chore: bump version to 1.3.2

* fix: extract DER from PEM-encoded CA cert before CRL signature verification * chore: bump version to 1.3.2 --------- Co-authored-by: git-echo <git-echo@moon-dragon.us> Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
fix: extract DER from PEM-encoded CA cert before CRL signature verification
2026-06-06 08:44:34 -05:00 · 2026-06-06 08:31:20 -05:00 · 2026-06-06 00:45:58 -05:00 · 2026-06-06 00:38:43 -05:00 · 2026-06-05 17:41:04 -05:00
7 changed files with 118 additions and 4 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1931,7 +1931,7 @@ dependencies = [

 [[package]]
 name = "linux-patch-api"
-version = "1.2.0"
+version = "1.3.1"
 dependencies = [
 "actix",
 "actix-rt",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "1.2.0"
+version = "1.3.2"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"
--- a/src/auth/crl.rs
+++ b/src/auth/crl.rs
@ -165,7 +165,16 @@ pub fn load_crl(crl_path: &Path, ca_cert_der: &[u8]) -> CrlState {
    };

    // Verify CRL signature against CA
-    let (_, ca_cert) = match x509_parser::parse_x509_certificate(ca_cert_der) {
+    // Extract DER from PEM if the CA cert is PEM-encoded
+    let ca_der = match extract_pem_cert_der(ca_cert_der) {
+        Some(der) => der,
+        None => {
+            // Not PEM — assume it's already DER
+            ca_cert_der.to_vec()
+        }
+    };
+
+    let (_, ca_cert) = match x509_parser::parse_x509_certificate(&ca_der) {
        Ok(r) => r,
        Err(e) => {
            error!(error = %e, "Failed to parse CA cert for CRL signature verification");
@ -220,6 +229,29 @@ pub fn load_crl(crl_path: &Path, ca_cert_der: &[u8]) -> CrlState {
    }
 }

+/// Extract DER bytes from a PEM-encoded certificate.
+/// Looks for `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers
+/// and base64-decodes the content between them.
+pub fn extract_pem_cert_der(pem_bytes: &[u8]) -> Option<Vec<u8>> {
+    let pem_str = String::from_utf8_lossy(pem_bytes);
+    let begin_marker = "-----BEGIN CERTIFICATE-----";
+    let end_marker = "-----END CERTIFICATE-----";
+
+    let begin_idx = pem_str.find(begin_marker)?;
+    let after_begin = begin_idx + begin_marker.len();
+    let end_idx = pem_str[after_begin..].find(end_marker)?;
+    // Strip all whitespace (including newlines) from the base64 block
+    // before decoding, since PEM format wraps lines at 64 characters.
+    let b64_block: String = pem_str[after_begin..after_begin + end_idx]
+        .split_whitespace()
+        .collect();
+
+    use base64::Engine;
+    base64::engine::general_purpose::STANDARD
+        .decode(&b64_block)
+        .ok()
+}
+
 /// Extract DER bytes from a PEM-encoded CRL.
 /// Looks for `-----BEGIN X509 CRL-----` / `-----END X509 CRL-----` blocks.
 fn extract_pem_crl_der(pem_bytes: &[u8]) -> Option<Vec<u8>> {
@ -688,4 +720,47 @@ mod tests {
            "Invalid CRL should not match any serial"
        );
    }
+
+    #[test]
+    fn test_extract_pem_cert_der_invalid() {
+        // Not PEM
+        assert!(extract_pem_cert_der(b"not pem").is_none());
+        // PEM but wrong type (CRL instead of CERTIFICATE)
+        assert!(
+            extract_pem_cert_der(b"-----BEGIN X509 CRL-----\nAA==\n-----END X509 CRL-----")
+                .is_none()
+        );
+    }
+
+    #[test]
+    fn test_extract_pem_cert_der_valid() {
+        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+        let (_, ca_cert) = generate_test_ca();
+        let cert_pem = ca_cert.pem();
+
+        // Verify PEM extraction succeeds
+        let der = extract_pem_cert_der(cert_pem.as_bytes());
+        assert!(
+            der.is_some(),
+            "PEM extraction should succeed for valid certificate PEM"
+        );
+
+        // Verify the DER can be parsed as an X.509 certificate
+        let der_bytes = der.unwrap();
+        let parsed = x509_parser::parse_x509_certificate(&der_bytes);
+        assert!(
+            parsed.is_ok(),
+            "DER should parse as a valid X.509 certificate"
+        );
+    }
+
+    #[test]
+    fn test_extract_pem_cert_der_rejects_crl_pem() {
+        // CERTIFICATE extraction should reject CRL PEM
+        let crl_pem = "-----BEGIN X509 CRL-----\nAA==\n-----END X509 CRL-----";
+        assert!(
+            extract_pem_cert_der(crl_pem.as_bytes()).is_none(),
+            "CRL PEM should not extract as CERTIFICATE"
+        );
+    }
 }
--- a/src/enroll/client.rs
+++ b/src/enroll/client.rs
@ -38,8 +38,12 @@ pub enum EnrollmentStatusResponse {
    Pending,
    Approved {
        ca_crt: String,
+        #[serde(default)]
+        ca_chain: String,
        server_crt: String,
        server_key: String,
+        #[serde(default)]
+        crl_pem: String,
    },
    Denied,
    NotFound,
@ -49,8 +53,10 @@ pub enum EnrollmentStatusResponse {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PkiBundle {
    pub ca_crt: String,
+    pub ca_chain: String,
    pub server_crt: String,
    pub server_key: String,
+    pub crl_pem: String,
 }

