gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
db71b47c24159adac1b53d3b3df6e137c1534443
certctl/internal
T
History
shankar0123 db71b47c24 main: wire CRL/OCSP responder services into runtime 
Activates the CRL/OCSP responder pipeline that landed dormant in
phases 1-4 (commits 30765ba, a0b7f7d, dc32694, dc1e0bf):

  * IssuerRegistry gains SetLocalIssuerDeps + LocalIssuerDeps struct.
    Rebuild type-asserts each constructed connector to *local.Connector
    and injects ocspResponderRepo + signerDriver + IssuerID + key dir
    + (optional) rotation-grace + validity overrides. Non-local
    connectors are unaffected (the type-assert fails silently). Adapter
    pattern preserved: callers still see service.IssuerConnector.

  * cmd/server/main.go:
    - constructs CRLCacheRepository + OCSPResponderRepository from db
    - constructs signer.FileDriver (default; PKCS#11 driver plugs in
      later via the same Driver interface, no main.go changes needed)
    - calls issuerRegistry.SetLocalIssuerDeps(...) BEFORE BuildRegistry
      so the deps are in place when local connectors are constructed
    - wires CRLCacheService into CertificateService via SetCRLCacheSvc
      (Phase 4 cache-aware GenerateDERCRL path now active)
    - calls scheduler.SetCRLCacheService + SetCRLGenerationInterval
      after sched is constructed; logs the interval at startup

  * config: new OCSPResponderConfig struct + Scheduler.CRLGenerationInterval
    field. Three new env vars:
      CERTCTL_OCSP_RESPONDER_KEY_DIR (no default; operator MUST set in prod)
      CERTCTL_OCSP_RESPONDER_ROTATION_GRACE (default 7d)
      CERTCTL_OCSP_RESPONDER_VALIDITY (default 30d)
      CERTCTL_CRL_GENERATION_INTERVAL (default 1h)

Backward compat: when env vars are unset, the responder bootstrap path
still activates (with default rotation grace + validity, key dir = cwd
which is fine for tests), and the CRL cache pre-populates on the
1h interval. Operators not running the local issuer see no behavior
change.

go vet clean across the full module. Targeted tests for config +
service + scheduler packages all green. Full module build deferred
to CI (sandbox /sessions disk pressure prevented unzipping a
transitive dep — same disk-full pattern the prior commits hit; not
a code issue).
2026-04-29 01:48:23 +00:00
..
api
crl/ocsp: POST OCSP endpoint (RFC 6960 §A.1.1) + cache integration
2026-04-29 00:07:27 +00:00
cli
D-1: correct certctl-cli status endpoint path (/api/v1/health -> /health)
2026-04-20 19:40:58 +00:00
config
main: wire CRL/OCSP responder services into runtime
2026-04-29 01:48:23 +00:00
connector
ocsp/responder: dedicated OCSP responder cert per issuer (RFC 6960 §2.6)
2026-04-28 23:55:52 +00:00
crypto
crypto/signer: fix QF1008 staticcheck — drop redundant .Curve selector
2026-04-28 22:09:49 +00:00
domain
ocsp/responder: dedicated OCSP responder cert per issuer (RFC 6960 §2.6)
2026-04-28 23:55:52 +00:00
integration
Bundle C tail: integration mock stub for ListJobsWithOfflineAgents
2026-04-27 00:27:33 +00:00
mcp
Bundle K (Coverage Audit Closure): MCP per-tool coverage — C-002 closed
2026-04-27 16:47:38 +00:00
pkcs7
Bundle Q (Coverage Audit Closure): property-based pilot + hygiene — L-001/L-002/L-003/L-004/I-001 closed
2026-04-27 18:36:47 +00:00
repository
crl/cache: fix contextcheck lint on test helper
2026-04-29 01:38:58 +00:00
scheduler
scheduler/service: crlGenerationLoop + CRLCacheService with singleflight
2026-04-29 00:02:01 +00:00
service
main: wire CRL/OCSP responder services into runtime
2026-04-29 01:48:23 +00:00
tlsprobe
Bundle D: Documentation & transparency sweep — 8 findings closed
2026-04-27 00:47:15 +00:00
validation
Bundle O (Coverage Audit Closure): test hygiene + FSM coverage tables — M-004 + M-005 + M-006 closed
2026-04-27 18:06:06 +00:00