fix(scep-intune): close 11 audit gaps from 2026-04-29 pre-tag review

Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md). Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always take the complete path, not the easy path' — drove this closure: each gap was a load-bearing wire that crossed multiple layers (config → validator → service wire-up → tests → docs) and shipping the bundle without them would have produced lying-field footguns where operator- visible config options stored values without affecting behavior. WHAT LANDS: Phase A — Clock-skew tolerance (master prompt §15 hazard closure) internal/scep/intune/challenge.go: ValidateChallenge migrated from positional args to ValidateOptions{} struct; new ClockSkewTolerance field with default 0 (strict). 24 call sites updated mechanically. Asymmetric application: now+tolerance >= iat AND now-tolerance < exp. internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance default 60s + Validate() refusal when >= ChallengeValidity. cmd/server/main.go: SetIntuneIntegration signature extended; per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE. internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors. 4 new tests in challenge_test.go covering accept-within-tolerance, reject-beyond-tolerance, accept-expired-within-tolerance, negative-treated-as-zero defensive normalization. docs/scep-intune.md updated with the new env var + time-bounds rule. Phase B — unknown-version-rejected golden test internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload helper + signGoldenChallengeAny generic signer. challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected uses an in-process ECDSA fixture (the on-disk PEM was generated with a Go-stdlib version that produces different ecdsa.GenerateKey bytes from the current call). TestRegenerateGoldenFixtures emits the new unknown_version fixture file too. Phase C — Two named Intune e2e tests internal/api/handler/scep_intune_e2e_test.go: TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd returns FAILURE+badRequest with rate_limited counter ticked) TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate on-disk PEM + holder.Reload(); old-key challenge fails with badMessageCheck; signature_invalid counter ticked) intuneE2EFixture struct extended with trustHolder + trustPath fields so tests can rotate. Phase D — Four new ChromeOS hermetic tests (10 total now) internal/api/handler/scep_chromeos_test.go: _RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler rejects without reaching service. _3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified. _RSACSR + _ECDSACSR — explicit matrix-pair pinning. buildTestECDSACSR helper for ECDSA P-256 CSR construction; tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC; assertChromeOSPositiveCertRep shared assertion. Phase E — Per-profile counter isolation test internal/api/handler/scep_profile_counter_isolation_test.go: TestSCEPHandler_PerProfileIntuneCountersIsolated wires two SCEPService instances + drives distinct PKIMessages + asserts counter isolation. Guards against a future cmd/server/main.go refactor that shares a *intuneCounterTab across profiles. buildPerProfileIntuneFixture parameterized helper. Phase F — Server-boot regression tests cmd/server/preflight_scep_intune_test.go: 3 named tests covering disabled-backward-compat, broken-config-with-PathID, expired-cert refusal. preflightSCEPIntuneTrustAnchor signature extended with pathID arg so error messages carry PathID= for operator log-grep. Phase G — docs/connectors.md Four new subsections under §EST/SCEP Integration: multi-profile dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP probe in network scanner. Each has a one-paragraph operator explanation + an env-var or endpoint table. Phase H — Coverage uplift internal/service/scep_probe_persist_test.go: 5 unit tests on persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow + nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler ≥75) PASS at 70.9% / 79.3%. Phase I — deploy/test integration variant deploy/test/scep_intune_e2e_test.go (//go:build integration): TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration against the live docker-compose certctl container. Skip-when- stack-missing semantics so sandbox + CI both work. deploy/docker-compose.test.yml: new e2eintune SCEP profile env vars + bind-mount of deploy/test/fixtures/. deploy/test/fixtures/README.md: documents the deterministic trust anchor regeneration recipe. VERIFICATION (sandbox): gofmt -d — clean for all changed files staticcheck — clean for intune + handler + config + service + cmd/server packages go vet — clean for the same packages go test -short — green for intune (95.3% cov), service (70.9%), handler (79.3%), config (94.0%), cmd/server (boot path; my preflight tests cover the directly- testable function), pkcs7 (80.5% informational) DEFERRED (per closure prompt §7 out-of-scope): - V3-Pro Conditional Access gating + Microsoft Graph integration - Standalone certctl-scan CLI binary - OCSP rate-limiting, OCSP stapling, delta CRLs Spec preserved at cowork/scep-bundle-gap-closure-prompt.md; journal at cowork/scep-rfc8894-intune/progress.md (audit-closure section appended).
2026-06-12 10:28:52 +00:00 · 2026-04-29 20:28:53 +00:00
parent 9fcea95708
commit 444942eab8
20 changed files with 2143 additions and 74 deletions
@@ -285,6 +285,183 @@ func TestSCEPHandler_ChromeOSPKIMessage_AESVariants(t *testing.T) {
 	}
 }

+// TestSCEPHandler_ChromeOSPKIMessage_RAKeyMismatch — closure-bundle
+// gap M-1 / acceptance D.1 (cowork/scep-bundle-gap-closure-prompt.md).