 impl From<EnrollmentStatusResponse> for Option<PkiBundle> {
@ -58,12 +64,16 @@ impl From<EnrollmentStatusResponse> for Option<PkiBundle> {
        match response {
            EnrollmentStatusResponse::Approved {
                ca_crt,
+                ca_chain,
                server_crt,
                server_key,
+                crl_pem,
            } => Some(PkiBundle {
                ca_crt,
+                ca_chain,
                server_crt,
                server_key,
+                crl_pem,
            }),
            _ => None,
        }
@ -451,8 +461,10 @@ impl EnrollmentClient {
                }
                EnrollmentStatusResponse::Approved {
                    ca_crt,
+                    ca_chain,
                    server_crt,
                    server_key,
+                    crl_pem,
                } => {
                    tracing::info!(
                        elapsed_seconds = start.elapsed().as_secs(),
@ -461,8 +473,10 @@ impl EnrollmentClient {
                    );
                    return Ok(PkiBundle {
                        ca_crt,
+                        ca_chain,
                        server_crt,
                        server_key,
+                        crl_pem,
                    });
                }
                EnrollmentStatusResponse::Denied => {
@ -566,8 +580,10 @@ mod tests {
    fn approved_to_pki_bundle() {
        let status = EnrollmentStatusResponse::Approved {
            ca_crt: "ca".into(),
+            ca_chain: String::new(),
            server_crt: "crt".into(),
            server_key: "key".into(),
+            crl_pem: String::new(),
        };
        let bundle: Option<PkiBundle> = status.into();
        assert!(bundle.is_some());
--- a/src/enroll/mod.rs
+++ b/src/enroll/mod.rs
@ -160,8 +160,10 @@ pub async fn run_enrollment(
    // Write certificates to configured paths (or defaults)
    provision::provision_pki_bundle(
        &pki_bundle.ca_crt,
+        &pki_bundle.ca_chain,
        &pki_bundle.server_crt,
        &pki_bundle.server_key,
+        &pki_bundle.crl_pem,
        config.tls_config(),
    )
    .await?;
--- a/src/enroll/provision.rs
+++ b/src/enroll/provision.rs
@ -16,6 +16,8 @@ const DEFAULT_CA_CERT: &str = "/etc/linux_patch_api/certs/ca.pem";
 const DEFAULT_SERVER_CERT: &str = "/etc/linux_patch_api/certs/server.pem";
 /// Default server key path.
 const DEFAULT_SERVER_KEY: &str = "/etc/linux_patch_api/certs/server.key.pem";
+/// Default CRL path.
+const DEFAULT_CRL_PATH: &str = "/etc/linux_patch_api/certs/crl.pem";

 /// Validate that a PEM string has proper format (BEGIN/END markers present).
 ///
@ -128,12 +130,14 @@ pub fn write_pem_file(path: &str, pem_data: &str, is_key: bool) -> Result<()> {

 /// Provision the full PKI bundle from an approved enrollment response.
 ///
-/// Writes CA cert, server cert, and server key to configured paths.
+/// Writes CA cert, CA chain, server cert, server key, and CRL to configured paths.
 /// Paths are read from TLS config if available, otherwise defaults are used.
 pub async fn provision_pki_bundle(
    ca_crt: &str,
+    _ca_chain: &str,
    server_crt: &str,
    server_key: &str,
+    crl_pem: &str,
    tls_config: Option<&super::super::config::loader::TlsConfig>,
 ) -> Result<()> {
    // Determine target paths from config or defaults
@ -173,6 +177,19 @@ pub async fn provision_pki_bundle(

    write_pem_file(&key_path, server_key, true).context("Failed to write server key")?;

