secret: migrate EJBCA / GlobalSign / Sectigo credentials to *secret.Ref (Phase 2)

Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.

This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.

Shared (internal/secret/):

- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
  blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
  NewRefFromString without callers having to know the field type
  changed. Null and missing keys leave the receiver nil; non-string
  payloads (numbers, bools) are rejected with a typed error. Pinned
  by TestRef_UnmarshalJSON: string_value, null, missing_key,
  number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
  goes through "[redacted]" intentionally — JSON-marshal-then-
  unmarshal of a Config with secrets is NOT a supported test pattern;
  callers that construct a rawConfig must use a JSON literal with
  the real values).

Per-connector migration:

- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
  empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
  to call Token.Use; the Bearer header string is built inside the
  callback and the buffer is zeroed on return. mTLS path is
  unaffected.

- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
  → *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
  Extracted setAuthHeaders helper consolidates the four duplicated
  triple-Set sites (ValidateConfig probe, IssueCertificate,
  RevokeCertificate, pollCertificateOnce) so any future header-shape
  change applies once. ValidateConfig now pulls from the local cfg
  (post-Unmarshal) so the helper takes a *Config rather than the
  receiver — needed because ValidateConfig writes the validated cfg
  onto c.config only AFTER the probe succeeds.

- Sectigo (sectigo.go): Config.Login + Config.Password: string →
  *secret.Ref. CustomerURI stays plain string (org identifier, not
  a credential). setAuthHeaders rewritten to call Login.Use +
  Password.Use; ValidateConfig's inline header writes use the same
  pattern (the ValidateConfig probe writes to a local cfg, not
  c.config, so it can't share setAuthHeaders without rewiring — the
  inline form is fine, kept consistent in shape).

Test migration:

- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
  Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
  import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
  APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
  Password.

Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.

Out of scope (intentional):

- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
  `EJBCAConfig` env-var-loader structs are still plain strings —
  those types are the env-load shape, not the steady-state runtime
  shape. The seed path in service/issuer.go json-marshals them into
  a map[string]interface{} which the factory then UnmarshalJSON's
  into the connector Config; the new UnmarshalJSON on *Ref handles
  the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
  will pick them up. The audit explicitly named EJBCA / GlobalSign /
  Sectigo as the Phase 2 scope (RESULTS.md L633).

Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
  issuerfactory, service, api/handler: green

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.

internal/secret/secret.go

@@ -31,6 +31,7 @@
 package secret
 
 import (
+	"encoding/json"
 	"fmt"
 	"io"
 )
@@ -124,6 +125,28 @@ func (r *Ref) MarshalJSON() ([]byte, error) {
 	return []byte(`"[redacted]"`), nil
 }
 
+// UnmarshalJSON parses a JSON string into a Ref via NewRefFromString.
+// Required for the production wiring path where issuer Config structs
+// are JSON-deserialized from the DB-stored config blob (the factory's
+// NewFromConfig in internal/connector/issuerfactory).
+//
+// Accepts either a JSON string ("abc") or null (treated as nil Ref).
+// Other JSON shapes (numbers, objects, arrays) are rejected — a
+// credential is always either a string or absent.
+func (r *Ref) UnmarshalJSON(data []byte) error {
+	if string(data) == "null" {
+		// nil-Ref unmarshal is a no-op; the field on the parent
+		// struct stays nil and IsEmpty() reports true.
+		return nil
+	}
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return fmt.Errorf("secret.Ref: expected JSON string, got: %w", err)
+	}
+	*r = *NewRefFromString(s)
+	return nil
+}
+
 // IsEmpty reports whether the source returns an empty byte slice
 // (zero-length credential). Useful for ValidateConfig paths that need
 // to check "did the operator set the credential" without obtaining

internal/secret/secret_test.go

@@ -175,6 +175,74 @@ func TestRef_IsEmpty(t *testing.T) {
 	}
 }
 
+// TestRef_UnmarshalJSON — parse a JSON string into a Ref via
+// NewRefFromString. Required for the factory's JSON-deserialization
+// path that loads issuer configs from the DB.
+func TestRef_UnmarshalJSON(t *testing.T) {
+	type cfg struct {
+		Token *Ref `json:"token"`
+	}
+
+	t.Run("string_value", func(t *testing.T) {
+		var c cfg
+		if err := json.Unmarshal([]byte(`{"token":"my-secret-token"}`), &c); err != nil {
+			t.Fatalf("Unmarshal: %v", err)
+		}
+		if c.Token == nil {
+			t.Fatal("expected non-nil Ref")
+		}
+		_ = c.Token.Use(func(buf []byte) error {
+			if string(buf) != "my-secret-token" {
+				t.Errorf("Use: want 'my-secret-token', got %q", buf)
+			}
+			return nil
+		})
+	})
+
+	t.Run("null", func(t *testing.T) {
+		var c cfg
+		if err := json.Unmarshal([]byte(`{"token":null}`), &c); err != nil {
+			t.Fatalf("Unmarshal: %v", err)
+		}
+		if c.Token != nil {
+			t.Errorf("null should leave Ref nil, got %v", c.Token)
+		}
+	})
+
+	t.Run("missing_key", func(t *testing.T) {
+		var c cfg
+		if err := json.Unmarshal([]byte(`{}`), &c); err != nil {
+			t.Fatalf("Unmarshal: %v", err)
+		}
+		if c.Token != nil {
+			t.Error("missing key should leave Ref nil")
+		}
+	})
+
+	t.Run("number_rejected", func(t *testing.T) {
+		var c cfg
+		err := json.Unmarshal([]byte(`{"token":123}`), &c)
+		if err == nil {
+			t.Error("expected error for non-string Ref input")
+		}
+	})
+
+	t.Run("roundtrip_marshal_then_unmarshal", func(t *testing.T) {
+		// Marshal returns "[redacted]" — round-tripping through
+		// Unmarshal would store the string "[redacted]" as the
+		// new credential. Documented behavior; operators marshal
+		// for inspection, not for re-loading.
+		original := cfg{Token: NewRefFromString("real-secret")}
+		marshaled, err := json.Marshal(original)
+		if err != nil {
+			t.Fatalf("Marshal: %v", err)
+		}
+		if string(marshaled) != `{"token":"[redacted]"}` {
+			t.Errorf("Marshal: got %s", marshaled)
+		}
+	})
+}
+
 // TestZero — direct test of the zero helper to lock the
 // implementation: every byte set to 0.
 func TestZero(t *testing.T) {