feat(pki): add CRL generation, distribution endpoint, and enrollment bundle extension (#26)
All checks were successful
CI Pipeline / Rust Format Check (push) Successful in 6s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Successful in 1m10s
CI Pipeline / Security Audit (push) Successful in 1m26s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped
* feat(pki): add CRL generation, distribution endpoint, and enrollment bundle extension

  Implements manager-side CRL infrastructure for issue #7:

  - Add CertAuthority::generate_crl() using rcgen 0.13
  - Add GET /api/v1/pki/crl.pem public endpoint
  - Extend PkiBundle with ca_chain and crl_pem fields
  - Update enrollment route to include CRL in bundle
  - Mount pki route as public endpoint
  - Add proptest dev-dependency

* style: fix cargo fmt in enrollment.rs

---------

Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
committed by GitHub
parent 80ffb6b62f
commit 5aec9e629c
@ -175,9 +175,33 @@ pub enum EnrollmentStatusResponse {
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PkiBundle {
/// PEM-encoded CA certificate (leaf-most cert in the chain).
/// For root mode, this is the self-signed root CA.
/// For sub-CA mode, this is the intermediate CA cert.
pub ca_crt: String,
/// PEM-encoded full CA certificate chain (concatenated intermediates + root).
/// For root mode, this contains just the root CA cert (same as ca_crt).
/// For sub-CA mode, this contains the intermediate cert followed by the
/// external root cert, enabling the agent to verify the full chain up to
/// the trust anchor.
///
/// This field was added for CRL support (issue #7): the agent needs the
/// full chain to verify CRL signatures that chain up to the root CA.
#[serde(default)]
pub ca_chain: String,
/// PEM-encoded agent server certificate.
pub server_crt: String,
/// PEM-encoded agent server private key (PKCS#8).
pub server_key: String,
/// PEM-encoded Certificate Revocation List (CRL) signed by the CA.
/// The agent uses this to reject revoked client certificates during mTLS
/// handshakes. If CRL generation fails during enrollment, this field will
/// be an empty string and the agent should fall back to WebPKI-only
/// verification (degraded mode).
///
/// Added for CRL support (issue #7).
#[serde(default)]
pub crl_pem: String,
}

/// Time-to-live for approved enrollment PKI bundles (10 minutes).
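Review bot: the empty-string sentinel on `crl_pem` makes a failed CRL generation indistinguishable from a CRL that was never configured, and the documented fallback ("the agent should fall back to WebPKI-only verification (degraded mode)") is fail-open: a revoked client certificate keeps being accepted for as long as an agent runs on that bundle. Consider `pub crl_pem: Option<String>` (keeping `#[serde(default)]` so bundles from older managers deserialize to `None`) together with an explicit manager-side error log or metric when `generate_crl()` fails, so operators can see that agents were enrolled without revocation data; if degraded mode has to stay, the agent should at least log it loudly rather than silently downgrading. The same concern applies to `ca_chain`: under `#[serde(default)]` it also degrades to an empty string, yet the doc comment says the agent needs the full chain to verify CRL signatures, so an empty chain should be rejected as an invalid bundle on the agent side rather than treated as a valid one. Also worth a sentence in the doc comment: `server_key` ships inside the same struct that is cached for the 10-minute bundle TTL noted just below, so the bundle's in-memory lifetime is the private key's exposure window.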