Implements agent-side CRL consumption for mTLS certificate revocation
checking, as specified in issue #20.
Changes:
- NEW: src/auth/crl.rs - CRL loading, parsing, signature verification,
in-memory revoked serial index (HashSet), 24h background refresh task
- MODIFY: src/auth/mtls.rs - CrlAwareVerifier wrapping WebPkiClientVerifier
with post-chain CRL serial lookup; fails closed on invalid signature,
degrades gracefully when CRL is missing
- MODIFY: src/auth/mod.rs - Register crl module, re-export CrlState/CrlStatus
- MODIFY: src/config/loader.rs - Add crl_path field to TlsConfig
- MODIFY: src/main.rs - Load CRL on startup, spawn refresh task, wire
SharedCrlState into server and health endpoint
- MODIFY: src/api/handlers/system.rs - Add crl_status and crl_age_seconds
to health check response
- MODIFY: Cargo.toml - Add arc-swap, base64 deps; enable x509-parser
verify feature for CRL signature verification
Design decisions:
- ArcSwap for lock-free atomic CRL state swaps on the hot path
- O(1) serial lookup via HashSet<String> of hex-encoded serials
- Stale CRL = continue serving + warn + health reports degraded
- Invalid CRL signature = refuse to start (fail-closed)
- Missing CRL = fall back to WebPKI-only (backward compatible)
Companion to PR #26 in linux-patch-manager (manager-side CRL generation)
Refs: #20
- Auto-enrollment on startup when certs are missing/invalid and enrollment.manager_url configured
- Certificate validation (existence, parse, expiry, key match, CA trust)
- --enroll exits after completion (no port conflict with systemd service)
- --renew-certs flag for manual cert renewal
- SO_REUSEADDR on TcpListener::bind (prevents Address already in use)
- Polling token persistence for enrollment resume after restart
- Exit code strategy (0=clean, 1=error, 2=enrollment in progress)
- HTTP 409 (host already exists) handling during enrollment
- Move 'Listening on' log after actual bind
- Increase RestartSec to 10s and add StartLimitBurst=5
- Postinst checks for certs and enrollment URL, prints guidance
- EnrollmentConfig.manager_url changed to Option<String>
- cert_renewal_threshold_days and polling_token config fields
- Updated SPEC.md and DEPLOYMENT_GUIDE.md with new workflow
- RCA document for crash loop root cause analysis
- Version bumped to 1.2.0
- New src/packages/cache.rs module with PackageCacheState, stale detection,
state persistence, 404 retry logic
- Add refresh_package_cache() and last_cache_update() to PackageManagerBackend
trait, implemented on all 5 backends (APT, DNF, YUM, APK, Pacman)
- Health check now reports last_cache_update and cache_status fields,
triggers cache refresh if stale (>4h), returns degraded on failure
- Patch apply jobs now force cache refresh before applying patches,
with 404/fetch error retry (1 retry after cache refresh)
- Cache state persists to /var/lib/linux_patch_api/state/cache.json
- Version bump to 1.1.17
- Update ARCHITECTURE.md and REQUIREMENTS.md (FR-007)
Closes: #2
- Add rustls::crypto::aws_lc_rs::default_provider().install_default()
in main() before any TLS operations to prevent startup panic
- Bump version from 1.1.5 to 1.1.6
- Update debian/changelog with 1.1.6-1 entry
Resolved 22 compilation errors:
- Fixed lib.rs re-exports to use correct submodule paths
- Added missing submodule declarations to module files
- Created stub files for referenced submodules
- Fixed main.rs imports to use lib.rs re-exports
Project now compiles successfully with only 2 expected warnings:
- dead_code warning for jobs field in JobManager
- unused_variable warning for job_manager in main
Both warnings are expected for scaffolding phase.
