chore: bump version to 1.3.2

* fix: extract DER from PEM-encoded CA cert before CRL signature verification

* chore: bump version to 1.3.2

---------

Co-authored-by: git-echo <git-echo@moon-dragon.us>
Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>

Cargo.lock

@@ -1931,7 +1931,7 @@ dependencies = [
 
 [[package]]
 name = "linux-patch-api"
-version = "1.2.0"
+version = "1.3.1"
 dependencies = [
  "actix",
  "actix-rt",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "1.3.0"
+version = "1.3.2"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"

src/auth/crl.rs

@@ -165,7 +165,16 @@ pub fn load_crl(crl_path: &Path, ca_cert_der: &[u8]) -> CrlState {
     };
 
     // Verify CRL signature against CA
-    let (_, ca_cert) = match x509_parser::parse_x509_certificate(ca_cert_der) {
+    // Extract DER from PEM if the CA cert is PEM-encoded
+    let ca_der = match extract_pem_cert_der(ca_cert_der) {
+        Some(der) => der,
+        None => {
+            // Not PEM — assume it's already DER
+            ca_cert_der.to_vec()
+        }
+    };
+
+    let (_, ca_cert) = match x509_parser::parse_x509_certificate(&ca_der) {
         Ok(r) => r,
         Err(e) => {
             error!(error = %e, "Failed to parse CA cert for CRL signature verification");
@@ -220,6 +229,29 @@ pub fn load_crl(crl_path: &Path, ca_cert_der: &[u8]) -> CrlState {
     }
 }
 
+/// Extract DER bytes from a PEM-encoded certificate.
+/// Looks for `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers
+/// and base64-decodes the content between them.
+pub fn extract_pem_cert_der(pem_bytes: &[u8]) -> Option<Vec<u8>> {
+    let pem_str = String::from_utf8_lossy(pem_bytes);
+    let begin_marker = "-----BEGIN CERTIFICATE-----";
+    let end_marker = "-----END CERTIFICATE-----";
+
+    let begin_idx = pem_str.find(begin_marker)?;
+    let after_begin = begin_idx + begin_marker.len();
+    let end_idx = pem_str[after_begin..].find(end_marker)?;
+    // Strip all whitespace (including newlines) from the base64 block
+    // before decoding, since PEM format wraps lines at 64 characters.
+    let b64_block: String = pem_str[after_begin..after_begin + end_idx]
+        .split_whitespace()
+        .collect();
+
+    use base64::Engine;
+    base64::engine::general_purpose::STANDARD
+        .decode(&b64_block)
+        .ok()
+}
+
 /// Extract DER bytes from a PEM-encoded CRL.
 /// Looks for `-----BEGIN X509 CRL-----` / `-----END X509 CRL-----` blocks.
 fn extract_pem_crl_der(pem_bytes: &[u8]) -> Option<Vec<u8>> {
@@ -688,4 +720,47 @@ mod tests {
             "Invalid CRL should not match any serial"
         );
     }
+
+    #[test]
+    fn test_extract_pem_cert_der_invalid() {
+        // Not PEM
+        assert!(extract_pem_cert_der(b"not pem").is_none());
+        // PEM but wrong type (CRL instead of CERTIFICATE)
+        assert!(
+            extract_pem_cert_der(b"-----BEGIN X509 CRL-----\nAA==\n-----END X509 CRL-----")
+                .is_none()
+        );
+    }
+
+    #[test]
+    fn test_extract_pem_cert_der_valid() {
+        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+        let (_, ca_cert) = generate_test_ca();
+        let cert_pem = ca_cert.pem();
+
+        // Verify PEM extraction succeeds
+        let der = extract_pem_cert_der(cert_pem.as_bytes());
+        assert!(
+            der.is_some(),
+            "PEM extraction should succeed for valid certificate PEM"
+        );
+
+        // Verify the DER can be parsed as an X.509 certificate
+        let der_bytes = der.unwrap();
+        let parsed = x509_parser::parse_x509_certificate(&der_bytes);
+        assert!(
+            parsed.is_ok(),
+            "DER should parse as a valid X.509 certificate"
+        );
+    }
+
+    #[test]
+    fn test_extract_pem_cert_der_rejects_crl_pem() {
+        // CERTIFICATE extraction should reject CRL PEM
+        let crl_pem = "-----BEGIN X509 CRL-----\nAA==\n-----END X509 CRL-----";
+        assert!(
+            extract_pem_cert_der(crl_pem.as_bytes()).is_none(),
+            "CRL PEM should not extract as CERTIFICATE"
+        );
+    }
 }

src/enroll/client.rs

@@ -38,8 +38,12 @@ pub enum EnrollmentStatusResponse {
     Pending,
     Approved {
         ca_crt: String,
+        #[serde(default)]
+        ca_chain: String,
         server_crt: String,
         server_key: String,
+        #[serde(default)]
+        crl_pem: String,
     },
     Denied,
     NotFound,
@@ -49,8 +53,10 @@ pub enum EnrollmentStatusResponse {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PkiBundle {
     pub ca_crt: String,
+    pub ca_chain: String,
     pub server_crt: String,
     pub server_key: String,
+    pub crl_pem: String,
 }
 
