diff --git a/internal/scep/intune/challenge.go b/internal/scep/intune/challenge.go new file mode 100644 index 0000000..652687d --- /dev/null +++ b/internal/scep/intune/challenge.go @@ -0,0 +1,343 @@ +package intune + +import ( + "crypto" + "crypto/ecdsa" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "math/big" + "strings" + "time" +) + +// Typed challenge-validation errors. The handler audits the specific +// failure dimension via errors.Is so operators can distinguish e.g. an +// expired challenge (clock skew, latent enrollment) from a tampered one +// (active attack) without string-matching error messages. +// +// SCEP RFC 8894 + Intune master bundle Phase 7.4. +var ( + ErrChallengeMalformed = errors.New("intune: challenge is not in the JWT-like compact-serialization format") + ErrChallengeSignature = errors.New("intune: challenge signature does not verify against any configured trust anchor") + ErrChallengeExpired = errors.New("intune: challenge expired") + ErrChallengeNotYetValid = errors.New("intune: challenge not yet valid (iat in future, possible clock skew)") + ErrChallengeWrongAudience = errors.New("intune: challenge audience does not match this SCEP endpoint URL") + ErrChallengeReplay = errors.New("intune: challenge nonce already seen (replay attempt)") + ErrChallengeUnknownVersion = errors.New("intune: challenge has an unknown version claim — parser does not support this format") +) + +// ParseChallenge decodes the JWT-like compact serialization of an Intune +// dynamic challenge into header, payload, and signature byte slices. Does +// NOT verify the signature; that's ValidateChallenge's job. +// +// Format: base64url(header) "." base64url(payload) "." base64url(signature) +// where the base64url alphabet is RFC 4648 §5 (URL-safe, no padding). +// +// We accept both padded and unpadded base64url because some Connector +// versions have shipped padded encodings in the wild despite RFC 7515 §2 +// mandating unpadded. The stdlib base64.RawURLEncoding rejects padding, +// so we strip trailing '=' before decoding. +func ParseChallenge(raw string) (header, payload, signature []byte, err error) { + if raw == "" { + return nil, nil, nil, fmt.Errorf("%w: empty input", ErrChallengeMalformed) + } + parts := strings.Split(raw, ".") + if len(parts) != 3 { + return nil, nil, nil, fmt.Errorf("%w: expected 3 dot-separated segments, got %d", ErrChallengeMalformed, len(parts)) + } + for i, p := range parts { + if p == "" { + return nil, nil, nil, fmt.Errorf("%w: segment %d is empty", ErrChallengeMalformed, i) + } + } + header, err = b64urlDecode(parts[0]) + if err != nil { + return nil, nil, nil, fmt.Errorf("%w: header base64url: %v", ErrChallengeMalformed, err) + } + payload, err = b64urlDecode(parts[1]) + if err != nil { + return nil, nil, nil, fmt.Errorf("%w: payload base64url: %v", ErrChallengeMalformed, err) + } + signature, err = b64urlDecode(parts[2]) + if err != nil { + return nil, nil, nil, fmt.Errorf("%w: signature base64url: %v", ErrChallengeMalformed, err) + } + // Sanity-check the header parses as JSON before we hand it back; a + // non-JSON header is a clear malformed signal we'd otherwise only + // catch later in ValidateChallenge during alg dispatch. Earlier + // rejection = better operator audit log shape. + var probe map[string]any + if err := json.Unmarshal(header, &probe); err != nil { + return nil, nil, nil, fmt.Errorf("%w: header is not JSON: %v", ErrChallengeMalformed, err) + } + return header, payload, signature, nil +} + +// b64urlDecode decodes RFC 4648 §5 base64url with or without trailing +// '=' padding. RFC 7515 §2 mandates unpadded; some Intune Connector +// versions emit padded; tolerate both. +func b64urlDecode(s string) ([]byte, error) { + stripped := strings.TrimRight(s, "=") + return base64.RawURLEncoding.DecodeString(stripped) +} + +// jwtHeader is the JOSE-style header carried in the first segment of an +// Intune challenge. We only consult `alg` for signature dispatch; other +// JWS fields (kid, x5c, jku, etc.) are intentionally NOT honored — the +// trust anchor is operator-supplied at startup and pinned, not negotiated +// per-request. Honoring kid/jku would expand the attack surface to "any +// URL the Connector header claims is the truth," which is exactly the +// JWT vulnerability class