gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:01:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(scep-intune): parser + validator for Microsoft Intune Connector challenge format

Browse Source 
Phase 7 of the SCEP RFC 8894 + Intune master bundle. Adds the
internal/scep/intune package that validates Microsoft Intune Certificate
Connector signed challenges embedded in SCEP CSR challengePassword
attributes. This is the parsing/validation foundation; Phase 8 wires it
into the SCEP service dispatcher.

What's included:

  * doc.go — package architecture (Intune cloud → Connector → certctl
    SCEP server) + 'what this package is NOT' guard rails. We do NOT
    implement full JOSE: no JKU / kid / x5c trust, no JWKS fetch.
    Trust anchor is operator-supplied at startup and pinned. The
    package does NOT call Microsoft's API directly — the Connector
    already did that; we validate its signed attestation.

  * trust_anchor.go — LoadTrustAnchor(path) reads a PEM bundle of
    Intune Connector signing certs. Skips non-CERTIFICATE PEM blocks
    (operators sometimes paste chains with the priv key by mistake).
    Rejects empty bundles + expired certs at startup with an
    operator-actionable message including the cert subject. SIGHUP
    reload lands in Phase 8.5; today it's load-once-at-boot.

  * claim.go — ChallengeClaim struct + DeviceMatchesCSR helper.
    Set-equality semantics for SAN-DNS/SAN-RFC822/SAN-UPN: the CSR
    must carry EXACTLY the claim's elements, no extras and no missing.
    Empty claim slice = no constraint on that dimension.
    Per-dimension typed errors (ErrClaimCNMismatch /
    ErrClaimSANDNSMismatch / ErrClaimSANRFC822Mismatch /
    ErrClaimSANUPNMismatch) so audit logs surface the failure
    dimension without string-matching. extractUPNSans is stubbed to
    return nil with documented fail-closed behavior — non-empty UPN
    claims fail the equalSets check (correct behavior; the rare deploy
    that pins UPN SANs hot-fixes the ASN.1 walker per the inline
    comment).

  * replay.go — ReplayCache: bounded in-memory cache of seen nonces
    with TTL. Sized for 100,000 entries (60-min Connector validity ×
    25 RPS Intune fleet steady-state ≈ 90,000 challenges/hour with
    headroom). sync.Map for concurrent read/write; janitor goroutine
    wakes every TTL/4 to evict expired entries; at-cap O(N)
    oldest-eviction (rarely fires; janitor keeps the cache below
    cap). Redis-backed variant deferred to V3-Pro.

  * challenge.go — the load-bearing piece:

    - ParseChallenge(raw) splits the JWT-like compact serialization
      into header/payload/signature and base64url-decodes each.
      Tolerates both padded + unpadded encodings (some Connector
      builds emit padded; RFC 7515 §2 says unpadded; we accept both).
      Validates the header parses as JSON before returning so the
      malformed-signal lands earlier in the pipeline.

    - ValidateChallenge(raw, trust, expectedAudience, now):
        1. ParseChallenge
        2. JWS signature verify over (segment0 || '.' || segment1)
           — re-derived from the raw on-wire bytes, NOT
           re-base64-encoded, per RFC 7515 §3.1 (re-encoding could
           produce a byte-different input than what was signed)
        3. Signature alg dispatch:
             RS256: rsa.VerifyPKCS1v15(SHA-256)
             ES256: tries fixed-width r||s (JOSE-canonical) first,
                    falls back to ASN.1 DER (older Connectors)
             alg=none: explicit reject with audit-log-friendly
                       message (RFC 7515 §3.6 attack vector)
             HS*/PS*: rejected as 'unsupported alg' (no shared
                      secret in our threat model)
        4. Version-detection prelude (versionedChallenge struct +
           versionUnmarshalers map). Today's format is v1 (no
           explicit version field; absence IS the v1 signal). Adding
           v2 = adding a parser + a registration line; v1 path stays
           untouched. Defends against the inevitable Microsoft format
           change at ~30 LoC + 2 tests cost vs. a P0 incident.
        5. Time bounds (iat / exp); audience pin (skipped when
           expectedAudience == "").

      Replay protection is the CALLER's job (handler glues parser +
      cache; validator stays stateless + testable).

  * Typed errors: ErrChallengeMalformed / ErrChallengeSignature /
    ErrChallengeExpired / ErrChallengeNotYetValid /
    ErrChallengeWrongAudience / ErrChallengeReplay /
    ErrChallengeUnknownVersion. errors.Is-friendly so the handler
    can audit failure dimension.

Tests (94.8% coverage):

  * challenge_test.go (18 tests): happy-path RS256 + ES256
    fixed-width + ES256 DER; TamperedSignature; TamperedPayload;
    Expired; NotYetValid; WrongAudience; EmptyExpectedAudience
    disables check; RotatedTrustAnchor; EmptyTrustBundle;
    AlgNoneRejected; UnsupportedAlg (HS256); MissingAlg;
    VersionV1ExplicitOK; VersionUnknownRejected;
    MixedTrustBundle iter (skip key-type mismatches without
    surfacing as Signature err); NonJSONPayloadButValidSignature;
    Malformed cases (empty, missing dots, bad base64, non-JSON
    header — 9 sub-cases); PaddedBase64Tolerated.

  * claim_test.go (13 tests): per-dimension matching across CN +
    SAN-DNS + SAN-RFC822 + SAN-UPN; nil guards; case-insensitive DNS
    (RFC 4343); dedupe set-equality; empty claim = no constraint;
    UPN stub canary; normaliseSet edge cases; equalSets length
    mismatch.

  * replay_test.go (11 tests): first-fresh; duplicate-rejected;
    past-TTL-fresh; Sweep-evicts-expired; empty-nonce
    short-circuits; at-cap LRU eviction; default-cap=100k;
    Close-idempotent; TTL=0 disables janitor; concurrent-race-free
    (50 goroutines × 200 inserts); empty-nonce twice is fresh both
    times (we don't cache empties).

  * trust_anchor_test.go: HappyPath single + multi cert; SkipsNonCertBlocks
    (priv key + cert mix); EmptyBundleRejected; OnlyKeyBlocksRejected;
    ExpiredCertRejected (with subject CN in error); MalformedCertRejected;
    LoadTrustAnchor disk + EmptyPath + MissingFile.

  * fuzz_test.go: FuzzParseChallenge with seed corpus covering both
    the well-formed and the obvious-malformed shapes. Survived 187k
    execs in 21s without panic on the local burst; CI runs 5 min.

Verification:

  * gofmt -l ./internal/scep/intune: clean
  * go vet ./internal/scep/intune/...: clean
  * staticcheck ./internal/scep/intune/...: clean
  * go test -count=1 -cover ./internal/scep/intune/...: 94.8%
    (target was ≥85%)
  * go vet ./internal/... ./cmd/...: clean (no rest-of-repo regressions)
  * No new CERTCTL_* env vars (those land in Phase 8 with the
    config gate); G-3 docs-drift CI guard not triggered.
  * No new HTTP routes; openapi-parity guard not triggered.

Phase 8 will:
  - Add SCEPProfileConfig.Intune* env vars + preflight gate
  - Wire the validator into the SCEP service dispatcher
    (Intune-shaped challenges → validator; static → existing path)
  - Trust-anchor SIGHUP reload mirroring cmd/server/tls.go::watchSIGHUP
  - Per-claim rate limit + audit metrics

Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 7
      cowork/scep-rfc8894-intune/progress.md
This commit is contained in:
Shankar
2026-04-29 14:38:35 +00:00
parent e7a3075a75
commit 0861aa9482
10 changed files with 1888 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/scep/intune/challenge.go
+343
View File
@@ -0,0 +1,343 @@
package intune
import (
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"math/big"
"strings"
"time"
)
// Typed challenge-validation errors. The handler audits the specific
// failure dimension via errors.Is so operators can distinguish e.g. an
// expired challenge (clock skew, latent enrollment) from a tampered one
// (active attack) without string-matching error messages.
//
// SCEP RFC 8894 + Intune master bundle Phase 7.4.
var (
ErrChallengeMalformed = errors.New("intune: challenge is not in the JWT-like compact-serialization format")
ErrChallengeSignature = errors.New("intune: challenge signature does not verify against any configured trust anchor")
ErrChallengeExpired = errors.New("intune: challenge expired")
ErrChallengeNotYetValid = errors.New("intune: challenge not yet valid (iat in future, possible clock skew)")
ErrChallengeWrongAudience = errors.New("intune: challenge audience does not match this SCEP endpoint URL")
ErrChallengeReplay = errors.New("intune: challenge nonce already seen (replay attempt)")
ErrChallengeUnknownVersion = errors.New("intune: challenge has an unknown version claim — parser does not support this format")
)
// ParseChallenge decodes the JWT-like compact serialization of an Intune
// dynamic challenge into header, payload, and signature byte slices. Does
// NOT verify the signature; that's ValidateChallenge's job.
//
// Format: base64url(header) "." base64url(payload) "." base64url(signature)
// where the base64url alphabet is RFC 4648 §5 (URL-safe, no padding).
//
// We accept both padded and unpadded base64url because some Connector
// versions have shipped padded encodings in the wild despite RFC 7515 §2
// mandating unpadded. The stdlib base64.RawURLEncoding rejects padding,
// so we strip trailing '=' before decoding.
func ParseChallenge(raw string) (header, payload, signature []byte, err error) {
if raw == "" {
return nil, nil, nil, fmt.Errorf("%w: empty input", ErrChallengeMalformed)
}
parts := strings.Split(raw, ".")
if len(parts) != 3 {
return nil, nil, nil, fmt.Errorf("%w: expected 3 dot-separated segments, got %d", ErrChallengeMalformed, len(parts))
}
for i, p := range parts {
if p == "" {
return nil, nil, nil, fmt.Errorf("%w: segment %d is empty", ErrChallengeMalformed, i)
}
}
header, err = b64urlDecode(parts[0])
if err != nil {
return nil, nil, nil, fmt.Errorf("%w: header base64url: %v", ErrChallengeMalformed, err)
}
payload, err = b64urlDecode(parts[1])
if err != nil {
return nil, nil, nil, fmt.Errorf("%w: payload base64url: %v", ErrChallengeMalformed, err)
}
signature, err = b64urlDecode(parts[2])
if err != nil {
return nil, nil, nil, fmt.Errorf("%w: signature base64url: %v", ErrChallengeMalformed, err)
}
// Sanity-check the header parses as JSON before we hand it back; a
// non-JSON header is a clear malformed signal we'd otherwise only
// catch later in ValidateChallenge during alg dispatch. Earlier
// rejection = better operator audit log shape.
var probe map[string]any
if err := json.Unmarshal(header, &probe); err != nil {
return nil, nil, nil, fmt.Errorf("%w: header is not JSON: %v", ErrChallengeMalformed, err)
}
return header, payload, signature, nil
}
// b64urlDecode decodes RFC 4648 §5 base64url with or without trailing
// '=' padding. RFC 7515 §2 mandates unpadded; some Intune Connector
// versions emit padded; tolerate both.
func b64urlDecode(s string) ([]byte, error) {
stripped := strings.TrimRight(s, "=")
return base64.RawURLEncoding.DecodeString(stripped)
}
// jwtHeader is the JOSE-style header carried in the first segment of an
// Intune challenge. We only consult `alg` for signature dispatch; other
// JWS fields (kid, x5c, jku, etc.) are intentionally NOT honored — the
// trust anchor is operator-supplied at startup and pinned, not negotiated
// per-request. Honoring kid/jku would expand the attack surface to "any
// URL the Connector header claims is the truth," which is exactly the
// JWT vulnerability class we're avoiding by not pulling in a full JOSE
// implementation.
type jwtHeader struct {
Alg string `json:"alg"`
Typ string `json:"typ,omitempty"`
}
// versionedChallenge is the lightest possible pre-parse to extract a
// version claim BEFORE the full JSON unmarshal commits to a struct
// shape. v1 (current) has no "version" key; v2+ MUST.
//
// SCEP RFC 8894 + Intune master bundle Phase 7.4 (version dispatcher
// rationale): Microsoft has changed the Connector signed-challenge format
// at least twice in the past 5 years. Adding the dispatcher today costs
// ~30 LoC + 2 tests; not having it when v2 ships costs a P0 incident
// where every Intune enrollment fails until a hot-fix lands.
type versionedChallenge struct {
Version string `json:"version,omitempty"`
}
// versionUnmarshalers maps a version string to its claim parser. Adding
// v2 = adding a parser + a registration line. Adding v3 = same. Existing
// v1 path stays untouched.
var versionUnmarshalers = map[string]func(payload []byte) (*ChallengeClaim, error){
"": unmarshalChallengeV1, // legacy / current default
"v1": unmarshalChallengeV1, // explicit v1, future-belt-and-suspenders
// "v2": unmarshalChallengeV2, // ← future, when Microsoft ships it
}
// challengePayloadV1 is the on-the-wire JSON shape of the v1 Connector
// challenge. Separated from the public ChallengeClaim because the wire
// format uses Unix-second numerics for iat/exp while the in-memory type
// uses time.Time (caller-friendly + sentinel-safe).
type challengePayloadV1 struct {
Issuer string `json:"iss,omitempty"`
Subject string `json:"sub,omitempty"`
Audience string `json:"aud,omitempty"`
IssuedAt int64 `json:"iat,omitempty"`
ExpiresAt int64 `json:"exp,omitempty"`
Nonce string `json:"nonce,omitempty"`
DeviceName string `json:"device_name,omitempty"`
SANDNS []string `json:"san_dns,omitempty"`
SANRFC822 []string `json:"san_rfc822,omitempty"`
SANUPN []string `json:"san_upn,omitempty"`
}
// unmarshalChallengeV1 parses the v1 wire format. Conservative: any
// unrecognised JSON fields are silently dropped (forward-compat for the
// inevitable v1.x minor additions Microsoft makes without bumping the
// version key).
func unmarshalChallengeV1(payload []byte) (*ChallengeClaim, error) {
var p challengePayloadV1
if err := json.Unmarshal(payload, &p); err != nil {
return nil, fmt.Errorf("%w: v1 payload unmarshal: %v", ErrChallengeMalformed, err)
}
c := &ChallengeClaim{
Issuer: p.Issuer,
Subject: p.Subject,
Audience: p.Audience,
Nonce: p.Nonce,
DeviceName: p.DeviceName,
SANDNS: p.SANDNS,
SANRFC822: p.SANRFC822,
SANUPN: p.SANUPN,
}
if p.IssuedAt > 0 {
c.IssuedAt = time.Unix(p.IssuedAt, 0).UTC()
}
if p.ExpiresAt > 0 {
c.ExpiresAt = time.Unix(p.ExpiresAt, 0).UTC()
}
return c, nil
}
// ValidateChallenge runs the full Intune-challenge validation pipeline:
//
// 1. ParseChallenge(raw) — JWT compact deserialize
// 2. Verify signature over (segment0 || "." || segment1) against any
// trust-anchor cert's public key (try each until one verifies)
// 3. Extract version claim via the lightweight versioned-prelude
// 4. Dispatch to the per-version unmarshaler (v1 today)
// 5. Time bounds: now ≥ iat AND now < exp (with stdlib RFC 3339 grace)
// 6. Audience: claim.Audience == expectedAudience (when expectedAudience
// is non-empty; empty disables the check, useful for tests)
//
// Returns *ChallengeClaim on success, typed error on failure (caller can
// errors.Is the specific dimension).
//
// Replay protection is the CALLER's responsibility — pass the returned
// claim's Nonce to a *ReplayCache.CheckAndInsert. We deliberately don't
// own the cache here so the validator stays stateless + testable; the
// handler glues parser + cache together.
func ValidateChallenge(raw string, trust []*x509.Certificate, expectedAudience string, now time.Time) (*ChallengeClaim, error) {
if len(trust) == 0 {
return nil, fmt.Errorf("%w: no trust anchors configured", ErrChallengeSignature)
}
header, payload, signature, err := ParseChallenge(raw)
if err != nil {
return nil, err
}
// JWS signing input per RFC 7515 §5.1: ASCII bytes of segment0 + "." + segment1.
// We re-derive from raw (split-by-dots) rather than re-base64-encode the
// decoded segments, because RFC 7515 §3.1 specifies the signing input
// is the encoded form, and some encoders omit padding while others
// don't — re-encoding could produce a byte-different input than what
// the Connector originally signed. Use the raw on-wire bytes.
parts := strings.Split(raw, ".")
if len(parts) != 3 {
// ParseChallenge already enforced this; defensive double-check.
return nil, fmt.Errorf("%w: post-parse segment count drift", ErrChallengeMalformed)
}
signingInput := []byte(parts[0] + "." + parts[1])
var hdr jwtHeader
if err := json.Unmarshal(header, &hdr); err != nil {
