mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-10 12:38:56 +00:00
shankar0123
fefa5a5fd7
Closes the #7 acquisition-readiness blocker from the 2026-05-01 issuer coverage audit. Pre-fix, ACME RevokeCertificate at acme.go:L519-L529 returned the literal error "ACME revocation by serial not supported in V1; provide certificate DER". RFC 8555 §7.6 genuinely requires the cert DER bytes (not just the serial), but a CLM platform's job is to abstract over that limitation. Operators routinely have only the serial in hand: lost PEM, rotated key, GUI revoke action driven by a row in the certs list. This commit: - Adds CertificateLookupRepo interface at the ACME connector boundary (connector boundary, NOT a service/repository import — the connector accepts whatever satisfies the shape). Production wiring in cmd/server/main.go injects the postgres CertificateRepository; tests inject a fake. - Adds CertificateRepository.GetVersionBySerial(ctx, issuerID, serial) + interface declaration in repository/interfaces.go, returning the certificate_versions row whose SerialNumber matches, scoped to the issuer via JOIN on managed_certificates. Mirrors the existing GetByIssuerAndSerial shape but returns the version (where PEMChain lives). Per RFC 5280 §5.2.3 the issuer scope is required for determinism. - Adds SetCertificateLookup + SetIssuerID setters on *acme.Connector. Mirror the pattern local.Connector already uses for OCSP responder wiring. Both must be wired before serial-only revoke works; unwired state falls back to a more actionable error pointing at the wiring requirement (the historical "not supported" wording is retired). - Rewrites RevokeCertificate end-to-end: lookup → empty-PEM check → pem.Decode → block.Type == "CERTIFICATE" check → ensureClient → golang.org/x/crypto/acme.Client.RevokeCert(ctx, accountKey, der, reasonCode). RFC 8555 §7.6 case 1 (revocation request signed with account key) — the same account key issued the cert, so authority is intrinsic. The not-found path returns an actionable operator- facing error pointing at the local-store requirement. - Adds mapRevocationReason translating RFC 5280 §5.3.1 reason strings (unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise) into golang.org/x/crypto/acme. CRLReasonCode. Accepts canonical camelCase + underscore_lower + ALL_CAPS_UNDERSCORE. Nil reason → 0 (unspecified). Unknown reason errors rather than silently demoting (operators rely on the reason for compliance reporting). - Wiring update in service/issuer_registry.go: SetACMECertLookup setter on the registry; Rebuild type-asserts *acme.Connector and calls SetCertificateLookup + SetIssuerID, mirroring the existing *local.Connector branch. cmd/server/main.go calls issuerRegistry.SetACMECertLookup(certificateRepo) immediately after SetIssuanceMetrics — the postgres repo satisfies the interface via GetVersionBySerial. - Tests: * acme_revoke_test.go (new): TestRevokeCertificate_NoCertLookupWired, TestRevokeCertificate_NoIssuerIDWired, TestRevokeCertificate_LookupReturnsNotFound (operator-facing "may not have been issued through certctl" hint pinned), TestRevokeCertificate_LookupArbitraryError, TestRevokeCertificate_VersionPEMEmpty (corrupt-row guard), TestRevokeCertificate_PEMMalformed_NoBlock, TestRevokeCertificate_PEMMalformed_WrongType (PRIVATE KEY block rejected as not a CERTIFICATE). * TestMapRevocationReason_TableDriven: full RFC 5280 reason set plus camelCase / underscore / ALL-CAPS variants plus nil-reason and unknown-reason cases. * acme_failure_test.go: renamed TestRevokeCertificate_AlwaysError → TestRevokeCertificate_UnwiredCertLookupFallback; the test still exercises the same backward-compat branch but now asserts the new "CertificateLookup wiring" error wording. - Mock-repo updates (3 sites): mockCertificateRepository in internal/integration/lifecycle_test.go, mockCertRepo in internal/service/testutil_test.go, mockCertRepoWithGetError in internal/service/shortlived_test.go each gain a GetVersionBySerial implementation that mirrors the GetByIssuerAndSerial logic but returns the version row. - docs/connectors.md ACME section: new "Revocation by serial number" subsection covering the workflow, the local-store requirement (cert was issued through certctl, not imported), the reason-code mapping with the three accepted spelling variants, and a pointer to the audit reference. Out of scope (intentional, per spec): - Recovering the DER from outside the local cert store (CT logs, CSR + signature reconstruction). If the cert wasn't issued through certctl, revoke-by-serial via certctl isn't possible. - Revocation via the cert's private key (RFC 8555 §7.6 case 2). The account-key path covers all certctl-issued certs because the same account key issued them. - Pebble-backed integration test for the happy path. Pebble integration is the right home for that — the unit tests in this commit pin all failure-mode branches before the network call, and the wiring branch in Rebuild is exercised by the existing TestIssuerRegistryRebuild paths. Verified locally: - gofmt -l . clean - go vet ./... clean - staticcheck ./... clean - go test -short -count=1 across connector, service, repository, integration, api/middleware, api/handler: green Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md Top-10 fix #7.
