mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-14 13:38:56 +00:00
EST RFC 7030 hardening master bundle Phases 2-4: end-to-end mTLS sibling
route + RFC 9266 channel binding + HTTP Basic enrollment-password +
per-source-IP failed-auth limit + per-(CN, sourceIP) sliding-window cap.
Two new shared packages so EST + Intune share infrastructure:
- internal/cms/ — RFC 9266 tls-exporter extractor (ExtractTLSExporter
with stdlib-panic recovery for synthetic ConnectionStates) +
CSR-side channel-binding parser via raw TBSCertificationRequestInfo
walk (the stdlib's csr.Attributes can't represent the OCTET STRING
binding value), VerifyChannelBinding composite, EmbedChannel-
BindingAttribute fixture helper, typed sentinel errors for missing
/ mismatch / not-TLS-1.3 mapped to HTTP 400 / 409 / 426 in handler.
- internal/trustanchor/ — extracted from scep/intune/trust_anchor*.go
so the EST mTLS sibling route + Intune dispatcher share the same
SIGHUP-reloadable PEM bundle primitive. intune.TrustAnchorHolder
is now `= trustanchor.Holder` (type alias) + NewTrustAnchorHolder =
trustanchor.New (function alias) — every existing call site compiles
unchanged. Intune's LoadTrustAnchor is a thin wrapper over
trustanchor.LoadBundle. White-box tests moved to the new package.
- internal/ratelimit/ — extracted from scep/intune/rate_limit.go (this
was Phase 4.1, in the same bundle). intune.PerDeviceRateLimiter
is now a thin wrapper preserving the (subject, issuer)→key
composition; EST handler reaches for SlidingWindowLimiter directly.
ESTHandler grew six optional fields wired by per-profile setters
(SetMTLSTrust / SetChannelBindingRequired / SetEnrollmentPassword /
SetSourceIPRateLimiter / SetPerPrincipalRateLimiter / SetLabelForLog)
plus four new mTLS-route methods (CACertsMTLS / SimpleEnrollMTLS /
SimpleReEnrollMTLS / CSRAttrsMTLS); shared internal pipeline
handleEnrollOrReEnroll(reEnroll, viaMTLS) keeps the auth/binding/
rate-limit gates DRY. New router method RegisterESTMTLSHandlers
registers /.well-known/est-mtls/<PathID>/{cacerts,simpleenroll,
simplereenroll,csrattrs}; AuthExemptDispatchPrefixes extends the
no-auth chain to /.well-known/est-mtls.
cmd/server/main.go's EST loop wires per-profile mTLS holder +
channel-binding policy + per-principal limiter + (when EnrollmentPassword
non-empty) Basic + source-IP limiter; new preflightESTMTLSClientCATrust-
Bundle returns *trustanchor.Holder so SIGHUP rotates the EST mTLS
bundle live without restart. SCEP + EST mTLS profiles now share a
single union mtlsUnionPoolForTLS passed to buildServerTLSConfigWithMTLS
(replaces the protocol-specific scepMTLSUnionPoolForTLS); per-handler
re-verify enforces "cert must chain to THIS profile's bundle" so
cross-protocol bleed is blocked at the application layer even though
the TLS layer trusts certs from either pool's union.
Phase 3.3 source-IP failed-Basic limiter defaults: 10 attempts / 1h
/ 50k tracked IPs (no env var; tunable in a follow-up). Phase 4.2
per-principal limiter cap from CERTCTL_EST_PROFILE_<NAME>_RATE_
LIMIT_PER_PRINCIPAL_24H (existing field, Phase 1 shipped).
New tests:
- internal/cms/channelbinding_test.go: extractor + CSR-side parser +
composite + TLS-1.3 round-trip end-to-end + EmbedChannelBinding-
Attribute round-trip
- internal/trustanchor/holder_test.go: parseBundlePEM white-box +
LoadBundle + Holder Get/Pool/SetLabelForLog/Reload-happy/
Reload-keeps-old-on-failure/Reload-keeps-old-on-expired/
WatchSIGHUP-reloads-pool/WatchSIGHUP-stop-clean
- internal/api/handler/est_hardening_test.go: 16 named cases covering
mTLS no-trust-pool 500 + no-cert 401 + cross-profile cert 401 +
happy-path 200 + CACertsMTLS auth gate + CSRAttrsMTLS auth gate +
channel-binding required-absent-rejected + not-required-absent-
allowed + writeChannelBindingError mapping + Basic no-header 401
+ Basic wrong-password 401 + Basic correct-200 + Basic-no-password
no-gate + per-IP failed-attempt lockout 429 + per-principal
blocks-after-cap + different-principals-independent + no-limiter-
unbounded.
Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
disk-space testcontainers download), staticcheck clean for
cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/
cmd/server, go test -short -count=1 green for cms/trustanchor/
api/handler/api/router/scep/intune/ratelimit/service. G-3
docs-drift guard reproduced locally clean (Phase 1 already
documented every new env var; Phases 2-4 added zero new env vars).
