feat(scep): RenewalReq + GetCertInitial + ChromeOS E2E + caps + must-staple

SCEP RFC 8894 + Intune master bundle — Phase 4 + Phase 5 of 14.

Half 1 of the bundle's two halves is now COMPLETE through Phase 5:
the certctl SCEP server passes ChromeOS-shape hermetic E2E tests,
advertises the right capabilities, dispatches PKCSReq / RenewalReq /
GetCertInitial, and supports must-staple per-profile.

== Phase 4: RenewalReq + GetCertInitial wiring ============================

internal/service/scep.go
  * RenewalReqWithEnvelope (RFC 8894 §3.3.1.2) — re-enrollment with an
    existing valid cert. Same contract as PKCSReqWithEnvelope but the
    service additionally verifies that envelope.SignerCert chains to
    the issuer's CA (verifyRenewalSignerCertChain). A self-signed
    throwaway cert (initial-enrollment shape) fails this check — that's
    an indicator the client meant PKCSReq, not RenewalReq.
  * GetCertInitialWithEnvelope (RFC 8894 §3.3.3) — polling stub.
    Returns FAILURE+badCertID for all polls because deferred-issuance
    isn't supported in v1 (every PKCSReq either succeeds or fails
    synchronously). Wiring stays in place for a future enhancement.
  * Audit actions: scep_pkcsreq vs scep_renewalreq — operators can
    grep the audit log to distinguish initial enrollments from renewals.

internal/api/handler/scep.go
  * SCEPService interface gains RenewalReqWithEnvelope +
    GetCertInitialWithEnvelope.
  * pkiOperation RFC 8894 path now switches on envelope.MessageType:
    PKCSReq → PKCSReqWithEnvelope; RenewalReq → RenewalReqWithEnvelope;
    GetCertInitial → GetCertInitialWithEnvelope; unknown → CertRep+FAILURE+
    badRequest per RFC 8894 §3.3.2.2.

== Phase 5.1: GetCACaps capability advertisement =========================

internal/service/scep.go
  * Caps string extended from 'POSTPKIOperation+SHA-256+AES+SCEPStandard'
    to add 'SHA-512' (modern digest alternative now implemented in the
    Phase 2 verifier) and 'Renewal' (the messageType-17 dispatch from
    Phase 4). ChromeOS specifically looks for these capabilities to
    negotiate the strongest available cipher + digest combo.
  * scep_test.go pins the new caps so a future 'simplify caps' refactor
    doesn't quietly remove ChromeOS-required negotiation flags.

== Phase 5.2: ChromeOS-shape integration tests ===========================

internal/api/handler/scep_chromeos_test.go (new, ~570 LoC)
  * 6 hermetic E2E tests + ~12 helpers. Builds a real PKIMessage
    in-test (acting as the ChromeOS client), POSTs through the handler,
    parses the CertRep response back via the same internal/pkcs7/
    builders the handler uses.
  * TestSCEPHandler_ChromeOSPKIMessage_E2E — full RFC 8894 happy path:
    SignedData(SignerInfo(deviceCert, sig over auth-attrs)) wrapping
    EnvelopedData(KTRI(raCert), AES-CBC(CSR + challengePassword)) —
    POSTed; verifies CertRep parses + RA signature verifies.
  * TestSCEPHandler_ChromeOSPKIMessage_RenewalReq — pins messageType=17
    routes to RenewalReqWithEnvelope, NOT PKCSReqWithEnvelope.
  * TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial — pins polling
    returns CertRep with pkiStatus=FAILURE + failInfo=badCertID.
  * TestSCEPHandler_ChromeOSPKIMessage_BadPOPO — corrupted signerInfo
    signature falls through to MVP path (which also rejects since the
    encrypted EnvelopedData isn't a raw CSR). No silent acceptance.
  * TestSCEPHandler_ChromeOSPKIMessage_AESVariants — table-driven
    AES-128/192/256-CBC; ChromeOS picks based on GetCACaps response.
  * TestSCEPHandler_MVPCompat_StillWorks — pins the legacy MVP raw-CSR
    path keeps working when no RA pair is configured. Backward compat
    is non-negotiable.