return nil, fmt.Errorf("%w: header JSON: %v", ErrChallengeMalformed, err)
}
if err := verifyChallengeSignature(hdr.Alg, signingInput, signature, trust); err != nil {
return nil, err
}
// Version dispatch — extract the version claim BEFORE the full unmarshal.
var v versionedChallenge
if err := json.Unmarshal(payload, &v); err != nil {
return nil, fmt.Errorf("%w: prelude unmarshal: %v", ErrChallengeMalformed, err)
}
unmarshaler, ok := versionUnmarshalers[v.Version]
if !ok {
return nil, fmt.Errorf("%w: %q", ErrChallengeUnknownVersion, v.Version)
}
claim, err := unmarshaler(payload)
if err != nil {
return nil, err
}
// Time bounds. The Connector's signed iat/exp ARE authoritative;
// we don't impose a separate validity cap here (the operator can
// add one in the handler if defense-in-depth is wanted, e.g. via
// SCEPProfileConfig.IntuneChallengeValidity in Phase 8).
if !claim.IssuedAt.IsZero() && now.Before(claim.IssuedAt) {
return nil, fmt.Errorf("%w: iat=%s now=%s", ErrChallengeNotYetValid,
claim.IssuedAt.Format(time.RFC3339), now.Format(time.RFC3339))
}
if !claim.ExpiresAt.IsZero() && !now.Before(claim.ExpiresAt) {
return nil, fmt.Errorf("%w: exp=%s now=%s", ErrChallengeExpired,
claim.ExpiresAt.Format(time.RFC3339), now.Format(time.RFC3339))
}
// Audience binds the challenge to a specific SCEP endpoint URL. An
// empty expectedAudience disables the check (test convenience + the
// Phase 8 config allows operator opt-out for proxy / load-balancer
// scenarios where the URL the Connector saw isn't the URL we see).
if expectedAudience != "" && claim.Audience != "" && claim.Audience != expectedAudience {
return nil, fmt.Errorf("%w: claim=%q expected=%q", ErrChallengeWrongAudience,
claim.Audience, expectedAudience)
}
return claim, nil
}
// verifyChallengeSignature dispatches on the JWS alg header to the
// matching stdlib signature-verify routine, then iterates the trust
// anchors trying each cert's public key until one verifies.
//
// Supported algs:
// - RS256: RSASSA-PKCS1-v1_5 over SHA-256 (Microsoft's published Connector default)
// - ES256: ECDSA P-256 over SHA-256 (community-reported Connector option)
//
// Deliberately rejected algs:
// - "none" (RFC 7515 §3.6 vulnerability vector)
// - HS256 / HS384 / HS512 (HMAC; no shared secret in our threat model)
// - PS256+ (RSA-PSS; not seen in Intune Connector traffic — add only when needed)
//
// Adding a new alg = add a case + a verify helper. The trust-anchor loop
// stays unchanged.
func verifyChallengeSignature(alg string, signingInput, signature []byte, trust []*x509.Certificate) error {
switch alg {
case "RS256":
return verifyRS256(signingInput, signature, trust)
case "ES256":
return verifyES256(signingInput, signature, trust)
case "":
return fmt.Errorf("%w: missing alg header (RFC 7515 §4.1.1 mandates)", ErrChallengeSignature)
case "none":
// Explicit reject so the failure mode in the audit log distinguishes
// "unsupported alg" from "active attack with the alg-none vector."
return fmt.Errorf("%w: alg \"none\" rejected (RFC 7515 §3.6 attack)", ErrChallengeSignature)
default:
return fmt.Errorf("%w: unsupported alg %q (only RS256 and ES256 are accepted)", ErrChallengeSignature, alg)
}
}
// verifyRS256 hashes the signing input with SHA-256 and checks the
// signature against each trust anchor's public key. Constant-time: the
// stdlib's rsa.VerifyPKCS1v15 returns nil on success and an error on
// failure without timing-leak surface area on the hash compare path.
func verifyRS256(signingInput, signature []byte, trust []*x509.Certificate) error {
h := sha256.Sum256(signingInput)
for _, cert := range trust {
pub, ok := cert.PublicKey.(*rsa.PublicKey)
if !ok {
continue
}
if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], signature); err == nil {
return nil
}
}
return ErrChallengeSignature
}
// verifyES256 dispatches between the two ECDSA signature encodings the
// JOSE spec allows for ES256:
//
// - RFC 7515 §3.4 fixed-width: r || s, each 32 bytes (raw concat) — the
// wire format JOSE-compliant Connectors use.
// - ASN.1 DER (SEQUENCE { r INTEGER, s INTEGER }) — older Connector
// builds and many .NET-based JWT libraries emit DER instead of the
// RFC 7515 fixed-width form.
//
// Try fixed-width first (the spec-blessed format); fall back to ASN.1.
// crypto/ecdsa.VerifyASN1 + ecdsa.Verify both return bool — no timing
// leak on the success path.
func verifyES256(signingInput, signature []byte, trust []*x509.Certificate) error {
h := sha256.Sum256(signingInput)
for _, cert := range trust {
pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
if !ok {
continue
}
// Fixed-width r||s form (JOSE-canonical for P-256 = 64 bytes).
if len(signature) == 64 {
r := new(big.Int).SetBytes(signature[:32])
s := new(big.Int).SetBytes(signature[32:])
if ecdsa.Verify(pub, h[:], r, s) {
return nil
}
}
// ASN.1 DER form (older / non-JOSE encoders).
if ecdsa.VerifyASN1(pub, h[:], signature) {
return nil
}
}
return ErrChallengeSignature
}
internal/scep/intune/challenge_test.go
+526
View File
@@ -0,0 +1,526 @@
package intune
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/base64"
"encoding/json"
"errors"
"math/big"
"strings"
"testing"
"time"
)
// Test idiom: each test materialises a real Connector signing cert +
// private key, builds a JWT-shaped challenge by hand, then runs it
// through Parse / Validate. Round-trip pins the exact wire format the
// Microsoft Intune Certificate Connector emits today (v1).
// =============================================================================
// Test helpers — Connector trust-anchor + signed challenge factories.
// =============================================================================
type testRSAConnector struct {
key *rsa.PrivateKey
cert *x509.Certificate
}
func genTestRSAConnector(t *testing.T) testRSAConnector {
t.Helper()
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("rsa.GenerateKey: %v", err)
}
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "test-intune-connector"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
t.Fatalf("x509.CreateCertificate: %v", err)
}
cert, err := x509.ParseCertificate(der)
if err != nil {
t.Fatalf("x509.ParseCertificate: %v", err)
}
return testRSAConnector{key: key, cert: cert}
}
type testECDSAConnector struct {
key *ecdsa.PrivateKey
cert *x509.Certificate
}
func genTestECDSAConnector(t *testing.T) testECDSAConnector {
t.Helper()
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey: %v", err)
}
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(2),
Subject: pkix.Name{CommonName: "test-intune-connector-es256"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
t.Fatalf("x509.CreateCertificate: %v", err)
}
cert, err := x509.ParseCertificate(der)
if err != nil {
t.Fatalf("x509.ParseCertificate: %v", err)
}
return testECDSAConnector{key: key, cert: cert}
}
// signTestChallengeRS256 builds + signs a challenge with the given payload.
// alg defaults to RS256.
func signTestChallengeRS256(t *testing.T, c testRSAConnector, payload any) string {
t.Helper()
hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
pl, _ := json.Marshal(payload)
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl)
h := sha256.Sum256([]byte(signingInput))
sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
if err != nil {
t.Fatalf("rsa.SignPKCS1v15: %v", err)
}
return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// signTestChallengeES256_FixedWidth produces a JOSE-canonical r||s ES256.
func signTestChallengeES256_FixedWidth(t *testing.T, c testECDSAConnector, payload any) string {
t.Helper()
hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"})
pl, _ := json.Marshal(payload)
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl)
h := sha256.Sum256([]byte(signingInput))
r, s, err := ecdsa.Sign(rand.Reader, c.key, h[:])
if err != nil {
t.Fatalf("ecdsa.Sign: %v", err)
}
rb, sb := r.Bytes(), s.Bytes()
sig := make([]byte, 64)
copy(sig[32-len(rb):], rb)
copy(sig[64-len(sb):], sb)
return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// signTestChallengeES256_DER produces the older non-JOSE ASN.1 DER form.
func signTestChallengeES256_DER(t *testing.T, c testECDSAConnector, payload any) string {
t.Helper()
hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"})
pl, _ := json.Marshal(payload)
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl)
h := sha256.Sum256([]byte(signingInput))
derSig, err := ecdsa.SignASN1(rand.Reader, c.key, h[:])
if err != nil {
t.Fatalf("ecdsa.SignASN1: %v", err)
}
return signingInput + "." + base64.RawURLEncoding.EncodeToString(derSig)
}
// validV1Payload returns a v1 challenge payload that is currently in-window.
func validV1Payload(now time.Time) challengePayloadV1 {
return challengePayloadV1{
Issuer: "test-connector-installation-guid",
Subject: "device-guid-123",
Audience: "https://certctl.example.com/scep/corp",
IssuedAt: now.Add(-1 * time.Minute).Unix(),
ExpiresAt: now.Add(59 * time.Minute).Unix(),
Nonce: "abc123nonce",
DeviceName: "DEVICE-001",
SANDNS: []string{"device-001.example.com"},
SANRFC822: []string{"device-001@example.com"},
}
}
