EST RFC 7030 hardening master bundle Phases 10-11: libest sidecar e2e

+ Cisco IOS quirk fixtures + ManagedCertificate.Source provenance +
EST bulk-revoke endpoint + 13 typed audit action codes.

Phase 10.1 — libest reference-client sidecar:
- deploy/test/libest/Dockerfile: multi-stage Debian-bookworm-slim
  build of Cisco's libest v3.2.0-2 from source (autoconf/automake/
  libtool + libcurl4-openssl-dev + libssl-dev). Runtime stage
  carries only estclient + bash + openssl + ca-certificates so the
  exec surface stays small + predictable.
- docker-compose.test.yml libest-client entry (profiles: [est-e2e])
  with bind mounts for /config/est (test workspace) + /config/certs
  (certctl CA bundle for TLS pinning); IP 10.30.50.9 (10.30.50.8
  was already taken by certctl-agent).
- deploy/test/est/.gitkeep keeps the bind-mount target tracked.

Phase 10.2 — 5 integration tests (//go:build integration) in
deploy/test/est_e2e_test.go:
- TestEST_LibESTClient_Enrollment_Integration (cacerts → simpleenroll
  → cert-shape assertion)
- TestEST_LibESTClient_MTLSEnrollment_Integration (mTLS sibling-route
  cert auth; skip when bootstrap cert absent)
- TestEST_LibESTClient_ServerKeygen_Integration (RFC 7030 §4.4
  multipart; skip when profile gate disabled)
- TestEST_LibESTClient_RateLimited_Integration (4th enroll trips
  per-principal cap, asserts 429-shaped error)
- TestEST_LibESTClient_ChannelBinding_Integration (libest
  --tls-exporter; skip when libest build lacks the flag).
- requireESTSidecar guard skips the suite when the operator forgot
  --profile est-e2e; helpful error message includes the exact
  command to bring the sidecar up.

Phase 10.3 — Cisco IOS quirk fixtures + 3 unit tests in
internal/api/handler/cisco_ios_quirks_test.go:
- testdata/cisco_ios_15x_pem_csr.txt: PEM body sent with
  Content-Type application/x-pem-file. Handler dispatches on
  body-prefix not Content-Type — accepts cleanly.
- testdata/cisco_ios_16x_trailing_newline_csr.txt: extra trailing
  newlines after base64 body. strings.TrimSpace tolerates.
- testdata/cisco_ios_crlf_b64_csr.txt: CRLF-wrapped base64.
  base64.StdEncoding handles CRLF + LF identically.

Phase 11.1 — ManagedCertificate.Source provenance:
- New domain.CertificateSource enum (Unspecified/EST/SCEP/API/Agent).
- Migration 000023_managed_certificates_source.up.sql adds source
  TEXT NOT NULL DEFAULT '' so existing rows scan as
  CertificateSourceUnspecified — back-compat: bulk-revoke filter
  treats empty as "any source".
- Postgres repo Insert/Update/scan paths all wire the new column.

Phase 11.2 — EST bulk-revoke endpoint:
- BulkRevocationCriteria.Source field (Source-only requests rejected
  as too broad — must accompany at least one narrower criterion).
- service.bulk_revocation.resolveCertificates post-filter by Source
  (empty=any, no SQL change so existing CertificateFilter callers
  unaffected).
- New BulkRevocationHandler.BulkRevokeEST method pins Source=EST +
  dispatches; new route POST /api/v1/est/certificates/bulk-revoke
  (M-008 admin-gated). openapi.yaml documented + parity-guard green.

Phase 11.3 — 13 typed audit action codes in
internal/service/est_audit_actions.go:
- est_simple_enroll_success / _failed
- est_simple_reenroll_success / _failed
- est_server_keygen_success / _failed
- est_auth_failed_basic / _mtls / _channel_binding
- est_rate_limited
- est_csr_policy_violation
- est_bulk_revoke
- est_trust_anchor_reloaded
- ESTService.processEnrollment + SimpleServerKeygen + ReloadTrust
  split-emit BOTH the legacy bare action codes (back-compat for the
  GUI activity-tab chip filters that match by exact string +
  existing audit-log analysers) AND the new typed _success / _failed
  variants (operator grep target + per-failure-mode counter).