+    // Write CRL if provided (non-empty)
+    let crl_path = if let Some(tls) = tls_config {
+        tls.crl_path.clone()
+    } else {
+        DEFAULT_CRL_PATH.to_string()
+    };
+    if !crl_pem.trim().is_empty() {
+        write_pem_file(&crl_path, crl_pem, false).context("Failed to write CRL")?;
+        tracing::info!(path = %crl_path, "CRL written from enrollment bundle");
+    } else {
+        tracing::info!("No CRL in enrollment bundle — agent will fetch on refresh cycle");
+    }
+
    // 3. Log successful provisioning with structured fields
    tracing::info!(
        ca_cert = %ca_path,
--- a/tests/e2e/test_enrollment_e2e.rs
+++ b/tests/e2e/test_enrollment_e2e.rs
@ -178,8 +178,10 @@ async fn test_full_enrollment_flow_happy_path() {
    let tls_config = build_tls_config(cert_dir.path());
    provision::provision_pki_bundle(
        &bundle.ca_crt,
+        &bundle.ca_chain,
        &bundle.server_crt,
        &bundle.server_key,
+        &bundle.crl_pem,
        Some(&tls_config),
    )
    .await
@ -445,8 +447,10 @@ async fn test_certificate_permission_verification() {
    let tls_config = build_tls_config(cert_dir.path());
    provision::provision_pki_bundle(
        &bundle.ca_crt,
+        &bundle.ca_chain,
        &bundle.server_crt,
        &bundle.server_key,
+        &bundle.crl_pem,
        Some(&tls_config),
    )
    .await
Author	SHA1	Message	Date
Draco-Lunaris-Echo	913d7286e1	chore: bump version to 1.3.2 Some checks failed CI/CD Pipeline / Code Format (push) Successful in 3s CI/CD Pipeline / Clippy Lints (push) Successful in 43s CI/CD Pipeline / All Unit Tests (push) Successful in 2m48s CI/CD Pipeline / Security Audit (push) Successful in 7s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m23s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 5s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 59s CI/CD Pipeline / Build Debian Package (push) Failing after 4s CI/CD Pipeline / Build RPM Package (push) Successful in 2m13s CI/CD Pipeline / Build Arch Package (push) Successful in 2m18s CI/CD Pipeline / Build Alpine Package (push) Failing after 2m58s * fix: extract DER from PEM-encoded CA cert before CRL signature verification * chore: bump version to 1.3.2 --------- Co-authored-by: git-echo <git-echo@moon-dragon.us> Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>	2026-06-06 08:44:34 -05:00
Draco-Lunaris-Echo	3c70b15831	fix: extract DER from PEM-encoded CA cert before CRL signature verification Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 08:31:20 -05:00
Draco-Lunaris-Echo	04a16ab862	chore: bump version to 1.3.1 Some checks failed CI/CD Pipeline / Code Format (push) Successful in 1s CI/CD Pipeline / Clippy Lints (push) Successful in 43s CI/CD Pipeline / All Unit Tests (push) Successful in 1m50s CI/CD Pipeline / Security Audit (push) Successful in 7s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m22s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m1s CI/CD Pipeline / Build Debian Package (push) Failing after 3s CI/CD Pipeline / Build Arch Package (push) Successful in 2m16s CI/CD Pipeline / Build RPM Package (push) Successful in 2m9s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m0s Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 00:45:58 -05:00
Draco-Lunaris-Echo	624f9017b3	fix: add ca_chain and crl_pem to enrollment response and persist CRL to disk Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 00:38:43 -05:00
Draco-Lunaris-Echo	70f2666c2e	chore: bump version to 1.3.0 Some checks failed CI/CD Pipeline / Code Format (push) Successful in 4s CI/CD Pipeline / Clippy Lints (push) Successful in 43s CI/CD Pipeline / All Unit Tests (push) Successful in 1m17s CI/CD Pipeline / Security Audit (push) Successful in 6s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m22s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 5s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s CI/CD Pipeline / Build Debian Package (push) Failing after 4s CI/CD Pipeline / Build Arch Package (push) Successful in 2m19s CI/CD Pipeline / Build RPM Package (push) Successful in 2m13s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m2s Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-05 17:41:04 -05:00