276 lines
9.9 KiB
Go
276 lines
9.9 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/connector/issuer/acme"
|
|
"github.com/shankar0123/certctl/internal/connector/issuer/local"
|
|
"github.com/shankar0123/certctl/internal/connector/issuerfactory"
|
|
"github.com/shankar0123/certctl/internal/crypto"
|
|
"github.com/shankar0123/certctl/internal/crypto/signer"
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
"github.com/shankar0123/certctl/internal/repository"
|
|
)
|
|
|
|
// IssuerRegistry is a thread-safe registry of issuer connectors.
|
|
// It replaces the static map[string]IssuerConnector that was built at startup.
|
|
// Consumers call Get() to look up a connector by issuer ID.
|
|
type IssuerRegistry struct {
|
|
mu sync.RWMutex
|
|
issuers map[string]IssuerConnector
|
|
logger *slog.Logger
|
|
|
|
// localDeps, when set, is injected into every *local.Connector
|
|
// constructed by Rebuild via SetOCSPResponderRepo + SetSignerDriver
|
|
// + SetIssuerID + SetOCSPResponderKeyDir. Wires the dedicated OCSP
|
|
// responder cert flow (RFC 6960 §2.6); see Bundle CRL/OCSP-Responder
|
|
// Phase 2. When unset, local connectors fall back to signing OCSP
|
|
// with the CA key directly (the historical behaviour, preserved for
|
|
// callers that don't supply these deps).
|
|
localDeps *LocalIssuerDeps
|
|
|
|
// metrics — when set, every adapter constructed by Rebuild is
|
|
// wired with SetMetrics so issuance / renewal calls flow through
|
|
// the per-issuer-type counter + histogram + failure tables.
|
|
// Closes the #4 audit-readiness blocker (per-issuer-type metrics).
|
|
metrics *IssuanceMetrics
|
|
|
|
// acmeCertLookup — when set, every freshly-constructed
|
|
// *acme.Connector is wired with SetCertificateLookup + SetIssuerID
|
|
// so its serial-only revoke path can recover the leaf-cert DER
|
|
// from the local cert store. Closes the #7 audit-readiness blocker.
|
|
// Nil leaves the legacy "ACME revocation by serial requires
|
|
// CertificateLookup wiring" error in place for old wiring paths.
|
|
acmeCertLookup acme.CertificateLookupRepo
|
|
}
|
|
|
|
// LocalIssuerDeps groups the optional dependencies that the local
|
|
// issuer needs for the dedicated OCSP responder cert flow. All fields
|
|
// are required when localDeps is set on the registry; nil-checking
|
|
// individual fields would partially-initialize the responder path
|
|
// which is worse than the all-or-nothing fallback to direct CA-key
|
|
// signing.
|
|
type LocalIssuerDeps struct {
|
|
OCSPResponderRepo repository.OCSPResponderRepository
|
|
SignerDriver signer.Driver
|
|
KeyDir string // where FileDriver-backed responder keys land
|
|
RotationGrace time.Duration // optional override; default 7d if zero
|
|
Validity time.Duration // optional override; default 30d if zero
|
|
}
|
|
|
|
// NewIssuerRegistry creates a new empty issuer registry.
|
|
func NewIssuerRegistry(logger *slog.Logger) *IssuerRegistry {
|
|
return &IssuerRegistry{
|
|
issuers: make(map[string]IssuerConnector),
|
|
logger: logger,
|
|
}
|
|
}
|
|
|
|
// SetLocalIssuerDeps configures the per-local-connector dependencies
|
|
// applied by Rebuild. Must be called before BuildRegistry / Rebuild
|
|
// so the deps are in place when local connectors are constructed.
|
|
//
|
|
// Bundle CRL/OCSP-Responder Phase 2.