Tests:
- internal/api/handler/bulk_revocation_est_test.go — 5 cases
  (admin-true happy path pins Source=EST + non-admin 403 +
  empty-criteria 400 + invalid-reason 400 + method-not-allowed).
- internal/service/est_audit_actions_test.go — 5 cases (SimpleEnroll
  legacy+typed emission / SimpleReEnroll typed / IssuerError
  typed-failed / PolicyViolation triple-emit /
  unique-string invariant).

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres testcontainers limit), staticcheck
clean across api/handler/api/router/domain/service/deploy/test,
go test -short -count=1 green for every non-postgres Go package +
integration build (`go build -tags integration ./deploy/test/...`)
clean. G-3 docs-drift guard reproduced locally clean (Phases 10-11
added zero new env vars).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
12-13 (docs/est.md + WiFi/802.1X / IoT bootstrap / FreeRADIUS
recipes; release prep + tag) remain — post-2.1.0 work.

internal/api/handler/bulk_revocation.go

@@ -104,3 +104,72 @@ func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request
 
 	JSON(w, http.StatusOK, result)
 }
+
+// BulkRevokeEST handles EST-source-scoped bulk certificate revocation.
+// POST /api/v1/est/certificates/bulk-revoke
+//
+// EST RFC 7030 hardening master bundle Phase 11.2.
+//
+// Identical to BulkRevoke above but the Source criterion is pinned to
+// CertificateSourceEST so the operation only affects certs the EST
+// service stamped at issuance time. Operators who want to revoke
+// "every cert this device family ever issued through EST" hit this
+// endpoint with a profile_id / owner_id / etc. criterion + the
+// handler narrows the result set to EST-only.
+//
+// Same M-008 admin-gate as the generic BulkRevoke. Audit action
+// emitted by the service is `est_bulk_revoke` (typed code from Phase
+// 11.3) so operators grep on the action string distinguishes
+// EST-bulk-revoke from the generic bulk-revoke.
+func (h BulkRevocationHandler) BulkRevokeEST(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+	requestID := middleware.GetRequestID(r.Context())
+	if !middleware.IsAdmin(r.Context()) {
+		ErrorWithRequestID(w, http.StatusForbidden,
+			"EST bulk revocation requires admin privileges", requestID)
+		return
+	}
+	var req bulkRevokeRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
+		return
+	}
+	if req.Reason == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Revocation reason is required", requestID)
+		return
+	}
+	if !domain.IsValidRevocationReason(req.Reason) {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid revocation reason: "+req.Reason, requestID)
+		return
+	}
+	criteria := domain.BulkRevocationCriteria{
+		ProfileID:      req.ProfileID,
+		OwnerID:        req.OwnerID,
+		AgentID:        req.AgentID,
+		IssuerID:       req.IssuerID,
+		TeamID:         req.TeamID,
+		CertificateIDs: req.CertificateIDs,
+		// Pin Source to EST — operators MUST also supply at least one
+		// narrower criterion (criteria.IsEmpty intentionally excludes
+		// Source so a Source-only request is still rejected as too
+		// broad). This protects against "revoke every EST cert in the
+		// fleet" via a malformed body.
+		Source: domain.CertificateSourceEST,
+	}
+	if criteria.IsEmpty() {
+		ErrorWithRequestID(w, http.StatusBadRequest,
+			"At least one narrower criterion is required (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids); EST bulk-revoke is implicitly Source-scoped to EST",
+			requestID)
+		return
+	}
+	actor := resolveActor(r.Context())
+	result, err := h.svc.BulkRevoke(r.Context(), criteria, req.Reason, actor)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, "EST bulk revocation failed: "+err.Error(), requestID)
+		return
+	}
+	JSON(w, http.StatusOK, result)
+}

