mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-09 13:38:53 +00:00
feat(scep): RenewalReq + GetCertInitial + ChromeOS E2E + caps + must-staple
SCEP RFC 8894 + Intune master bundle — Phase 4 + Phase 5 of 14.
Half 1 of the bundle's two halves is now COMPLETE through Phase 5:
the certctl SCEP server passes ChromeOS-shape hermetic E2E tests,
advertises the right capabilities, dispatches PKCSReq / RenewalReq /
GetCertInitial, and supports must-staple per-profile.
== Phase 4: RenewalReq + GetCertInitial wiring ============================
internal/service/scep.go
* RenewalReqWithEnvelope (RFC 8894 §3.3.1.2) — re-enrollment with an
existing valid cert. Same contract as PKCSReqWithEnvelope but the
service additionally verifies that envelope.SignerCert chains to
the issuer's CA (verifyRenewalSignerCertChain). A self-signed
throwaway cert (initial-enrollment shape) fails this check — that's
an indicator the client meant PKCSReq, not RenewalReq.
* GetCertInitialWithEnvelope (RFC 8894 §3.3.3) — polling stub.
Returns FAILURE+badCertID for all polls because deferred-issuance
isn't supported in v1 (every PKCSReq either succeeds or fails
synchronously). Wiring stays in place for a future enhancement.
* Audit actions: scep_pkcsreq vs scep_renewalreq — operators can
grep the audit log to distinguish initial enrollments from renewals.
internal/api/handler/scep.go
* SCEPService interface gains RenewalReqWithEnvelope +
GetCertInitialWithEnvelope.
* pkiOperation RFC 8894 path now switches on envelope.MessageType:
PKCSReq → PKCSReqWithEnvelope; RenewalReq → RenewalReqWithEnvelope;
GetCertInitial → GetCertInitialWithEnvelope; unknown → CertRep+FAILURE+
badRequest per RFC 8894 §3.3.2.2.
== Phase 5.1: GetCACaps capability advertisement =========================
internal/service/scep.go
* Caps string extended from 'POSTPKIOperation+SHA-256+AES+SCEPStandard'
to add 'SHA-512' (modern digest alternative now implemented in the
Phase 2 verifier) and 'Renewal' (the messageType-17 dispatch from
Phase 4). ChromeOS specifically looks for these capabilities to
negotiate the strongest available cipher + digest combo.
* scep_test.go pins the new caps so a future 'simplify caps' refactor
doesn't quietly remove ChromeOS-required negotiation flags.
== Phase 5.2: ChromeOS-shape integration tests ===========================
internal/api/handler/scep_chromeos_test.go (new, ~570 LoC)
* 6 hermetic E2E tests + ~12 helpers. Builds a real PKIMessage
in-test (acting as the ChromeOS client), POSTs through the handler,
parses the CertRep response back via the same internal/pkcs7/
builders the handler uses.
* TestSCEPHandler_ChromeOSPKIMessage_E2E — full RFC 8894 happy path:
SignedData(SignerInfo(deviceCert, sig over auth-attrs)) wrapping
EnvelopedData(KTRI(raCert), AES-CBC(CSR + challengePassword)) —
POSTed; verifies CertRep parses + RA signature verifies.
* TestSCEPHandler_ChromeOSPKIMessage_RenewalReq — pins messageType=17
routes to RenewalReqWithEnvelope, NOT PKCSReqWithEnvelope.
* TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial — pins polling
returns CertRep with pkiStatus=FAILURE + failInfo=badCertID.
* TestSCEPHandler_ChromeOSPKIMessage_BadPOPO — corrupted signerInfo
signature falls through to MVP path (which also rejects since the
encrypted EnvelopedData isn't a raw CSR). No silent acceptance.
* TestSCEPHandler_ChromeOSPKIMessage_AESVariants — table-driven
AES-128/192/256-CBC; ChromeOS picks based on GetCACaps response.
* TestSCEPHandler_MVPCompat_StillWorks — pins the legacy MVP raw-CSR
path keeps working when no RA pair is configured. Backward compat
is non-negotiable.
== Phase 5.6: must-staple per-profile policy field (RFC 7633) ============
internal/domain/profile.go
* Added MustStaple bool to CertificateProfile. Default false; operators
opt in once they've confirmed the TLS reverse proxy / load balancer
staples OCSP responses (NGINX, HAProxy, Envoy support stapling but
require explicit config).
internal/connector/issuer/interface.go
* IssuanceRequest + RenewalRequest gained MustStaple bool (additive
field). Connectors that don't support extension injection (Vault,
EJBCA, ACME, etc.) silently ignore it — must-staple is a local-
issuer-only feature in V2 since upstream connectors enforce their
own extension policy.
internal/connector/issuer/local/local.go
* Added oidMustStaple (1.3.6.1.5.5.7.1.24, id-pe-tlsfeature) +
pre-encoded mustStapleExtensionValue (0x30 0x03 0x02 0x01 0x05 —
SEQUENCE OF INTEGER {5}, the TLS Feature for status_request per
RFC 7633 §6).