we're avoiding by not pulling in a full JOSE +// implementation. +type jwtHeader struct { + Alg string `json:"alg"` + Typ string `json:"typ,omitempty"` +} + +// versionedChallenge is the lightest possible pre-parse to extract a +// version claim BEFORE the full JSON unmarshal commits to a struct +// shape. v1 (current) has no "version" key; v2+ MUST. +// +// SCEP RFC 8894 + Intune master bundle Phase 7.4 (version dispatcher +// rationale): Microsoft has changed the Connector signed-challenge format +// at least twice in the past 5 years. Adding the dispatcher today costs +// ~30 LoC + 2 tests; not having it when v2 ships costs a P0 incident +// where every Intune enrollment fails until a hot-fix lands. +type versionedChallenge struct { + Version string `json:"version,omitempty"` +} + +// versionUnmarshalers maps a version string to its claim parser. Adding +// v2 = adding a parser + a registration line. Adding v3 = same. Existing +// v1 path stays untouched. +var versionUnmarshalers = map[string]func(payload []byte) (*ChallengeClaim, error){ + "": unmarshalChallengeV1, // legacy / current default + "v1": unmarshalChallengeV1, // explicit v1, future-belt-and-suspenders + // "v2": unmarshalChallengeV2, // ← future, when Microsoft ships it +} + +// challengePayloadV1 is the on-the-wire JSON shape of the v1 Connector +// challenge. Separated from the public ChallengeClaim because the wire +// format uses Unix-second numerics for iat/exp while the in-memory type +// uses time.Time (caller-friendly + sentinel-safe). +type challengePayloadV1 struct { + Issuer string `json:"iss,omitempty"` + Subject string `json:"sub,omitempty"` + Audience string `json:"aud,omitempty"` + IssuedAt int64 `json:"iat,omitempty"` + ExpiresAt int64 `json:"exp,omitempty"` + Nonce string `json:"nonce,omitempty"` + DeviceName string `json:"device_name,omitempty"` + SANDNS []string `json:"san_dns,omitempty"` + SANRFC822 []string `json:"san_rfc822,omitempty"` + SANUPN []string `json:"san_upn,omitempty"` +} + +// unmarshalChallengeV1 parses the v1 wire format. Conservative: any +// unrecognised JSON fields are silently dropped (forward-compat for the +// inevitable v1.x minor additions Microsoft makes without bumping the +// version key). +func unmarshalChallengeV1(payload []byte) (*ChallengeClaim, error) { + var p challengePayloadV1 + if err := json.Unmarshal(payload, &p); err != nil { + return nil, fmt.Errorf("%w: v1 payload unmarshal: %v", ErrChallengeMalformed, err) + } + c := &ChallengeClaim{ + Issuer: p.Issuer, + Subject: p.Subject, + Audience: p.Audience, + Nonce: p.Nonce, + DeviceName: p.DeviceName, + SANDNS: p.SANDNS, + SANRFC822: p.SANRFC822, + SANUPN: p.SANUPN, + } + if p.IssuedAt > 0 { + c.IssuedAt = time.Unix(p.IssuedAt, 0).UTC() + } + if p.ExpiresAt > 0 { + c.ExpiresAt = time.Unix(p.ExpiresAt, 0).UTC() + } + return c, nil +} + +// ValidateChallenge runs the full Intune-challenge validation pipeline: +// +// 1. ParseChallenge(raw) — JWT compact deserialize +// 2. Verify signature over (segment0 || "." || segment1) against any +// trust-anchor cert's public key (try each until one verifies) +// 3. Extract version claim via the lightweight versioned-prelude +// 4. Dispatch to the per-version unmarshaler (v1 today) +// 5. Time bounds: now ≥ iat AND now < exp (with stdlib RFC 3339 grace) +// 6. Audience: claim.Audience == expectedAudience (when expectedAudience +// is non-empty; empty disables the check, useful for tests) +// +// Returns *ChallengeClaim on success, typed error on failure (caller can +// errors.Is the specific dimension). +// +// Replay protection is the CALLER's responsibility — pass the returned +// claim's Nonce to a *ReplayCache.CheckAndInsert. We deliberately don't +// own the cache here so the validator stays stateless + testable; the +// handler glues parser + cache together. +func ValidateChallenge(raw string, trust []*x509.Certificate, expectedAudience string, now time.Time) (*ChallengeClaim, error) { + if len(trust) == 0 { + return nil, fmt.Errorf("%w: no trust anchors configured", ErrChallengeSignature) + } + + header, payload, signature, err := ParseChallenge(raw) + if err != nil { + return nil, err + } + + // JWS signing input per RFC 7515 §5.1: ASCII bytes of segment0 + "." + segment1. + // We re-derive from raw (split-by-dots) rather