internal/api/handler/bulk_revocation_est_test.go

@@ -0,0 +1,111 @@
+package handler
+
+import (
+	"bytes"
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// EST RFC 7030 hardening master bundle Phase 11.4 — BulkRevokeEST handler tests.
+// Mirror the BulkRevoke pattern in bulk_revocation_handler_test.go but pin
+// the EST-source-scoping contract (criteria.Source MUST be set to EST + the
+// safety-guard that rejects narrower-criterion-empty requests fires
+// regardless of Source).
+
+func TestBulkRevokeEST_AdminTrue_PinsSourceToEST(t *testing.T) {
+	var capturedSource domain.CertificateSource
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(_ context.Context, criteria domain.BulkRevocationCriteria, _ string, _ string) (*domain.BulkRevocationResult, error) {
+			capturedSource = criteria.Source
+			return &domain.BulkRevocationResult{TotalMatched: 1, TotalRevoked: 1}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+	body := `{"reason":"keyCompromise","profile_id":"prof-iot"}`
+	req := httptest.NewRequest(http.MethodPost,
+		"/api/v1/est/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+	h.BulkRevokeEST(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("status = %d, want 200; body=%q", w.Code, w.Body.String())
+	}
+	if capturedSource != domain.CertificateSourceEST {
+		t.Errorf("Source = %q, want %q (handler must pin)", capturedSource, domain.CertificateSourceEST)
+	}
+}
+
+func TestBulkRevokeEST_NonAdmin_Returns403(t *testing.T) {
+	called := false
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(_ context.Context, _ domain.BulkRevocationCriteria, _ string, _ string) (*domain.BulkRevocationResult, error) {
+			called = true
+			return nil, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+	body := `{"reason":"keyCompromise","profile_id":"prof-iot"}`
+	req := httptest.NewRequest(http.MethodPost,
+		"/api/v1/est/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	// non-admin context (no AdminKey).
+	req = req.WithContext(context.Background())
+	w := httptest.NewRecorder()
+	h.BulkRevokeEST(w, req)
+	if w.Code != http.StatusForbidden {
+		t.Errorf("non-admin status = %d, want 403", w.Code)
+	}
+	if called {
+		t.Error("service was called despite non-admin caller")
+	}
+}
+
+func TestBulkRevokeEST_EmptyCriteria_400(t *testing.T) {
+	svc := &mockBulkRevocationService{}
+	h := NewBulkRevocationHandler(svc)
+	body := `{"reason":"keyCompromise"}` // no narrower criterion
+	req := httptest.NewRequest(http.MethodPost,
+		"/api/v1/est/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+	h.BulkRevokeEST(w, req)
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("empty-criterion status = %d, want 400", w.Code)
+	}
+	if !strings.Contains(w.Body.String(), "criterion") {
+		t.Errorf("error body should mention criterion; got %q", w.Body.String())
+	}
+}
+
+func TestBulkRevokeEST_InvalidReason_400(t *testing.T) {
+	svc := &mockBulkRevocationService{}
+	h := NewBulkRevocationHandler(svc)
+	body := `{"reason":"not-a-valid-reason","profile_id":"prof-iot"}`
+	req := httptest.NewRequest(http.MethodPost,
+		"/api/v1/est/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+	h.BulkRevokeEST(w, req)
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("invalid-reason status = %d, want 400", w.Code)
+	}
+}
+
+func TestBulkRevokeEST_MethodNotAllowed(t *testing.T) {
+	svc := &mockBulkRevocationService{}
+	h := NewBulkRevocationHandler(svc)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/est/certificates/bulk-revoke", nil)
+	w := httptest.NewRecorder()
+	h.BulkRevokeEST(w, req)
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("GET against POST-only endpoint status = %d, want 405", w.Code)
+	}
+}