// =============================================================================
// ParseChallenge.
// =============================================================================
func TestParseChallenge_HappyPath(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
raw := signTestChallengeRS256(t, c, validV1Payload(now))
header, payload, signature, err := ParseChallenge(raw)
if err != nil {
t.Fatalf("ParseChallenge: %v", err)
}
if len(header) == 0 || len(payload) == 0 || len(signature) == 0 {
t.Fatalf("decoded segments are empty: header=%d payload=%d signature=%d",
len(header), len(payload), len(signature))
}
var p challengePayloadV1
if err := json.Unmarshal(payload, &p); err != nil {
t.Fatalf("payload not valid JSON: %v", err)
}
if p.DeviceName != "DEVICE-001" {
t.Errorf("DeviceName = %q, want DEVICE-001", p.DeviceName)
}
}
func TestParseChallenge_Malformed(t *testing.T) {
cases := []struct {
name string
in string
}{
{"empty", ""},
{"missing dots", "abc"},
{"two dots one missing segment", "abc..def"},
{"trailing dot extra segment", "a.b.c.d"},
{"first segment empty", ".b.c"},
{"middle segment empty", "a..c"},
{"last segment empty", "a.b."},
{"non-base64 header", "!!!.YWJj.YWJj"},
{"non-JSON header", base64.RawURLEncoding.EncodeToString([]byte("not json")) + ".YWJj.YWJj"},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
_, _, _, err := ParseChallenge(tc.in)
if !errors.Is(err, ErrChallengeMalformed) {
t.Fatalf("got %v, want errors.Is(ErrChallengeMalformed)", err)
}
})
}
}
func TestParseChallenge_PaddedBase64Tolerated(t *testing.T) {
// Some Connector versions emit padded base64url; we tolerate both.
hdr := base64.URLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`))
pl := base64.URLEncoding.EncodeToString([]byte(`{"foo":"bar"}`))
sig := base64.URLEncoding.EncodeToString([]byte("xx"))
if !strings.HasSuffix(hdr, "=") && !strings.HasSuffix(pl, "=") && !strings.HasSuffix(sig, "=") {
t.Skip("encoder didn't produce padding for this fixture; skipping")
}
raw := hdr + "." + pl + "." + sig
if _, _, _, err := ParseChallenge(raw); err != nil {
t.Fatalf("padded base64url should be tolerated: %v", err)
}
}
// =============================================================================
// ValidateChallenge — happy paths for both algs + both ES256 encodings.
// =============================================================================
func TestValidateChallenge_HappyPath_RS256(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeRS256(t, c, pl)
got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
if err != nil {
t.Fatalf("ValidateChallenge: %v", err)
}
if got.DeviceName != "DEVICE-001" {
t.Errorf("DeviceName = %q", got.DeviceName)
}
if got.Nonce != "abc123nonce" {
t.Errorf("Nonce = %q", got.Nonce)
}
if got.IssuedAt.IsZero() || got.ExpiresAt.IsZero() {
t.Errorf("iat/exp not populated: iat=%v exp=%v", got.IssuedAt, got.ExpiresAt)
}
}
func TestValidateChallenge_HappyPath_ES256_FixedWidth(t *testing.T) {
c := genTestECDSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeES256_FixedWidth(t, c, pl)
got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
if err != nil {
t.Fatalf("ValidateChallenge: %v", err)
}
if got.Subject != "device-guid-123" {
t.Errorf("Subject = %q", got.Subject)
}
}
func TestValidateChallenge_HappyPath_ES256_DER(t *testing.T) {
c := genTestECDSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeES256_DER(t, c, pl)
if _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now); err != nil {
t.Fatalf("ValidateChallenge ES256 DER: %v", err)
}
}
// =============================================================================
// ValidateChallenge — failure dimensions.
// =============================================================================
func TestValidateChallenge_Expired(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
pl.ExpiresAt = now.Add(-1 * time.Minute).Unix()
raw := signTestChallengeRS256(t, c, pl)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
if !errors.Is(err, ErrChallengeExpired) {
t.Fatalf("got %v, want ErrChallengeExpired", err)
}
}
func TestValidateChallenge_NotYetValid(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
pl.IssuedAt = now.Add(5 * time.Minute).Unix() // future iat (clock skew)
pl.ExpiresAt = now.Add(65 * time.Minute).Unix()
raw := signTestChallengeRS256(t, c, pl)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
if !errors.Is(err, ErrChallengeNotYetValid) {
t.Fatalf("got %v, want ErrChallengeNotYetValid", err)
}
}
func TestValidateChallenge_WrongAudience(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeRS256(t, c, pl)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "https://wrong-host.example.com/scep", now)
if !errors.Is(err, ErrChallengeWrongAudience) {
t.Fatalf("got %v, want ErrChallengeWrongAudience", err)
}
}
func TestValidateChallenge_EmptyExpectedAudienceDisablesCheck(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeRS256(t, c, pl)
if _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", now); err != nil {
t.Fatalf("empty expected audience should disable the check: %v", err)
}
}
func TestValidateChallenge_TamperedSignature(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeRS256(t, c, pl)
parts := strings.Split(raw, ".")
// Flip one byte in the b64-decoded signature, then re-encode.
sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
sig[0] ^= 0xFF
parts[2] = base64.RawURLEncoding.EncodeToString(sig)
tampered := strings.Join(parts, ".")
_, err := ValidateChallenge(tampered, []*x509.Certificate{c.cert}, pl.Audience, now)
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature", err)
}
}
func TestValidateChallenge_TamperedPayload(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeRS256(t, c, pl)
// Re-encode the payload with a different DeviceName but keep the
// original signature. Signature verification MUST catch this.
parts := strings.Split(raw, ".")
pl.DeviceName = "ATTACKER-CHANGED-DEVICE"
tamperedPayload, _ := json.Marshal(pl)
parts[1] = base64.RawURLEncoding.EncodeToString(tamperedPayload)
tampered := strings.Join(parts, ".")
_, err := ValidateChallenge(tampered, []*x509.Certificate{c.cert}, pl.Audience, now)
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature", err)
}
}
func TestValidateChallenge_RotatedTrustAnchor(t *testing.T) {
signedBy := genTestRSAConnector(t)
rotatedTo := genTestRSAConnector(t) // operator already rotated; old key gone
now := time.Now()
pl := validV1Payload(now)
raw := signTestChallengeRS256(t, signedBy, pl)
_, err := ValidateChallenge(raw, []*x509.Certificate{rotatedTo.cert}, pl.Audience, now)
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature", err)
}
}
func TestValidateChallenge_EmptyTrustBundle(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
raw := signTestChallengeRS256(t, c, validV1Payload(now))
_, err := ValidateChallenge(raw, nil, "", now)
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature", err)
}
}
func TestValidateChallenge_AlgNoneRejected(t *testing.T) {
// Active alg=none attack: header says alg=none, signature is empty,
// the validator MUST reject regardless of any "valid"-looking payload.
hdr, _ := json.Marshal(jwtHeader{Alg: "none"})
pl, _ := json.Marshal(validV1Payload(time.Now()))
raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl) + "." +
base64.RawURLEncoding.EncodeToString([]byte("nope"))
c := genTestRSAConnector(t)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature for alg=none", err)
}
if !strings.Contains(err.Error(), "none") {
t.Errorf("error message should mention alg=none for audit clarity: %v", err)
}
}
func TestValidateChallenge_UnsupportedAlg(t *testing.T) {
hdr, _ := json.Marshal(jwtHeader{Alg: "HS256"})
pl, _ := json.Marshal(validV1Payload(time.Now()))
raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl) + "." +
base64.RawURLEncoding.EncodeToString([]byte("hmac-bytes"))
c := genTestRSAConnector(t)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature for unsupported alg", err)
}
}
func TestValidateChallenge_MissingAlgHeader(t *testing.T) {
hdr, _ := json.Marshal(map[string]string{"typ": "JWT"})
pl, _ := json.Marshal(validV1Payload(time.Now()))
raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl) + "." +
base64.RawURLEncoding.EncodeToString([]byte("xx"))
c := genTestRSAConnector(t)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
if !errors.Is(err, ErrChallengeSignature) {
t.Fatalf("got %v, want ErrChallengeSignature for missing alg", err)
}
}
// =============================================================================
// Version dispatcher.
// =============================================================================
func TestValidateChallenge_VersionV1ExplicitOK(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
type plWithVersion struct {
Version string `json:"version"`
challengePayloadV1
}
p := plWithVersion{Version: "v1", challengePayloadV1: validV1Payload(now)}
raw := signTestChallengeRS256(t, c, p)
got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, p.Audience, now)
if err != nil {
t.Fatalf("explicit v1 should be accepted: %v", err)
}
if got.DeviceName != "DEVICE-001" {
