CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m24s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m15s
CI/CD Pipeline / Build Alpine Package (push) Successful in 3m16s
* test: add CRL unit tests and CrlAwareVerifier construction tests (PR 6 of 6)
* fix(ci): rename fmt job to match required status check context
---------
Co-authored-by: git-echo <git-echo@moon-dragon.us>
Implements agent-side CRL consumption for mTLS certificate revocation
checking, as specified in issue #20.
Changes:
- NEW: src/auth/crl.rs - CRL loading, parsing, signature verification,
in-memory revoked serial index (HashSet), 24h background refresh task
- MODIFY: src/auth/mtls.rs - CrlAwareVerifier wrapping WebPkiClientVerifier
with post-chain CRL serial lookup; fails closed on invalid signature,
degrades gracefully when CRL is missing
- MODIFY: src/auth/mod.rs - Register crl module, re-export CrlState/CrlStatus
- MODIFY: src/config/loader.rs - Add crl_path field to TlsConfig
- MODIFY: src/main.rs - Load CRL on startup, spawn refresh task, wire
SharedCrlState into server and health endpoint
- MODIFY: src/api/handlers/system.rs - Add crl_status and crl_age_seconds
to health check response
- MODIFY: Cargo.toml - Add arc-swap, base64 deps; enable x509-parser
verify feature for CRL signature verification
Design decisions:
- ArcSwap for lock-free atomic CRL state swaps on the hot path
- O(1) serial lookup via HashSet<String> of hex-encoded serials
- Stale CRL = continue serving + warn + health reports degraded
- Invalid CRL signature = refuse to start (fail-closed)
- Missing CRL = fall back to WebPKI-only (backward compatible)
Companion to PR #26 in linux-patch-manager (manager-side CRL generation)
Refs: #20
- Fix ServerConfig::builder() to builder_with_provider() for TLS 1.3 enforcement
- Add aws_lc_rs feature to rustls in Cargo.toml
- Fix clippy unnecessary_map_or -> is_some_and in packages/mod.rs
