (use issuer default)
// MustStaple, when true, instructs the issuer to add the RFC 7633
// must-staple extension (id-pe-tlsfeature) to the issued cert.
// Plumbed from CertificateProfile.MustStaple at the service layer.
// Issuers that don't support extension injection (Vault, EJBCA, etc.)
// silently ignore this — must-staple is a local-issuer-only feature
// in V2 since upstream connectors enforce their own extension policy.
MustStaple bool `json:"must_staple,omitempty"`
}
// IssuanceResult contains the result of a successful certificate issuance.
type IssuanceResult struct {
CertPEM string `json:"cert_pem"`
ChainPEM string `json:"chain_pem"`
Serial string `json:"serial"`
NotBefore time.Time `json:"not_before"`
NotAfter time.Time `json:"not_after"`
OrderID string `json:"order_id"`
}
// RenewalRequest contains the parameters for renewing a certificate.
type RenewalRequest struct {
CommonName string `json:"common_name"`
SANs []string `json:"sans"`
CSRPEM string `json:"csr_pem"`
EKUs []string `json:"ekus,omitempty"` // e.g., "serverAuth", "clientAuth", "emailProtection"
MaxTTLSeconds int `json:"max_ttl_seconds,omitempty"` // 0 = no cap (use issuer default)
OrderID *string `json:"order_id,omitempty"`
// MustStaple — same semantics as IssuanceRequest.MustStaple. The
// renewal pipeline plumbs through the same CertificateProfile.MustStaple
// field so renewed certs match their initial-issuance extension set.
MustStaple bool `json:"must_staple,omitempty"`
}
// RevocationRequest contains the parameters for revoking a certificate.
type RevocationRequest struct {
Serial string `json:"serial"`
Reason *string `json:"reason,omitempty"`
}
// OrderStatus contains the status of a pending issuance or renewal order.
type OrderStatus struct {
OrderID string `json:"order_id"`
Status string `json:"status"`
Message *string `json:"message,omitempty"`
CertPEM *string `json:"cert_pem,omitempty"`
ChainPEM *string `json:"chain_pem,omitempty"`
Serial *string `json:"serial,omitempty"`
NotBefore *time.Time `json:"not_before,omitempty"`
NotAfter *time.Time `json:"not_after,omitempty"`
UpdatedAt time.Time `json:"updated_at"`
}
// RevokedCertEntry represents a revoked certificate for CRL generation.
type RevokedCertEntry struct {
SerialNumber *big.Int
RevokedAt time.Time
ReasonCode int
}
// OCSPSignRequest contains the parameters for signing an OCSP response.
type OCSPSignRequest struct {
CertSerial *big.Int
CertStatus int // 0=good, 1=revoked, 2=unknown
RevokedAt time.Time
RevocationReason int
ThisUpdate time.Time
NextUpdate time.Time
// Nonce — RFC 6960 §4.4.1 OCSP-nonce extension echo. When non-nil,
// the responder MUST include this value in the response's
// singleExtensions field. When nil, the response MUST NOT carry
// a nonce extension (back-compat with relying parties that don't
// understand it). Production hardening II Phase 1.
Nonce []byte
}
Reference in New Issue View Git Blame Copy Permalink