Add import-cert: register externally-issued certificates in the inventory#115
Open
bootc wants to merge 2 commits into
Open
Add import-cert: register externally-issued certificates in the inventory#115bootc wants to merge 2 commits into
bootc wants to merge 2 commits into
Conversation
…tory
Certificates issued outside this CA's normal Sign/Generate flow (e.g.
migrated from a legacy CA sharing this CA's key) previously had no way
to enter the inventory, so they were invisible to listing, expiry
cleanup, and by-subject revocation even though they were genuinely
signed by this CA.
Adds PUT /certificate/{subject} (admin-only) and the openvox-ca-ctl
import-cert CLI command to import such a certificate: the signature
must verify against this CA's key, the certificate's CN or a DNS SAN
must match the path subject, and CA certificates are rejected. Import
is idempotent on an identical resubmission, rejects a serial already
tracked anywhere in the inventory, and rejects (or evicts, if revoked)
an existing active certificate for the subject.
Also hardens AppendInventory to reject a duplicate serial atomically
on every storage backend (previously only the SQL backend enforced
this via its unique index), closing a race the import feature's
conflict checks otherwise relied on.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
AppendInventory now validates and enforces serial uniqueness on every backend (see previous commit), which correctly rejects the "line 1" / "line 2" placeholder strings this test previously relied on. Switch to well-formed, distinct-serial canonical inventory lines, matching the fix already applied to the equivalent Redis smoke test. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Certificates issued outside this CA's normal
Sign/Generateflow (e.g. migrated from a legacy CA sharing this CA's key) previously had no way to enter the inventory, so they were invisible to listing, expiry cleanup, and by-subject revocation, even though they were genuinely signed by this CA.This adds
PUT /certificate/{subject}(admin-only, sharing its path with the existing publicGET /certificate/{subject}) and anopenvox-ca-ctl import-cert --certname --cert-fileCLI command to import such a certificate:CheckSignatureFrom, so an already-expired legacy certificate is still accepted for record-keeping).{subject}must match the certificate's CN or one of its DNS SANs.IsCA: true) are rejected — useopenvox-ca-ctl importfor CA bundle import instead.409); (3) an existing active certificate for the subject is rejected (409), or evicted if it's revoked.Once imported, the certificate is tracked exactly like a normally-issued one: it shows up in listings, gets cleaned up by the expiry sweep, and can be revoked via the normal
PUT /certificate_status/{subject}(desired_state: "revoked") mechanism.Also hardens
AppendInventoryto reject a duplicate serial atomically on every storage backend — previously only the SQL backend enforced this, via its DB-level unique index; filesystem/etcd/redis backends had no equivalent check at all. This benefits normal certificate issuance too, not just the new import path, and is what the import feature's serial-conflict check ultimately relies on for race-safety (a separate best-effort pre-check exists only to get error precedence right in the common, non-racing case).Co-Authored-By: Claude Sonnet 5 noreply@anthropic.com