// Package distribution provides comprehensive security for distributed context operations package distribution import ( "context" "crypto/rand" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/json" "fmt" "math/big" "net" "sync" "time" "chorus/pkg/config" "chorus/pkg/crypto" ) // SecurityManager handles all security aspects of the distributed system type SecurityManager struct { mu sync.RWMutex config *config.Config tlsConfig *TLSConfig authManager *AuthenticationManager authzManager *AuthorizationManager auditLogger *SecurityAuditLogger nodeAuth *NodeAuthentication encryption *DistributionEncryption certificateAuth *CertificateAuthority // Security state trustedNodes map[string]*TrustedNode activeSessions map[string]*SecuritySession securityPolicies map[string]*SecurityPolicy threatDetector *ThreatDetector // Configuration tlsEnabled bool mutualTLSEnabled bool auditingEnabled bool encryptionEnabled bool } // TLSConfig manages TLS configuration for secure communications type TLSConfig struct { ServerConfig *tls.Config ClientConfig *tls.Config CertificatePath string PrivateKeyPath string CAPath string MinTLSVersion uint16 CipherSuites []uint16 CurvePreferences []tls.CurveID ClientAuth tls.ClientAuthType VerifyConnection func(tls.ConnectionState) error } // AuthenticationManager handles node and user authentication type AuthenticationManager struct { mu sync.RWMutex providers map[string]AuthProvider tokenValidator TokenValidator sessionManager *SessionManager multiFactorAuth *MultiFactorAuth credentialStore *CredentialStore loginAttempts map[string]*LoginAttempts authPolicies map[string]*AuthPolicy } // AuthProvider interface for different authentication methods type AuthProvider interface { Authenticate(ctx context.Context, credentials *Credentials) (*AuthResult, error) ValidateToken(ctx context.Context, token string) (*TokenClaims, error) RefreshToken(ctx context.Context, refreshToken string) (*TokenPair, error) Name() string IsEnabled() bool } // Credentials represents authentication credentials type Credentials struct { Type CredentialType `json:"type"` Username string `json:"username,omitempty"` Password string `json:"password,omitempty"` Token string `json:"token,omitempty"` Certificate *x509.Certificate `json:"certificate,omitempty"` Signature []byte `json:"signature,omitempty"` Challenge string `json:"challenge,omitempty"` Metadata map[string]interface{} `json:"metadata,omitempty"` } // CredentialType represents different types of credentials type CredentialType string const ( CredentialTypePassword CredentialType = "password" CredentialTypeToken CredentialType = "token" CredentialTypeCertificate CredentialType = "certificate" CredentialTypeSignature CredentialType = "signature" CredentialTypeMFA CredentialType = "mfa" CredentialTypeAPIKey CredentialType = "api_key" ) // AuthResult represents the result of authentication type AuthResult struct { Success bool `json:"success"` UserID string `json:"user_id"` Roles []string `json:"roles"` Permissions []string `json:"permissions"` TokenPair *TokenPair `json:"token_pair"` SessionID string `json:"session_id"` ExpiresAt time.Time `json:"expires_at"` Metadata map[string]interface{} `json:"metadata"` FailureReason string `json:"failure_reason,omitempty"` } // TokenPair represents access and refresh tokens type TokenPair struct { AccessToken string `json:"access_token"` RefreshToken string `json:"refresh_token"` TokenType string `json:"token_type"` ExpiresIn int64 `json:"expires_in"` IssuedAt time.Time `json:"issued_at"` } // TokenClaims represents JWT token claims type TokenClaims struct { UserID string `json:"user_id"` Roles []string `json:"roles"` Permissions []string `json:"permissions"` Issuer string `json:"issuer"` Subject string `json:"subject"` Audience []string `json:"audience"` ExpiresAt time.Time `json:"expires_at"` IssuedAt time.Time `json:"issued_at"` NotBefore time.Time `json:"not_before"` Claims map[string]interface{} `json:"claims"` } // AuthorizationManager handles authorization and access control type AuthorizationManager