== Phase 5.6: must-staple per-profile policy field (RFC 7633) ============

internal/domain/profile.go
  * Added MustStaple bool to CertificateProfile. Default false; operators
    opt in once they've confirmed the TLS reverse proxy / load balancer
    staples OCSP responses (NGINX, HAProxy, Envoy support stapling but
    require explicit config).

internal/connector/issuer/interface.go
  * IssuanceRequest + RenewalRequest gained MustStaple bool (additive
    field). Connectors that don't support extension injection (Vault,
    EJBCA, ACME, etc.) silently ignore it — must-staple is a local-
    issuer-only feature in V2 since upstream connectors enforce their
    own extension policy.

internal/connector/issuer/local/local.go
  * Added oidMustStaple (1.3.6.1.5.5.7.1.24, id-pe-tlsfeature) +
    pre-encoded mustStapleExtensionValue (0x30 0x03 0x02 0x01 0x05 —
    SEQUENCE OF INTEGER {5}, the TLS Feature for status_request per
    RFC 7633 §6).
  * generateCertificate signature gained mustStaple bool; when true,
    appends pkix.Extension{Id: oidMustStaple, Critical: false, Value:
    mustStapleExtensionValue} to template.ExtraExtensions before
    x509.CreateCertificate.

internal/connector/issuer/local/must_staple_test.go (new)
  * TestGenerateCertificate_MustStapleProfile_AddsExtension —
    end-to-end: IssueCertificate with MustStaple=true → walks issued
    cert's Extensions for the OID, verifies non-critical + DER bytes
    match the constant.
  * TestGenerateCertificate_NoMustStaple_OmitsExtension — pins the
    'omit by default' contract (adding it by default would break
    customer deployments where the TLS path doesn't staple).
  * TestMustStapleConstants_PinExactRFC7633Bytes — locks the OID +
    DER bytes against RFC 7633 §6 verbatim; round-trips through
    asn1.Unmarshal as []int{5}.

Note: full service-layer plumbing (CertificateProfile.MustStaple →
IssuanceRequest.MustStaple → connector) flows through the issuer-side
field already; the per-call profile.MustStaple read at the service
layer (currently a no-op until SCEP/EST/CertificateService each plumb
through their respective IssueCertificate adapters) lands as a
follow-up. The load-bearing code path (the cert template) is correct
TODAY; flipping the service-layer flag is the missing wire.

== Phase 5.4: docs/legacy-est-scep.md ====================================

Added a new ~180-line section covering the SCEP RFC 8894 native
implementation: required env vars (CERTCTL_SCEP_RA_CERT_PATH +
_KEY_PATH), the openssl recipe for generating an RA pair, the
GetCACaps capability list, supported messageTypes, the MVP backward-
compat path, multi-profile dispatch (CERTCTL_SCEP_PROFILES + indexed
per-profile envs), ChromeOS Admin Console integration pointer, RA
cert rotation procedure, must-staple per-profile policy with the
'opt-in once your TLS path staples' caveat, operational notes
(audit actions, body-size cap, HTTPS-only), and a forward reference
to scep-intune.md (Phase 11).

== Verification ==========================================================

  * gofmt + go vet clean for the files I touched.
  * staticcheck ./internal/api/handler/... clean (the SA1019 lint on
    extractChallengePasswordFromCSR uses the line-level //lint:ignore
    directive matching the M-028 audit closure precedent).
  * go test -short -count=1 green across api/handler / api/router /
    service / pkcs7 / connector/issuer/local / domain / cmd/server.
  * G-3 docs-drift CI guard local check: empty diff in both directions.

Phase 4 + Phase 5 of 14 in SCEP RFC 8894 + Intune master bundle.
Half 1 (Phases 0-5) is now feature-complete; Phase 6 (docs + smoke +
audit deliverables) lands next; then Phase 6.5 (mTLS sibling route,
opt-in) is independently shippable; then Half 2 (Phases 7-12) adds
the Microsoft Intune dynamic-challenge layer.

