Merge remote-tracking branch 'origin/main' into saif/pki-75-infisical…

32a58bf
Merged

feat(pki): add AWS ACM Public CA support #6069

Claude / Claude Code Review completed Apr 17, 2026 in 22m 0s

Code review found 4 potential issues

Found 5 candidates, confirmed 4. See review comments for details.

Details

| Severity | Count |
|---|---|
| 🔴 Important | 0 |
| 🟡 Nit | 2 |
| 🟣 Pre-existing | 1 |

| Severity | File:Line | Issue |
|---|---|---|
| 🟡 Nit | backend/src/services/certificate-authority/aws-acm-public-ca/aws-acm-public-ca-certificate-authority-validators.ts:120-128 | Modular bias in generateAcmPassphrase |
| 🟡 Nit | frontend/src/pages/cert-manager/CertificateAuthoritiesPage/components/ExternalCaModal.tsx:913-931 | AWS Connection FormControl missing isRequired in ExternalCaModal |
| 🟣 Pre-existing | backend/src/server/routes/v1/certificate-authority-routers/general-certificate-authority-router.ts:75-88 | ListCAs makes 5 sequential DB queries instead of parallel |

Annotations

Check warning on line 128 in backend/src/services/certificate-authority/aws-acm-public-ca/aws-acm-public-ca-certificate-authority-validators.ts

@claude claude / Claude Code Review

Modular bias in generateAcmPassphrase

The passphrase generator in generateAcmPassphrase uses bytes[i] % 62, which introduces modular bias: since 256 % 62 = 8, characters A-H appear with probability 5/256 (~1.95%) while the remaining 54 characters appear at 4/256 (~1.56%). The passphrase is ephemeral (generated, used once for ExportCertificate, then discarded), so the security impact is negligible, but a rejection-sampling approach would eliminate the bias cleanly.
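
The bias and the rejection-sampling alternative described in this annotation, as an added example that is not the PR's code or the reviewer's. The alphabet order (A-Z, a-z, 0-9), the function names, the injectable `randomBytes` parameter, and the use of Web Crypto as `globalThis.crypto` (recent Node.js or a browser) are assumptions made for illustration.

```javascript
// Added example, not Infisical's code. ALPHABET order is an assumption chosen
// to match the review comment (indices 0-7 are A-H).
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Default byte source (assumption): Web Crypto exposed as globalThis.crypto.
const cryptoBytes = (n) => globalThis.crypto.getRandomValues(new Uint8Array(n));

// Biased form described in the review: every byte is mapped with % 62.
function biasedPassphrase(length, randomBytes = cryptoBytes) {
  return Array.from(randomBytes(length), (b) => ALPHABET[b % ALPHABET.length]).join("");
}

// Exact distribution of b % 62 over all 256 byte values (no sampling needed).
function moduloCounts() {
  const counts = new Array(ALPHABET.length).fill(0);
  for (let b = 0; b < 256; b++) counts[b % ALPHABET.length]++;
  return counts;
}

// Rejection sampling: accept only bytes below the largest multiple of 62
// that fits in a byte (248), so each character has exactly 4 accepted bytes.
function unbiasedPassphrase(length, randomBytes = cryptoBytes) {
  const limit = 256 - (256 % ALPHABET.length); // 248
  let out = "";
  while (out.length < length) {
    // Request a few extra bytes; about 3% of them (8/256) are rejected.
    for (const b of randomBytes(length - out.length + 8)) {
      if (b < limit && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
  }
  return out;
}
```

Passing a fixed byte source as the second argument makes both functions deterministic, which is how the difference between them can be unit-tested.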

Check warning on line 931 in frontend/src/pages/cert-manager/CertificateAuthoritiesPage/components/ExternalCaModal.tsx

@claude claude / Claude Code Review

AWS Connection FormControl missing isRequired in ExternalCaModal

The `FormControl` for the 'AWS Connection' field in the `CaType.AWS_ACM_PUBLIC_CA` section of `ExternalCaModal.tsx` is missing the `isRequired` prop. All three sibling fields in the same section — Route 53 Connection, Route 53 Hosted Zone ID, and Region — correctly have `isRequired`, so only the first field lacks the visual asterisk indicating it is mandatory.

Check notice on line 88 in backend/src/server/routes/v1/certificate-authority-routers/general-certificate-authority-router.ts

@claude claude / Claude Code Review

ListCAs makes 5 sequential DB queries instead of parallel

The ListCAs handler in both the v1 and v2 routers awaits 5 independent DB queries sequentially instead of running them in parallel with `Promise.all()`. This PR extends the pre-existing 4-query sequential pattern by adding a 5th await for `awsAcmPublicCas`, serializing what could be a concurrent round-trip.