than re-base64-encode the + // decoded segments, because RFC 7515 §3.1 specifies the signing input + // is the encoded form, and some encoders omit padding while others + // don't — re-encoding could produce a byte-different input than what + // the Connector originally signed. Use the raw on-wire bytes. + parts := strings.Split(raw, ".") + if len(parts) != 3 { + // ParseChallenge already enforced this; defensive double-check. + return nil, fmt.Errorf("%w: post-parse segment count drift", ErrChallengeMalformed) + } + signingInput := []byte(parts[0] + "." + parts[1]) + + var hdr jwtHeader + if err := json.Unmarshal(header, &hdr); err != nil { + return nil, fmt.Errorf("%w: header JSON: %v", ErrChallengeMalformed, err) + } + + if err := verifyChallengeSignature(hdr.Alg, signingInput, signature, trust); err != nil { + return nil, err + } + + // Version dispatch — extract the version claim BEFORE the full unmarshal. + var v versionedChallenge + if err := json.Unmarshal(payload, &v); err != nil { + return nil, fmt.Errorf("%w: prelude unmarshal: %v", ErrChallengeMalformed, err) + } + unmarshaler, ok := versionUnmarshalers[v.Version] + if !ok { + return nil, fmt.Errorf("%w: %q", ErrChallengeUnknownVersion, v.Version) + } + claim, err := unmarshaler(payload) + if err != nil { + return nil, err + } + + // Time bounds. The Connector's signed iat/exp ARE authoritative; + // we don't impose a separate validity cap here (the operator can + // add one in the handler if defense-in-depth is wanted, e.g. via + // SCEPProfileConfig.IntuneChallengeValidity in Phase 8). + if !claim.IssuedAt.IsZero() && now.Before(claim.IssuedAt) { + return nil, fmt.Errorf("%w: iat=%s now=%s", ErrChallengeNotYetValid, + claim.IssuedAt.Format(time.RFC3339), now.Format(time.RFC3339)) + } + if !claim.ExpiresAt.IsZero() && !now.Before(claim.ExpiresAt) { + return nil, fmt.Errorf("%w: exp=%s now=%s", ErrChallengeExpired, + claim.ExpiresAt.Format(time.RFC3339), now.Format(time.RFC3339)) + } + + // Audience binds the challenge to a specific SCEP endpoint URL. An + // empty expectedAudience disables the check (test convenience + the + // Phase 8 config allows operator opt-out for proxy / load-balancer + // scenarios where the URL the Connector saw isn't the URL we see). + if expectedAudience != "" && claim.Audience != "" && claim.Audience != expectedAudience { + return nil, fmt.Errorf("%w: claim=%q expected=%q", ErrChallengeWrongAudience, + claim.Audience, expectedAudience) + } + + return claim, nil +} + +// verifyChallengeSignature dispatches on the JWS alg header to the +// matching stdlib signature-verify routine, then iterates the trust +// anchors trying each cert's public key until one verifies. +// +// Supported algs: +// - RS256: RSASSA-PKCS1-v1_5 over SHA-256 (Microsoft's published Connector default) +// - ES256: ECDSA P-256 over SHA-256 (community-reported Connector option) +// +// Deliberately rejected algs: +// - "none" (RFC 7515 §3.6 vulnerability vector) +// - HS256 / HS384 / HS512 (HMAC; no shared secret in our threat model) +// - PS256+ (RSA-PSS; not seen in Intune Connector traffic — add only when needed) +// +// Adding a new alg = add a case + a verify helper. The trust-anchor loop +// stays unchanged. +func verifyChallengeSignature(alg string, signingInput, signature []byte, trust []*x509.Certificate) error { + switch alg { + case "RS256": + return verifyRS256(signingInput, signature, trust) + case "ES256": + return verifyES256(signingInput, signature, trust) + case "": + return fmt.Errorf("%w: missing alg header (RFC 7515 §4.1.1 mandates)", ErrChallengeSignature) + case "none": + // Explicit reject so the failure mode in the audit log distinguishes + // "unsupported alg" from "active attack with the alg-none vector." + return fmt.Errorf("%w: alg \"none\" rejected (RFC 7515 §3.6 attack)", ErrChallengeSignature) + default: + return fmt.Errorf("%w: unsupported alg %q (only RS256 and ES256 are accepted)", ErrChallengeSignature, alg) + } +} + +// verifyRS256 hashes the signing input with SHA-256 and checks the +// signature against each trust anchor's public key. Constant-time: the +// stdlib's rsa.VerifyPKCS1v15 returns nil on success and an error on +// failure without timing-leak surface area on the hash compare path. +func verifyRS256(signingInput, signature []byte, trust []*x509.Certificate) error { + h := sha256.Sum256(signingInput) + for _, cert := range trust { + pub, ok := cert.PublicKey.