feat(pki): add CRL generation, distribution endpoint, and enrollment bundle extension (#26)

* feat(pki): add CRL generation, distribution endpoint, and enrollment bundle extension Implements manager-side CRL infrastructure for issue #7: - Add CertAuthority::generate_crl() using rcgen 0.13 - Add GET /api/v1/pki/crl.pem public endpoint - Extend PkiBundle with ca_chain and crl_pem fields - Update enrollment route to include CRL in bundle - Mount pki route as public endpoint - Add proptest dev-dependency * style: fix cargo fmt in enrollment.rs --------- Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
2026-06-05 12:54:14 -05:00
parent 80ffb6b62f
commit 5aec9e629c
11 changed files with 871 additions and 4 deletions
--- a/crates/pm-web/src/routes/enrollment.rs
+++ b/crates/pm-web/src/routes/enrollment.rs
@ -303,10 +303,17 @@ async fn approve_enrollment(
    // server memory beyond the signing operation.
    //
    // See: https://github.com/Draco-Lunaris/Linux-Patch-Manager/issues/9
+    //
+    // Include the full CA chain (for root mode, same as ca_crt; for sub-CA,
+    // includes intermediate + root) and the current CRL.
+    let ca_chain = issued.ca_root_pem.clone(); // Root mode: chain is just the root cert
+    let crl_pem = state.ca.generate_crl(&state.db).await.unwrap_or_default(); // Empty string on failure: agent falls back to WebPKI-only
    let pki = PkiBundle {
        ca_crt: issued.ca_root_pem,
+        ca_chain,
        server_crt: issued.server_cert_pem,
        server_key: issued.server_key_pem,
+        crl_pem,
    };
    state.approved_enrollments.insert(
        enrollment_request.polling_token.clone(),