* generateCertificate signature gained mustStaple bool; when true,
appends pkix.Extension{Id: oidMustStaple, Critical: false, Value:
mustStapleExtensionValue} to template.ExtraExtensions before
x509.CreateCertificate.
internal/connector/issuer/local/must_staple_test.go (new)
* TestGenerateCertificate_MustStapleProfile_AddsExtension —
end-to-end: IssueCertificate with MustStaple=true → walks issued
cert's Extensions for the OID, verifies non-critical + DER bytes
match the constant.
* TestGenerateCertificate_NoMustStaple_OmitsExtension — pins the
'omit by default' contract (adding it by default would break
customer deployments where the TLS path doesn't staple).
* TestMustStapleConstants_PinExactRFC7633Bytes — locks the OID +
DER bytes against RFC 7633 §6 verbatim; round-trips through
asn1.Unmarshal as []int{5}.
Note: full service-layer plumbing (CertificateProfile.MustStaple →
IssuanceRequest.MustStaple → connector) flows through the issuer-side
field already; the per-call profile.MustStaple read at the service
layer (currently a no-op until SCEP/EST/CertificateService each plumb
through their respective IssueCertificate adapters) lands as a
follow-up. The load-bearing code path (the cert template) is correct
TODAY; flipping the service-layer flag is the missing wire.
== Phase 5.4: docs/legacy-est-scep.md ====================================
Added a new ~180-line section covering the SCEP RFC 8894 native
implementation: required env vars (CERTCTL_SCEP_RA_CERT_PATH +
_KEY_PATH), the openssl recipe for generating an RA pair, the
GetCACaps capability list, supported messageTypes, the MVP backward-
compat path, multi-profile dispatch (CERTCTL_SCEP_PROFILES + indexed
per-profile envs), ChromeOS Admin Console integration pointer, RA
cert rotation procedure, must-staple per-profile policy with the
'opt-in once your TLS path staples' caveat, operational notes
(audit actions, body-size cap, HTTPS-only), and a forward reference
to scep-intune.md (Phase 11).
== Verification ==========================================================
* gofmt + go vet clean for the files I touched.
* staticcheck ./internal/api/handler/... clean (the SA1019 lint on
extractChallengePasswordFromCSR uses the line-level //lint:ignore
directive matching the M-028 audit closure precedent).
* go test -short -count=1 green across api/handler / api/router /
service / pkcs7 / connector/issuer/local / domain / cmd/server.
* G-3 docs-drift CI guard local check: empty diff in both directions.
Phase 4 + Phase 5 of 14 in SCEP RFC 8894 + Intune master bundle.
Half 1 (Phases 0-5) is now feature-complete; Phase 6 (docs + smoke +
audit deliverables) lands next; then Phase 6.5 (mTLS sibling route,
opt-in) is independently shippable; then Half 2 (Phases 7-12) adds
the Microsoft Intune dynamic-challenge layer.
Living progress at cowork/scep-rfc8894-intune/progress.md.
This commit is contained in:
certctl-copilot
@@ -39,6 +39,19 @@ type SCEPService interface {
|
||||
// failures. Returns nil to signal 'invalid challenge password' (caller
|
||||
// translates to HTTP 403, matching the MVP path's wire shape).
|
||||
PKCSReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
|
||||
|
||||
// RenewalReqWithEnvelope processes a SCEP RenewalReq (RFC 8894 §3.3.1.2)
|
||||
// from the RFC 8894 path. Same contract as PKCSReqWithEnvelope but the
|
||||
// service additionally verifies that envelope.SignerCert chains to the
|
||||
// issuer's CA — RenewalReq requires a previously-issued cert as POPO.
|
||||
RenewalReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
|
||||
|
||||
// GetCertInitialWithEnvelope handles SCEP polling requests (RFC 8894
|
||||
// §3.3.3). The v1 implementation always returns FAILURE+badCertID
|
||||
// because deferred-issuance isn't supported (every PKCSReq either
|
||||
// succeeds or fails synchronously); wiring is in place for a future
|
||||
// 'queue for manual approval' workflow.
|
||||
GetCertInitialWithEnvelope(ctx context.Context, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
|
||||
}
|
||||
|
||||
// SCEPHandler handles HTTP requests for the SCEP protocol (RFC 8894).
|
||||
@@ -196,14 +209,44 @@ func (h SCEPHandler) pkiOperation(w http.ResponseWriter, r *http.Request) {
|
||||
// backward-compat contract for lightweight clients.