+// Build a PKIMessage encrypted to a freshly-generated RA cert whose
+// matching private key the server does NOT have. The handler MUST
+// reject (RFC 8894 path can't decrypt → falls through; MVP path can't
+// either because the EnvelopedData isn't a raw CSR). Assert no
+// PKCSReqWithEnvelope was reached. Closes the documented threat that
+// an attacker who swaps the RA cert in transit gets a polite error
+// rather than information leak about the underlying issuer.
+func TestSCEPHandler_ChromeOSPKIMessage_RAKeyMismatch(t *testing.T) {
+	fix := newChromeOSStackFixture(t)
+
+	// Build a PKIMessage targeting an UNRELATED RA cert (different key).
+	// The server's handler still has fix.raKey, so decryption MUST fail.
+	bogusRAKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("rsa.GenerateKey bogus RA: %v", err)
+	}
+	bogusRACert := selfSignedRSACert(t, bogusRAKey, "ra-bogus-not-on-server")
+	bogusFix := &chromeOSStackFixture{
+		raKey:      bogusRAKey,
+		raCert:     bogusRACert,
+		deviceKey:  fix.deviceKey,
+		deviceCert: fix.deviceCert,
+	}
+	pkiMessage := buildChromeOSStylePKIMessage(t, bogusFix, domain.SCEPMessageTypePKCSReq, "txn-ra-mismatch", "shared-secret-123", "ra-mismatch.example.com", aesKeyForOID(pkcs7.OIDAES256CBC))
+
+	w, _ := postPKIOperation(t, fix.handler, pkiMessage)
+	// RFC 8894 path returns FAILURE+badMessageCheck CertRep (200), MVP
+	// fall-through returns 400. Either is acceptable — what we MUST
+	// see is "the issuer never received the CSR."
+	if w.Code != http.StatusBadRequest && w.Code != http.StatusOK {
+		t.Errorf("POST PKIOperation (RA-key mismatch): got %d, want 400 (MVP fall-through) or 200 (CertRep+failInfo)", w.Code)
+	}
+	if fix.svc.pkcsReqEnvelope != nil {
+		t.Error("PKCSReqWithEnvelope was reached despite the RA-cert/key mismatch — decrypt-failure leaked through to the service")
+	}
+}
+
+// TestSCEPHandler_ChromeOSPKIMessage_3DESBackwardCompat — closure-bundle
+// gap M-1 / acceptance D.2. RFC 8894 §3.5.2 names DES-EDE3-CBC
+// (1.2.840.113549.3.7) as a "supported but discouraged" content-encryption
+// algorithm for backward compat with older Cisco IOS / Apple legacy
+// clients. Verify the parser accepts this OID + the handler reaches
+// the service with a decoded CSR.
+func TestSCEPHandler_ChromeOSPKIMessage_3DESBackwardCompat(t *testing.T) {
+	fix := newChromeOSStackFixture(t)
+	tdesKey := aesKeyForOID(pkcs7.OIDDESEDE3CBC) // 24 bytes (3DES K1||K2||K3)
+
+	csrDER := buildTestCSR(t, fix.deviceKey, "tdes.example.com", "shared-secret-123")
+
+	iv := make([]byte, des.BlockSize) // 8 bytes for 3DES
+	if _, err := rand.Read(iv); err != nil {
+		t.Fatalf("rand iv: %v", err)
+	}
+	ciphertext := tripleDESCBCEncrypt(t, tdesKey, iv, csrDER)
+	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, fix.raCert.PublicKey.(*rsa.PublicKey), tdesKey)
+	if err != nil {
+		t.Fatalf("rsa encrypt 3des key: %v", err)
+	}
+	envelopedData := buildEnvelopedDataForTest(t, fix.raCert, encryptedKey, iv, ciphertext, pkcs7.OIDDESEDE3CBC)
+	pkiMessage := buildSignedDataForTest(t, fix.deviceKey, fix.deviceCert, domain.SCEPMessageTypePKCSReq, "txn-3des", []byte("0123456789abcdef"), envelopedData)
+
+	w, body := postPKIOperation(t, fix.handler, pkiMessage)
+	if w.Code != http.StatusOK {
+		t.Fatalf("POST PKIOperation (3DES legacy): got %d, want 200 (RFC 8894 §3.5.2 backward-compat) — body=%q", w.Code, body)
+	}
+	if fix.svc.pkcsReqEnvelope == nil {
+		t.Fatal("PKCSReqWithEnvelope was NOT reached — 3DES decrypt path didn't make it to the service")
+	}
+}
+
+// TestSCEPHandler_ChromeOSPKIMessage_RSACSR — closure-bundle gap M-1 /
+// acceptance D.4. Pins the "RSA CSR" matrix corner explicitly so a
+// future helper refactor that quietly drops the RSA path doesn't
+// disappear from the test count without a counter dropping. The
+// shared positive-flow assertions live in
+// assertChromeOSPositiveCertRep so the matrix-pair {RSA, ECDSA} stays
+// readable.