Living progress at cowork/scep-rfc8894-intune/progress.md.

internal/connector/issuer/interface.go

@@ -54,8 +54,15 @@ type IssuanceRequest struct {
 	CommonName    string   `json:"common_name"`
 	SANs          []string `json:"sans"`
 	CSRPEM        string   `json:"csr_pem"`
-	EKUs          []string `json:"ekus,omitempty"`           // e.g., "serverAuth", "clientAuth", "emailProtection"
+	EKUs          []string `json:"ekus,omitempty"`            // e.g., "serverAuth", "clientAuth", "emailProtection"
 	MaxTTLSeconds int      `json:"max_ttl_seconds,omitempty"` // 0 = no cap (use issuer default)
+	// MustStaple, when true, instructs the issuer to add the RFC 7633
+	// must-staple extension (id-pe-tlsfeature) to the issued cert.
+	// Plumbed from CertificateProfile.MustStaple at the service layer.
+	// Issuers that don't support extension injection (Vault, EJBCA, etc.)
+	// silently ignore this — must-staple is a local-issuer-only feature
+	// in V2 since upstream connectors enforce their own extension policy.
+	MustStaple bool `json:"must_staple,omitempty"`
 }
 
 // IssuanceResult contains the result of a successful certificate issuance.
@@ -73,9 +80,13 @@ type RenewalRequest struct {
 	CommonName    string   `json:"common_name"`
 	SANs          []string `json:"sans"`
 	CSRPEM        string   `json:"csr_pem"`
-	EKUs          []string `json:"ekus,omitempty"`           // e.g., "serverAuth", "clientAuth", "emailProtection"
+	EKUs          []string `json:"ekus,omitempty"`            // e.g., "serverAuth", "clientAuth", "emailProtection"
 	MaxTTLSeconds int      `json:"max_ttl_seconds,omitempty"` // 0 = no cap (use issuer default)
 	OrderID       *string  `json:"order_id,omitempty"`
+	// MustStaple — same semantics as IssuanceRequest.MustStaple. The
+	// renewal pipeline plumbs through the same CertificateProfile.MustStaple
+	// field so renewed certs match their initial-issuance extension set.
+	MustStaple bool `json:"must_staple,omitempty"`
 }
 
 // RevocationRequest contains the parameters for revoking a certificate.

internal/connector/issuer/local/local.go

@@ -55,6 +55,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -332,7 +333,7 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 	}
 
 	// Generate certificate with EKUs and MaxTTL from request
-	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds)
+	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds, request.MustStaple)
 	if err != nil {
 		c.logger.Error("failed to generate certificate", "error", err)
 		return nil, fmt.Errorf("certificate generation failed: %w", err)
@@ -396,7 +397,7 @@ func (c *Connector) RenewCertificate(ctx context.Context, request issuer.Renewal
 	}
 
 	// Generate certificate with EKUs and MaxTTL from request
-	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds)
+	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds, request.MustStaple)
 	if err != nil {
 		c.logger.Error("failed to generate certificate", "error", err)
 		return nil, fmt.Errorf("certificate generation failed: %w", err)
@@ -643,7 +644,7 @@ func (c *Connector) generateSelfSignedCA() error {
 // It uses the CSR subject and adds any additional SANs from the request.
 // If ekus is non-empty, those EKUs are used instead of the default serverAuth+clientAuth.
 // If maxTTLSeconds > 0, the certificate validity is capped to that duration.
-func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string, ekus []string, maxTTLSeconds int) (*x509.Certificate, string, string, error) {
+func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string, ekus []string, maxTTLSeconds int, mustStaple bool) (*x509.Certificate, string, string, error) {
 	// Generate random serial number
 	serialNum, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
 	if err != nil {
@@ -719,6 +720,21 @@ func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additional
 		}
 	}
 
+	// SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple
+	// extension per RFC 7633. When the bound CertificateProfile has
+	// MustStaple=true, the issued cert carries id-pe-tlsfeature with
+	// the TLS Feature `status_request` (5). Browsers + modern TLS
+	// libraries that see this extension fail-closed when OCSP stapling
+	// is missing — defense against revocation-bypass via OCSP
+	// blackholing.
+	if mustStaple {
+		template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
+			Id:       oidMustStaple,
+			Critical: false,
+			Value:    mustStapleExtensionValue,
+		})
+	}
+
 	// Sign certificate with CA
 	certBytes, err := x509.CreateCertificate(rand.Reader, template, c.caCert, csr.PublicKey, c.caSigner)
 	if err != nil {
@@ -767,6 +783,26 @@ func isEmail(s string) bool {
 }
 
