

//! Dogtag PKI CA REST API client for the kipuka EST server.
//!
//! Provides a Rust client for the Dogtag Certificate Authority REST API,
//! enabling kipuka to use RHCS/Dogtag PKI as its CA backend for certificate
//! enrollment, revocation, and management.
//!
//! # Architecture
//!
//! The client communicates with the Dogtag CA over HTTPS using mutual TLS (mTLS)
//! with an agent certificate. All operations are async and use `reqwest` for
//! HTTP transport.
//!
//! # Supported Operations
//!
//! - **Enrollment**: PKCS#10 profile-based certificate issuance via `/ca/rest/certrequests`
//! - **Certificate management**: Retrieval, listing, and revocation via `/ca/rest/certs`
//! - **Profiles**: Profile enumeration and constraint extraction via `/ca/rest/profiles`
//! - **Full CMC**: CMC request passthrough via `/ca/ee/ca/profileSubmitCMCFull`
//! - **KRA**: Server-side key generation and archival via `/kra/rest/agent/keys`
//! - **HA**: Multi-CA connection pooling with health-based routing
21
22pub mod certs;
23pub mod client;
24pub mod cmc;
25pub mod config;
26pub mod enroll;
27pub mod kra;
28pub mod pool;
29pub mod profiles;
30
31pub use certs::{CertFilter, CertInfo, RevocationReason};
32pub use client::DogtagClient;
33pub use cmc::CmcClient;
34pub use config::DogtagConfig;
35pub use enroll::{EnrollResult, EnrollStatus};
36pub use kra::KraClient;
37pub use pool::DogtagPool;
38pub use profiles::{ProfileConstraints, ProfileDetail, ProfileInfo};
39
40use thiserror::Error;
41
/// Errors from Dogtag PKI REST API operations.
///
/// This is the single error type used by every fallible operation in this
/// crate; [`DogtagResult`] is the matching `Result` alias. Two variants carry
/// `#[from]` conversions (`Http` for `reqwest::Error`, `IoError` for
/// `std::io::Error`), so `?` propagates those errors into `DogtagError`
/// without an explicit `map_err`. The remaining variants carry either no
/// payload or free-form strings that `Display` renders verbatim.
#[derive(Debug, Error)]
pub enum DogtagError {
    /// HTTP request failed.
    ///
    /// Wraps any `reqwest::Error` (converted automatically via `?`); the
    /// `Display` output appends the wrapped error's own message.
    // NOTE(review): that inner message is produced by `reqwest` and, depending
    // on the version, may include the request URL — confirm before surfacing
    // this variant's text to end users rather than to logs.
    #[error("HTTP request failed: {0}")]
    Http(#[from] reqwest::Error),

    /// Dogtag returned a non-success HTTP status.
    ///
    /// `body` is the raw response text received from the CA, and the
    /// `Display` impl echoes it in full after the status code, so the
    /// formatted message is exactly as long and as detailed as the server's
    /// response. Callers that forward error text beyond their own logs may
    /// prefer to report only `status`.
    #[error("Dogtag returned HTTP {status}: {body}")]
    ApiError {
        /// HTTP status code.
        status: u16,
        /// Response body text, unmodified.
        body: String,
    },

    /// Failed to parse Dogtag response JSON.
    ///
    /// The payload is a free-form description of the parse failure.
    #[error("Failed to parse response: {0}")]
    ParseError(String),

    /// Invalid configuration.
    ///
    /// The payload is a free-form description of what is invalid.
    #[error("Invalid configuration: {0}")]
    ConfigError(String),

    /// TLS or certificate error.
    ///
    /// The payload is a free-form description. Distinct from `Http`: this
    /// variant is not built from a `reqwest::Error`.
    #[error("TLS error: {0}")]
    TlsError(String),

    /// I/O error reading certificate or key files.
    ///
    /// Converted automatically from `std::io::Error` via `?`.
    #[error("I/O error: {0}")]
    IoError(#[from] std::io::Error),

    /// No healthy CA backend available.
    ///
    /// Unit variant with no payload; presumably produced by the pooling layer
    /// (`pool` / [`DogtagPool`]) — verify against that module.
    #[error("No healthy CA backend available")]
    NoHealthyBackend,

    /// Enrollment request was rejected by the CA.
    #[error("Enrollment rejected: {reason}")]
    EnrollmentRejected {
        /// Rejection reason from the CA, rendered verbatim by `Display`.
        reason: String,
    },

    /// Enrollment request is pending approval.
    ///
    /// Returned as an error because no certificate is available yet; the
    /// caller keeps `request_id` and checks back later.
    #[error("Enrollment pending: request_id={request_id}")]
    EnrollmentPending {
        /// The request ID to poll for status.
        request_id: String,
    },

    /// KRA operation failed.
    ///
    /// The payload is a free-form description of the failure.
    #[error("KRA error: {0}")]
    KraError(String),
}
96
/// Result type alias for Dogtag operations: `Result<T, DogtagError>`.
///
/// Inside a function returning this alias, `?` converts `reqwest::Error` and
/// `std::io::Error` into [`DogtagError`] through its `#[from]` variants.
pub type DogtagResult<T> = Result<T, DogtagError>;