fix: remove committed private keys and add runtime cert generation (closes #12)

- Remove all private key files from git tracking (git rm --cached) - configs/certs/ca.key.pem, server.key.pem, client001.key.pem - tests/e2e/certs/client.key - Also remove public certs from configs/certs/ (generated at runtime) - Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl - Add scripts/generate-dev-certs.sh for runtime test cert generation - Update Python e2e test to generate certs on demand (ensure_certs()) - Update test_wrong_cert_connection to generate wrong-CA certs at runtime - Add gitleaks secret scanning job to CI workflow - Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12 - Update SECURITY_CONTROLS_MATRIX.md evidence references - Add README.md to configs/certs/ and tests/e2e/certs/ Private keys were dev/test only - no production key rotation needed. Git history purge with filter-repo will follow after PR merge. Co-authored-by: git-echo <git-echo@moon-dragon.us>
2026-06-06 13:20:43 -05:00
parent d0c0790cbf
commit efaac33c47
18 changed files with 256 additions and 85 deletions
--- a/SECURITY_CONTROLS_MATRIX.md
+++ b/SECURITY_CONTROLS_MATRIX.md
@ -41,7 +41,7 @@
 | **SPEC.md Reference** | Lines 132-138 |
 | **Requirement** | Internal self-hosted CA for certificate issuance |
 | **Implementation** | OpenSSL CA infrastructure with 4096-bit RSA keys |
-| **Evidence** | `configs/CA_SETUP.md`, `configs/certs/ca.pem`, `configs/certs/ca.key.pem` |
+| **Evidence** | `configs/CA_SETUP.md`, `scripts/generate-dev-certs.sh` (private keys generated at runtime, not committed) |
 | **Test Result** | ✅ PASS - CA properly signs server and client certificates |
 | **Compliance Status** | ✅ COMPLIANT |

@ -52,7 +52,7 @@
 | **SPEC.md Reference** | Line 136 |
 | **Requirement** | Unique certificate per client (no shared certs) |
 | **Implementation** | Per-client certificate generation with unique CN |
-| **Evidence** | `configs/certs/client001.pem`, `SECURITY.md` line 65 |
+| **Evidence** | `scripts/generate-dev-certs.sh` (certificates generated at runtime, not committed) |
 | **Test Result** | ✅ PASS - Each client has distinct certificate |
 | **Compliance Status** | ✅ COMPLIANT |

@ -63,7 +63,7 @@
 | **SPEC.md Reference** | Line 135 |
 | **Requirement** | 1 year standard certificate expiration |
 | **Implementation** | Certificates generated with `-days 365` parameter |
-| **Evidence** | `configs/certs/` certificate files, `openssl x509 -in cert.pem -noout -dates` |
+| **Evidence** | `scripts/generate-dev-certs.sh` (certificates generated at runtime, not committed) |
 | **Test Result** | ✅ PASS - Expired certificates properly rejected (FUZZ_TEST_REPORT.md Test 3.2) |
 | **Compliance Status** | ✅ COMPLIANT |

@ -137,7 +137,7 @@
 | **SPEC.md Reference** | Lines 86-89 |
 | **Requirement** | Private key permissions 600 (owner read/write only) |
 | **Implementation** | File permissions set during certificate deployment |
-| **Evidence** | `configs/certs/*.key.pem` (chmod 600), `DEPLOYMENT_SECURITY_GUIDE.md` Section 1 |
+| **Evidence** | Private keys generated at runtime with `chmod 600` by `scripts/generate-dev-certs.sh`, not committed to repository |
 | **Test Result** | ✅ PASS - Key files properly protected |
 | **Compliance Status** | ✅ COMPLIANT |