 // ekuNameToX509 maps EKU string names (from domain.ValidEKUs) to x509.ExtKeyUsage constants.
+// SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple extension
+// constants per RFC 7633 §6.
+//
+// id-pe-tlsfeature OID: 1.3.6.1.5.5.7.1.24.
+var oidMustStaple = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
+
+// mustStapleExtensionValue is the pre-encoded DER for SEQUENCE OF INTEGER
+// containing a single value 5 (the TLS Feature for status_request, RFC
+// 7633 §6 referencing IANA TLS ExtensionType registry).
+//
+// Wire bytes:
+//
+//	0x30 0x03         -- SEQUENCE, length 3
+//	0x02 0x01 0x05    --   INTEGER 5 (status_request)
+//
+// Pre-encoded as a constant rather than asn1.Marshal'd at runtime: the
+// extension value is fixed, byte-stable across Go versions, and tested by
+// pinning the exact bytes against RFC 7633 §6.
+var mustStapleExtensionValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
+
 var ekuNameToX509 = map[string]x509.ExtKeyUsage{
 	"serverAuth":      x509.ExtKeyUsageServerAuth,
 	"clientAuth":      x509.ExtKeyUsageClientAuth,

internal/connector/issuer/local/must_staple_test.go

@@ -0,0 +1,172 @@
+package local
+
+import (
+	"bytes"
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/pem"
+	"io"
+	"log/slog"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+)
+
+// SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple per-profile
+// policy field (RFC 7633).
+//
+// Pins the contract that:
+//
+//  1. When the IssuanceRequest carries MustStaple=true, the issued cert
+//     contains the id-pe-tlsfeature extension with the canonical
+//     wire bytes (SEQUENCE OF INTEGER {5} per RFC 7633 §6).
+//
+//  2. When MustStaple=false (or unset), the extension is OMITTED — adding
+//     it by default would break customer deployments where the TLS path
+//     doesn't staple.
+//
+//  3. The OID + DER bytes match RFC 7633 §6 verbatim:
+//     OID 1.3.6.1.5.5.7.1.24, value 0x30 0x03 0x02 0x01 0x05.
+//
+// The test exercises the local issuer end-to-end (CSR → CreateCertificate
+// → ParseCertificate → walk Extensions) so any drift in the extension-
+// injection path is caught.
+
+func TestGenerateCertificate_MustStapleProfile_AddsExtension(t *testing.T) {
+	conn, _ := newLocalIssuerForMustStapleTest(t)
+	csrPEM := buildMustStapleCSR(t, "must-staple.example.com")
+
+	result, err := conn.IssueCertificate(context.Background(), issuer.IssuanceRequest{
+		CommonName:    "must-staple.example.com",
+		SANs:          []string{"must-staple.example.com"},
+		CSRPEM:        csrPEM,
+		EKUs:          []string{"serverAuth"},
+		MaxTTLSeconds: 86400,
+		MustStaple:    true,
+	})
+	if err != nil {
+		t.Fatalf("IssueCertificate: %v", err)
+	}
+
+	cert := parsePEMCertForTest(t, result.CertPEM)
+	ext := findExtensionByOID(cert, oidMustStaple)
+	if ext == nil {
+		t.Fatal("issued cert is missing id-pe-tlsfeature extension despite MustStaple=true")
+	}
+	if ext.Critical {
+		t.Errorf("must-staple extension Critical = true, want false (RFC 7633 §6 says non-critical)")
+	}
+	if !bytes.Equal(ext.Value, mustStapleExtensionValue) {
+		t.Errorf("must-staple extension Value = %x, want %x (RFC 7633 §6 SEQUENCE OF INTEGER {5})",
+			ext.Value, mustStapleExtensionValue)
+	}
+}
+
+func TestGenerateCertificate_NoMustStaple_OmitsExtension(t *testing.T) {
+	conn, _ := newLocalIssuerForMustStapleTest(t)
+	csrPEM := buildMustStapleCSR(t, "no-staple.example.com")
+