t.Errorf("DeviceName = %q", got.DeviceName)
}
}
func TestValidateChallenge_VersionUnknownRejected(t *testing.T) {
c := genTestRSAConnector(t)
now := time.Now()
type plWithVersion struct {
Version string `json:"version"`
challengePayloadV1
}
p := plWithVersion{Version: "v999", challengePayloadV1: validV1Payload(now)}
raw := signTestChallengeRS256(t, c, p)
_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, p.Audience, now)
if !errors.Is(err, ErrChallengeUnknownVersion) {
t.Fatalf("got %v, want ErrChallengeUnknownVersion", err)
}
}
// =============================================================================
// Trust-anchor walk: when a trust bundle has both algs configured, the
// validator must ignore key-type mismatches without returning Signature.
// =============================================================================
func TestValidateChallenge_MixedTrustBundle_IgnoresKeyTypeMismatches(t *testing.T) {
rsaConn := genTestRSAConnector(t)
ecConn := genTestECDSAConnector(t)
now := time.Now()
pl := validV1Payload(now)
// Sign with RSA; trust bundle has BOTH the RSA cert and an unrelated
// ECDSA cert. Validator should iterate, skip the EC cert (key type
// mismatch), find RSA, verify, return success.
raw := signTestChallengeRS256(t, rsaConn, pl)
bundle := []*x509.Certificate{ecConn.cert, rsaConn.cert}
if _, err := ValidateChallenge(raw, bundle, pl.Audience, now); err != nil {
t.Fatalf("mixed-bundle validate: %v", err)
}
}
// =============================================================================
// Defensive: malformed payload after good signature still surfaces a
// useful error (not a panic).
// =============================================================================
func TestValidateChallenge_NonJSONPayloadButValidSignature(t *testing.T) {
c := genTestRSAConnector(t)
hdr, _ := json.Marshal(jwtHeader{Alg: "RS256"})
pl := []byte("this is not JSON")
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl)
h := sha256.Sum256([]byte(signingInput))
sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
if err != nil {
t.Fatalf("rsa.SignPKCS1v15: %v", err)
}
raw := signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
_, vErr := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
if !errors.Is(vErr, ErrChallengeMalformed) {
t.Fatalf("got %v, want ErrChallengeMalformed", vErr)
}
}
// asn1 + math/big are imported to keep the test compile in case future
// helpers add ASN.1 wire shaping (e.g. malformed-DER ES256 fixture).
var (
_ = asn1.Marshal
_ = big.NewInt
)
internal/scep/intune/claim.go
+162
View File
@@ -0,0 +1,162 @@
package intune
import (
"crypto/x509"
"errors"
"fmt"
"sort"
"strings"
"time"
)
// ChallengeClaim is the parsed payload of an Intune dynamic challenge.
//
// SCEP RFC 8894 + Intune master bundle Phase 7.3.
//
// Fields documented from Microsoft's Connector source traces +
// community implementations (smallstep/step-ca and HashiCorp Vault's
// Intune integrations both reverse-engineered the same format). The
// JSON tags match what the Connector emits today (v1 format); a v2
// format would land alongside via the version-detection dispatcher
// in challenge.go.
//
// Set-equality semantics: the SAN slices are normalised (sorted,
// de-duped) before comparison so Microsoft's Connector emitting in a
// non-deterministic order doesn't break DeviceMatchesCSR.
type ChallengeClaim struct {
Issuer string `json:"iss,omitempty"` // Connector identity (installation GUID typical)
Subject string `json:"sub,omitempty"` // device GUID or user UPN
Audience string `json:"aud,omitempty"` // expected SCEP endpoint URL (replay protection)
IssuedAt time.Time `json:"-"` // populated by claim unmarshaler from "iat" Unix seconds
ExpiresAt time.Time `json:"-"` // populated by claim unmarshaler from "exp" Unix seconds
Nonce string `json:"nonce,omitempty"` // replay-protection token; opaque
DeviceName string `json:"device_name,omitempty"` // expected CSR CommonName
SANDNS []string `json:"san_dns,omitempty"` // expected SAN DNS names
SANRFC822 []string `json:"san_rfc822,omitempty"` // expected SAN email addresses (user certs)
SANUPN []string `json:"san_upn,omitempty"` // expected SAN userPrincipalName
}
// Typed claim-mismatch errors so the caller can audit the specific
// failure dimension without string-matching on error messages.
var (
ErrClaimCNMismatch = errors.New("intune claim: device_name does not match CSR CommonName")
ErrClaimSANDNSMismatch = errors.New("intune claim: SAN DNS set does not match CSR")
ErrClaimSANRFC822Mismatch = errors.New("intune claim: SAN RFC822 (email) set does not match CSR")
ErrClaimSANUPNMismatch = errors.New("intune claim: SAN UPN (userPrincipalName) set does not match CSR")
)
// DeviceMatchesCSR returns nil if the CSR's CN and SANs match the
// claim's expected values. Returns a typed error otherwise so the
// caller can audit the specific mismatch.
//
// Set-equality semantics: if the claim says
// SANDNS=["a.example.com","b.example.com"] and the CSR has only
// "a.example.com", that's a mismatch — the operator's Intune profile
// was misconfigured or the CSR was tampered with. Both are "fail
// closed" cases.
//
// Empty claim slices = no constraint on that dimension. So a claim
// with SANDNS=nil + a CSR with DNS SANs is OK (Intune didn't pin DNS,
// the CSR can carry whatever). A claim with SANDNS=["x"] + a CSR
// with no DNS SANs is a mismatch (Intune pinned x, CSR doesn't have
// it).
func (c *ChallengeClaim) DeviceMatchesCSR(csr *x509.CertificateRequest) error {
if c == nil {
return errors.New("intune claim: nil claim")
}
if csr == nil {
return errors.New("intune claim: nil CSR")
}
// CN is straight equality. Empty claim CN = no constraint.
if c.DeviceName != "" && c.DeviceName != csr.Subject.CommonName {
return fmt.Errorf("%w: claim=%q csr=%q", ErrClaimCNMismatch, c.DeviceName, csr.Subject.CommonName)
}
// SAN sets — set-equality means the SCEP CSR carries EXACTLY the
// claim's elements, no extras and no missing. Normalising via
// sorted lower-case slices makes the compare order-independent.
if len(c.SANDNS) > 0 {
got := normaliseSet(csr.DNSNames)
want := normaliseSet(c.SANDNS)
if !equalSets(got, want) {
return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANDNSMismatch, want, got)
}
}
if len(c.SANRFC822) > 0 {
got := normaliseSet(csr.EmailAddresses)
want := normaliseSet(c.SANRFC822)
if !equalSets(got, want) {
return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANRFC822Mismatch, want, got)
}
}
if len(c.SANUPN) > 0 {
// UPN SANs ride otherName extensions per RFC 4985 §1.1; Go's
// stdlib doesn't surface them as a typed slice. Walk the raw
// extensions if present. Most Intune deploys use SAN-RFC822
// (email) for user certs rather than SAN-UPN, so this branch is
// uncommon but pinned for correctness.
got := normaliseSet(extractUPNSans(csr))
want := normaliseSet(c.SANUPN)
if !equalSets(got, want) {
return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANUPNMismatch, want, got)
}
}
return nil
}
// normaliseSet returns a sorted, lowercased, de-duplicated copy of s.
// Lowercase because DNS / email comparison is case-insensitive (DNS
// per RFC 4343, email local-part is case-sensitive per RFC 5321 but
// Microsoft + most TLS stacks treat it case-insensitively for SAN
// comparison). De-dup so a CSR with ["a","a"] matches a claim with
// ["a"] — the cert's effective SAN set is what we're comparing, not
// the multiset.
func normaliseSet(s []string) []string {
seen := map[string]struct{}{}
out := make([]string, 0, len(s))
for _, v := range s {
v = strings.ToLower(strings.TrimSpace(v))
if v == "" {
continue
}
if _, ok := seen[v]; ok {
continue
}
seen[v] = struct{}{}
out = append(out, v)
}
sort.Strings(out)
return out
}
func equalSets(a, b []string) bool {
if len(a) != len(b) {
return false
}
for i := range a {
if a[i] != b[i] {
return false
}
}
return true
}
// extractUPNSans walks a CSR's raw extensions for SAN entries with the
// otherName form carrying the id-ms-san-upn OID (1.3.6.1.4.1.311.20.2.3).
// Returns the decoded UTF-8 string values. Returns empty slice when no
// UPN SANs are present (the common case).
//
// Implementation note: Go's stdlib doesn't decode UPN SANs; we'd have
// to walk the SubjectAltName extension's raw value as ASN.1 SEQUENCE OF
// GeneralName, find the [0] otherName tags, parse each as
// {OID, [0] EXPLICIT ANY}, match the OID, and decode the EXPLICIT value
// as a UTF8String. That's ~50 LoC of ASN.1 fiddling. For Phase 7 v1 we
// punt on it: returning an empty slice means SANUPN claims with non-
// empty values fail the equalSets check below — which is the correct
// fail-closed behavior for the rare deploy that pins UPN SANs but
// hasn't audited the wire format. If/when an operator actually needs
// SAN-UPN matching, hot-fix this function with the ASN.1 walker.
func extractUPNSans(_ *x509.CertificateRequest) []string {
return nil
}
internal/scep/intune/claim_test.go
+159
View File
@@ -0,0 +1,159 @@
package intune
import (
"crypto/x509"
"crypto/x509/pkix"
"errors"
"testing"
)