struct { mu sync.RWMutex policyEngine PolicyEngine rbacManager *RBACManager aclManager *ACLManager resourceManager *ResourceManager permissionCache *PermissionCache authzPolicies map[string]*AuthorizationPolicy } // PolicyEngine interface for policy evaluation type PolicyEngine interface { Evaluate(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResult, error) LoadPolicies(policies []*AuthorizationPolicy) error ValidatePolicy(policy *AuthorizationPolicy) error } // AuthorizationRequest represents an authorization request type AuthorizationRequest struct { UserID string `json:"user_id"` Roles []string `json:"roles"` Resource string `json:"resource"` Action string `json:"action"` Context map[string]interface{} `json:"context"` RequestTime time.Time `json:"request_time"` } // AuthorizationResult represents the result of authorization type AuthorizationResult struct { Decision AuthorizationDecision `json:"decision"` Reason string `json:"reason"` Policies []string `json:"applied_policies"` Conditions []string `json:"conditions"` TTL time.Duration `json:"ttl"` Metadata map[string]interface{} `json:"metadata"` EvaluationTime time.Duration `json:"evaluation_time"` } // AuthorizationDecision represents authorization decisions type AuthorizationDecision string const ( DecisionAllow AuthorizationDecision = "allow" DecisionDeny AuthorizationDecision = "deny" DecisionUnsure AuthorizationDecision = "unsure" ) // SecurityAuditLogger handles security event logging type SecurityAuditLogger struct { mu sync.RWMutex loggers []SecurityLogger eventBuffer []*SecurityEvent alertManager *SecurityAlertManager compliance *ComplianceManager retention *AuditRetentionPolicy enabled bool } // SecurityLogger interface for security event logging type SecurityLogger interface { Log(ctx context.Context, event *SecurityEvent) error Query(ctx context.Context, criteria *SecurityEventCriteria) ([]*SecurityEvent, error) Name() string } // SecurityEvent represents a security event type SecurityEvent struct { EventID string `json:"event_id"` EventType SecurityEventType `json:"event_type"` Severity SecuritySeverity `json:"severity"` Timestamp time.Time `json:"timestamp"` UserID string `json:"user_id,omitempty"` NodeID string `json:"node_id,omitempty"` Resource string `json:"resource,omitempty"` Action string `json:"action,omitempty"` Result string `json:"result"` Message string `json:"message"` Details map[string]interface{} `json:"details"` IPAddress string `json:"ip_address,omitempty"` UserAgent string `json:"user_agent,omitempty"` SessionID string `json:"session_id,omitempty"` RequestID string `json:"request_id,omitempty"` Fingerprint string `json:"fingerprint"` } // SecurityEventType represents different types of security events type SecurityEventType string const ( EventTypeAuthentication SecurityEventType = "authentication" EventTypeAuthorization SecurityEventType = "authorization" EventTypeDataAccess SecurityEventType = "data_access" EventTypeSystemAccess SecurityEventType = "system_access" EventTypeSecurityViolation SecurityEventType = "security_violation" EventTypeThreats SecurityEventType = "threats" EventTypeCompliance SecurityEventType = "compliance" EventTypeConfiguration SecurityEventType = "configuration" ) // SecuritySeverity represents security event severity levels type SecuritySeverity string const ( SeverityDebug SecuritySeverity = "debug" SeverityInfo SecuritySeverity = "info" SeverityWarning SecuritySeverity = "warning" SeverityError SecuritySeverity = "error" SeverityCritical SecuritySeverity = "critical" SeverityAlert SecuritySeverity = "alert" ) // NodeAuthentication handles node-to-node authentication type NodeAuthentication struct { mu sync.RWMutex certificateAuth *CertificateAuth keyExchange *KeyExchange trustStore *TrustStore nodeRegistry *NodeRegistry challengeManager *ChallengeManager } // TrustedNode represents a trusted node in the network type TrustedNode struct { NodeID string `json:"node_id"` PublicKey []byte `json:"public_key"` Certificate *x509.Certificate `json:"certificate"` Roles []string `json:"roles"` Capabilities []string `json:"capabilities"` TrustLevel TrustLevel `json:"trust_level"` LastSeen time.Time `json:"last_seen"` VerifiedAt time.Time `json:"verified_at"` Metadata map[string]interface{} `json:"metadata"` Status NodeStatus `json:"status"` } // TrustLevel represents the trust level of a node type TrustLevel string const ( TrustLevelNone TrustLevel = "none" TrustLevelLow TrustLevel = "low" TrustLevelMedium TrustLevel = "medium" TrustLevelHigh TrustLevel = "high" TrustLevelCritical TrustLevel = "critical" ) // SecuritySession represents an active security session type SecuritySession struct { SessionID string `json:"session_id"` UserID string `json:"user_id"` NodeID string `json:"node_id"` Roles []string `json:"roles"` Permissions []string `json:"permissions"` CreatedAt time.Time `json:"created_at"` ExpiresAt time.Time `json:"expires_at"` LastActivity time.Time `json:"last_activity"` IPAddress string `json:"ip_address"` UserAgent string `json:"user_agent"` Metadata map[string]interface{} `json:"metadata"` Status SessionStatus `json:"status"` } // SessionStatus represents session status type SessionStatus string const ( SessionStatusActive SessionStatus = "active" SessionStatusExpired SessionStatus = "expired" SessionStatusRevoked SessionStatus = "revoked" SessionStatusSuspended SessionStatus = "suspended" ) // ThreatDetector detects security threats and anomalies type ThreatDetector struct { mu sync.RWMutex detectionRules []*ThreatDetectionRule behaviorAnalyzer *BehaviorAnalyzer anomalyDetector *AnomalyDetector threatIntelligence *ThreatIntelligence activeThreats map[string]*ThreatEvent mitigationStrategies map[ThreatType]*MitigationStrategy } // ThreatDetectionRule represents a threat detection rule type ThreatDetectionRule struct { RuleID string `json:"rule_id"` Name string `json:"name"` Description string `json:"description"` ThreatType ThreatType `json:"threat_type"` Severity SecuritySeverity `json:"severity"` Conditions []*ThreatCondition `json:"conditions"` Actions []*ThreatAction `json:"actions"` Enabled bool `json:"enabled"` CreatedAt time.Time `json:"created_at"` UpdatedAt time.Time `json:"updated_at"` Metadata map[string]interface{} `json:"metadata"` } // ThreatType represents different types of threats type ThreatType string const ( ThreatTypeBruteForce ThreatType = "brute_force" ThreatTypeUnauthorized ThreatType = "unauthorized_access" ThreatTypeDataExfiltration ThreatType = "data_exfiltration" ThreatTypeDoS ThreatType = "denial_of_service" ThreatTypePrivilegeEscalation ThreatType = "privilege_escalation" ThreatTypeAnomalous ThreatType = "anomalous_behavior" ThreatTypeMaliciousCode ThreatType = "malicious_code" ThreatTypeInsiderThreat ThreatType = "insider_threat" ) // CertificateAuthority manages certificate generation and validation type CertificateAuthority struct { mu sync.RWMutex rootCA *x509.Certificate rootKey interface{} intermediateCA *x509.Certificate intermediateKey interface{} certStore *CertificateStore crlManager *CRLManager ocspResponder *OCSPResponder } // DistributionEncryption handles encryption for distributed communications type DistributionEncryption struct { mu sync.RWMutex keyManager *DistributionKeyManager encryptionSuite *EncryptionSuite keyRotationPolicy *KeyRotationPolicy encryptionMetrics *EncryptionMetrics } // NewSecurityManager creates a new security manager func NewSecurityManager(config *config.Config) (*SecurityManager, error) { if config == nil { return nil, fmt.Errorf("config is required") } sm := &SecurityManager{ config: config, trustedNodes: make(map[string]*TrustedNode), activeSessions: make(map[string]*SecuritySession), securityPolicies: make(map[string]*SecurityPolicy), tlsEnabled: true, mutualTLSEnabled: true, auditingEnabled: true, encryptionEnabled: true, } // Initialize components if err := sm.initializeComponents(); err != nil { return nil, fmt.Errorf("failed to initialize security components: %w", err) } return sm, nil } // initializeComponents initializes all security components func (sm *SecurityManager) initializeComponents() error { var err error // Initialize TLS configuration sm.tlsConfig, err = sm.createTLSConfig() if err != nil { return fmt.Errorf("failed to create TLS config: %w", err) } // Initialize Certificate Authority sm.certificateAuth, err = NewCertificateAuthority(sm.config) if err != nil { return fmt.Errorf("failed to create certificate authority: %w", err) } // Initialize authentication manager sm.authManager, err = NewAuthenticationManager(sm.config) if err != nil { return fmt.Errorf("failed to create authentication manager: %w", err) } // Initialize authorization manager sm.authzManager, err = NewAuthorizationManager(sm.config) if err != nil { return fmt.Errorf("failed to create authorization manager: %w", err) } // Initialize audit logger sm.auditLogger, err = NewSecurityAuditLogger(sm.config) if err != nil { return fmt.Errorf("failed to create audit logger: %w", err) } // Initialize node authentication sm.nodeAuth, err = NewNodeAuthentication(sm.config, sm.certificateAuth) if err != nil { return fmt.Errorf("failed to create node authentication: %w", err) } // Initialize encryption sm.encryption, err = NewDistributionEncryption(sm.config) if err != nil { return fmt.Errorf("failed to create distribution encryption: %w", err) } // Initialize threat detector sm.threatDetector, err = NewThreatDetector(sm.config) if err != nil { return fmt.Errorf("failed to create threat detector: %w", err) } return nil } // createTLSConfig creates TLS configuration for secure communications func (sm *SecurityManager) createTLSConfig() (*TLSConfig, error) { config := &TLSConfig{ MinTLSVersion: tls.VersionTLS12, CipherSuites: []uint16{ tls.TLS_AES_256_GCM_SHA384, tls.TLS_AES_128_GCM_SHA256, tls.TLS_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }, CurvePreferences: []tls.CurveID{ tls.X25519, tls.CurveP384, tls.CurveP256, }, ClientAuth: tls.RequireAndVerifyClientCert, } // Load certificates cert, err := sm.loadOrGenerateCertificate() if err != nil { return nil, fmt.Errorf("failed to load certificate: %w", err) } // Configure server TLS config.ServerConfig = &tls.Config{ Certificates: []tls.Certificate{*cert}, MinVersion: config.MinTLSVersion, CipherSuites: config.CipherSuites, CurvePreferences: config.CurvePreferences, ClientAuth: config.ClientAuth, ClientCAs: sm.createClientCAPool(), VerifyConnection: sm.verifyTLSConnection, } // Configure client TLS config.ClientConfig = &tls.Config{ Certificates: []tls.Certificate{*cert}, MinVersion: config.MinTLSVersion, CipherSuites: config.CipherSuites, CurvePreferences: config.CurvePreferences, RootCAs: sm.createRootCAPool(), VerifyConnection: sm.verifyTLSConnection, } return config, nil } // Authenticate authenticates a request func (sm *SecurityManager) Authenticate(ctx context.Context, credentials *Credentials) (*AuthResult, error) { // Log authentication attempt sm.logSecurityEvent(ctx, &SecurityEvent{ EventType: EventTypeAuthentication, Severity: SeverityInfo, Action: "authenticate", Message: "Authentication attempt", Details: map[string]interface{}{ "credential_type": credentials.Type, "username": credentials.Username, }, }) return sm.authManager.Authenticate(ctx, credentials) } // Authorize authorizes a request func (sm *SecurityManager) Authorize(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResult, error) { // Log authorization attempt sm.logSecurityEvent(ctx, &SecurityEvent{ EventType: EventTypeAuthorization, Severity: SeverityInfo, UserID: request.UserID, Resource: request.Resource, Action: request.Action, Message: "Authorization attempt", }) return sm.authzManager.Authorize(ctx, request) } // ValidateNodeIdentity validates a node's identity func (sm *SecurityManager) ValidateNodeIdentity(ctx context.Context, nodeID string, certificate *x509.Certificate) error { // Check if node is trusted sm.mu.RLock() trustedNode, exists := sm.trustedNodes[nodeID] sm.mu.RUnlock() if !exists { return fmt.Errorf("node %s is not trusted", nodeID) } // Validate certificate if err := sm.validateCertificate(certificate, trustedNode); err != nil { return fmt.Errorf("certificate validation failed: %w", err) } // Log successful validation sm.logSecurityEvent(ctx, &SecurityEvent{ EventType: EventTypeAuthentication, Severity: SeverityInfo, NodeID: nodeID, Action: "validate_node_identity", Result: "success", Message: "Node identity validated successfully", }) return nil } // EncryptForDistribution encrypts data for distribution func (sm *SecurityManager) EncryptForDistribution(ctx context.Context, data []byte, recipients []string) ([]byte, error) { if !sm.encryptionEnabled { return data, nil } return sm.encryption.Encrypt(ctx, data, recipients) } // DecryptFromDistribution decrypts data from distribution func (sm *SecurityManager) DecryptFromDistribution(ctx context.Context, encryptedData []byte, nodeID string) ([]byte, error) { if !sm.encryptionEnabled { return encryptedData, nil } return sm.encryption.Decrypt(ctx, encryptedData, nodeID) } // GetTLSConfig returns TLS configuration for secure connections func (sm *SecurityManager) GetTLSConfig(isServer bool) *tls.Config { if !sm.tlsEnabled { return nil } if isServer { return sm.tlsConfig.ServerConfig } return sm.tlsConfig.ClientConfig } // AddTrustedNode adds a node to the trusted nodes list func (sm *SecurityManager) AddTrustedNode(ctx context.Context, node *TrustedNode) error { sm.mu.Lock() defer sm.mu.Unlock() // Validate node information if err := sm.validateTrustedNode(node); err != nil { return fmt.Errorf("node validation failed: %w", err) } sm.trustedNodes[node.NodeID] = node // Log node addition sm.logSecurityEvent(ctx, &SecurityEvent{ EventType: EventTypeConfiguration, Severity: SeverityInfo, NodeID: node.NodeID, Action: "add_trusted_node", Result: "success", Message: "Trusted node added", Details: map[string]interface{}{ "trust_level": node.TrustLevel, "roles": node.Roles, }, }) return nil } // DetectThreats analyzes events for potential security threats func (sm *SecurityManager) DetectThreats(ctx context.Context, events []*SecurityEvent) ([]*ThreatEvent, error) { return sm.threatDetector.DetectThreats(ctx, events) } // Helper methods (placeholder implementations) func (sm *SecurityManager) loadOrGenerateCertificate() (*tls.Certificate, error) { // Placeholder implementation // In production, this would load existing certificates or generate new ones cert, key, err := sm.generateSelfSignedCertificate() if err != nil { return nil, err } tlsCert, err := tls.X509KeyPair(cert, key) if err != nil { return nil, err } return &tlsCert, nil } func (sm *SecurityManager) generateSelfSignedCertificate() ([]byte, []byte, error) { // Generate a self-signed certificate for development/testing // In production, use proper CA-signed certificates template := x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{ Organization: []string{"CHORUS SLURP"}, Country: []string{"US"}, Province: []string{""}, Locality: []string{"San Francisco"}, StreetAddress: []string{""}, PostalCode: []string{""}, }, NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, } // This is a simplified implementation // In production, use proper key generation and certificate management return nil, nil, fmt.Errorf("certificate generation not implemented") } func (sm *SecurityManager) createClientCAPool() *x509.CertPool { // Create CA pool for client certificate validation return x509.NewCertPool() } func (sm *SecurityManager) createRootCAPool() *x509.CertPool { // Create root CA pool for server certificate validation return x509.NewCertPool() } func (sm *SecurityManager) verifyTLSConnection(cs tls.ConnectionState) error { // Custom TLS connection verification logic return nil } func (sm *SecurityManager) validateCertificate(cert *x509.Certificate, node *TrustedNode) error { // Validate certificate against trusted node information return nil } func (sm *SecurityManager) validateTrustedNode(node *TrustedNode) error { // Validate trusted node information if node.NodeID == "" { return fmt.Errorf("node ID is required") } if len(node.PublicKey) == 0 { return fmt.Errorf("public key is required") } return nil } func (sm *SecurityManager) logSecurityEvent(ctx context.Context, event *SecurityEvent) { if !sm.auditingEnabled || sm.auditLogger == nil { return } event.EventID = sm.generateEventID() event.Timestamp = time.Now() event.Fingerprint = sm.generateEventFingerprint(event) go func() { if err := sm.auditLogger.LogSecurityEvent(ctx, event); err != nil { // Log error but don't fail the operation } }() } func (sm *SecurityManager) generateEventID() string { return fmt.Sprintf("sec_%d", time.Now().UnixNano()) } func (sm *SecurityManager) generateEventFingerprint(event *SecurityEvent) string { // Generate a fingerprint for event deduplication return fmt.Sprintf("%s_%s_%s", event.EventType, event.Action, event.UserID) } // Component constructor placeholders func NewCertificateAuthority(config *config.Config) (*CertificateAuthority, error) { return &CertificateAuthority{}, nil } func NewAuthenticationManager(config *config.Config) (*AuthenticationManager, error) { return &AuthenticationManager{ providers: make(map[string]AuthProvider), loginAttempts: make(map[string]*LoginAttempts), authPolicies: make(map[string]*AuthPolicy), }, nil } func NewAuthorizationManager(config *config.Config) (*AuthorizationManager, error) { return &AuthorizationManager{ authzPolicies: make(map[string]*AuthorizationPolicy), }, nil } func NewSecurityAuditLogger(config *config.Config) (*SecurityAuditLogger, error) { return &SecurityAuditLogger{ loggers: []SecurityLogger{}, eventBuffer: []*SecurityEvent{}, enabled: true, }, nil } func NewNodeAuthentication(config *config.Config, ca *CertificateAuthority) (*NodeAuthentication, error) { return &NodeAuthentication{}, nil } func NewDistributionEncryption(config *config.Config) (*DistributionEncryption, error) { return &DistributionEncryption{}, nil } func NewThreatDetector(config *config.Config) (*ThreatDetector, error) { return &ThreatDetector{ detectionRules: []*ThreatDetectionRule{}, activeThreats: make(map[string]*ThreatEvent), mitigationStrategies: make(map[ThreatType]*MitigationStrategy), }, nil } // Method implementations for components (placeholders) func (am *AuthenticationManager) Authenticate(ctx context.Context, credentials *Credentials) (*AuthResult, error) { return &AuthResult{Success: true}, nil } func (azm *AuthorizationManager) Authorize(ctx context.Context, request *AuthorizationRequest) (*AuthorizationResult, error) { return &AuthorizationResult{Decision: DecisionAllow}, nil } func (sal *SecurityAuditLogger) LogSecurityEvent(ctx context.Context, event *SecurityEvent) error { return nil } func (de *DistributionEncryption) Encrypt(ctx context.Context, data []byte, recipients []string) ([]byte, error) { return data, nil } func (de *DistributionEncryption) Decrypt(ctx context.Context, encryptedData []byte, nodeID string) ([]byte, error) { return encryptedData, nil } func (td *ThreatDetector) DetectThreats(ctx context.Context, events []*SecurityEvent) ([]*ThreatEvent, error) { return []*ThreatEvent{}, nil } // Supporting types (placeholders) type TokenValidator interface{} type SessionManager struct{} type MultiFactorAuth struct{} type CredentialStore struct{} type LoginAttempts struct{} type AuthPolicy struct{} type RBACManager struct{} type ACLManager struct{} type ResourceManager struct{} type PermissionCache struct{} type AuthorizationPolicy struct{} type SecurityPolicy struct{} type SecurityAlertManager struct{} type ComplianceManager struct{} type AuditRetentionPolicy struct{} type SecurityEventCriteria struct{} type CertificateAuth struct{} type KeyExchange struct{} type TrustStore struct{} type NodeRegistry struct{} type ChallengeManager struct{} type BehaviorAnalyzer struct{} type AnomalyDetector struct{} type ThreatIntelligence struct{} type ThreatEvent struct{} type MitigationStrategy struct{} type ThreatCondition struct{} type ThreatAction struct{} type CertificateStore struct{} type CRLManager struct{} type OCSPResponder struct{} type DistributionKeyManager struct{} type EncryptionSuite struct{} type KeyRotationPolicy struct{} type EncryptionMetrics struct{}