git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity

fix(security): harden enrollment PKI bundle retrieval (#12)

Browse Source 
- Add single-retrieval semantics: approved PKI bundles are atomically
  removed from the in-memory cache on first retrieval via DashMap::remove(),
  preventing concurrent requests from obtaining the private key
- Add TTL expiry: ApprovedEntry wraps PkiBundle with approved_at and ttl
  fields; bundles expire after ENROLLMENT_BUNDLE_TTL_SECS (600s / 10 min)
- Replace brute-force clear() purge with TTL-based retain() in background
  task, running every 60s instead of every 600s
- Audit tracing calls: confirm no raw polling token is logged; add security
  comment documenting this policy
- Document CSR-based enrollment as future enhancement in both enrollment.rs
  and SECURITY.md, explaining why server-generated keys are used currently
This commit is contained in:
Draco-Lunaris-Echo
2026-06-02 15:16:44 -05:00
committed by GitHub
parent 59df98504c
commit 8873b2c70c
4 changed files with 112 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
SECURITY.md
View File

@ -41,6 +41,28 @@ This project is a security tool — we hold ourselves to a high standard:
- **CI enforcement**: All PRs require passing CI checks (fmt, clippy, test, audit, build)
- **Dependency auditing**: `cargo audit` runs in CI to catch known vulnerabilities
## Enrollment PKI Design Decisions
### Server-Generated Keys vs CSR-Based Enrollment
Currently, the server generates the agent's private key during enrollment approval and
transmits it over the mTLS-secured polling endpoint. This approach was chosen for
initial implementation simplicity — the agent polls a single endpoint and receives a
complete PKI bundle without an extra round-trip.
**Mitigations in place:**
- The PKI bundle is stored in an in-memory cache with single-retrieval semantics —
it can only be fetched once and is atomically removed on retrieval.
- A 10-minute TTL ensures the bundle expires even if never retrieved.
- The raw polling token is never logged; only its SHA-256 hash is stored.
**Future direction:** A CSR-based enrollment flow should replace server-generated keys.
Under that model, the agent generates its own key pair locally and submits a Certificate
Signing Request, eliminating the need for the server to ever hold or transmit the agent's
private key. This significantly reduces the attack surface.
See: [Issue #9](https://github.com/Draco-Lunaris/Linux-Patch-Manager/issues/9)
## Credit
Contributors who responsibly report vulnerabilities will be credited in the corresponding GitHub Security Advisory.