This commit is contained in:
shankar0123
@@ -1,73 +1,45 @@
|
||||
package intune
|
||||
|
||||
// SCEP RFC 8894 + Intune master bundle Phase 7.2 (originally) +
|
||||
// EST RFC 7030 hardening master bundle Phase 2.1 (extraction).
|
||||
//
|
||||
// LoadTrustAnchor + parseTrustAnchorPEM were extracted to
|
||||
// internal/trustanchor.LoadBundle + parseBundlePEM so the EST mTLS
|
||||
// sibling route (Phase 2 of the EST hardening bundle), the Intune
|
||||
// dispatcher, and any future per-profile-trust-bundle caller can share
|
||||
// the same PEM-bundle loader + SIGHUP-reload semantics. The shim below
|
||||
// preserves the original public surface so existing intune callers
|
||||
// (cmd/server/main.go, scep_intune_e2e_test.go, scep_profile_counter_
|
||||
// isolation_test.go, scep_intune.go service) compile unchanged.
|
||||
//
|
||||
// New callers SHOULD import internal/trustanchor directly — the
|
||||
// trustanchor.Holder + trustanchor.LoadBundle are the modern API.
|
||||
//
|
||||
// Note: the legacy intune error messages ("intune: trust anchor cert
|
||||
// in %q expired ...") are NOT preserved verbatim across the extraction;
|
||||
// the shared trustanchor package emits "trustanchor: ..." messages
|
||||
// instead. The operator-facing log line at cmd/server/main.go's
|
||||
// preflightSCEPIntuneTrustAnchor wraps the error in its own outer
|
||||
// ("SCEP profile (PathID=...) INTUNE trust anchor load failed: ...")
|
||||
// so the prefix change is invisible to log-grep runbooks that filter
|
||||
// on the outer message.
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/shankar0123/certctl/internal/trustanchor"
|
||||
)
|
||||
|
||||
// LoadTrustAnchor reads a PEM bundle of one or more Intune Connector
|
||||
// signing certificates from the configured path. Returns the slice of
|
||||
// parsed certs that the validator will accept as challenge issuers.
|
||||
// signing certificates from the configured path. Delegates to the
|
||||
// shared trustanchor.LoadBundle (extracted in EST RFC 7030 hardening
|
||||
// Phase 2.1) so the EST mTLS sibling route + the Intune dispatcher
|
||||
// + any future per-profile trust-bundle caller share the same
|
||||
// loader semantics (path-empty refusal, expired-cert refusal,
|
||||
// non-CERTIFICATE-block tolerance).
|
||||
//
|
||||
// SCEP RFC 8894 + Intune master bundle Phase 7.2.
|
||||
//
|
||||
// Behavior:
|
||||
//
|
||||
// - File must exist + be readable.
|
||||
// - PEM-decodes the file; non-CERTIFICATE blocks are skipped (so an
|
||||
// operator can paste a chain that includes a private key by mistake
|
||||
// without breaking the load — the priv key is just ignored).
|
||||
// - Returns an error if zero CERTIFICATE blocks parse.
|
||||
// - Returns an error if any cert is past NotAfter (a stale trust
|
||||
// anchor would silently reject every Intune challenge at runtime;
|
||||
// fail loud at startup instead).
|
||||
//
|
||||
// Operators rotate Connector signing certs periodically; the trust
|
||||
// anchor file is reloaded on SIGHUP (handled by the existing config
|
||||
// watch loop in cmd/server/main.go — see cmd/server/tls.go::watchSIGHUP
|
||||
// for the precedent).
|
||||
// Preserved here as a wrapper so existing intune callers compile
|
||||
// unchanged. New callers SHOULD use trustanchor.LoadBundle directly.
|
||||
func LoadTrustAnchor(path string) ([]*x509.Certificate, error) {
|
||||
if path == "" {
|
||||
return nil, fmt.Errorf("intune: trust anchor path is empty")
|
||||
}
|
||||
body, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("intune: read trust anchor %q: %w", path, err)
|
||||
}
|
||||
return parseTrustAnchorPEM(body, path, time.Now())
|
||||
}
|
||||
|
||||
// parseTrustAnchorPEM is the file-IO-free core of LoadTrustAnchor. Split
|
||||
// out so unit tests can hand it byte slices without writing temp files.
|
||||
// `now` is taken as a parameter so expiry tests can pin a deterministic
|
||||
// clock.
|
||||
func parseTrustAnchorPEM(body []byte, sourceLabel string, now time.Time) ([]*x509.Certificate, error) {
|
||||
var out []*x509.Certificate
|
||||
rest := body
|
||||
for {
|
||||
var block *pem.Block
|
||||
block, rest = pem.Decode(rest)
|
||||
if block == nil {
|
||||
break
|
||||
}
|
||||
if block.Type != "CERTIFICATE" {
|
||||
continue
|
||||
}
|
||||
cert, err := x509.ParseCertificate(block.Bytes)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("intune: parse trust anchor cert in %q: %w", sourceLabel, err)
|
||||
}
|
||||
if now.After(cert.NotAfter) {
|
||||
return nil, fmt.Errorf("intune: trust anchor cert in %q expired at %s (subject=%q) — operator must rotate the Connector signing cert before restart",
|
||||
sourceLabel, cert.NotAfter.Format(time.RFC3339), cert.Subject.CommonName)
|
||||
}
|
||||
out = append(out, cert)
|
||||
}
|
||||
if len(out) == 0 {
|
||||
return nil, fmt.Errorf("intune: trust anchor %q contains no CERTIFICATE PEM blocks", sourceLabel)
|
||||
}
|
||||
return out, nil
|
||||
return trustanchor.LoadBundle(path)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user