|
|
func (r *IssuerRegistry) SetLocalIssuerDeps(deps *LocalIssuerDeps) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
r.localDeps = deps
|
|
}
|
|
|
|
// SetIssuanceMetrics wires per-issuer-type issuance metrics. Every
|
|
// adapter constructed by Rebuild after this call records issuance /
|
|
// renewal calls into the supplied metrics tables. Closes the #4
|
|
// audit-readiness blocker (per-issuer-type metrics).
|
|
func (r *IssuerRegistry) SetIssuanceMetrics(m *IssuanceMetrics) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
r.metrics = m
|
|
}
|
|
|
|
// SetACMECertLookup wires the cert-version lookup repo for every
|
|
// *acme.Connector constructed by Rebuild. The lookup is used by the
|
|
// serial-only revoke path (RevokeCertificate) to recover the leaf-
|
|
// cert DER bytes from the local cert store; without it, ACME
|
|
// RevokeCertificate falls back to the legacy V1 "not supported"
|
|
// error. Closes the #7 audit-readiness blocker.
|
|
//
|
|
// Wire on the registry, not per-call: the registry already owns the
|
|
// post-factory wiring step (mirrors SetLocalIssuerDeps), and the same
|
|
// repo serves every ACME connector regardless of issuer ID — the
|
|
// connector scopes its own lookups via the issuer ID injected by
|
|
// SetIssuerID inside Rebuild.
|
|
func (r *IssuerRegistry) SetACMECertLookup(repo acme.CertificateLookupRepo) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
r.acmeCertLookup = repo
|
|
}
|
|
|
|
// Get returns the issuer connector for the given ID and whether it exists.
|
|
func (r *IssuerRegistry) Get(id string) (IssuerConnector, bool) {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
conn, ok := r.issuers[id]
|
|
return conn, ok
|
|
}
|
|
|
|
// Set adds or replaces an issuer connector in the registry.
|
|
func (r *IssuerRegistry) Set(id string, conn IssuerConnector) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
r.issuers[id] = conn
|
|
}
|
|
|
|
// Remove removes an issuer connector from the registry.
|
|
func (r *IssuerRegistry) Remove(id string) {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
delete(r.issuers, id)
|
|
}
|
|
|
|
// List returns a copy of all registered issuers.
|
|
func (r *IssuerRegistry) List() map[string]IssuerConnector {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
result := make(map[string]IssuerConnector, len(r.issuers))
|
|
for k, v := range r.issuers {
|
|
result[k] = v
|
|
}
|
|
return result
|
|
}
|
|
|
|
// Len returns the number of registered issuers.
|
|
func (r *IssuerRegistry) Len() int {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
return len(r.issuers)
|
|
}
|
|
|
|
// Rebuild reconstructs the registry from a list of issuer configs.
|
|
// For each enabled issuer, it decrypts the config (if encryption key is set),
|
|
// instantiates a connector via the factory, wraps it in an adapter, and
|
|
// atomically swaps the entire map.
|
|
//
|
|
// The encryption passphrase is passed as a string; per-ciphertext salt derivation
|
|
// for v2 blobs is performed inside [crypto.DecryptIfKeySet]. Empty passphrase
|
|
// fails closed via [crypto.ErrEncryptionKeyRequired] when encrypted configs
|
|
// are encountered. See M-8 in certctl-audit-report.md.
|
|
func (r *IssuerRegistry) Rebuild(ctx context.Context, configs []*domain.Issuer, encryptionKey string) error {
|
|
newIssuers := make(map[string]IssuerConnector)
|
|
var errors []string
|
|
|
|
for _, cfg := range configs {
|
|
if !cfg.Enabled {
|
|
r.logger.Debug("skipping disabled issuer", "id", cfg.ID, "type", cfg.Type)
|
|
continue
|
|
}
|
|
|
|
// Determine the config JSON to use for connector instantiation.
|
|
// Prefer encrypted_config (decrypted) if available; fall back to config.
