Commit 3ec60b5
refactor: harden security, fix bugs, and improve architecture
Security:
- Change private key file permissions from 0644 to 0600
- Add domain name validation to prevent path traversal attacks
- Fix RSA private key JSON serialization with PEM-based round-trip
- Use explicit file permissions in saveCertificateChain
Bug fixes:
- AddCustomCert now stores file paths in CertFile/KeyFile, not PEM content
- Parse real certificate expiry from x509 instead of hardcoded 88d/1y
- HTTPHandler now respects Staging flag for ACME directory URL
Architecture:
- Add context.Context support to IssueCert and internal ACME calls
- Add in-memory certificate cache in GetCert with InvalidateCertCache
- Replace log.Printf with optional Logger interface
- Use client.WaitAuthorization instead of manual polling loop
Tests:
- Add domain validation, RSA key round-trip, and file permission tests
- Update AddCustomCert test to use real self-signed certificate
1 parent 7032538 commit 3ec60b5
3 files changed
Lines changed: 371 additions & 103 deletions
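The first two Security items in the commit message, as an added example that is not the project's own code: a domain name is validated before it is used as a file name, and the key file ends up at 0600 even when an older 0644 file already exists. The names `validateDomain` and `saveKey`, the `<baseDir>/<domain>.key` layout, and the decision to reject wildcard names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// domainRE accepts dot-separated DNS labels only, so "/", "\", ".." and NUL can never match.
var domainRE = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// validateDomain (hypothetical helper) checks that domain is a plain hostname.
func validateDomain(domain string) error {
	if d := strings.ToLower(domain); len(d) > 253 || !domainRE.MatchString(d) {
		return fmt.Errorf("invalid domain name %q", domain)
	}
	return nil
}

// saveKey (hypothetical helper) writes keyPEM to <baseDir>/<domain>.key, owner-only.
func saveKey(baseDir, domain string, keyPEM []byte) (string, error) {
	if err := validateDomain(domain); err != nil {
		return "", err
	}
	path := filepath.Join(baseDir, strings.ToLower(domain)+".key")
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return "", err
	}
	// The mode given to OpenFile applies only when the file is created;
	// Chmod tightens a key file that an earlier version left at 0644.
	err = f.Chmod(0o600)
	if err == nil {
		_, err = f.Write(keyPEM)
	}
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	return path, err
}

func main() {
	dir, _ := os.MkdirTemp("", "certs") // constructed demo directory
	defer os.RemoveAll(dir)
	fmt.Println(saveKey(dir, "example.com", []byte("constructed key")))
	fmt.Println(saveKey(dir, "../outside", []byte("constructed key")))
}
```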