internal/api/handler/cisco_ios_quirks_test.go

@@ -0,0 +1,132 @@
+package handler
+
+import (
+	"crypto/tls"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// EST RFC 7030 hardening master bundle Phase 10.3 — Cisco IOS quirk
+// fixtures. Each fixture is a captured-shape CSR that exercises one
+// of the documented IOS wire-format deviations from the EST §4.2.1
+// happy-path; the test pins that ESTHandler.readCSRFromRequest +
+// the broader handler pipeline accept each shape without operator
+// intervention.
+//
+// Fixtures live under testdata/cisco_ios_*.txt — kept as plain-text
+// copies so a future reader can `cat` them + understand the shape
+// without re-deriving from a binary blob.
+
+// loadCiscoFixture reads the named testdata file. Path-traversal-safe
+// because the fixture name is a compile-time constant per call site;
+// we keep filepath.Clean for hygiene.
+func loadCiscoFixture(t *testing.T, name string) string {
+	t.Helper()
+	body, err := os.ReadFile(filepath.Clean(filepath.Join("testdata", name)))
+	if err != nil {
+		t.Fatalf("read fixture %q: %v", name, err)
+	}
+	return string(body)
+}
+
+// TestESTCiscoIOSQuirk_15xPEMUploadAccepted exercises the documented
+// IOS 15.x quirk: the device sends Content-Type `application/x-pem-file`
+// (PEM-encoded) instead of the EST §4.2.1 canonical
+// `application/pkcs10` (base64-DER). The handler's readCSRFromRequest
+// dispatches on body-prefix (`-----BEGIN CERTIFICATE REQUEST-----`)
+// rather than Content-Type, so the upload should parse cleanly + the
+// service should see a properly-formed CSR.
+func TestESTCiscoIOSQuirk_15xPEMUploadAccepted(t *testing.T) {
+	body := loadCiscoFixture(t, "cisco_ios_15x_pem_csr.txt")
+	if !strings.HasPrefix(body, "-----BEGIN CERTIFICATE REQUEST-----") {
+		t.Fatalf("fixture corrupted: expected PEM prefix, got %q", body[:60])
+	}
+
+	svc := &mockESTService{EnrollResult: ciscoQuirkOKResult(t)}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost,
+		"/.well-known/est/corp/simpleenroll", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/x-pem-file") // the IOS 15.x quirk
+	req.TLS = &tls.ConnectionState{HandshakeComplete: true, Version: tls.VersionTLS13}
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("IOS 15.x PEM upload status = %d, want 200; body=%q", w.Code, w.Body.String())
+	}
+}
+
+// TestESTCiscoIOSQuirk_16xTrailingNewlinesAccepted exercises the
+// documented IOS 16.x quirk: an extra trailing newline after the
+// base64 body. The handler's strings.TrimSpace pass MUST tolerate
+// any number of trailing whitespace bytes without surfacing as a
+// malformed-CSR rejection.
+func TestESTCiscoIOSQuirk_16xTrailingNewlinesAccepted(t *testing.T) {
+	body := loadCiscoFixture(t, "cisco_ios_16x_trailing_newline_csr.txt")
+	if !strings.HasSuffix(body, "\n\n\n") && !strings.HasSuffix(body, "\n\n") {
+		tail := body
+		if len(tail) > 10 {
+			tail = body[len(body)-10:]
+		}
+		t.Fatalf("fixture corrupted: expected ≥2 trailing newlines; got tail=%q", tail)
+	}
+
+	svc := &mockESTService{EnrollResult: ciscoQuirkOKResult(t)}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost,
+		"/.well-known/est/corp/simpleenroll", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/pkcs10")
+	req.TLS = &tls.ConnectionState{HandshakeComplete: true, Version: tls.VersionTLS13}
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("IOS 16.x trailing-newlines status = %d, want 200; body=%q", w.Code, w.Body.String())
+	}
+}
+
+// TestESTCiscoIOSQuirk_CRLFBase64Accepted exercises the documented
+// CRLF-line-ending quirk. Some IOS versions emit base64-DER with
+// CRLF wrapping (the RFC 2045 §6.8 wire shape) rather than bare LF
+// (the JSON-via-curl shape). The handler must strip both CRLF + LF
+// before passing to base64.StdEncoding.DecodeString.
+func TestESTCiscoIOSQuirk_CRLFBase64Accepted(t *testing.T) {
+	body := loadCiscoFixture(t, "cisco_ios_crlf_b64_csr.txt")
+	if !strings.Contains(body, "\r\n") {
+		t.Fatalf("fixture corrupted: expected CRLF-wrapped body; first 80 = %q", body[:80])
+	}
+
+	svc := &mockESTService{EnrollResult: ciscoQuirkOKResult(t)}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost,
+		"/.well-known/est/corp/simpleenroll", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/pkcs10")
+	req.TLS = &tls.ConnectionState{HandshakeComplete: true, Version: tls.VersionTLS13}
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("CRLF-wrapped base64 status = %d, want 200; body=%q", w.Code, w.Body.String())
+	}
+}
+
+// ciscoQuirkOKResult is the service-side response the mock returns for
+// every Cisco-quirk happy-path test. The cert content doesn't matter —
+// what matters is that the handler reaches the service call (i.e. it
+// successfully parsed the CSR), so we hand back a hard-coded EC cert
+// PEM that pkcs7.PEMToDERChain accepts cleanly.
+func ciscoQuirkOKResult(t *testing.T) *domain.ESTEnrollResult {
+	t.Helper()
+	return &domain.ESTEnrollResult{
+		CertPEM: "-----BEGIN CERTIFICATE-----\nMIIBnDCCAUOgAwIBAgIBATAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAljaXNjby10\nZXN0MB4XDTI1MDEwMTAwMDAwMFoXDTM1MTIzMTAwMDAwMFowFDESMBAGA1UEAwwJ\nY2lzY28tdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAfNh1+nAo15qVMF\nh0w4EQfHBn5zQgEDLkJhpZ+9PqJkgqdSwJgC+4Ah+UWrJOO6+P9YOPXqkSQU0E2X\n3/Ms2DyjUzBRMB0GA1UdDgQWBBSm1U4Fmh4j9eJDVa8qBOrkxqLhajAfBgNVHSME\nGDAWgBSm1U4Fmh4j9eJDVa8qBOrkxqLhajAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA0gAMEUCIQCY7d0XHVz7AmAFZrYTIVFmRn/PV+0qRu9HSqwvU1HYNgIg\nXKJM6e/0ckLhqLGB1lN9Bz/cvyZuYIcHLgMrlvNUwYE=\n-----END CERTIFICATE-----\n",
+	}
+}