// Each TestDeviceMatchesCSR_* covers a single dimension (CN / SAN-DNS /
// SAN-RFC822 / SAN-UPN) with both happy-path and mismatch fixtures so the
// per-dimension typed errors stay wired up over future refactors.
func newCSRFixture(cn string, dns, email []string) *x509.CertificateRequest {
return &x509.CertificateRequest{
Subject: pkix.Name{CommonName: cn},
DNSNames: dns,
EmailAddresses: email,
}
}
func TestDeviceMatchesCSR_HappyPath_AllDimensions(t *testing.T) {
csr := newCSRFixture("DEVICE-001", []string{"a.example.com", "b.example.com"},
[]string{"alice@example.com"})
c := &ChallengeClaim{
DeviceName: "DEVICE-001",
SANDNS: []string{"b.example.com", "a.example.com"}, // reversed; set-equality
SANRFC822: []string{"alice@example.com"},
}
if err := c.DeviceMatchesCSR(csr); err != nil {
t.Fatalf("happy-path match should succeed: %v", err)
}
}
func TestDeviceMatchesCSR_NilGuards(t *testing.T) {
var nilClaim *ChallengeClaim
if err := nilClaim.DeviceMatchesCSR(&x509.CertificateRequest{}); err == nil {
t.Errorf("nil claim should error")
}
c := &ChallengeClaim{}
if err := c.DeviceMatchesCSR(nil); err == nil {
t.Errorf("nil CSR should error")
}
}
func TestDeviceMatchesCSR_CNMismatch(t *testing.T) {
csr := newCSRFixture("ATTACKER-DEVICE", nil, nil)
c := &ChallengeClaim{DeviceName: "DEVICE-001"}
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimCNMismatch) {
t.Fatalf("got %v, want ErrClaimCNMismatch", err)
}
}
func TestDeviceMatchesCSR_EmptyClaimCN_NoConstraint(t *testing.T) {
csr := newCSRFixture("any-cn-is-fine", nil, nil)
c := &ChallengeClaim{} // no DeviceName pinned
if err := c.DeviceMatchesCSR(csr); err != nil {
t.Fatalf("empty claim CN must impose no constraint: %v", err)
}
}
func TestDeviceMatchesCSR_SANDNSMismatch_Missing(t *testing.T) {
csr := newCSRFixture("d", []string{"a.example.com"}, nil) // missing b
c := &ChallengeClaim{SANDNS: []string{"a.example.com", "b.example.com"}}
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) {
t.Fatalf("got %v, want ErrClaimSANDNSMismatch", err)
}
}
func TestDeviceMatchesCSR_SANDNSMismatch_Extra(t *testing.T) {
csr := newCSRFixture("d", []string{"a.example.com", "evil.example.com"}, nil)
c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) {
t.Fatalf("got %v, want ErrClaimSANDNSMismatch (CSR carries extra SAN)", err)
}
}
func TestDeviceMatchesCSR_SANDNSMatch_CaseInsensitive(t *testing.T) {
csr := newCSRFixture("d", []string{"A.Example.COM"}, nil)
c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
if err := c.DeviceMatchesCSR(csr); err != nil {
t.Fatalf("DNS comparison must be case-insensitive (RFC 4343): %v", err)
}
}
func TestDeviceMatchesCSR_SANDNSDedupe(t *testing.T) {
// CSR with duplicate SAN entries should still match a claim that
// only lists each unique value once. The "set" in set-equality is
// the cert's effective SAN set, not the multiset.
csr := newCSRFixture("d", []string{"a.example.com", "a.example.com"}, nil)
c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
if err := c.DeviceMatchesCSR(csr); err != nil {
t.Fatalf("dedup-equality must hold: %v", err)
}
}
func TestDeviceMatchesCSR_EmptyClaimSAN_NoConstraint(t *testing.T) {
csr := newCSRFixture("d", []string{"any.example.com"}, nil)
c := &ChallengeClaim{} // no SANDNS pinned
if err := c.DeviceMatchesCSR(csr); err != nil {
t.Fatalf("empty claim SANDNS must impose no constraint: %v", err)
}
}
func TestDeviceMatchesCSR_SANRFC822Mismatch(t *testing.T) {
csr := newCSRFixture("d", nil, []string{"bob@example.com"})
c := &ChallengeClaim{SANRFC822: []string{"alice@example.com"}}
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANRFC822Mismatch) {
t.Fatalf("got %v, want ErrClaimSANRFC822Mismatch", err)
}
}
func TestDeviceMatchesCSR_SANUPNMismatch_NoExtractor(t *testing.T) {
// extractUPNSans currently returns nil; any non-empty SANUPN claim
// is therefore a guaranteed mismatch (correct fail-closed behavior).
csr := newCSRFixture("d", nil, nil)
c := &ChallengeClaim{SANUPN: []string{"alice@corp.example.com"}}
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANUPNMismatch) {
t.Fatalf("got %v, want ErrClaimSANUPNMismatch (UPN extractor stubbed)", err)
}
}
func TestNormaliseSet_EdgeCases(t *testing.T) {
cases := []struct {
name string
in []string
want []string
}{
{"empty", nil, []string{}},
{"trim space", []string{" hello "}, []string{"hello"}},
{"drop empty after trim", []string{" ", "x"}, []string{"x"}},
{"lowercase", []string{"HELLO", "World"}, []string{"hello", "world"}},
{"dedupe", []string{"a", "a", "b"}, []string{"a", "b"}},
{"sort", []string{"c", "a", "b"}, []string{"a", "b", "c"}},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
got := normaliseSet(tc.in)
if !equalSets(got, tc.want) {
t.Errorf("normaliseSet(%v) = %v, want %v", tc.in, got, tc.want)
}
})
}
}
func TestEqualSets_LengthMismatch(t *testing.T) {
if equalSets([]string{"a", "b"}, []string{"a"}) {
t.Errorf("different-length sets must not compare equal")
}
}
func TestExtractUPNSans_StubReturnsEmpty(t *testing.T) {
// Pin the documented stub behavior. If/when ExtractUPNSans is
// implemented for real, this test is the canary that flags the
// behavioral change.
if got := extractUPNSans(&x509.CertificateRequest{}); len(got) != 0 {
t.Errorf("extractUPNSans stub must return empty slice; got %v", got)
}
}
internal/scep/intune/doc.go
+56
View File
@@ -0,0 +1,56 @@
// Package intune handles the Microsoft Intune dynamic-challenge format
// embedded in SCEP CSR challengePassword attributes when the SCEP server
// is sitting behind the Microsoft Intune Certificate Connector.
//
// SCEP RFC 8894 + Intune master bundle Phase 7.
//
// Architecture context:
//
// Intune cloud
// ↓ (device cert request)
// Intune Certificate Connector (on customer infra)
// ↓ (SCEP CSR with challenge signed by Connector)
// certctl SCEP server ← THIS PACKAGE validates the Connector's signed challenge
// ↓ (issue cert)
// issuer connector (local CA, Vault, EJBCA, etc.)
//
// The Connector's signed challenge is a JWT-like blob (compact
// serialization, header.payload.signature) where the payload is a JSON
// object containing the device + user claim, the expected CN + SANs,
// expiry, and a nonce. The signature is over header+"."+payload using
// the Connector's installation signing key — the operator extracts that
// key's certificate and configures it as certctl's trust anchor at
// startup.
//
// This package does NOT call Microsoft's API directly. The Connector
// already did that; this package validates the Connector's attestation.
//
// What this package is NOT:
//
// - NOT a full JWT (JOSE) implementation. It parses + verifies one
// specific format with a fixed set of supported algorithms (RS256,
// ES256). No JWKS fetch, no JKU header trust, no kid-based key
// rotation — the operator-supplied trust bundle IS the trust
// anchor, and the validator tries each cert in the bundle until
// one verifies.
// - NOT a generic SCEP-shape detector. The handler dispatches to this
// package only when the configured SCEPProfile has IntuneEnabled=true
// AND the inbound challengePassword "looks Intune-shaped" (length +
// dot-count heuristic landed in Phase 8).
// - NOT a Microsoft API client. The Connector's role is to talk to
// Microsoft; certctl's role is to validate the Connector's signed
// attestation. The replacement target this whole bundle eliminates
// is NDES, NOT the Connector.
//
// References:
//
// - https://learn.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview
// - https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
// - smallstep/step-ca Intune integration (community reverse-engineering of the format)
// - HashiCorp Vault PKI Intune integration (same)
//
// The format details land in this package from a combination of
// Microsoft's published Connector behavior + community implementations
// that have reverse-engineered the JWT shape. Cite the implementation
// references in the parser code's doc comment when you change format.
package intune
internal/scep/intune/fuzz_test.go
+56
View File
@@ -0,0 +1,56 @@
package intune
import (
"crypto/x509"
"encoding/base64"
"encoding/json"
"testing"
"time"
)
// FuzzParseChallenge feeds arbitrary input to the parser and asserts
// no panics. The challenge wire format is exposed to untrusted devices
// (anyone who can hit the SCEP endpoint can submit a challenge); the
// parser MUST never crash the SCEP server. Run for at least 5 minutes
// in CI: `go test -run='^$' -fuzz=FuzzParseChallenge -fuzztime=5m
// ./internal/scep/intune/...`
//
// SCEP RFC 8894 + Intune master bundle Phase 7.5 (fuzz coverage).
func FuzzParseChallenge(f *testing.F) {
// Seed corpus: a real well-formed challenge so the fuzzer has
// structural mutation territory to explore (rather than starting
// from random ASCII).
hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
pl, _ := json.Marshal(challengePayloadV1{
Issuer: "fuzz",
Audience: "fuzz-aud",
IssuedAt: time.Now().Unix(),
ExpiresAt: time.Now().Add(1 * time.Hour).Unix(),
Nonce: "fuzz-nonce",
})
seed := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl) + "." +