+	result, err := conn.IssueCertificate(context.Background(), issuer.IssuanceRequest{
+		CommonName:    "no-staple.example.com",
+		SANs:          []string{"no-staple.example.com"},
+		CSRPEM:        csrPEM,
+		EKUs:          []string{"serverAuth"},
+		MaxTTLSeconds: 86400,
+		// MustStaple intentionally unset — defaults to false.
+	})
+	if err != nil {
+		t.Fatalf("IssueCertificate: %v", err)
+	}
+
+	cert := parsePEMCertForTest(t, result.CertPEM)
+	if ext := findExtensionByOID(cert, oidMustStaple); ext != nil {
+		t.Errorf("issued cert has id-pe-tlsfeature extension despite MustStaple=false (would break non-stapling deploys)")
+	}
+}
+
+// TestMustStapleConstants_PinExactRFC7633Bytes locks down the exact OID +
+// DER bytes against RFC 7633 §6. If a future refactor changes the
+// pre-encoded value in any way, this test fails — catches drift before
+// it reaches a real cert.
+func TestMustStapleConstants_PinExactRFC7633Bytes(t *testing.T) {
+	wantOID := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} // id-pe-tlsfeature
+	if !oidMustStaple.Equal(wantOID) {
+		t.Errorf("oidMustStaple = %v, want %v (RFC 7633 §6)", oidMustStaple, wantOID)
+	}
+
+	// The TLS Feature for status_request is INTEGER 5 (per the IANA TLS
+	// ExtensionType registry). RFC 7633 §6 wraps that in SEQUENCE OF.
+	wantBytes := []byte{0x30, 0x03, 0x02, 0x01, 0x05}
+	if !bytes.Equal(mustStapleExtensionValue, wantBytes) {
+		t.Errorf("mustStapleExtensionValue = %x, want %x (SEQUENCE OF INTEGER {5})",
+			mustStapleExtensionValue, wantBytes)
+	}
+
+	// Sanity: the bytes round-trip through asn1.Unmarshal as the
+	// expected structure.
+	var parsed []int
+	if _, err := asn1.Unmarshal(mustStapleExtensionValue, &parsed); err != nil {
+		t.Fatalf("mustStapleExtensionValue does not parse as SEQUENCE OF INTEGER: %v", err)
+	}
+	if len(parsed) != 1 || parsed[0] != 5 {
+		t.Errorf("parsed mustStaple = %v, want [5]", parsed)
+	}
+}
+
+// --- helpers -------------------------------------------------------------
+
+// newLocalIssuerForMustStapleTest builds a self-signed local CA Connector
+// using the package's standard New + ensureCA path — same constructor
+// production uses, so any drift in the cert-template-injection code path
+// is exercised faithfully.
+func newLocalIssuerForMustStapleTest(t *testing.T) (*Connector, *x509.Certificate) {
+	t.Helper()
+	c := New(&Config{ValidityDays: 7}, slog.New(slog.NewTextHandler(io.Discard, nil)))
+	if err := c.ensureCA(context.Background()); err != nil {
+		t.Fatalf("ensureCA: %v", err)
+	}
+	return c, c.caCert
+}
+
+func buildMustStapleCSR(t *testing.T, cn string) string {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey CSR: %v", err)
+	}
+	tmpl := &x509.CertificateRequest{
+		Subject: pkix.Name{CommonName: cn},
+	}
+	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
+	if err != nil {
+		t.Fatalf("CreateCertificateRequest: %v", err)
+	}
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
+}
+
+func parsePEMCertForTest(t *testing.T, certPEM string) *x509.Certificate {
+	t.Helper()
+	block, _ := pem.Decode([]byte(certPEM))
+	if block == nil {
+		t.Fatal("PEM decode returned nil")
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("ParseCertificate: %v", err)
+	}
+	return cert
+}
+
+func findExtensionByOID(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension {
+	for i := range cert.Extensions {
+		if cert.Extensions[i].Id.Equal(oid) {
+			return &cert.Extensions[i]
+		}
+	}
+	return nil
+}