 impl From<EnrollmentStatusResponse> for Option<PkiBundle> {
@@ -58,12 +64,16 @@ impl From<EnrollmentStatusResponse> for Option<PkiBundle> {
         match response {
             EnrollmentStatusResponse::Approved {
                 ca_crt,
+                ca_chain,
                 server_crt,
                 server_key,
+                crl_pem,
             } => Some(PkiBundle {
                 ca_crt,
+                ca_chain,
                 server_crt,
                 server_key,
+                crl_pem,
             }),
             _ => None,
         }
@@ -451,8 +461,10 @@ impl EnrollmentClient {
                 }
                 EnrollmentStatusResponse::Approved {
                     ca_crt,
+                    ca_chain,
                     server_crt,
                     server_key,
+                    crl_pem,
                 } => {
                     tracing::info!(
                         elapsed_seconds = start.elapsed().as_secs(),
@@ -461,8 +473,10 @@ impl EnrollmentClient {
                     );
                     return Ok(PkiBundle {
                         ca_crt,
+                        ca_chain,
                         server_crt,
                         server_key,
+                        crl_pem,
                     });
                 }
                 EnrollmentStatusResponse::Denied => {
@@ -566,8 +580,10 @@ mod tests {
     fn approved_to_pki_bundle() {
         let status = EnrollmentStatusResponse::Approved {
             ca_crt: "ca".into(),
+            ca_chain: String::new(),
             server_crt: "crt".into(),
             server_key: "key".into(),
+            crl_pem: String::new(),
         };
         let bundle: Option<PkiBundle> = status.into();
         assert!(bundle.is_some());

src/enroll/mod.rs

@@ -160,8 +160,10 @@ pub async fn run_enrollment(
     // Write certificates to configured paths (or defaults)
     provision::provision_pki_bundle(
         &pki_bundle.ca_crt,
+        &pki_bundle.ca_chain,
         &pki_bundle.server_crt,
         &pki_bundle.server_key,
+        &pki_bundle.crl_pem,
         config.tls_config(),
     )
     .await?;

src/enroll/provision.rs

@@ -16,6 +16,8 @@ const DEFAULT_CA_CERT: &str = "/etc/linux_patch_api/certs/ca.pem";
 const DEFAULT_SERVER_CERT: &str = "/etc/linux_patch_api/certs/server.pem";
 /// Default server key path.
 const DEFAULT_SERVER_KEY: &str = "/etc/linux_patch_api/certs/server.key.pem";
+/// Default CRL path.
+const DEFAULT_CRL_PATH: &str = "/etc/linux_patch_api/certs/crl.pem";
 
 /// Validate that a PEM string has proper format (BEGIN/END markers present).
 ///
@@ -128,12 +130,14 @@ pub fn write_pem_file(path: &str, pem_data: &str, is_key: bool) -> Result<()> {
 
 /// Provision the full PKI bundle from an approved enrollment response.
 ///
-/// Writes CA cert, server cert, and server key to configured paths.
+/// Writes CA cert, CA chain, server cert, server key, and CRL to configured paths.
 /// Paths are read from TLS config if available, otherwise defaults are used.
 pub async fn provision_pki_bundle(
     ca_crt: &str,
+    _ca_chain: &str,
     server_crt: &str,
     server_key: &str,
+    crl_pem: &str,
     tls_config: Option<&super::super::config::loader::TlsConfig>,
 ) -> Result<()> {
     // Determine target paths from config or defaults
@@ -173,6 +177,19 @@ pub async fn provision_pki_bundle(
 
     write_pem_file(&key_path, server_key, true).context("Failed to write server key")?;
 
+    // Write CRL if provided (non-empty)
+    let crl_path = if let Some(tls) = tls_config {
+        tls.crl_path.clone()
+    } else {
+        DEFAULT_CRL_PATH.to_string()
+    };
+    if !crl_pem.trim().is_empty() {
+        write_pem_file(&crl_path, crl_pem, false).context("Failed to write CRL")?;
+        tracing::info!(path = %crl_path, "CRL written from enrollment bundle");
+    } else {
+        tracing::info!("No CRL in enrollment bundle — agent will fetch on refresh cycle");
+    }
+
     // 3. Log successful provisioning with structured fields
     tracing::info!(
         ca_cert = %ca_path,

tests/e2e/test_enrollment_e2e.rs

@@ -178,8 +178,10 @@ async fn test_full_enrollment_flow_happy_path() {
     let tls_config = build_tls_config(cert_dir.path());
     provision::provision_pki_bundle(
         &bundle.ca_crt,
+        &bundle.ca_chain,
         &bundle.server_crt,
         &bundle.server_key,
+        &bundle.crl_pem,
         Some(&tls_config),
     )
     .await
@@ -445,8 +447,10 @@ async fn test_certificate_permission_verification() {
     let tls_config = build_tls_config(cert_dir.path());
     provision::provision_pki_bundle(
         &bundle.ca_crt,
+        &bundle.ca_chain,
         &bundle.server_crt,
         &bundle.server_key,
+        &bundle.crl_pem,
         Some(&tls_config),
     )
     .await