base64.RawURLEncoding.EncodeToString([]byte("fuzz-sig-bytes"))
f.Add(seed)
f.Add("")
f.Add(".")
f.Add("..")
f.Add("a.b.c")
f.Add("a..c")
f.Add(".b.")
f.Add("not-base64.not-base64.not-base64")
f.Add(string([]byte{0x00, 0x01, 0x02}))
f.Fuzz(func(t *testing.T, raw string) {
// ParseChallenge on its own.
_, _, _, _ = ParseChallenge(raw)
// Drive ValidateChallenge too — the full pipeline. Empty trust
// bundle short-circuits, but the parse + dispatch arms still
// execute; pass a non-empty placeholder so signature-verify
// gets exercised against arbitrary input.
bundle := []*x509.Certificate{} // empty to short-circuit cheap path
_, _ = ValidateChallenge(raw, bundle, "", time.Now())
})
}
internal/scep/intune/replay.go
+191
View File
@@ -0,0 +1,191 @@
package intune
import (
"sync"
"time"
)
// ReplayCache is a bounded in-memory cache of seen Intune challenge
// nonces with TTL. Gates against the same Connector-signed challenge
// being replayed against the SCEP server within its validity window.
//
// SCEP RFC 8894 + Intune master bundle Phase 7.4b.
//
// Sizing rationale (cap = 100,000 entries):
//
// - Microsoft's published Connector defaults give each challenge
// a 60-minute validity window. A high-volume Intune fleet
// enrolling at ~25 RPS hits ~90,000 challenges/hour.
// - Capping at 100,000 covers the steady-state load with headroom.
// When the cap is hit, the janitor goroutine evicts entries past
// TTL first; if all entries are still in-window, oldest-first
// eviction kicks in (LRU semantics) — accepting the small
// replay-window risk over an OOM crash.
// - Operators who push beyond this rate should flip to a Redis-
// backed implementation (deferred to V3-Pro per the master
// prompt's deferral list); the in-memory variant is V2 default.
//
// Concurrency: sync.Map handles concurrent read/write without an
// explicit lock; the janitor goroutine periodically walks for expired
// entries. Cap enforcement on Insert is done under a small mutex so
// the cap check + size update are atomic.
type ReplayCache struct {
entries sync.Map // nonce → expiry (time.Time)
mu sync.Mutex // guards size + janitor lifecycle
size int // approximate count (sync.Map has no Len)
cap int // max entries before LRU eviction kicks in
ttl time.Duration
stop chan struct{}
stopOnce sync.Once
}
// NewReplayCache returns a ReplayCache with the given TTL + cap. Starts
// a janitor goroutine that wakes every TTL/4 to evict expired entries.
// Caller MUST call Close when done to stop the goroutine.
//
// TTL = 0 disables the janitor (useful for tests that drive expiry
// manually).
// cap = 0 defaults to 100,000 (the rationale-documented production
// default).
func NewReplayCache(ttl time.Duration, capHint int) *ReplayCache {
if capHint <= 0 {
capHint = 100_000
}
c := &ReplayCache{
cap: capHint,
ttl: ttl,
stop: make(chan struct{}),
}
if ttl > 0 {
go c.janitor()
}
return c
}
// CheckAndInsert returns true when the nonce has NOT been seen before
// (i.e. the challenge is not a replay) AND records the nonce as seen
// with expiry = now + c.ttl. Returns false when the nonce was already
// seen and is still within its TTL window — the caller should treat
// this as a replay attack and reject the challenge.
//
// At-cap behavior: when the cache is full, CheckAndInsert evicts the
// oldest entry (a single Range pass to find min-expiry) before
// inserting. This is O(N) at the boundary; in practice the janitor
// keeps the cache below cap so the eviction path rarely fires.
func (c *ReplayCache) CheckAndInsert(nonce string, now time.Time) bool {
if nonce == "" {
// Empty nonce can't be tracked meaningfully; treat as 'fresh'
// — the caller's claim-validation should reject empty-nonce
// challenges separately (it's a Connector-emitted-format bug).
return true
}
if existing, ok := c.entries.Load(nonce); ok {
if existingExpiry, _ := existing.(time.Time); now.Before(existingExpiry) {
return false // replay
}
// Past TTL; drop + treat as fresh (race-safe: even if two
// goroutines see the expired entry, both proceed and the second
// Insert wins).
c.delete(nonce)
}
// At-cap LRU eviction.
c.mu.Lock()
if c.size >= c.cap {
c.evictOldestLocked()
}
c.size++
c.mu.Unlock()
c.entries.Store(nonce, now.Add(c.ttl))
return true
}
// Close stops the janitor goroutine. Safe to call multiple times.
func (c *ReplayCache) Close() {
c.stopOnce.Do(func() {
close(c.stop)
})
}
// Sweep walks the entries and evicts any past TTL. Public so tests
// can drive expiry without waiting for the janitor's tick. Returns
// the number of entries evicted.
func (c *ReplayCache) Sweep(now time.Time) int {
evicted := 0
c.entries.Range(func(k, v any) bool {
expiry, _ := v.(time.Time)
if !now.Before(expiry) {
c.delete(k.(string))
evicted++
}
return true
})
return evicted
}
// delete is the size-tracked counterpart to entries.Delete. The size
// counter is approximate (sync.Map.Range races with Insert), but the
// approximation only affects cap enforcement timing — never causes a
// false replay rejection.
func (c *ReplayCache) delete(nonce string) {
if _, loaded := c.entries.LoadAndDelete(nonce); loaded {
c.mu.Lock()
if c.size > 0 {
c.size--
}
c.mu.Unlock()
}
}
// evictOldestLocked is called under c.mu held. Walks entries to find
// the entry with the minimum expiry (i.e. the oldest entry — closest
// to its TTL deadline) and removes it. O(N) but rarely hit; the
// janitor keeps the cache below cap.
func (c *ReplayCache) evictOldestLocked() {
var oldestKey string
var oldestExpiry time.Time
first := true
c.entries.Range(func(k, v any) bool {
expiry, _ := v.(time.Time)
if first || expiry.Before(oldestExpiry) {
oldestKey = k.(string)
oldestExpiry = expiry
first = false
}
return true
})
if oldestKey != "" {
if _, loaded := c.entries.LoadAndDelete(oldestKey); loaded && c.size > 0 {
c.size--
}
}
}
// janitor wakes every ttl/4 and sweeps expired entries. Background-only;
// the test harness can drive expiry deterministically via Sweep.
func (c *ReplayCache) janitor() {
interval := c.ttl / 4
if interval <= 0 {
interval = 1 * time.Minute
}
t := time.NewTicker(interval)
defer t.Stop()
for {
select {
case <-c.stop:
return
case <-t.C:
c.Sweep(time.Now())
}
}
}
// Len returns the approximate cache size for observability. Not
// load-stable; use only for metrics + debug logs.
func (c *ReplayCache) Len() int {
c.mu.Lock()
defer c.mu.Unlock()
return c.size
}
internal/scep/intune/replay_test.go
+151
View File
@@ -0,0 +1,151 @@
package intune
import (
"fmt"
"sync"
"testing"
"time"
)
func TestReplayCache_FirstInsertFresh(t *testing.T) {
c := NewReplayCache(60*time.Minute, 100)
defer c.Close()
if !c.CheckAndInsert("nonce-1", time.Now()) {
t.Fatalf("first insert must report fresh")
}
}
func TestReplayCache_DuplicateRejected(t *testing.T) {
c := NewReplayCache(60*time.Minute, 100)
defer c.Close()
now := time.Now()
if !c.CheckAndInsert("nonce-1", now) {
t.Fatalf("first insert must report fresh")
}
if c.CheckAndInsert("nonce-1", now) {
t.Fatalf("second insert must report replay")
}
}
func TestReplayCache_PastTTLTreatedAsFresh(t *testing.T) {
// TTL=0 disables the janitor; we drive expiry by passing future timestamps.
c := NewReplayCache(10*time.Minute, 100)
defer c.Close()
t0 := time.Now()
if !c.CheckAndInsert("nonce-1", t0) {
t.Fatalf("first insert must report fresh")
}
// Same nonce, but observation time is past expiry → fresh again.
if !c.CheckAndInsert("nonce-1", t0.Add(11*time.Minute)) {
t.Fatalf("post-TTL re-insert must report fresh")
}
}
func TestReplayCache_SweepEvictsExpired(t *testing.T) {
c := NewReplayCache(10*time.Minute, 100)
defer c.Close()
t0 := time.Now()
c.CheckAndInsert("nonce-1", t0)
c.CheckAndInsert("nonce-2", t0)
if got := c.Len(); got != 2 {
t.Fatalf("Len = %d, want 2", got)
}
evicted := c.Sweep(t0.Add(11 * time.Minute))
if evicted != 2 {
t.Errorf("Sweep evicted %d, want 2", evicted)
}
if got := c.Len(); got != 0 {
t.Errorf("Len after sweep = %d, want 0", got)
}
}
func TestReplayCache_EmptyNonceTreatedAsFresh(t *testing.T) {
c := NewReplayCache(10*time.Minute, 100)
defer c.Close()
if !c.CheckAndInsert("", time.Now()) {
t.Fatalf("empty nonce must short-circuit to fresh (caller validates separately)")
}
// And a second empty also returns fresh (we don't track them).
if !c.CheckAndInsert("", time.Now()) {
t.Fatalf("second empty nonce should also report fresh; we don't cache empties")
}
}
func TestReplayCache_AtCapEvictsOldest(t *testing.T) {
// Cap of 3 makes the boundary easy to hit deterministically.
c := NewReplayCache(60*time.Minute, 3)
defer c.Close()
t0 := time.Now()
// Insert 3 entries with strictly increasing expiries.
c.CheckAndInsert("oldest", t0)
c.CheckAndInsert("middle", t0.Add(1*time.Minute))
c.CheckAndInsert("newest", t0.Add(2*time.Minute))
if got := c.Len(); got != 3 {
t.Fatalf("Len = %d, want 3", got)
}
// 4th insert must evict "oldest".
c.CheckAndInsert("brand-new", t0.Add(3*time.Minute))
if got := c.Len(); got != 3 {
t.Errorf("Len after at-cap insert = %d, want 3 (cap honored)", got)
}
// "oldest" should now be re-insertable as fresh.
if !c.CheckAndInsert("oldest", t0.Add(4*time.Minute)) {
