File: /src/gateway/mtls.rs
Category: Gateway / Security
Description: The build_mtls_acceptor function loads a single CA certificate file for client verification. This does not support multiple independent trust anchors for different meter manufacturers, certificate authority hierarchies (intermediate CAs), or certificate revocation via OCSP stapling. Additionally, there is no support for hardware security module (HSM) key storage for the server certificate.
Parameters:
- Trust anchors: 10+ meter manufacturer CAs
- Certificate chain depth: up to 3 (root → intermediate → device)
- OCSP stapling: required for real-time revocation checking
- Server key storage: PKCS#11 URI for HSM
Codebase Navigation:
src/gateway/mtls.rs:8 — build_mtls_acceptor — single CA cert support
src/gateway/mtls.rs:20 — RootCertStore::add — no intermediate CA chain handling
Resolution Blueprint:
- Extend build_mtls_acceptor to accept a directory of CA certificates; load all PEM files and add each to the root store
- Implement intermediate CA chain building: when a client presents a certificate signed by an intermediate, validate the full chain up to a configured root anchor
- Add OCSP stapling support: when a client certificate is received, check its OCSP responder URL (from Authority Information Access extension) and staple the OCSP response
- Add HSM support for the server private key: use pkcs11-uri to reference the key in an HSM instead of a file path
- Implement certificate policy enforcement: validate X.509 certificate policies extension against a whitelist of accepted policies (e.g., manufacturer-specific OIDs)
- Expose GET /api/v1/gateway/tls/status showing current certificate chain, expiry dates, and OCSP response status
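Added example for the first blueprint item (not code from the gateway repository): assembling the trust-anchor set from a directory of manufacturer CA files. It parses every CERTIFICATE block in each .pem/.crt file, de-duplicates identical roots shipped by more than one manufacturer, and refuses the whole directory if any file carries a PRIVATE KEY block. The returned DER blobs are what build_mtls_acceptor would hand to RootCertStore::add; that rustls call and the std::fs directory walk are left out so the block runs offline with constructed in-memory files, and the file names and payloads are constructed, not the project's.

```rust
// Added example, not the gateway's own code: assemble the trust anchors for
// build_mtls_acceptor from a directory of manufacturer CA files. Each DerCert
// is what would be passed to rustls's RootCertStore::add; that call is left
// out so the example has no external dependencies.
use std::collections::HashSet;

/// One DER-encoded certificate recovered from a PEM CERTIFICATE block.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct DerCert(pub Vec<u8>);

#[derive(Debug, PartialEq)]
pub enum LoadError {
    PrivateKeyInTrustDir(String), // key material in the CA directory: hard error
    BadBase64(String),
    NoCertificates,
}

/// Standard base64 (RFC 4648 with '=' padding); whitespace is ignored.
pub fn base64_decode(s: &str) -> Option<Vec<u8>> {
    fn val(c: u8) -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some(u32::from(c - b'A')),
            b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
            b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    }
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 { return None; }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        let pad = chunk.iter().rev().take_while(|&&c| c == b'=').count();
        if pad > 2 { return None; }
        let mut acc: u32 = 0;
        for &c in &chunk[..4 - pad] { acc = (acc << 6) | val(c)?; }
        acc <<= 6 * pad as u32; // left-align the 24-bit group when padded
        out.extend_from_slice(&acc.to_be_bytes()[1..4 - pad]);
    }
    Some(out)
}

/// Every CERTIFICATE block in one PEM file. Other block types are skipped;
/// a PRIVATE KEY block anywhere in the file rejects the whole load.
pub fn parse_pem_certs(name: &str, body: &str) -> Result<Vec<DerCert>, LoadError> {
    let (mut certs, mut in_cert, mut b64) = (Vec::new(), false, String::new());
    for line in body.lines().map(str::trim) {
        if let Some(label) = line.strip_prefix("-----BEGIN ") {
            if label.contains("PRIVATE KEY") {
                return Err(LoadError::PrivateKeyInTrustDir(name.to_string()));
            }
            in_cert = label == "CERTIFICATE-----";
            b64.clear();
        } else if in_cert && line == "-----END CERTIFICATE-----" {
            let der = base64_decode(&b64).ok_or_else(|| LoadError::BadBase64(name.to_string()))?;
            certs.push(DerCert(der));
            in_cert = false;
        } else if in_cert {
            b64.push_str(line);
        }
    }
    Ok(certs)
}

/// Only .pem/.crt files count; identical DER bytes (the same root shipped by
/// two manufacturers) are added once. Input is (file name, file body) pairs.
pub fn collect_trust_anchors(files: &[(&str, &str)]) -> Result<Vec<DerCert>, LoadError> {
    let (mut seen, mut anchors) = (HashSet::new(), Vec::new());
    for (name, body) in files {
        let lower = name.to_ascii_lowercase();
        if !(lower.ends_with(".pem") || lower.ends_with(".crt")) { continue; }
        for cert in parse_pem_certs(name, body)? {
            if seen.insert(cert.clone()) { anchors.push(cert); }
        }
    }
    if anchors.is_empty() { return Err(LoadError::NoCertificates); }
    Ok(anchors)
}

/// Constructed stand-in for the CA directory; the payloads are tiny ASN.1
/// SEQUENCEs, not real certificates, so the example runs offline.
pub fn sample_trust_dir() -> Vec<(&'static str, &'static str)> {
    vec![
        ("manufacturer-a-root.pem", "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"),
        // manufacturer B ships the same root again plus its own intermediate
        ("manufacturer-b-chain.crt", "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n\
                                      -----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"),
        ("README.txt", "not a certificate; ignored by extension"),
    ]
}

fn main() {
    match collect_trust_anchors(&sample_trust_dir()) {
        Ok(anchors) => println!("loaded {} unique trust anchors", anchors.len()),
        Err(e) => eprintln!("trust directory rejected: {:?}", e),
    }
}
```

Failing closed on a stray private key, rather than skipping the block, is deliberate: a key that lands in the CA directory by mistake should stop the gateway from starting so someone notices and removes it.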
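Added example for the HSM blueprint item (again not the gateway's code): parsing and vetting the pkcs11-uri (RFC 7512) that would replace the server-key file path. Beyond splitting path and query attributes and percent-decoding them, it enforces the checks worth running before any PKCS#11 module is loaded: the URI must name a private key unambiguously (object= or id=), must not repeat attributes, and must not carry pin-value, since a PIN in the URI ends up in config files and logs. The token label, object label and paths in the sample URI are constructed assumptions.

```rust
// Added example, not the gateway's own code: parse and vet the PKCS#11 URI
// (RFC 7512) that replaces the server-key file path in build_mtls_acceptor.
// Opening the HSM session is the PKCS#11 library's job; this covers the
// configuration checks that should run before any module is loaded.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub struct Pkcs11KeyRef {
    pub token: Option<String>,
    pub object: Option<String>,
    pub id: Option<Vec<u8>>,        // CKA_ID, raw bytes after percent-decoding
    pub module_path: Option<String>,
    pub pin_source: Option<String>, // where to read the PIN; never the PIN itself
}

#[derive(Debug, PartialEq)]
pub enum UriError {
    WrongScheme,
    BadPercentEncoding(String),
    DuplicateAttribute(String),
    NotAPrivateKey(String),
    PinEmbeddedInUri, // pin-value would put the HSM PIN into config and logs
    NoObjectSelector, // neither object= nor id=: key choice would be ambiguous
}

fn percent_decode(s: &str) -> Result<Vec<u8>, UriError> {
    let bad = || UriError::BadPercentEncoding(s.to_string());
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' {
            let hex = b.get(i + 1..i + 3).filter(|h| h.iter().all(u8::is_ascii_hexdigit)).ok_or_else(|| bad())?;
            // both unwraps are safe: validated as two ASCII hex digits above
            out.push(u8::from_str_radix(std::str::from_utf8(hex).unwrap(), 16).unwrap());
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    Ok(out)
}

/// Split `k=v;k=v` (path part, ';') or `k=v&k=v` (query part, '&') into a map.
/// Repeated attributes are rejected: RFC 7512 forbids them, and accepting them
/// would let a later `type=` or `object=` silently override an earlier one.
fn split_attrs(part: &str, sep: char) -> Result<BTreeMap<String, Vec<u8>>, UriError> {
    let mut map = BTreeMap::new();
    for kv in part.split(sep).filter(|s| !s.is_empty()) {
        let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
        if map.insert(k.to_string(), percent_decode(v)?).is_some() {
            return Err(UriError::DuplicateAttribute(k.to_string()));
        }
    }
    Ok(map)
}

/// Accept only a URI that unambiguously names a private key and carries no PIN.
pub fn parse_server_key_uri(uri: &str) -> Result<Pkcs11KeyRef, UriError> {
    let rest = uri.strip_prefix("pkcs11:").ok_or(UriError::WrongScheme)?;
    let (path, query) = rest.split_once('?').unwrap_or((rest, ""));
    let (path, query) = (split_attrs(path, ';')?, split_attrs(query, '&')?);
    let text = |m: &BTreeMap<String, Vec<u8>>, k: &str| m.get(k).map(|v| String::from_utf8_lossy(v).into_owned());
    if path.contains_key("pin-value") || query.contains_key("pin-value") {
        return Err(UriError::PinEmbeddedInUri);
    }
    // RFC 7512 `type` values: public, private, cert, secret-key, data. For the
    // server key anything other than an explicit `private` is refused.
    let kind = text(&path, "type").unwrap_or_else(|| "<unset>".to_string());
    if kind != "private" { return Err(UriError::NotAPrivateKey(kind)); }
    let (object, id) = (text(&path, "object"), path.get("id").cloned());
    if object.is_none() && id.is_none() { return Err(UriError::NoObjectSelector); }
    Ok(Pkcs11KeyRef {
        token: text(&path, "token"),
        object,
        id,
        module_path: text(&query, "module-path"),
        pin_source: text(&query, "pin-source"),
    })
}

/// Constructed config value; token label, object label and paths are assumptions.
pub const SAMPLE_KEY_URI: &str =
    "pkcs11:token=gateway-hsm;object=gateway-tls;type=private?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-source=file:/run/secrets/hsm-pin";

fn main() {
    match parse_server_key_uri(SAMPLE_KEY_URI) {
        Ok(key) => println!("server key: {:?}", key),
        Err(e) => eprintln!("rejected server key URI: {:?}", e),
    }
}
```

Requiring an explicit type=private and an object or id selector means a mislabelled URI fails at startup instead of the gateway quietly signing with whichever key the module enumerates first.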
Acceptance Criteria: