diff --git a/README.md b/README.md index 58c98bb..669d56b 100644 --- a/README.md +++ b/README.md @@ -386,7 +386,7 @@ flaskpaste/ │ └── api/ │ ├── __init__.py # Blueprint setup │ └── routes.py # API endpoints -├── tests/ # Test suite (283 tests) +├── tests/ # Test suite (337 tests) ├── data/ # SQLite database ├── run.py # Development server ├── wsgi.py # Production WSGI entry diff --git a/documentation/pki.md b/documentation/pki.md index e09a967..7047a91 100644 --- a/documentation/pki.md +++ b/documentation/pki.md @@ -18,13 +18,14 @@ The PKI system provides: # Download CLI curl -o fpaste https://paste.example.com/client && chmod +x fpaste -# Configure server -./fpaste config server https://paste.example.com +# Configure server (environment or config file) +export FLASKPASTE_SERVER="https://paste.example.com" +# Or: echo "server = https://paste.example.com" >> ~/.config/fpaste/config -# Register (requires PKI password if set on server) +# Register and auto-configure ./fpaste register --configure -# Creates ~/.config/fpaste/{client.key, client.crt} and updates config +# Creates ~/.config/fpaste/{client.key, client.crt, client.p12} and updates config ``` ### 2. Use Authenticated Requests @@ -45,11 +46,12 @@ echo "secret data" | ./fpaste create ### Enable PKI ```bash -# Set PKI password (required for certificate operations) -export FLASKPASTE_PKI_PASSWORD="your-secure-password" +# Enable PKI and set CA password (required for certificate operations) +export FLASKPASTE_PKI_ENABLED=1 +export FLASKPASTE_PKI_CA_PASSWORD="your-secure-password" -# Optional: enable public registration -export FLASKPASTE_REGISTRATION_ENABLED=true +# Optional: set certificate validity period (default: 365 days) +export FLASKPASTE_PKI_CERT_DAYS=365 # Start server python run.py 
@@ -75,12 +77,13 @@ curl -X POST https://paste.example.com/pki/ca \ Output: ``` -PKI Status - CA initialized: yes - CA fingerprint: a1b2c3d4e5f6... - CA expires: 2034-12-25 - Issued certs: 5 - Revoked: 1 +pki enabled: True +ca exists: True +common name: FlaskPaste CA +fingerprint: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 +created: 2024-12-25T10:30:00Z +expires: 2034-12-25T10:30:00Z +download: https://paste.example.com/pki/ca.crt ``` ### Download CA Certificate @@ -100,11 +103,17 @@ PKI Status ./fpaste pki issue -n "alice" -o ./alice-certs/ --configure ``` -### Revoke Certificate (Admin) +### Revoke Certificate (API) + +Certificate revocation is done via the API: ```bash -./fpaste pki status # Get serial number -./fpaste pki revoke +# Get certificate serial from /pki/certs +curl -H "X-SSL-Client-SHA1: " https://paste.example.com/pki/certs + +# Revoke by serial number +curl -X POST -H "X-SSL-Client-SHA1: " \ + https://paste.example.com/pki/revoke/ ``` ## Self-Signed Certificate (Offline) @@ -167,11 +176,11 @@ backend flaskpaste ## Security Considerations -- Store PKI password securely (environment variable, secrets manager) -- Protect CA private key (encrypted with AES-256-GCM) -- Use strong proxy secret for header trust validation -- Revoke compromised certificates promptly -- Monitor audit logs for AUTH_FAILURE events +- Store `FLASKPASTE_PKI_CA_PASSWORD` securely (environment variable, secrets manager) +- CA private key is encrypted with AES-256-GCM using the password +- Use strong `FLASKPASTE_PROXY_SECRET` for header trust validation +- Revoke compromised certificates promptly via the API +- Monitor audit logs for `AUTH_FAILURE` events (revoked/expired certificates) ## API Reference
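Review bot: In the documentation/pki.md quick-start hunk (@@ -18,13 +18,14 @@), the rewritten Register comment drops "(requires PKI password if set on server)" and the last comment now lists client.p12 without saying how that file is protected. Please state whether `./fpaste register --configure` still needs the password, and whether client.key and client.p12 are written with restrictive permissions and a passphrase, since both hold the private key. The suggested `echo "server = https://paste.example.com" >> ~/.config/fpaste/config` also appends on every run and assumes the directory already exists. A note to create the directory first and to edit rather than append would avoid duplicate `server =` lines.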
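Review bot: In the "Enable PKI" hunk (@@ -45,11 +46,12 @@), `FLASKPASTE_PKI_PASSWORD` is renamed to `FLASKPASTE_PKI_CA_PASSWORD` and `FLASKPASTE_REGISTRATION_ENABLED` is removed with no migration note. Operators following the old documentation will still export the old names, so please say whether the old variable is still honored or ignored, and what now controls public registration, given that the quick start above still tells users to run `./fpaste register`. It would also help to state what happens when `FLASKPASTE_PKI_ENABLED=1` is set without a CA password.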
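Review bot: In the status-output hunk (@@ -75,12 +77,13 @@), the new `fingerprint:` line does not name its hash algorithm. The sample value is 40 hex characters, which matches a SHA-1 digest and the `X-SSL-Client-SHA1` header used elsewhere in this file, but the reader has to infer that. Please label the algorithm next to the sample output and say that this is the value to compare against the certificate fetched from the `download:` URL. The sample also no longer shows the issued and revoked counts, so if those were intentionally removed from the CLI, the documentation should point to `/pki/certs` as the replacement.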
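Review bot: In the "Revoke Certificate" hunk (@@ -100,11 +103,17 @@), both curl examples have empty placeholders: the header reads `X-SSL-Client-SHA1: ` with no value and the path ends at `/pki/revoke/` with no serial. If angle-bracket placeholders were intended, they are being lost, so use a form that survives rendering, such as shell variables. Two further points on the same lines: the heading changes from "(Admin)" to "(API)" without saying who is authorized to revoke, and the examples send `X-SSL-Client-SHA1` as a client-supplied header while the Security Considerations list relies on `FLASKPASTE_PROXY_SECRET` for header trust validation. Please state how these requests are authenticated and that the header is only trusted when it comes from the proxy.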
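Review bot: In the "Security Considerations" hunk (@@ -167,11 +176,11 @@), the second bullet changes from an instruction ("Protect CA private key") to a description ("CA private key is encrypted with AES-256-GCM using the password"), which loses the guidance to restrict access to the key file itself. Consider keeping both: the instruction to protect the file, and the description of how it is encrypted, including how the key is derived from `FLASKPASTE_PKI_CA_PASSWORD`, because the strength of that protection depends on the derivation and on the password. The first bullet lists an environment variable as a secure storage option, while the "Enable PKI" example exports the password inline in the shell. A short caveat about shell history and process environment exposure would fit here.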