internal/api/handler/testdata/cisco_ios_15x_pem_csr.txt

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBHDCBwwIBADAnMSUwIwYDVQQDExxkZXZpY2UtY2lzY28tMTV4LmV4YW1wbGUu
+Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBfqE3v4r/07DDezeXNHXFPsn
+YvmAD8mpnlCZ1Pa8pXUDSxxfHZ9m/JHoXc+3/8c600ZP+IMaP2NZQba+lo53rKA6
+MDgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoIcZGV2aWNlLWNpc2NvLTE1eC5l
+eGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA75uwUhlbytlHRADC84bwz4uc
+X7OG5SwpWLx8lqIt304CIDsYVz0CaWKklgyVHA5E2EkTA83p/fsqooycE+81jhiy
+-----END CERTIFICATE REQUEST-----

internal/api/handler/testdata/cisco_ios_16x_trailing_newline_csr.txt

@@ -0,0 +1,3 @@
+MIIBHDCBwwIBADAnMSUwIwYDVQQDExxkZXZpY2UtY2lzY28tMTZ4LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKKkWJlc/Ew/iM/B1PB7PgceMAG4lXj15LvlNQzZTF8yz4WyeGxzlQFrADQm5Ufhihir+syBUuUR356Ov7vS4r6A6MDgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoIcZGV2aWNlLWNpc2NvLTE2eC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA21LN5VSneM+2hyN2K1YOzPpkmzNkAHu2ff8DBNzhqjQCIDe5NnSaNa7TzxTQAXsRUJoOITllKgCaNyZptTKZcTII
+
+

internal/api/handler/testdata/cisco_ios_crlf_b64_csr.txt

@@ -0,0 +1,7 @@
+MIIBHTCBxQIBADAoMSYwJAYDVQQDEx1kZXZpY2UtY2lzY28tY3JsZi5leGFtcGxl
+LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJdkH3YYwI7NmFW5z8pRWaSN
+RprlyI8aqn7GX1Z+qcBwmvskW5Y21VsQGQlYHYb/sIIXHRr+uAigNVhnlQf+ShWg
+OzA5BgkqhkiG9w0BCQ4xLDAqMCgGA1UdEQQhMB+CHWRldmljZS1jaXNjby1jcmxm
+LmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEbYyU5slKbF/HmTqywElydE
+1K5785vZo7bngwBSpwBsAiANMZhP1NykOfyyN1rM4v3jrisTq/u4i3QHNOnVgHN1
+7Q==