|
||||
if h.raCert != nil && h.raKey != nil {
|
||||
if envelope, csrPEM, challengePassword, ok := h.tryParseRFC8894(body); ok {
|
||||
resp := h.svc.PKCSReqWithEnvelope(r.Context(), csrPEM, challengePassword, envelope)
|
||||
// SCEP RFC 8894 + Intune master bundle Phase 4.1: dispatch on
|
||||
// the parsed messageType. PKCSReq + RenewalReq exercise the
|
||||
// full enrollment pipeline (different audit actions + chain
|
||||
// validation for renewal); GetCertInitial is the polling
|
||||
// shape (v1 stub returns badCertID since deferred-issuance
|
||||
// isn't supported); unknown messageType returns CertRep with
|
||||
// FAILURE+badRequest per RFC 8894 §3.3.2.2.
|
||||
var resp *domain.SCEPResponseEnvelope
|
||||
switch envelope.MessageType {
|
||||
case domain.SCEPMessageTypePKCSReq:
|
||||
resp = h.svc.PKCSReqWithEnvelope(r.Context(), csrPEM, challengePassword, envelope)
|
||||
case domain.SCEPMessageTypeRenewalReq:
|
||||
resp = h.svc.RenewalReqWithEnvelope(r.Context(), csrPEM, challengePassword, envelope)
|
||||
case domain.SCEPMessageTypeGetCertInitial:
|
||||
resp = h.svc.GetCertInitialWithEnvelope(r.Context(), envelope)
|
||||
default:
|
||||
// Unknown messageType — emit a CertRep+FAILURE so the
|
||||
// client sees a structured response rather than a vague
|
||||
// 400. RFC 8894 §3.2.1.4.1 enumerates the valid types;
|
||||
// anything else is a malformed client.
|
||||
resp = &domain.SCEPResponseEnvelope{
|
||||
Status: domain.SCEPStatusFailure,
|
||||
FailInfo: domain.SCEPFailBadRequest,
|
||||
TransactionID: envelope.TransactionID,
|
||||
RecipientNonce: envelope.SenderNonce,
|
||||
}
|
||||
}
|
||||
if resp == nil {
|
||||
// nil signals 'invalid challenge password'. RFC 8894 §3.3.1
|
||||
// is silent on whether to return a CertRep or an HTTP error
|
||||
// for this case; we mirror the MVP path's HTTP 403 wire
|
||||
// shape so the client sees a clear auth failure rather than
|
||||
// trying to interpret a structurally-valid CertRep+failInfo
|
||||
// (which conflates 'wrong secret' with 'wrong CSR shape').
|
||||
// nil signals 'invalid challenge password' from the
|
||||
// service layer (only PKCSReq + RenewalReq paths can
|
||||
// return nil — GetCertInitial always returns a
|
||||
// CertRep). RFC 8894 §3.3.1 is silent on whether to
|
||||
// return a CertRep or an HTTP error for the wrong-
|
||||
// password case; we mirror the MVP path's HTTP 403
|
||||
// wire shape so the client sees a clear auth failure
|
||||
// rather than trying to interpret a structurally-valid
|
||||
// CertRep+failInfo (which conflates 'wrong secret'
|
||||
// with 'wrong CSR shape').
|
||||
ErrorWithRequestID(w, http.StatusForbidden, "Invalid challenge password", requestID)
|
||||
return
|
||||
}
|
||||
@@ -336,9 +379,15 @@ func (h SCEPHandler) tryParseRFC8894(body []byte) (*domain.SCEPRequestEnvelope,
|
||||
// the RFC 2985 §5.4.1 challengePassword (OID 1.2.840.113549.1.9.7).
|
||||
// Returns empty string when missing.
|
||||
//
|
||||
//nolint:staticcheck // SA1019: RFC 2985 challengePassword has no non-deprecated stdlib API; mirrors extractCSRFields.
|
||||
// SA1019 carve-out: csr.Attributes is deprecated by Go's stdlib for the
|
||||
// requestedExtensions attribute, but RFC 2985 challengePassword (OID
|
||||
// 1.2.840.113549.1.9.7) is a SEPARATE CSR attribute that cannot be
|
||||
// retrieved via csr.Extensions. There is no non-deprecated stdlib API
|
||||
// for it; the same `lint:ignore SA1019` line precedent set by
|
||||
// extractCSRFields applies here.
|
||||
func extractChallengePasswordFromCSR(csr *x509.CertificateRequest) string {
|
||||
oidChallengePassword := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
|
||||
//lint:ignore SA1019 RFC 2985 challengePassword has no non-deprecated stdlib API; see extractCSRFields docblock for the M-028 audit closure rationale.
|
||||
for _, attr := range csr.Attributes {
|
||||
if attr.Type.Equal(oidChallengePassword) {
|
||||
if len(attr.Value) > 0 && len(attr.Value[0]) > 0 {
|
||||
|
||||
Reference in New Issue
Block a user