mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-23 04:13:20 +02:00
a6852f3ca6
## StrongSwan PKI Modernization - Migrated from shell-based OpenSSL commands to Ansible community.crypto modules - Simplified complex Jinja2 templates while preserving all security properties - Added clear, concise comments explaining security rationale and Apple compatibility ## Enhanced Security Implementation (Issues #75, #153) - **Name constraints**: CA certificates restricted to specific IP/email domains - **EKU role separation**: Server certs (serverAuth only) vs client certs (clientAuth only) - **Domain exclusions**: Blocks public domains (.com, .org, etc.) and private IP ranges - **Apple compatibility**: SAN extensions and PKCS#12 compatibility2022 encryption - **Certificate revocation**: Automated CRL generation for removed users ## Comprehensive Test Suite - **Hybrid testing**: Validates real certificates when available, config validation for CI - **Security validation**: Verifies name constraints, EKU restrictions, role separation - **Apple compatibility**: Tests SAN extensions and PKCS#12 format compliance - **Certificate chain**: Validates CA signing and certificate validity periods - **CI-compatible**: No deployment required, tests Ansible configuration directly ## Configuration Updates - Updated CLAUDE.md: Ansible version rationale (stay current for security/performance) - Streamlined comments: Removed duplicative explanations while preserving technical context - Maintained all Issue #75/#153 security enhancements with modern Ansible approach 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| test_basic_sanity.py | ||
| test_cloud_provider_configs.py | ||
| test_config_validation.py | ||
| test_docker_localhost_deployment.py | ||
| test_generated_configs.py | ||
| test_openssl_compatibility.py | ||
| test_template_rendering.py | ||
| test_user_management.py | ||
| test_wireguard_key_generation.py | ||