Module issuance

Cert issuance for /v1/enroll and /v1/agent/renew.

Structs§

FileCaSigner
File-backed CA signer (current default; agenix-encrypted PEM on disk).
TpmCaSigner
TPM-backed CA. Holds uncompressed SEC1 P-256 pubkey (0x04 || X || Y, 65 bytes - rcgen’s ECDSA shape) + the tpm-sign-<keyname> wrapper path. Issuer cert is self-signed via TPM once at construction; the real CA signature (by the offline fleet root) lives on disk and rcgen never reads it (only DN + pubkey), so the re-self-sign is sound.
TpmRemoteSigner 🔒
Shells out to the keyslot’s tpm-sign-<keyname> (file in, raw R||S out); der_encode_ecdsa_p256_sig rewraps to the DER form rcgen expects.
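
The R||S to DER rewrap that TpmRemoteSigner performs, as an added example (not this crate's code). It assumes a 64-byte input from the tpm-sign wrapper and std-only Rust; the zero-r/zero-s rejection is an extra fail-closed check this example adds, not something the page states the module does.

```rust
/// Big-endian unsigned magnitude -> DER INTEGER (tag 0x02, short-form length).
/// Leading zero bytes are stripped; if the first remaining byte has its top
/// bit set, a 0x00 is prepended so the value is not read as negative. An
/// all-zero input encodes as 02 01 00. P-256 inputs are at most 32 bytes, so
/// the body is never longer than 33 bytes and short-form length suffices.
pub fn der_encode_int(be: &[u8]) -> Vec<u8> {
    let start = be.iter().position(|&b| b != 0).unwrap_or(be.len());
    let mag = &be[start..];
    let mut body = Vec::with_capacity(mag.len() + 1);
    if mag.is_empty() || mag[0] & 0x80 != 0 {
        body.push(0x00);
    }
    body.extend_from_slice(mag);
    let mut out = Vec::with_capacity(2 + body.len());
    out.push(0x02);
    out.push(body.len() as u8);
    out.extend_from_slice(&body);
    out
}

/// Raw R || S (64 bytes) -> DER Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }.
/// Wrong lengths and a zero r or s (never a valid ECDSA signature) are
/// rejected here (added check), so a misbehaving wrapper fails closed instead
/// of yielding a DER blob that gets embedded and then refused by every verifier.
pub fn der_encode_ecdsa_p256_sig(raw: &[u8]) -> Result<Vec<u8>, String> {
    if raw.len() != 64 {
        return Err(format!("expected 64-byte R||S, got {} bytes", raw.len()));
    }
    let (r, s) = raw.split_at(32);
    if r.iter().all(|&b| b == 0) || s.iter().all(|&b| b == 0) {
        return Err("r or s is zero; not a valid ECDSA signature".into());
    }
    let r_der = der_encode_int(r);
    let s_der = der_encode_int(s);
    let len = r_der.len() + s_der.len(); // at most 35 + 35 = 70 < 128
    let mut out = Vec::with_capacity(2 + len);
    out.push(0x30);
    out.push(len as u8);
    out.extend_from_slice(&r_der);
    out.extend_from_slice(&s_der);
    Ok(out)
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    // Constructed raw signature (not real TPM output): r has its top bit set,
    // s has a leading zero byte, so both DER INTEGER edge cases are exercised.
    let mut raw = [0u8; 64];
    raw[0] = 0x80;
    raw[33] = 0x01;
    let der = der_encode_ecdsa_p256_sig(&raw).expect("valid R||S");
    println!("{}", hex(&der));
}
```

With that input the r INTEGER is 33 bytes (00 80 ...) and the s INTEGER is 31 bytes (01 ...), so the SEQUENCE length byte is 0x44 and the whole signature is 70 bytes; a raw 64-byte blob is exactly what rcgen's `RemoteKeyPair::sign` must not return.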

Enums§

AuditContext
TrustVerifyError
Stage-typed error so axum handlers map each phase to the right StatusCode.

Constants§

AGENT_CERT_VALIDITY
30 days; agents self-pace renewal at 50% via /v1/agent/renew.
DEFAULT_AGENT_CN_SUFFIX
Example suffix for canonical agent CNs (agent-<machineId>.<suffix>). Used as a stand-in by ServerState::default() / ServeFlags::default() in tests; NOT a production fallback. Production gets the suffix from --agent-cn-suffix via clap, which is a required argument with no default - the binary refuses to start if it’s unset.
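
The canonical agent CN shape agent-<machineId>.<suffix> and its idempotent inverse, as an added example (not this crate's canonical_agent_cn / extract_machine_id). It assumes a systemd-style 32-hex-char machine id and the example suffix `agents.example.internal`; neither is fixed by the page. The id alphabet is what makes the extraction a true fixed point: an id that contained `-` or `.` could itself look like a wrapped CN, and a second unwrap would change it.

```rust
/// Assumed machine-id format: 32 lowercase hex chars (systemd /etc/machine-id).
pub fn is_valid_machine_id(id: &str) -> bool {
    id.len() == 32 && id.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
}

/// Canonical CN agent-<machineId>.<suffix>. None for a malformed id so a CN
/// can never be built around attacker-shaped input.
pub fn canonical_agent_cn(machine_id: &str, suffix: &str) -> Option<String> {
    if !is_valid_machine_id(machine_id) || suffix.is_empty() {
        return None;
    }
    Some(format!("agent-{}.{}", machine_id, suffix))
}

/// Idempotent: a bare valid id passes through; the canonical wrapper for
/// *this* suffix is stripped. Anything else (wrong suffix, malformed id,
/// extra components) is rejected rather than partially unwrapped.
pub fn extract_machine_id(cn: &str, suffix: &str) -> Option<String> {
    if is_valid_machine_id(cn) {
        return Some(cn.to_string());
    }
    let dot_suffix = format!(".{}", suffix);
    let inner = cn
        .strip_prefix("agent-")?
        .strip_suffix(dot_suffix.as_str())?;
    if is_valid_machine_id(inner) {
        Some(inner.to_string())
    } else {
        None
    }
}

fn main() {
    // Constructed values for illustration only.
    let suffix = "agents.example.internal";
    let id = "0123456789abcdef0123456789abcdef";
    let cn = canonical_agent_cn(id, suffix).expect("valid id");
    println!("cn = {}", cn);
    println!("extract(cn) = {:?}", extract_machine_id(&cn, suffix));
    println!("extract(id) = {:?}", extract_machine_id(id, suffix));
    // A CN carrying a different suffix is refused, not half-unwrapped.
    println!(
        "extract(other suffix) = {:?}",
        extract_machine_id("agent-0123456789abcdef0123456789abcdef.other.example", suffix)
    );
}
```

Extraction here only establishes the claimed identity; binding it to something the fleet actually declared is validate_csr_against_fleet_host's job.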

Traits§

CaSigner
CA signer abstraction over file-backed + TPM-backed paths. issuer() caches the cert at construction; make_key_pair() produces a fresh signer per issuance so operator key rotations apply without restart.

Functions§

audit_log
Best-effort append; write failure warns but doesn’t fail issuance.
build_signer_from_args
Builds a CaSigner from a flag triple. TPM (pub_raw + wrapper) wins over file (fleet_ca_key); both absent -> None (enroll/renew will 500).
canonical_agent_cn
Build the canonical CN for an agent cert: agent-<machineId>.<suffix>.
der_encode_ecdsa_p256_sig 🔒
Convert raw R || S (64 bytes for P-256) to DER Ecdsa-Sig-Value SEQUENCE { r INTEGER, s INTEGER } - what rcgen expects from a RemoteKeyPair::sign for ECDSA P-256.
der_encode_int 🔒
Big-endian unsigned int -> DER INTEGER. Strips leading zeros + pads if MSB set.
extract_machine_id
Idempotent: passes through bare CNs unchanged, strips canonical wrapper.
extract_private_key_pem_block
Extract the first private-key PEM block. Strips OpenSSL preambles (EC PARAMETERS) that rcgen’s KeyPair::from_pem can’t read.
fingerprint
Base64(SHA-256(bytes)).
invoke_tpm_sign 🔒
Write msg to a tempfile, invoke the tpm-sign wrapper, return stdout.
issue_cert
Issues an agent cert: clientAuth EKU + canonical CN agent-<machineId>.<suffix>
validate_csr_against_fleet_host
Bind agent identity to the host’s declared SSH host pubkey. Fail-closed: no pubkey in fleet.nix ⇒ enrollment refused (declarative-enrollment policy, no permissive fallback).
validate_token_claims
Validates expiry, hostname-vs-CN, and pubkey fingerprint; caller verifies signature/replay.
verify_bootstrap_token_against_trust
Re-reads trust.json per call (key rotations apply without restart). ed25519-only. now enables the successor overlap window.
verify_token_signature
Cryptographic signature only; caller handles replay/hostname/fingerprint/expiry.
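
The preamble-stripping that extract_private_key_pem_block describes, as an added example (not this crate's implementation). It assumes the BEGIN labels rcgen's KeyPair::from_pem can consume are PKCS#8, SEC1 EC and PKCS#1 RSA (encrypted PKCS#8 is deliberately not accepted), and it treats a BEGIN with no matching END as an error rather than returning a partial key. The sample PEM is constructed: the EC PARAMETERS body is the public prime256v1 OID, and the key body is just base64 text, not a real key.

```rust
/// PEM labels treated as a usable private key (assumption for this example).
const PRIVATE_KEY_LABELS: &[&str] = &["PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"];

/// Constructed input: the `openssl ecparam -genkey` layout with an
/// EC PARAMETERS block ahead of the key. The key body is not a real key.
pub const SAMPLE_PEM: &str = "\
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END EC PRIVATE KEY-----
";

/// Return the first private-key PEM block, BEGIN through END line inclusive,
/// with every line trimmed and blank lines dropped. Blocks with other labels
/// (EC PARAMETERS, CERTIFICATE, ...) are skipped. A BEGIN without its END
/// returns None: a truncated key is an error, not a key.
pub fn extract_private_key_pem_block(pem: &str) -> Option<String> {
    let mut lines = pem.lines().map(str::trim);
    while let Some(line) = lines.next() {
        let label = match line
            .strip_prefix("-----BEGIN ")
            .and_then(|rest| rest.strip_suffix("-----"))
        {
            Some(label) => label,
            None => continue,
        };
        if !PRIVATE_KEY_LABELS.contains(&label) {
            continue; // not a key block; its body lines fall through the scan
        }
        let end = format!("-----END {}-----", label);
        let mut block = String::from(line);
        block.push('\n');
        for inner in lines.by_ref() {
            if inner.is_empty() {
                continue;
            }
            block.push_str(inner);
            block.push('\n');
            if inner == end {
                return Some(block);
            }
        }
        return None; // EOF inside the block
    }
    None
}

fn main() {
    match extract_private_key_pem_block(SAMPLE_PEM) {
        Some(block) => print!("{}", block),
        None => eprintln!("no usable private key block"),
    }
}
```

The returned block is what would be handed to the PEM parser; the caller still owns the secret's lifetime (zeroizing the buffer after use is outside what this example covers).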