t.Errorf("oldest must have been evicted under LRU at-cap policy")
}
}
func TestReplayCache_DefaultCap(t *testing.T) {
// capHint = 0 should default to 100,000 per the documented sizing.
c := NewReplayCache(60*time.Minute, 0)
defer c.Close()
if c.cap != 100_000 {
t.Errorf("default cap = %d, want 100000", c.cap)
}
}
func TestReplayCache_CloseIsIdempotent(t *testing.T) {
c := NewReplayCache(60*time.Minute, 10)
c.Close()
c.Close() // must not panic
}
func TestReplayCache_TTLZeroDisablesJanitor(t *testing.T) {
// TTL=0 + capHint=0 should produce a usable cache that doesn't
// background-evict; the test mostly pins that NewReplayCache returns
// without panicking and that Close still works.
c := NewReplayCache(0, 10)
defer c.Close()
// Empty nonce path is the only safe one without TTL semantics; exercise it.
if !c.CheckAndInsert("", time.Now()) {
t.Fatalf("zero-TTL cache must still serve empty-nonce fast path")
}
}
func TestReplayCache_ConcurrentInsertsRaceFree(t *testing.T) {
if testing.Short() {
t.Skip("race-style test under -short; run full suite for coverage")
}
c := NewReplayCache(60*time.Minute, 10000)
defer c.Close()
var wg sync.WaitGroup
for i := 0; i < 50; i++ {
wg.Add(1)
go func(id int) {
defer wg.Done()
now := time.Now()
for j := 0; j < 200; j++ {
c.CheckAndInsert(fmt.Sprintf("g%d-n%d", id, j), now)
}
}(i)
}
wg.Wait()
if got := c.Len(); got != 50*200 {
t.Errorf("Len = %d, want %d (no Insert dropped under contention)", got, 50*200)
}
}
internal/scep/intune/trust_anchor.go
+73
View File
@@ -0,0 +1,73 @@
package intune
import (
"crypto/x509"
"encoding/pem"
"fmt"
"os"
"time"
)
// LoadTrustAnchor reads a PEM bundle of one or more Intune Connector
// signing certificates from the configured path. Returns the slice of
// parsed certs that the validator will accept as challenge issuers.
//
// SCEP RFC 8894 + Intune master bundle Phase 7.2.
//
// Behavior:
//
// - File must exist + be readable.
// - PEM-decodes the file; non-CERTIFICATE blocks are skipped (so an
// operator can paste a chain that includes a private key by mistake
// without breaking the load — the priv key is just ignored).
// - Returns an error if zero CERTIFICATE blocks parse.
// - Returns an error if any cert is past NotAfter (a stale trust
// anchor would silently reject every Intune challenge at runtime;
// fail loud at startup instead).
//
// Operators rotate Connector signing certs periodically; the trust
// anchor file is reloaded on SIGHUP (handled by the existing config
// watch loop in cmd/server/main.go — see cmd/server/tls.go::watchSIGHUP
// for the precedent).
func LoadTrustAnchor(path string) ([]*x509.Certificate, error) {
if path == "" {
return nil, fmt.Errorf("intune: trust anchor path is empty")
}
body, err := os.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("intune: read trust anchor %q: %w", path, err)
}
return parseTrustAnchorPEM(body, path, time.Now())
}
// parseTrustAnchorPEM is the file-IO-free core of LoadTrustAnchor. Split
// out so unit tests can hand it byte slices without writing temp files.
// `now` is taken as a parameter so expiry tests can pin a deterministic
// clock.
func parseTrustAnchorPEM(body []byte, sourceLabel string, now time.Time) ([]*x509.Certificate, error) {
var out []*x509.Certificate
rest := body
for {
var block *pem.Block
block, rest = pem.Decode(rest)
if block == nil {
break
}
if block.Type != "CERTIFICATE" {
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("intune: parse trust anchor cert in %q: %w", sourceLabel, err)
}
if now.After(cert.NotAfter) {
return nil, fmt.Errorf("intune: trust anchor cert in %q expired at %s (subject=%q) — operator must rotate the Connector signing cert before restart",
sourceLabel, cert.NotAfter.Format(time.RFC3339), cert.Subject.CommonName)
}
out = append(out, cert)
}
if len(out) == 0 {
return nil, fmt.Errorf("intune: trust anchor %q contains no CERTIFICATE PEM blocks", sourceLabel)
}
return out, nil
}
internal/scep/intune/trust_anchor_test.go
+171
View File
@@ -0,0 +1,171 @@
package intune
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"errors"
"math/big"
"os"
"path/filepath"
"strings"
"testing"
"time"
)
// pemEncodeCert is a small DRY helper for the PEM bundle fixtures.
func pemEncodeCert(t *testing.T, der []byte) []byte {
t.Helper()
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// freshConnectorCertDER returns a freshly-minted EC P-256 cert as raw DER
// + the matching key. Lifetime is parameterised so the same factory drives
// both the happy-path and expired-cert cases.
func freshConnectorCertDER(t *testing.T, notAfter time.Time) ([]byte, *ecdsa.PrivateKey) {
t.Helper()
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey: %v", err)
}
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().UnixNano()),
Subject: pkix.Name{CommonName: "intune-connector-test"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: notAfter,
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
t.Fatalf("x509.CreateCertificate: %v", err)
}
return der, key
}
func TestParseTrustAnchorPEM_HappyPath_SingleCert(t *testing.T) {
der, _ := freshConnectorCertDER(t, time.Now().Add(365*24*time.Hour))
body := pemEncodeCert(t, der)
certs, err := parseTrustAnchorPEM(body, "test", time.Now())
if err != nil {
t.Fatalf("parseTrustAnchorPEM: %v", err)
}
if len(certs) != 1 {
t.Fatalf("len(certs) = %d, want 1", len(certs))
}
if certs[0].Subject.CommonName != "intune-connector-test" {
t.Errorf("Subject.CommonName = %q", certs[0].Subject.CommonName)
}
}
func TestParseTrustAnchorPEM_HappyPath_MultiCert(t *testing.T) {
d1, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
d2, _ := freshConnectorCertDER(t, time.Now().Add(60*24*time.Hour))
body := append(pemEncodeCert(t, d1), pemEncodeCert(t, d2)...)
certs, err := parseTrustAnchorPEM(body, "test", time.Now())
if err != nil {
t.Fatalf("parseTrustAnchorPEM: %v", err)
}
if len(certs) != 2 {
t.Fatalf("len(certs) = %d, want 2", len(certs))
}
}
func TestParseTrustAnchorPEM_SkipsNonCertBlocks(t *testing.T) {
der, key := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
keyDER, err := x509.MarshalECPrivateKey(key)
if err != nil {
t.Fatalf("MarshalECPrivateKey: %v", err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
body := append(keyPEM, pemEncodeCert(t, der)...) // priv key first, cert second
certs, err := parseTrustAnchorPEM(body, "test", time.Now())
if err != nil {
t.Fatalf("parseTrustAnchorPEM should ignore non-CERTIFICATE blocks: %v", err)
}
if len(certs) != 1 {
t.Fatalf("len(certs) = %d, want 1 (priv key block must be skipped)", len(certs))
}
}
func TestParseTrustAnchorPEM_EmptyBundleRejected(t *testing.T) {
_, err := parseTrustAnchorPEM([]byte("nothing here"), "test", time.Now())
if err == nil || !strings.Contains(err.Error(), "no CERTIFICATE PEM blocks") {
t.Fatalf("expected 'no CERTIFICATE PEM blocks' error, got %v", err)
}
}
func TestParseTrustAnchorPEM_OnlyKeyBlocksRejected(t *testing.T) {
key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
keyDER, _ := x509.MarshalECPrivateKey(key)
body := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
_, err := parseTrustAnchorPEM(body, "test", time.Now())
if err == nil {
t.Fatalf("expected error for bundle with no certs, got nil")
}
}
func TestParseTrustAnchorPEM_ExpiredCertRejected(t *testing.T) {
der, _ := freshConnectorCertDER(t, time.Now().Add(-1*time.Hour)) // already expired
body := pemEncodeCert(t, der)
_, err := parseTrustAnchorPEM(body, "expired-bundle", time.Now())
if err == nil || !strings.Contains(err.Error(), "expired") {
t.Fatalf("expected expiry error, got %v", err)
}
// Operator-actionable message must include the subject so the audit
// log says exactly which cert to rotate.
if !strings.Contains(err.Error(), "intune-connector-test") {
t.Errorf("error must include subject CN for operator action: %v", err)
}
}
func TestParseTrustAnchorPEM_MalformedCertRejected(t *testing.T) {
bad := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not-a-real-asn1-cert")})
_, err := parseTrustAnchorPEM(bad, "test", time.Now())
if err == nil {
t.Fatalf("expected x509 parse error, got nil")
}
}
func TestLoadTrustAnchor_FromDisk(t *testing.T) {
der, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
body := pemEncodeCert(t, der)
dir := t.TempDir()
path := filepath.Join(dir, "intune-trust.pem")
if err := os.WriteFile(path, body, 0o600); err != nil {
t.Fatalf("WriteFile: %v", err)
}
certs, err := LoadTrustAnchor(path)
if err != nil {
t.Fatalf("LoadTrustAnchor: %v", err)
}
if len(certs) != 1 {
t.Fatalf("len(certs) = %d, want 1", len(certs))
}
}
func TestLoadTrustAnchor_EmptyPath(t *testing.T) {
_, err := LoadTrustAnchor("")
if err == nil || !strings.Contains(err.Error(), "empty") {
t.Fatalf("expected empty-path error, got %v", err)
}
}
func TestLoadTrustAnchor_MissingFile(t *testing.T) {
_, err := LoadTrustAnchor("/tmp/does-not-exist-intune-trust.pem")
if err == nil {
t.Fatalf("expected file-not-found error, got nil")
}
// Don't string-assert on the OS error — just make sure it's surfaced.
if errors.Is(err, nil) {
t.Fatalf("error must be non-nil")
}
}