From d1df8c4f763331273be29495b32d17bafc22d922 Mon Sep 17 00:00:00 2001
From: Username
Date: Thu, 25 Dec 2025 00:26:23 +0100
Subject: [PATCH] fix: validate algorithm parameter in PKI methods
---
 TODO.md | 2 +-
 app/pki.py | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/TODO.md b/TODO.md
index a639eba..e32802f 100644
--- a/TODO.md
+++ b/TODO.md
@@ -12,11 +12,11 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
 - Webhook notifications for paste events
 - Certificate renewal reminder in CLI
 - Admin endpoint for CA key rotation
-- Shell completions (bash, zsh, fish)
 - Clipboard integration (pbcopy/xclip)
 ## Observations
+- Shell completions already implemented (`fpaste completion --shell bash/zsh/fish`)
 - Mypy type errors fixed: now enforced in CI (was informational)
 - CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks
 - Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
diff --git a/app/pki.py b/app/pki.py
index c3b56be..f7ac53e 100644
--- a/app/pki.py
+++ b/app/pki.py
@@ -310,6 +310,10 @@ class PKI:
 if self.has_ca():
 raise CAExistsError("CA already exists")
+ # Validate algorithm (only EC supported for now)
+ if algorithm != "ec":
+ raise PKIError(f"Unsupported algorithm: {algorithm} (only 'ec' supported)")
+
 # Generate EC key
 curves = {
 "secp256r1": ec.SECP256R1(),
@@ -532,6 +536,10 @@ class PKI:
 if days is None:
 days = self.cert_days
+ # Validate algorithm (only EC supported for now)
+ if algorithm != "ec":
+ raise PKIError(f"Unsupported algorithm: {algorithm} (only 'ec' supported)")
+
 ca_key, ca_cert = self._get_signing_key()
 assert self._ca_store is not None # narrowing for mypy (validated in _get_signing_key)
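Review bot: The same three-line allow-list check is pasted into both `app/pki.py` hunks (`@@ -310` and `@@ -532`), so the set of accepted algorithms now lives in two separate `"ec"` literals that can drift apart when a second algorithm is added. Consider one module-level constant and one shared check called from both methods, e.g. `_SUPPORTED_ALGORITHMS = frozenset({"ec"})` and `if algorithm not in _SUPPORTED_ALGORITHMS: raise PKIError(f"Unsupported algorithm: {algorithm!r} (only 'ec' supported)")`. The `!r` matters if `algorithm` can originate from a request: both hunks interpolate the raw value into the exception text, and whether that text reaches logs or an API response is not visible here. Both method bodies start and end outside the hunks, and the diffstat lists no test file, so the new rejection path appears to be uncovered by a regression test.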