mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 23:51:41 +00:00
shankar0123
762c523d59
Backend:
- Embedded OCSP responder: GET /api/v1/ocsp/{issuer_id}/{serial} returns
signed OCSP responses (good/revoked/unknown) using CA key
- DER-encoded X.509 CRL: GET /api/v1/crl/{issuer_id} returns proper DER CRL
signed by issuing CA with 24h validity window
- Short-lived cert exemption: certs with profile TTL < 1 hour skip CRL/OCSP
(expiry is sufficient revocation for ephemeral workloads)
- Extended issuer connector interface with GenerateCRL and SignOCSPResponse
- Local CA implements full CRL/OCSP signing; ACME and step-ca return
appropriate "use native endpoint" errors
- IssuerConnectorAdapter bridges new methods between layers
Frontend:
- Revoke button on certificate detail page with RFC 5280 reason modal
- Revocation banner with reason display and timestamp
- Revocation status indicators in lifecycle section
- "Revoked" filter option in certificates list
- API client: revokeCertificate() function and Certificate type extensions
Tests: ~31 new tests across connector, service, handler, and adapter layers
Docs: milestones renumbered (M13-M14, M16-M18), M15b marked complete
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
96 lines
3.2 KiB
Go
96 lines
3.2 KiB
Go
package issuer
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"math/big"
|
|
"time"
|
|
)
|
|
|
|
// Connector defines the interface for certificate issuance operations.
|
|
type Connector interface {
|
|
// ValidateConfig validates the issuer configuration.
|
|
ValidateConfig(ctx context.Context, config json.RawMessage) error
|
|
|
|
// IssueCertificate issues a new certificate.
|
|
IssueCertificate(ctx context.Context, request IssuanceRequest) (*IssuanceResult, error)
|
|
|
|
// RenewCertificate renews an existing certificate.
|
|
RenewCertificate(ctx context.Context, request RenewalRequest) (*IssuanceResult, error)
|
|
|
|
// RevokeCertificate revokes a certificate.
|
|
RevokeCertificate(ctx context.Context, request RevocationRequest) error
|
|
|
|
// GetOrderStatus retrieves the status of an issuance or renewal order.
|
|
GetOrderStatus(ctx context.Context, orderID string) (*OrderStatus, error)
|
|
|
|
// GenerateCRL generates a DER-encoded X.509 CRL signed by this issuer.
|
|
// Returns nil if the issuer does not support CRL generation (e.g., ACME).
|
|
GenerateCRL(ctx context.Context, revokedCerts []RevokedCertEntry) ([]byte, error)
|
|
|
|
// SignOCSPResponse signs an OCSP response for the given certificate serial.
|
|
// Returns nil if the issuer does not support OCSP (e.g., ACME).
|
|
SignOCSPResponse(ctx context.Context, req OCSPSignRequest) ([]byte, error)
|
|
}
|
|
|
|
// IssuanceRequest contains the parameters for issuing a new certificate.
|
|
type IssuanceRequest struct {
|
|
CommonName string `json:"common_name"`
|
|
SANs []string `json:"sans"`
|
|
CSRPEM string `json:"csr_pem"`
|
|
}
|
|
|
|
// IssuanceResult contains the result of a successful certificate issuance.
|
|
type IssuanceResult struct {
|
|
CertPEM string `json:"cert_pem"`
|
|
ChainPEM string `json:"chain_pem"`
|
|
Serial string `json:"serial"`
|
|
NotBefore time.Time `json:"not_before"`
|
|
NotAfter time.Time `json:"not_after"`
|
|
OrderID string `json:"order_id"`
|
|
}
|
|
|
|
// RenewalRequest contains the parameters for renewing a certificate.
|
|
type RenewalRequest struct {
|
|
CommonName string `json:"common_name"`
|
|
SANs []string `json:"sans"`
|
|
CSRPEM string `json:"csr_pem"`
|
|
OrderID *string `json:"order_id,omitempty"`
|
|
}
|
|
|
|
// RevocationRequest contains the parameters for revoking a certificate.
|
|
type RevocationRequest struct {
|
|
Serial string `json:"serial"`
|
|
Reason *string `json:"reason,omitempty"`
|
|
}
|
|
|
|
// OrderStatus contains the status of a pending issuance or renewal order.
|
|
type OrderStatus struct {
|
|
OrderID string `json:"order_id"`
|
|
Status string `json:"status"`
|
|
Message *string `json:"message,omitempty"`
|
|
CertPEM *string `json:"cert_pem,omitempty"`
|
|
ChainPEM *string `json:"chain_pem,omitempty"`
|
|
Serial *string `json:"serial,omitempty"`
|
|
NotBefore *time.Time `json:"not_before,omitempty"`
|
|
NotAfter *time.Time `json:"not_after,omitempty"`
|
|
UpdatedAt time.Time `json:"updated_at"`
|
|
}
|
|
|
|
// RevokedCertEntry represents a revoked certificate for CRL generation.
|
|
type RevokedCertEntry struct {
|
|
SerialNumber *big.Int
|
|
RevokedAt time.Time
|
|
ReasonCode int
|
|
}
|
|
|
|
// OCSPSignRequest contains the parameters for signing an OCSP response.
|
|
type OCSPSignRequest struct {
|
|
CertSerial *big.Int
|
|
CertStatus int // 0=good, 1=revoked, 2=unknown
|
|
RevokedAt time.Time
|
|
RevocationReason int
|
|
ThisUpdate time.Time
|
|
NextUpdate time.Time
|
|
}
|