Conversation
* fix: harden parsing and issuer/key selection correctness
* docs(changelog): reference PR for unreleased parsing fixes
* fix: prevent parser fallback and JKS identity regressions
* fix(inspect): preserve valid keys when PEM bundle has malformed blocks
* fix: address remaining PR 107 review feedback
* fix(jks): surface skipped-entry reasons in debug logs
* fix(scan): keep traversal bounded and restore export summaries
* fix(scan): fail fast on walker processing errors
* fix(scan): use typed max-size errors in read paths
* fix(scan): reject invalid export formats consistently
* fix(scan): keep export destination off stdout
* …timeout (#108)
* fix(network): harden revocation fetch SSRF checks and connect timeout defaults
* fix(network): propagate SSRF validation deadlines and unblock inspect AIA opt-in
* fix(bundle): restore private-network opt-in for AIA chain fetches
* fix(network): address remaining PR feedback for inspect AIA handling
* fix(wasm): keep AIA resolution working without DNS lookups
Review loop pass started for this PR. I’m actively monitoring and will address incoming review feedback quickly, including code updates and follow-up replies in-thread.
Pull request overview
Merges develop into main, bringing in the latest hardened parsing/ingestion, SSRF protections, CLI/JSON normalization, and related test/Docs/Changelog updates across the Go library, CLI, WASM build, and web proxy/UI.
Changes:
- Harden network fetch + SSRF validation (AIA/OCSP/CRL) with explicit --allow-private-network opt-in across CLI/WASM/web.
- Improve container/parsing behavior (malformed PEM tolerance, DER private key handling, JKS key-entry alias/chain pairing) and add targeted regression tests.
- Normalize CLI outputs/semantics (JSON schema keys, export password requirements, scan text summaries) and update docs/changelog accordingly.
Reviewed changes
Copilot reviewed 61 out of 61 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| web/public/index.html | Add private-network opt-in checkboxes in scan/inspect UI |
| web/public/app.js | Add AIA fetch timeout handling + export retry UX + pass allow-private flag into WASM |
| web/functions/api/fetch.ts | Add upstream timeout/abort handling and cleanup in AIA proxy |
| web/functions/api/fetch.test.ts | Add tests for upstream abort/timeout behaviors |
| sign.go | Add CA cert/key mismatch validation during CSR signing |
| sign_test.go | Add test coverage for CA cert/key mismatch behavior |
| ocsp.go | Thread allow-private-network option through OCSP validation/redirect handling |
| ocsp_test.go | Update tests for new allow-private behavior + blocked-by-default case |
| jks.go | Add DecodeJKSKeyEntries preserving alias/key/chain pairing + debug logs |
| jks_test.go | Add tests asserting alias/chain pairing preservation |
| internal/verify.go | Add allow-private flag; rename diagnoses→diagnostics; adjust status semantics |
| internal/verify_test.go | Update diagnoses expectations + add JSON schema regression test |
| internal/testhelpers_test.go | Add symlink creation helper for portable tests |
| internal/scanwalk.go | Introduce bounded scan walker with symlink/root boundary enforcement |
| internal/scanwalk_test.go | Add walker tests (symlink boundary, size checks, error propagation) |
| internal/io.go | Introduce sentinel size-limit errors + exported ReadFileLimited |
| internal/io_test.go | Update tests to assert stable wrapped size-limit errors |
| internal/inspect.go | Harden PEM/DER inspection (malformed blocks, DER key parsing) + AIA options |
| internal/inspect_test.go | Add tests for malformed+valid PEM mixes and DER key inputs |
| internal/format.go | Add shared scan text summary formatter |
| internal/format_test.go | Add tests for scan text summary formatting |
| internal/exporter_test.go | Ensure YAML bundle outputs are treated as sensitive |
| internal/certstore/memstore.go | Adjust missing-AKI identity dedup to include issuer+serial behavior |
| internal/certstore/memstore_test.go | Add tests for missing-AKI issuer identity dedup behavior |
| internal/certstore/sqlite.go | Persist missing-AKI authority identity to avoid cross-issuer collisions |
| internal/certstore/sqlite_test.go | Add SQLite round-trip test for missing-AKI identity preservation |
| internal/certstore/export.go | Require explicit PKCS#12 password; mark .yaml outputs sensitive |
| internal/certstore/export_test.go | Add tests for required P12 password + YAML sensitivity |
| internal/certstore/container.go | Improve container parsing (JKS pairing, DER key-only handling) |
| internal/certstore/container_test.go | Add tests for DER key-only + JKS pairing selection |
| internal/certstore/aia.go | Thread allow-private-network into AIA URL validation |
| internal/certstore/aia_test.go | Update AIA resolution tests for allow-private-network option |
| crl.go | Add CRL size cap enforcement + ReadCRLFile helper |
| crl_test.go | Add/adjust tests for SSRF + size limit behavior |
| connect.go | Add default connect timeout when ctx has no deadline + allow-private plumbing |
| connect_test.go | Add test for connect-timeout fallback + allow-private updates |
| cmd/wasm/main.go | Add bounded WASM ingestion limits + allow-private + export retry signaling |
| cmd/wasm/inspect.go | Add bounded WASM inspect ingestion + allow-private AIA resolution |
| cmd/wasm/export.go | Require explicit verified export; support explicit unverified retry |
| cmd/wasm/aia.go | Propagate timeouts/cancellation to JS fetch + release callbacks reliably |
| cmd/certkit/root.go | Add --insecure-default-password global flag |
| cmd/certkit/verify.go | Add --allow-private-network + rename diagnoses→diagnostics |
| cmd/certkit/connect.go | Add --allow-private-network and plumb to library |
| cmd/certkit/scan.go | Use bounded walker; add allow-private flag; improve export text summary |
| cmd/certkit/inspect.go | Add allow-private flag and normalize expired filtering to validation error |
| cmd/certkit/ocsp.go | Add allow-private flag; issuer auto-selection improvements; JSON key normalization |
| cmd/certkit/crl.go | Use certkit.ReadCRLFile for local CRLs |
| cmd/certkit/bundle.go | Normalize JSON payload schema + explicit export password requirement |
| cmd/certkit/convert.go | Normalize JSON payload schema + explicit export password requirement |
| cmd/certkit/convert_test.go | Add CLI-level regression for PKCS#12 multi-match error semantics |
| cmd/certkit/payload_json.go | Introduce shared payload JSON struct for bundle/convert |
| cmd/certkit/cli_semantics_test.go | Add JSON schema consistency regression tests |
| certkit.go | Harden PEM parsing (skip malformed blocks; scan multiple blocks) + issuer selection helper |
| certkit_test.go | Add tests for malformed PEM tolerance + issuer selection + CSR parsing improvements |
| bundle.go | Add DNS-resolution SSRF validation + allow-private option plumbing |
| bundle_test.go | Update AIA fetch test for allow-private behavior |
| bundle_lookup_default.go | Provide default DNS lookup for SSRF validation (non-js builds) |
| bundle_lookup_js.go | Disable DNS resolution on js builds safely |
| README.md | Update flags/docs for SSRF opt-in, password requirements, formats, outputs |
| EXAMPLES.md | Update examples for explicit export password requirement |
| CHANGELOG.md | Document security/behavior changes and breaking JSON schema changes |
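The review above describes SSRF validation for AIA/OCSP/CRL fetches (including DNS-resolution checks) gated behind an explicit private-network opt-in, plus a default timeout when the caller's context has no deadline. The following Go program is an added illustration of that pattern written for this page; it is not code from the certkit project, and the names `ValidateFetchURL`, `StaticLookup`, `LookupFunc`, `ErrPrivateAddress` and the 5-second fallback are assumptions. Name resolution is injected and fed from a constructed table so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"time"
)

// LookupFunc resolves a hostname to its addresses. It is injected so the
// check can be exercised offline with a constructed table (hypothetical API).
type LookupFunc func(ctx context.Context, host string) ([]net.IP, error)

// ErrPrivateAddress is returned when a fetch target resolves to an address
// that must not be reached without an explicit opt-in.
var ErrPrivateAddress = errors.New("destination resolves to a private or local address")

// isNonPublic reports whether ip is loopback, RFC 1918/ULA, link-local,
// multicast or unspecified. IPv4-mapped IPv6 forms are covered because the
// net.IP predicates unwrap them via To4().
func isNonPublic(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateFetchURL checks an AIA/OCSP/CRL URL before any connection is made.
// Literal IPs are used directly; hostnames are resolved. Unless allowPrivate
// is set, the URL is rejected if ANY resolved address is non-public. The
// addresses are returned so the caller can dial exactly those instead of
// re-resolving, which would reopen a DNS-rebinding window.
func ValidateFetchURL(ctx context.Context, raw string, allowPrivate bool, lookup LookupFunc) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("url has no host")
	}
	// Same idea as the connect-timeout fallback: a context without a deadline
	// gets one (5s is an assumed default, not the project's value).
	if _, hasDeadline := ctx.Deadline(); !hasDeadline {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, 5*time.Second)
		defer cancel()
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = lookup(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("resolve %s: %w", host, err)
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("resolve %s: no addresses", host)
		}
	}
	if !allowPrivate {
		for _, ip := range ips {
			if isNonPublic(ip) {
				return nil, fmt.Errorf("%s -> %s: %w", host, ip, ErrPrivateAddress)
			}
		}
	}
	return ips, nil
}

// StaticLookup builds a LookupFunc from a constructed name -> address table
// so the example never touches real DNS.
func StaticLookup(table map[string][]string) LookupFunc {
	return func(_ context.Context, host string) ([]net.IP, error) {
		addrs, ok := table[host]
		if !ok {
			return nil, fmt.Errorf("no such host %q", host)
		}
		ips := make([]net.IP, 0, len(addrs))
		for _, a := range addrs {
			ips = append(ips, net.ParseIP(a))
		}
		return ips, nil
	}
}

func main() {
	// Constructed sample table: a clean public host and one whose answer mixes
	// a public and an internal address (a split answer must still be rejected).
	lookup := StaticLookup(map[string][]string{
		"ocsp.example.test":  {"203.0.113.10"},
		"mixed.example.test": {"203.0.113.11", "10.0.0.5"},
	})
	cases := []struct {
		url          string
		allowPrivate bool
	}{
		{"http://ocsp.example.test/", false},
		{"http://mixed.example.test/", false},
		{"http://127.0.0.1:8080/crl.der", false},
		{"http://127.0.0.1:8080/crl.der", true},
	}
	for _, c := range cases {
		ips, err := ValidateFetchURL(context.Background(), c.url, c.allowPrivate, lookup)
		fmt.Printf("%-32s allowPrivate=%-5v ips=%v err=%v\n", c.url, c.allowPrivate, ips, err)
	}
}
```

Two design points worth noting for a defender: the check rejects when any address in the answer is non-public, not only the first, and it hands the validated addresses back so the HTTP client can pin them rather than resolve the name a second time at dial.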
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b64a1db0ae
Addressed review feedback in on :

- fixed WASM marshal-error rejection to use a real object ()
- updated test guidance to explicitly allow scoped CLI command-surface tests under
- restored AIA HTTP client reuse in scan path by caching one client per private-network mode ()
- renamed TS type alias to PascalCase () in web proxy fetch code
- stopped logging trusted JKS entries as non-private-key by continuing after trusted-cert handling ()
- corrected changelog reference for explicit PKCS#12/JKS password requirement from to ()

Also reran no commit to main........................................................Passed
Review loop pass complete: there are no unresolved actionable reviewer/bot threads or comments at this time. Waiting for new feedback.
test
Removing test comment
test2
removing placeholder
Code review: 5 issues found (all MUST-severity CLAUDE.md violations). 1. ERR-5:
Summary
develop into main with the latest validated changes