mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-09 23:18:55 +00:00
shankar0123
7d14635a72
Implement Enrollment over Secure Transport protocol with 4 endpoints under /.well-known/est/ — cacerts (CA chain distribution), simpleenroll (initial enrollment), simplereenroll (certificate renewal), and csrattrs (CSR attributes). PKCS#7 certs-only wire format with hand-rolled ASN.1, accepts both PEM and base64-encoded DER CSRs, configurable issuer and profile binding, full audit trail. 28 new tests (18 handler + 10 service). Also includes: - GetCACertPEM added to issuer connector interface (all 4 issuers updated) - EST integration tests wired into e2e test suite (13 test cases) - QA testing guide Part 26 (15 manual EST test cases) - All docs updated: README, features, architecture, concepts, connectors, quickstart, demo-advanced (endpoint counts, MCP wording, agent IDs, issuer interface, resource lists, OpenSSL status) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
100 lines
3.4 KiB
Go
100 lines
3.4 KiB
Go
package issuer
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"math/big"
|
|
"time"
|
|
)
|
|
|
|
// Connector defines the interface for certificate issuance operations.
|
|
type Connector interface {
|
|
// ValidateConfig validates the issuer configuration.
|
|
ValidateConfig(ctx context.Context, config json.RawMessage) error
|
|
|
|
// IssueCertificate issues a new certificate.
|
|
IssueCertificate(ctx context.Context, request IssuanceRequest) (*IssuanceResult, error)
|
|
|
|
// RenewCertificate renews an existing certificate.
|
|
RenewCertificate(ctx context.Context, request RenewalRequest) (*IssuanceResult, error)
|
|
|
|
// RevokeCertificate revokes a certificate.
|
|
RevokeCertificate(ctx context.Context, request RevocationRequest) error
|
|
|
|
// GetOrderStatus retrieves the status of an issuance or renewal order.
|
|
GetOrderStatus(ctx context.Context, orderID string) (*OrderStatus, error)
|
|
|
|
// GenerateCRL generates a DER-encoded X.509 CRL signed by this issuer.
|
|
// Returns nil if the issuer does not support CRL generation (e.g., ACME).
|
|
GenerateCRL(ctx context.Context, revokedCerts []RevokedCertEntry) ([]byte, error)
|
|
|
|
// SignOCSPResponse signs an OCSP response for the given certificate serial.
|
|
// Returns nil if the issuer does not support OCSP (e.g., ACME).
|
|
SignOCSPResponse(ctx context.Context, req OCSPSignRequest) ([]byte, error)
|
|
|
|
// GetCACertPEM returns the PEM-encoded CA certificate chain for this issuer.
|
|
// Used by the EST /cacerts endpoint. Returns empty string if not available.
|
|
GetCACertPEM(ctx context.Context) (string, error)
|
|
}
|
|
|
|
// IssuanceRequest contains the parameters for issuing a new certificate.
|
|
type IssuanceRequest struct {
|
|
CommonName string `json:"common_name"`
|
|
SANs []string `json:"sans"`
|
|
CSRPEM string `json:"csr_pem"`
|
|
}
|
|
|
|
// IssuanceResult contains the result of a successful certificate issuance.
|
|
type IssuanceResult struct {
|
|
CertPEM string `json:"cert_pem"`
|
|
ChainPEM string `json:"chain_pem"`
|
|
Serial string `json:"serial"`
|
|
NotBefore time.Time `json:"not_before"`
|
|
NotAfter time.Time `json:"not_after"`
|
|
OrderID string `json:"order_id"`
|
|
}
|
|
|
|
// RenewalRequest contains the parameters for renewing a certificate.
|
|
type RenewalRequest struct {
|
|
CommonName string `json:"common_name"`
|
|
SANs []string `json:"sans"`
|
|
CSRPEM string `json:"csr_pem"`
|
|
OrderID *string `json:"order_id,omitempty"`
|
|
}
|
|
|
|
// RevocationRequest contains the parameters for revoking a certificate.
|
|
type RevocationRequest struct {
|
|
Serial string `json:"serial"`
|
|
Reason *string `json:"reason,omitempty"`
|
|
}
|
|
|
|
// OrderStatus contains the status of a pending issuance or renewal order.
|
|
type OrderStatus struct {
|
|
OrderID string `json:"order_id"`
|
|
Status string `json:"status"`
|
|
Message *string `json:"message,omitempty"`
|
|
CertPEM *string `json:"cert_pem,omitempty"`
|
|
ChainPEM *string `json:"chain_pem,omitempty"`
|
|
Serial *string `json:"serial,omitempty"`
|
|
NotBefore *time.Time `json:"not_before,omitempty"`
|
|
NotAfter *time.Time `json:"not_after,omitempty"`
|
|
UpdatedAt time.Time `json:"updated_at"`
|
|
}
|
|
|
|
// RevokedCertEntry represents a revoked certificate for CRL generation.
|
|
type RevokedCertEntry struct {
|
|
SerialNumber *big.Int
|
|
RevokedAt time.Time
|
|
ReasonCode int
|
|
}
|
|
|
|
// OCSPSignRequest contains the parameters for signing an OCSP response.
|
|
type OCSPSignRequest struct {
|
|
CertSerial *big.Int
|
|
CertStatus int // 0=good, 1=revoked, 2=unknown
|
|
RevokedAt time.Time
|
|
RevocationReason int
|
|
ThisUpdate time.Time
|
|
NextUpdate time.Time
|
|
}
|