ftw-pki-unpacker 0.0.3a2

A secure extraction utility for unpacking encrypted and signed PKI certificate bundles.

ftw-pki-unpacker

[]

The secure ingestion, validation, and decryption gateway of the ftw-pki suite. This repository provides the ftwpkiunpacker utility.

🛠 Why do we need an Unpacker?

In high-security PKI environments, signing entities (especially Root and Intermediate CAs) often operate in restricted or offline environments. They should never be directly exposed to raw, unvalidated input from the network.

The Unpacker acts as a "buffer, filter, and delivery endpoint":

1. Ingestion & Sanitization: It collects Certificate Signing Requests (CSRs) and pre-validates them against defined security policies before they ever reach the signing tools.
2. Security Boundary: It ensures that only well-formed and authorized requests are passed forward, protecting the sensitive signing infrastructure from malformed data or injection attacks.
3. Secure Decryption: Signed certificates are returned encrypted with the sender's public key. The Receiver uses the corresponding private key to decrypt the payload, making the certificate available to the end-user.

✨ Features

• Automated Configuration: On its first run, the tool automatically initializes the necessary configuration files in the user's config directory (e.g., ~/.config/ftwpki/).
• Integrity Checks: Verifies the cryptographic signatures of incoming CSRs to ensure they haven't been tampered with during transit.
• Minimalist CLI: Designed to be as simple as possible to minimize the attack surface, requiring only essential positional arguments.

📖 Documentation

• Technical Manual: Detailed information on validation rules and security handshakes is available in the doc/source/ directory.
• User Config: If you need to adjust policies, refer to the config file automatically created in your user profile.

📄 License

This project is licensed under the LGPL v2.1 (or later).

---

© 2026 ftw-pki Contributors