|
|
var configJSON json.RawMessage
|
|
if len(cfg.EncryptedConfig) > 0 {
|
|
decrypted, err := crypto.DecryptIfKeySet(cfg.EncryptedConfig, encryptionKey)
|
|
if err != nil {
|
|
errors = append(errors, fmt.Sprintf("issuer %s: decrypt failed: %v", cfg.ID, err))
|
|
continue
|
|
}
|
|
configJSON = json.RawMessage(decrypted)
|
|
} else if len(cfg.Config) > 0 {
|
|
configJSON = cfg.Config
|
|
} else {
|
|
configJSON = json.RawMessage("{}")
|
|
}
|
|
|
|
connector, err := issuerfactory.NewFromConfig(ctx, string(cfg.Type), configJSON, r.logger)
|
|
if err != nil {
|
|
errors = append(errors, fmt.Sprintf("issuer %s: factory error: %v", cfg.ID, err))
|
|
continue
|
|
}
|
|
|
|
// Bundle CRL/OCSP-Responder Phase 2: when local deps are
|
|
// configured on the registry, inject them into every freshly-
|
|
// constructed *local.Connector so its SignOCSPResponse takes
|
|
// the dedicated responder cert path. Type-assert is the
|
|
// pragmatic seam — the factory returns issuer.Connector so
|
|
// this is the only place that knows what concrete type was
|
|
// just built.
|
|
if localConn, ok := connector.(*local.Connector); ok && r.localDeps != nil {
|
|
localConn.SetIssuerID(cfg.ID)
|
|
localConn.SetOCSPResponderRepo(r.localDeps.OCSPResponderRepo)
|
|
localConn.SetSignerDriver(r.localDeps.SignerDriver)
|
|
if r.localDeps.KeyDir != "" {
|
|
localConn.SetOCSPResponderKeyDir(r.localDeps.KeyDir)
|
|
}
|
|
if r.localDeps.RotationGrace > 0 {
|
|
localConn.SetOCSPResponderRotationGrace(r.localDeps.RotationGrace)
|
|
}
|
|
if r.localDeps.Validity > 0 {
|
|
localConn.SetOCSPResponderValidity(r.localDeps.Validity)
|
|
}
|
|
r.logger.Info("local issuer wired with dedicated OCSP responder deps",
|
|
"id", cfg.ID,
|
|
"key_dir", r.localDeps.KeyDir)
|
|
}
|
|
|
|
// Audit fix #7: when the cert-version lookup is configured on
|
|
// the registry, inject it into every freshly-constructed
|
|
// *acme.Connector so its serial-only revoke path can recover
|
|
// the leaf-cert DER bytes. SetIssuerID is paired so the lookup
|
|
// can scope by issuer per RFC 5280 §5.2.3.
|
|
if acmeConn, ok := connector.(*acme.Connector); ok && r.acmeCertLookup != nil {
|
|
acmeConn.SetIssuerID(cfg.ID)
|
|
acmeConn.SetCertificateLookup(r.acmeCertLookup)
|
|
r.logger.Info("ACME issuer wired with cert-version lookup for serial-only revoke",
|
|
"id", cfg.ID)
|
|
}
|
|
|
|
adapter := NewIssuerConnectorAdapter(connector)
|
|
// Wire per-issuer-type metrics (audit fix #4) when SetIssuanceMetrics
|
|
// was called. The adapter is the IssuerConnector interface; type-
|
|
// assert to the concrete *IssuerConnectorAdapter so we can call
|
|
// SetMetrics. Tests that hand-construct adapters via the bare
|
|
// NewIssuerConnectorAdapter constructor get nil metrics — the
|
|
// adapter no-ops the recording in that case.
|
|
if r.metrics != nil {
|
|
if a, ok := adapter.(*IssuerConnectorAdapter); ok {
|
|
a.SetMetrics(string(cfg.Type), r.metrics)
|
|
}
|
|
}
|
|
newIssuers[cfg.ID] = adapter
|
|
r.logger.Info("issuer loaded into registry", "id", cfg.ID, "type", cfg.Type)
|
|
}
|
|
|
|
// Atomic swap
|
|
r.mu.Lock()
|
|
old := r.issuers
|
|
r.issuers = newIssuers
|
|
r.mu.Unlock()
|
|
|
|
// Log changes
|
|
for id := range newIssuers {
|
|
if _, existed := old[id]; !existed {
|
|
r.logger.Info("issuer added to registry", "id", id)
|
|
}
|
|
}
|
|
for id := range old {
|
|
if _, exists := newIssuers[id]; !exists {
|
|
r.logger.Info("issuer removed from registry", "id", id)
|
|
}
|
|
}
|
|
|
|
r.logger.Info("issuer registry rebuilt", "loaded", len(newIssuers), "failed", len(errors))
|
|
|
|
if len(errors) > 0 {
|
|
for _, e := range errors {
|
|
r.logger.Warn("issuer load failure", "detail", e)
|
|
}
|
|
return fmt.Errorf("%d issuer(s) failed to load: %s", len(errors), errors[0])
|
|
}
|
|
|
|
return nil
|
|
}
|