fix: remove committed private keys and add runtime cert generation (closes #12)

- Remove all private key files from git tracking (git rm --cached) - configs/certs/ca.key.pem, server.key.pem, client001.key.pem - tests/e2e/certs/client.key - Also remove public certs from configs/certs/ (generated at runtime) - Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl - Add scripts/generate-dev-certs.sh for runtime test cert generation - Update Python e2e test to generate certs on demand (ensure_certs()) - Update test_wrong_cert_connection to generate wrong-CA certs at runtime - Add gitleaks secret scanning job to CI workflow - Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12 - Update SECURITY_CONTROLS_MATRIX.md evidence references - Add README.md to configs/certs/ and tests/e2e/certs/ Private keys were dev/test only - no production key rotation needed. Git history purge with filter-repo will follow after PR merge. Co-authored-by: git-echo <git-echo@moon-dragon.us>
2026-06-06 13:20:43 -05:00
parent d0c0790cbf
commit efaac33c47
18 changed files with 256 additions and 85 deletions
--- a/scripts/generate-dev-certs.sh
+++ b/scripts/generate-dev-certs.sh
@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# Generate development/test certificates for Linux Patch API.
+#
+# This script creates a self-signed CA, server certificate, and client
+# certificate suitable for local development and testing.  It is NOT
+# intended for production use.
+#
+# Usage:
+#   ./scripts/generate-dev-certs.sh [OUTPUT_DIR]
+#
+# If OUTPUT_DIR is omitted, certificates are written to configs/certs/
+# relative to the repository root.  The e2e Python test certs are also
+# regenerated under tests/e2e/certs/.
+#
+# Private keys (*.key, *.key.pem) are excluded from git via .gitignore
+# and must NEVER be committed to version control.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+OUTPUT_DIR="${1:-$REPO_ROOT/configs/certs}"
+E2E_DIR="$REPO_ROOT/tests/e2e/certs"
+
+DAYS_CA=3650
+DAYS_CERT=365
+
+echo "Generating development certificates..."
+echo "  Output dir: $OUTPUT_DIR"
+echo "  E2E dir:    $E2E_DIR"
+
+mkdir -p "$OUTPUT_DIR"
+mkdir -p "$E2E_DIR"
+
+# CA
+echo "[1/6] Generating CA key and certificate..."
+openssl genrsa -out "$OUTPUT_DIR/ca.key.pem" 4096 2>/dev/null
+chmod 600 "$OUTPUT_DIR/ca.key.pem"
+openssl req -x509 -new -nodes -key "$OUTPUT_DIR/ca.key.pem" -sha256 -days "$DAYS_CA" -out "$OUTPUT_DIR/ca.pem" -subj "/CN=LinuxPatchAPI Dev CA/O=Internal/C=US"
+
+# Server certificate
+echo "[2/6] Generating server key and certificate..."
+openssl genrsa -out "$OUTPUT_DIR/server.key.pem" 2048 2>/dev/null
+chmod 600 "$OUTPUT_DIR/server.key.pem"
+openssl req -new -key "$OUTPUT_DIR/server.key.pem" -out "$OUTPUT_DIR/server.csr.pem" -subj "/CN=localhost/O=Internal/C=US"
+openssl x509 -req -in "$OUTPUT_DIR/server.csr.pem" -CA "$OUTPUT_DIR/ca.pem" -CAkey "$OUTPUT_DIR/ca.key.pem" -CAcreateserial -out "$OUTPUT_DIR/server.pem" -days "$DAYS_CERT" -sha256
+
+# Client certificate
+echo "[3/6] Generating client key and certificate..."
+openssl genrsa -out "$OUTPUT_DIR/client001.key.pem" 2048 2>/dev/null
+chmod 600 "$OUTPUT_DIR/client001.key.pem"
+openssl req -new -key "$OUTPUT_DIR/client001.key.pem" -out "$OUTPUT_DIR/client001.csr.pem" -subj "/CN=client001/O=Internal/C=US"
+openssl x509 -req -in "$OUTPUT_DIR/client001.csr.pem" -CA "$OUTPUT_DIR/ca.pem" -CAkey "$OUTPUT_DIR/ca.key.pem" -CAcreateserial -out "$OUTPUT_DIR/client001.pem" -days "$DAYS_CERT" -sha256
+
+# E2E test certificates
+echo "[4/6] Generating e2e test CA certificate..."
+cp "$OUTPUT_DIR/ca.pem" "$E2E_DIR/ca.crt"
+
+echo "[5/6] Generating e2e test client certificate..."
+openssl genrsa -out "$E2E_DIR/client.key" 2048 2>/dev/null
+chmod 600 "$E2E_DIR/client.key"
+openssl req -new -key "$E2E_DIR/client.key" -out "$E2E_DIR/client.csr" -subj "/CN=e2e-test-client/O=Internal/C=US"
+openssl x509 -req -in "$E2E_DIR/client.csr" -CA "$OUTPUT_DIR/ca.pem" -CAkey "$OUTPUT_DIR/ca.key.pem" -CAcreateserial -out "$E2E_DIR/client.crt" -days "$DAYS_CERT" -sha256
+
+# Cleanup CSR files
+echo "[6/6] Cleaning up CSR files..."
+rm -f "$OUTPUT_DIR/server.csr.pem" "$OUTPUT_DIR/client001.csr.pem" "$E2E_DIR/client.csr"
+
+echo
+echo "Development certificates generated successfully."
+echo "  CA cert:         $OUTPUT_DIR/ca.pem"
+echo "  Server cert:     $OUTPUT_DIR/server.pem"
+echo "  Server key:      $OUTPUT_DIR/server.key.pem"
+echo "  Client cert:     $OUTPUT_DIR/client001.pem"
+echo "  Client key:      $OUTPUT_DIR/client001.key.pem"
+echo "  E2E CA cert:     $E2E_DIR/ca.crt"
+echo "  E2E client cert: $E2E_DIR/client.crt"
+echo "  E2E client key:  $E2E_DIR/client.key"
+echo
+echo "⚠  WARNING: These are development-only certificates. Do NOT use in production."
+echo "⚠  Private keys (*.key, *.key.pem) are excluded from git via .gitignore."