+func TestSCEPHandler_ChromeOSPKIMessage_RSACSR(t *testing.T) {
+	fix := newChromeOSStackFixture(t)
+	pkiMessage := buildChromeOSStylePKIMessage(t, fix, domain.SCEPMessageTypePKCSReq, "txn-rsa-csr", "shared-secret-123", "rsa-csr.example.com", aesKeyForOID(pkcs7.OIDAES256CBC))
+	assertChromeOSPositiveCertRep(t, fix, pkiMessage)
+}
+
+// TestSCEPHandler_ChromeOSPKIMessage_ECDSACSR — closure-bundle gap M-1
+// / acceptance D.3. The CSR's keypair is ECDSA P-256; the device's
+// transient signerInfo identity stays RSA (matches what real ChromeOS
+// + Intune-managed devices commonly emit — device identity is a
+// long-lived RSA key, the new cert can be ECDSA). Verifies the
+// handler doesn't choke on the inner CSR's algorithm even when the
+// outer SignerInfo is RSA-SHA256.
+func TestSCEPHandler_ChromeOSPKIMessage_ECDSACSR(t *testing.T) {
+	fix := newChromeOSStackFixture(t)
+
+	csrKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey: %v", err)
+	}
+	csrDER := buildTestECDSACSR(t, csrKey, "ecdsa-csr.example.com", "shared-secret-123")
+
+	symKey := aesKeyForOID(pkcs7.OIDAES256CBC)
+	iv := make([]byte, aes.BlockSize)
+	if _, err := rand.Read(iv); err != nil {
+		t.Fatalf("rand iv: %v", err)
+	}
+	ciphertext := aesCBCEncrypt(t, symKey, iv, csrDER)
+	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, fix.raCert.PublicKey.(*rsa.PublicKey), symKey)
+	if err != nil {
+		t.Fatalf("rsa encrypt symKey: %v", err)
+	}
+	envelopedData := buildEnvelopedDataForTest(t, fix.raCert, encryptedKey, iv, ciphertext, pkcs7.OIDAES256CBC)
+	pkiMessage := buildSignedDataForTest(t, fix.deviceKey, fix.deviceCert, domain.SCEPMessageTypePKCSReq, "txn-ecdsa-csr", []byte("0123456789abcdef"), envelopedData)
+	assertChromeOSPositiveCertRep(t, fix, pkiMessage)
+}
+
+// assertChromeOSPositiveCertRep is the shared positive-flow assertion
+// helper for the {RSA, ECDSA} CSR matrix tests. Asserts HTTP 200 +
+// content-type + the service-level mock saw the envelope.
+func assertChromeOSPositiveCertRep(t *testing.T, fix *chromeOSStackFixture, pkiMessage []byte) {
+	t.Helper()
+	w, body := postPKIOperation(t, fix.handler, pkiMessage)
+	if w.Code != http.StatusOK {
+		t.Fatalf("POST PKIOperation: got %d, want 200 (body=%q)", w.Code, body)
+	}
+	if got := w.Header().Get("Content-Type"); got != "application/x-pki-message" {
+		t.Errorf("Content-Type = %q, want application/x-pki-message", got)
+	}
+	if fix.svc.pkcsReqEnvelope == nil {
+		t.Fatal("PKCSReqWithEnvelope was NOT reached — handler dispatched to MVP path or rejected the message")
+	}
+}
+
+// buildTestECDSACSR mirrors buildTestCSR but for an ECDSA P-256
+// signing key. Closure-bundle Phase D helper. The CSR carries the
+// challengePassword attribute the same way the RSA helper does.
+func buildTestECDSACSR(t *testing.T, key *ecdsa.PrivateKey, commonName, challengePassword string) []byte {
+	t.Helper()
+	tmpl := &x509.CertificateRequest{
+		Subject:         pkix.Name{CommonName: commonName},
+		ExtraExtensions: []pkix.Extension{},
+		Attributes: []pkix.AttributeTypeAndValueSET{
+			{
+				Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7},
+				Value: [][]pkix.AttributeTypeAndValue{
+					{{Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}, Value: challengePassword}},
+				},
+			},
+		},
+	}
+	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
+	if err != nil {
+		t.Fatalf("CreateCertificateRequest (ECDSA): %v", err)
+	}
+	return der
+}
+
+// tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES — used by the
+// 3DES backward-compat test. PKCS#7 padding to 8-byte blocks.
+func tripleDESCBCEncrypt(t *testing.T, key, iv, plaintext []byte) []byte {
+	t.Helper()
+	block, err := des.NewTripleDESCipher(key) //nolint:gosec // RFC 8894 §3.5.2 legacy backward-compat test fixture
+	if err != nil {
+		t.Fatalf("des.NewTripleDESCipher: %v", err)
+	}
+	bs := block.BlockSize()
+	padLen := bs - len(plaintext)%bs
+	padded := append([]byte{}, plaintext...)
+	for i := 0; i < padLen; i++ {
+		padded = append(padded, byte(padLen))
+	}
+	enc := cipher.NewCBCEncrypter(block, iv)
+	out := make([]byte, len(padded))
+	enc.CryptBlocks(out, padded)
+	return out
+}
+
 // TestSCEPHandler_MVPCompat_StillWorks asserts the existing MVP path (raw
 // CSR inside a stripped SignedData, no EnvelopedData) STILL works for
 // backward compat with lightweight clients.