feat: add CRL support in generation and validation #987
Open
Manuthor wants to merge 10 commits into
Conversation
Contributor
Pull request overview
This PR expands PKI support across server, CLI, Web UI, and tests by adding CRL generation + public CRL distribution, strengthening CRL-based validation behavior, and updating related KMIP/TTLV and export paths (including PQC Raw export support).
Changes:
- Add CRL generation (authenticated) and public CRL distribution point endpoint (unauthenticated), plus auto-injection of CDP into issued certificates when `kms_public_url` is set.
- Strengthen certificate validation around CRLs (freshness checks, signature handling) and persist revocation reasons needed for CRL entries; fix TTLV normalization for structured `RevocationReason`.
- Add PQC key export as `KeyFormatType::Raw` (non-FIPS) plus new vectors/tests and related documentation/CORS behavior updates.
Reviewed changes
Copilot reviewed 37 out of 38 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| ui/src/menuItems.tsx | Adds a new “Generate CRL” menu entry under Certificates. |
| ui/src/App.tsx | Registers a new React route for the Generate CRL form. |
| ui/src/actions/Certificates/CertificateGenerateCrl.tsx | New UI form that calls the CRL REST endpoint and downloads DER/PEM. |
| documentation/docs/use_cases/pki.md | Documents CRL generation and clarifies unsupported Delta CRLs. |
| documentation/docs/configuration/tls.md | Adds ANSSI TLS recommendations note. |
| documentation/docs/configuration/server_configuration_file.md | Clarifies CORS defaults and interaction with kms_public_url. |
| crate/test_kms_server/src/vector_runner.rs | Extends vector runner with {{hex:...}}, AllocTempFile, and GenerateCrl steps; adds new vector tests. |
| crate/test_kms_server/src/pqc_export_tests.rs | New non-FIPS PQC export-as-Raw roundtrip tests. |
| crate/test_kms_server/src/lib.rs | Wires in new CRL and PQC export test modules. |
| crate/test_kms_server/src/crl_tests.rs | New integration tests covering CRL generation and CRL-based validation lifecycle. |
| crate/test_kms_server/README.md | Updates vector counts and lists new vectors. |
| crate/test_kms_server/Cargo.toml | Adds deps needed by new tests/vector-runner capabilities. |
| crate/server/src/start_kms_server.rs | Registers CRL routes (authenticated + public) in Actix app/scope. |
| crate/server/src/routes/mod.rs | Adds the new crl routes module. |
| crate/server/src/routes/crl.rs | Implements authenticated CRL generation and public cached CRL serving. |
| crate/server/src/core/operations/validate.rs | Tightens CRL validation handling (freshness checks, signature rules, file:// handling, soft-fail for unreachable CRLs). |
| crate/server/src/core/operations/revoke.rs | Persists revocation reasons/metadata needed for CRL generation. |
| crate/server/src/core/operations/mod.rs | Exposes the new generate_crl operation module. |
| crate/server/src/core/operations/generate_crl.rs | Implements CRL generation, selection of revoked certs, and in-memory caching for public serving. |
| crate/server/src/core/operations/export_get.rs | Adds non-FIPS PQC PKCS#8/SPKI → Raw conversion during export. |
| crate/server/src/core/operations/certify/subject.rs | Adds detection of existing CDP extension to avoid injecting duplicates. |
| crate/server/src/core/operations/certify/certify_op.rs | Passes kms_public_url into certificate building for CDP injection. |
| crate/server/src/core/operations/certify/build_certificate.rs | Injects server CDP extension when appropriate; adds DER length helper. |
| crate/server/src/config/params/server_params.rs | Automatically includes kms_public_url in default CORS allow-list when cors_allowed_origins is unset + adds unit tests. |
| crate/server/documentation/openapi.yaml | Documents new CRL endpoints in OpenAPI. |
| crate/kmip/src/ttlv/normalize.rs | Fixes AttributeValue normalization to preserve structured types; adds regression tests. |
| crate/kmip/src/kmip_0/kmip_types.rs | Adds vendor-extension revocation reason codes required for CRL completeness. |
| crate/crypto/src/openssl/mod.rs | Exposes new OpenSSL CRL module. |
| crate/crypto/src/openssl/crl.rs | New OpenSSL-sys based CRL builder implementation + unit tests. |
| crate/crypto/src/crypto/pqc/mod.rs | Adds PKCS#8/SPKI → Raw extraction helpers + tests for conversion roundtrips. |
| crate/crypto/Cargo.toml | Adds deps needed by new OpenSSL CRL builder module. |
| crate/clients/client/src/kms_rest_client.rs | Adds get_bytes() helper for non-JSON REST responses (DER/PEM). |
| crate/clients/client/src/http_client/login.rs | Fixes OAuth callback server startup race by pre-binding the callback port. |
| crate/clients/clap/src/actions/certificates/mod.rs | Registers new ckms certificates generate-crl command. |
| crate/clients/clap/src/actions/certificates/generate_crl.rs | Implements CLI action calling REST CRL endpoint and writing output file. |
| crate/clients/ckms/src/tests/certificates/certify.rs | Updates test expectations for CDP URL fixture. |
| CHANGELOG/fix_put_kms_public_url_in_allowed_cors_by_default.md | Adds branch-specific changelog entries covering CRL, PQC export, CORS, and related changes. |
| Cargo.lock | Updates lockfile for newly added dependencies. |
Manuthor added a commit that referenced this pull request on Jun 7, 2026
Manuthor added a commit that referenced this pull request on Jun 8, 2026
acfb590 to 8f2ebff
- crl.rs: validate format parameter; reject non-'der'/'pem' values with 400
- crl.rs: fix Last-Modified header to use IMF-fixdate format (RFC 7231)
- validate.rs: fix misleading comment about CRL soft-fail behavior
- build_certificate.rs: encode_der_length now errors on len > 65535 instead of truncating
- generate_crl.rs: use atomic monotonic counter for unique CRL Number per KMIP spec
- attributes/set.rs, modify.rs: improve error message for read-only State attribute
- test_data: update recertify vectors (KMIP 1.4 op); add rekey_deactivated_fails vectors
…otal)
- Update vector count: 332 → 368
- Fix access_control entry: owner_full_access → owner_full_permissions
- Add Serialization category (5 vectors): attributes_preservation, create_locate_roundtrip, create_encrypt_decrypt_roundtrip, import_destroy_reimport, rsa_sign_verify_roundtrip
- Add KMIP Operations: batch_create_get, batch_hash_query
- Add KMIP Operations: recertify_self_signed, recertify_chain, recertify_with_links, recertify_with_offset
- Add KMIP Operations: rekey_with_offset_state, rekey_keypair_with_offset_state
- Add non-FIPS: rekey_keypair_covercrypt
- Add Integrations: fortigate_locate_no_match, fortigate_locate_multi_tunnel, fortigate_locate_many_similar_names
- Add HSM Aggregate: hsm_resident_encrypt, hsm_resident_sign
- Add spec-level Negative vectors (55 new entries across all operations)
Add 7 new tests in crl_tests.rs covering all normative RFC 5280 §5 CRL requirements:
- test_crl_partial_revocation_exact_count: 5 certs, 3 revoked -> count=3
- test_crl_cross_ca_isolation: revoked cert from CA-B absent from CA-A CRL
- test_crl_all_revocation_reason_codes: all 7 RFC 5280 §5.3.1 reason codes
- test_crl_deactivated_and_compromised_states: both KMIP states included
- test_crl_incremental_generation_unique_crls: CRL Number increments each call
- test_crl_validity_period: nextUpdate = thisUpdate + validity_days (1 day tol)
- test_crl_required_extensions_aki_and_number: AKI (2.5.29.35) and CRL Number (2.5.29.20) per RFC 5280 §5.2.1 and §5.2.3

Add x509-parser dep to test_kms_server for DER-level extension inspection.

Ignore RUSTSEC-2026-0173 in deny.toml (proc-macro-error2 unmaintained, transitive via mysql_async, no safe upgrade available).
X509V3_EXT_nconf_nid with 'keyid'/'keyid:always' internally calls EVP_sha1() when the issuer certificate has no subjectKeyIdentifier extension. Under the OpenSSL FIPS provider (FIPS 140-3 boundary) SHA-1 is not approved for new use, so that call fails and CRL generation returns a 500 Internal Server Error.

Replace the X509V3_EXT_nconf_nid call with a manual AKI DER construction:
- If the issuer cert carries a subjectKeyIdentifier extension, reuse its value.
- Otherwise compute SHA-1 of the issuer's SubjectPublicKeyInfo DER using openssl::sha::Sha1 (low-level C API, bypasses the provider mechanism).

Encode the resulting AuthorityKeyIdentifier SEQUENCE directly and attach it via X509_CRL_add_ext.

This fixes test_crl_required_extensions_aki_and_number which was failing on all FIPS DB backends (sqlite/mysql/psql/percona/mariadb) in CI.
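The commit messages above describe a non-truncating DER length helper, a hand-built AuthorityKeyIdentifier extension, and a counter-driven CRL Number; the following dependency-free Rust is an added example of those encodings, not the project's code. It assumes the key identifier bytes are already obtained (copied from the issuer's subjectKeyIdentifier or computed as SHA-1 over its SubjectPublicKeyInfo DER) and does not touch OpenSSL.

```rust
// Added example, not the project's code. Assumes the key identifier bytes are already
// computed (copied from the issuer's SKI, or SHA-1 over its SubjectPublicKeyInfo DER).

/// DER length encoding; errors on len > 65535 instead of truncating.
fn encode_der_length(len: usize) -> Result<Vec<u8>, String> {
    match len {
        0..=0x7f => Ok(vec![len as u8]),
        0x80..=0xff => Ok(vec![0x81, len as u8]),
        0x100..=0xffff => Ok(vec![0x82, (len >> 8) as u8, (len & 0xff) as u8]),
        _ => Err(format!("DER length {len} exceeds 65535")),
    }
}

/// Wrap `content` in a tag-length-value triple with the given tag byte.
fn der_tlv(tag: u8, content: &[u8]) -> Result<Vec<u8>, String> {
    let mut out = vec![tag];
    out.extend(encode_der_length(content.len())?);
    out.extend_from_slice(content);
    Ok(out)
}

/// AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING }
fn aki_value(key_id: &[u8]) -> Result<Vec<u8>, String> {
    if key_id.is_empty() { return Err("empty key identifier".into()); }
    let kid = der_tlv(0x80, key_id)?; // context-specific [0], implicit tagging
    der_tlv(0x30, &kid)
}

/// Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }
/// for id-ce-authorityKeyIdentifier (2.5.29.35); non-critical, so no BOOLEAN.
fn aki_extension(key_id: &[u8]) -> Result<Vec<u8>, String> {
    const OID_AKI: [u8; 3] = [0x55, 0x1d, 0x23]; // 2.5.29.35
    let mut body = der_tlv(0x06, &OID_AKI)?;
    body.extend(der_tlv(0x04, &aki_value(key_id)?)?);
    der_tlv(0x30, &body)
}

/// CRLNumber ::= INTEGER (2.5.29.20) from the monotonic counter: minimal
/// big-endian bytes, with a leading 0x00 when the top bit is set.
fn crl_number_value(counter: u64) -> Result<Vec<u8>, String> {
    let bytes = counter.to_be_bytes();
    let start = bytes.iter().position(|&b| b != 0).unwrap_or(7);
    let mut content = Vec::new();
    if bytes[start] & 0x80 != 0 { content.push(0); }
    content.extend_from_slice(&bytes[start..]);
    der_tlv(0x02, &content)
}
```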
629b34d to 1c7fd8d
No description provided.