git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

feat(crl): add CRL consumption and custom verifier for mTLS revocation enforcement

Browse Source 
Implements agent-side CRL consumption for mTLS certificate revocation
checking, as specified in issue #20.

Changes:
- NEW: src/auth/crl.rs - CRL loading, parsing, signature verification,
  in-memory revoked serial index (HashSet), 24h background refresh task
- MODIFY: src/auth/mtls.rs - CrlAwareVerifier wrapping WebPkiClientVerifier
  with post-chain CRL serial lookup; fails closed on invalid signature,
  degrades gracefully when CRL is missing
- MODIFY: src/auth/mod.rs - Register crl module, re-export CrlState/CrlStatus
- MODIFY: src/config/loader.rs - Add crl_path field to TlsConfig
- MODIFY: src/main.rs - Load CRL on startup, spawn refresh task, wire
  SharedCrlState into server and health endpoint
- MODIFY: src/api/handlers/system.rs - Add crl_status and crl_age_seconds
  to health check response
- MODIFY: Cargo.toml - Add arc-swap, base64 deps; enable x509-parser
  verify feature for CRL signature verification

Design decisions:
- ArcSwap for lock-free atomic CRL state swaps on the hot path
- O(1) serial lookup via HashSet<String> of hex-encoded serials
- Stale CRL = continue serving + warn + health reports degraded
- Invalid CRL signature = refuse to start (fail-closed)
- Missing CRL = fall back to WebPKI-only (backward compatible)

Companion to PR #26 in linux-patch-manager (manager-side CRL generation)

Refs: #20
This commit is contained in:
git-echo
2026-06-05 13:42:35 -05:00
parent 734b55b292
commit fe9bdce3c1
8 changed files with 650 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Cargo.toml
View File

@ -23,7 +23,7 @@ tokio = { version = "1", features = ["full"] }
rustls = { version = "0.23", features = ["aws_lc_rs"] }
rustls-pemfile = "2"
tokio-rustls = "0.26"
x509-parser = "0.16"
x509-parser = { version = "0.16", features = ["verify"] }
# WebSocket support (actix-web-actors provides WebSocket for Actix-web)
tokio-tungstenite = "0.21"
@ -83,6 +83,12 @@ socket2 = { version = "0.5", features = ["all"] }
# File locking for concurrent-safe whitelist modifications
fs2 = "0.4"
# Atomic swapping for CRL state updates without rebuilding ServerConfig
arc-swap = "1"
# Base64 decoding for PEM CRL parsing
base64 = "0.22"
[dev-dependencies]
actix-rt = "2"
tokio-test = "0.4"