Pilot Certificate
Capability certificate system for Pilot Protocol using Ed25519 signatures.
Commands
Issue Certificate
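# Assumes SUBJECT is already set and ~/.pilot/certificates/issued exists.
# Values are interpolated into the JSON unescaped, so SUBJECT must be a plain hostname.
# date -d requires GNU date.
CERT_ID=$(openssl rand -hex 8)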
EXPIRES_AT=$(date -u -d '+24 hours' +%Y-%m-%dT%H:%M:%SZ)
cat > ~/.pilot/certificates/issued/cert-$CERT_ID.json <<EOF
{
"certificate_id": "$CERT_ID",
"subject": {"hostname": "$SUBJECT"},
"capabilities": ["read", "write", "admin"],
"expires_at": "$EXPIRES_AT",
"status": "active"
}
EOF
Send Certificate
pilotctl --json send-file "$RECIPIENT" ~/.pilot/certificates/issued/cert-$CERT_ID.json
Verify Certificate
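# Assumes CERT_FILE points at the received certificate.
# This checks the expiry time only; "VERIFIED" here means "not expired".
EXPIRES_AT=$(jq -r '.expires_at' "$CERT_FILE")
EXPIRES_TS=$(date -d "$EXPIRES_AT" +%s)
[ "$(date +%s)" -le "$EXPIRES_TS" ] && echo "VERIFIED" || echo "EXPIRED"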
Check Capability
jq -e --arg cap "$CAPABILITY" '.capabilities[] | select(. == $cap)' "$CERT_FILE" && echo "Has capability"
Workflow Example
#!/bin/bash
# Certificate authority
mkdir -p ~/.pilot/certificates/{issued,received}
CERT_ID=$(openssl rand -hex 8)
SUBJECT="admin.pilot"
cat > ~/.pilot/certificates/issued/cert-$CERT_ID.json <<EOF
{
"certificate_id": "$CERT_ID",
"subject": {"hostname": "$SUBJECT"},
"capabilities": ["read", "write", "admin"],
"expires_at": "$(date -u -d '+48 hours' +%Y-%m-%dT%H:%M:%SZ)",
"status": "active"
}
EOF
pilotctl --json send-file "$SUBJECT" ~/.pilot/certificates/issued/cert-$CERT_ID.json
Dependencies
Requires pilot-protocol, pilotctl, jq, and openssl.