(*rsa.PublicKey) + if !ok { + continue + } + if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], signature); err == nil { + return nil + } + } + return ErrChallengeSignature +} + +// verifyES256 dispatches between the two ECDSA signature encodings the +// JOSE spec allows for ES256: +// +// - RFC 7515 §3.4 fixed-width: r || s, each 32 bytes (raw concat) — the +// wire format JOSE-compliant Connectors use. +// - ASN.1 DER (SEQUENCE { r INTEGER, s INTEGER }) — older Connector +// builds and many .NET-based JWT libraries emit DER instead of the +// RFC 7515 fixed-width form. +// +// Try fixed-width first (the spec-blessed format); fall back to ASN.1. +// crypto/ecdsa.VerifyASN1 + ecdsa.Verify both return bool — no timing +// leak on the success path. +func verifyES256(signingInput, signature []byte, trust []*x509.Certificate) error { + h := sha256.Sum256(signingInput) + for _, cert := range trust { + pub, ok := cert.PublicKey.(*ecdsa.PublicKey) + if !ok { + continue + } + + // Fixed-width r||s form (JOSE-canonical for P-256 = 64 bytes). + if len(signature) == 64 { + r := new(big.Int).SetBytes(signature[:32]) + s := new(big.Int).SetBytes(signature[32:]) + if ecdsa.Verify(pub, h[:], r, s) { + return nil + } + } + + // ASN.1 DER form (older / non-JOSE encoders). + if ecdsa.VerifyASN1(pub, h[:], signature) { + return nil + } + } + return ErrChallengeSignature +} diff --git a/internal/scep/intune/challenge_test.go b/internal/scep/intune/challenge_test.go new file mode 100644 index 0000000..9b0e4be --- /dev/null +++ b/internal/scep/intune/challenge_test.go @@ -0,0 +1,526 @@ +package intune + +import ( + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "encoding/base64" + "encoding/json" + "errors" + "math/big" + "strings" + "testing" + "time" +) + +// Test idiom: each test materialises a real Connector signing cert + +// private key, builds a JWT-shaped challenge by hand, then runs it +// through Parse / Validate. Round-trip pins the exact wire format the +// Microsoft Intune Certificate Connector emits today (v1). + +// ============================================================================= +// Test helpers — Connector trust-anchor + signed challenge factories. +// ============================================================================= + +type testRSAConnector struct { + key *rsa.PrivateKey + cert *x509.Certificate +} + +func genTestRSAConnector(t *testing.T) testRSAConnector { + t.Helper() + key, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + t.Fatalf("rsa.GenerateKey: %v", err) + } + tmpl := &x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{CommonName: "test-intune-connector"}, + NotBefore: time.Now().Add(-1 * time.Hour), + NotAfter: time.Now().Add(365 * 24 * time.Hour), + KeyUsage: x509.KeyUsageDigitalSignature, + BasicConstraintsValid: true, + } + der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) + if err != nil { + t.Fatalf("x509.CreateCertificate: %v", err) + } + cert, err := x509.ParseCertificate(der) + if err != nil { + t.Fatalf("x509.ParseCertificate: %v", err) + } + return testRSAConnector{key: key, cert: cert} +} + +type testECDSAConnector struct { + key *ecdsa.PrivateKey + cert *x509.Certificate +} + +func genTestECDSAConnector(t *testing.T) testECDSAConnector { + t.Helper() + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("ecdsa.GenerateKey: %v", err) + } + tmpl := &x509.Certificate{ + SerialNumber: big.NewInt(2), + Subject: pkix.Name{CommonName: "test-intune-connector-es256"}, + NotBefore: time.Now().Add(-1 * time.Hour), + NotAfter: time.Now().Add(365 * 24 * time.Hour), + KeyUsage: x509.KeyUsageDigitalSignature, + BasicConstraintsValid: true, + } + der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) + if err != nil { + t.Fatalf("x509.CreateCertificate: %v", err) + } + cert, err := x509.ParseCertificate(der) + if err != nil { + t.Fatalf("x509.ParseCertificate: %v", err) + } + return testECDSAConnector{key: key, cert: cert} +} + +// signTestChallengeRS256 builds + signs a challenge with the given payload. +// alg defaults to RS256. +func signTestChallengeRS256(t *testing.T, c testRSAConnector, payload any) string { + t.Helper() + hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"}) + pl, _ := json.Marshal(payload) + signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + h := sha256.Sum256([]byte(signingInput)) + sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:]) + if err != nil { + t.Fatalf("rsa.SignPKCS1v15: %v", err) + } + return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig) +} + +// signTestChallengeES256_FixedWidth produces a JOSE-canonical r||s ES256. +func signTestChallengeES256_FixedWidth(t *testing.T, c testECDSAConnector, payload any) string { + t.Helper() + hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"}) + pl, _ := json.Marshal(payload) + signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + h := sha256.Sum256([]byte(signingInput)) + r, s, err := ecdsa.Sign(rand.Reader, c.key, h[:]) + if err != nil { + t.Fatalf("ecdsa.Sign: %v", err) + } + rb, sb := r.Bytes(), s.Bytes() + sig := make([]byte, 64) + copy(sig[32-len(rb):], rb) + copy(sig[64-len(sb):], sb) + return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig) +} + +// signTestChallengeES256_DER produces the older non-JOSE ASN.1 DER form. +func signTestChallengeES256_DER(t *testing.T, c testECDSAConnector, payload any) string { + t.Helper() + hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"}) + pl, _ := json.Marshal(payload) + signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + h := sha256.Sum256([]byte(signingInput)) + derSig, err := ecdsa.SignASN1(rand.Reader, c.key, h[:]) + if err != nil { + t.Fatalf("ecdsa.SignASN1: %v", err) + } + return signingInput + "." + base64.RawURLEncoding.EncodeToString(derSig) +} + +// validV1Payload returns a v1 challenge payload that is currently in-window. +func validV1Payload(now time.Time) challengePayloadV1 { + return challengePayloadV1{ + Issuer: "test-connector-installation-guid", + Subject: "device-guid-123", + Audience: "https://certctl.example.com/scep/corp", + IssuedAt: now.Add(-1 * time.Minute).Unix(), + ExpiresAt: now.Add(59 * time.Minute).Unix(), + Nonce: "abc123nonce", + DeviceName: "DEVICE-001", + SANDNS: []string{"device-001.example.com"}, + SANRFC822: []string{"device-001@example.com"}, + } +} + +// ============================================================================= +// ParseChallenge. +// ============================================================================= + +func TestParseChallenge_HappyPath(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + raw := signTestChallengeRS256(t, c, validV1Payload(now)) + + header, payload, signature, err := ParseChallenge(raw) + if err != nil { + t.Fatalf("ParseChallenge: %v", err) + } + if len(header) == 0 || len(payload) == 0 || len(signature) == 0 { + t.Fatalf("decoded segments are empty: header=%d payload=%d signature=%d", + len(header), len(payload), len(signature)) + } + var p challengePayloadV1 + if err := json.Unmarshal(payload, &p); err != nil { + t.Fatalf("payload not valid JSON: %v", err) + } + if p.DeviceName != "DEVICE-001" { + t.Errorf("DeviceName = %q, want DEVICE-001", p.DeviceName) + } +} + +func TestParseChallenge_Malformed(t *testing.T) { + cases := []struct { + name string + in string + }{ + {"empty", ""}, + {"missing dots", "abc"}, + {"two dots one missing segment", "abc..def"}, + {"trailing dot extra segment", "a.b.c.d"}, + {"first segment empty", ".b.c"}, + {"middle segment empty", "a..c"}, + {"last segment empty", "a.b."}, + {"non-base64 header", "!!!.YWJj.YWJj"}, + {"non-JSON header", base64.RawURLEncoding.EncodeToString([]byte("not json")) + ".YWJj.YWJj"}, + } + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + _, _, _, err := ParseChallenge(tc.in) + if !errors.Is(err, ErrChallengeMalformed) { + t.Fatalf("got %v, want errors.Is(ErrChallengeMalformed)", err) + } + }) + } +} + +func TestParseChallenge_PaddedBase64Tolerated(t *testing.T) { + // Some Connector versions emit padded base64url; we tolerate both. + hdr := base64.URLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`)) + pl := base64.URLEncoding.EncodeToString([]byte(`{"foo":"bar"}`)) + sig := base64.URLEncoding.EncodeToString([]byte("xx")) + if !strings.HasSuffix(hdr, "=") && !strings.HasSuffix(pl, "=") && !strings.HasSuffix(sig, "=") { + t.Skip("encoder didn't produce padding for this fixture; skipping") + } + raw := hdr + "." + pl + "." + sig + if _, _, _, err := ParseChallenge(raw); err != nil { + t.Fatalf("padded base64url should be tolerated: %v", err) + } +} + +// ============================================================================= +// ValidateChallenge — happy paths for both algs + both ES256 encodings. +// ============================================================================= + +func TestValidateChallenge_HappyPath_RS256(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeRS256(t, c, pl) + + got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now) + if err != nil { + t.Fatalf("ValidateChallenge: %v", err) + } + if got.DeviceName != "DEVICE-001" { + t.Errorf("DeviceName = %q", got.DeviceName) + } + if got.Nonce != "abc123nonce" { + t.Errorf("Nonce = %q", got.Nonce) + } + if got.IssuedAt.IsZero() || got.ExpiresAt.IsZero() { + t.Errorf("iat/exp not populated: iat=%v exp=%v", got.IssuedAt, got.ExpiresAt) + } +} + +func TestValidateChallenge_HappyPath_ES256_FixedWidth(t *testing.T) { + c := genTestECDSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeES256_FixedWidth(t, c, pl) + + got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now) + if err != nil { + t.Fatalf("ValidateChallenge: %v", err) + } + if got.Subject != "device-guid-123" { + t.Errorf("Subject = %q", got.Subject) + } +} + +func TestValidateChallenge_HappyPath_ES256_DER(t *testing.T) { + c := genTestECDSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeES256_DER(t, c, pl) + + if _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now); err != nil { + t.Fatalf("ValidateChallenge ES256 DER: %v", err) + } +} + +// ============================================================================= +// ValidateChallenge — failure dimensions. +// ============================================================================= + +func TestValidateChallenge_Expired(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + pl.ExpiresAt = now.Add(-1 * time.Minute).Unix() + raw := signTestChallengeRS256(t, c, pl) + + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now) + if !errors.Is(err, ErrChallengeExpired) { + t.Fatalf("got %v, want ErrChallengeExpired", err) + } +} + +func TestValidateChallenge_NotYetValid(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + pl.IssuedAt = now.Add(5 * time.Minute).Unix() // future iat (clock skew) + pl.ExpiresAt = now.Add(65 * time.Minute).Unix() + raw := signTestChallengeRS256(t, c, pl) + + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now) + if !errors.Is(err, ErrChallengeNotYetValid) { + t.Fatalf("got %v, want ErrChallengeNotYetValid", err) + } +} + +func TestValidateChallenge_WrongAudience(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeRS256(t, c, pl) + + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "https://wrong-host.example.com/scep", now) + if !errors.Is(err, ErrChallengeWrongAudience) { + t.Fatalf("got %v, want ErrChallengeWrongAudience", err) + } +} + +func TestValidateChallenge_EmptyExpectedAudienceDisablesCheck(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeRS256(t, c, pl) + + if _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", now); err != nil { + t.Fatalf("empty expected audience should disable the check: %v", err) + } +} + +func TestValidateChallenge_TamperedSignature(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeRS256(t, c, pl) + + parts := strings.Split(raw, ".") + // Flip one byte in the b64-decoded signature, then re-encode. + sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) + sig[0] ^= 0xFF + parts[2] = base64.RawURLEncoding.EncodeToString(sig) + tampered := strings.Join(parts, ".") + + _, err := ValidateChallenge(tampered, []*x509.Certificate{c.cert}, pl.Audience, now) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature", err) + } +} + +func TestValidateChallenge_TamperedPayload(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeRS256(t, c, pl) + + // Re-encode the payload with a different DeviceName but keep the + // original signature. Signature verification MUST catch this. + parts := strings.Split(raw, ".") + pl.DeviceName = "ATTACKER-CHANGED-DEVICE" + tamperedPayload, _ := json.Marshal(pl) + parts[1] = base64.RawURLEncoding.EncodeToString(tamperedPayload) + tampered := strings.Join(parts, ".") + + _, err := ValidateChallenge(tampered, []*x509.Certificate{c.cert}, pl.Audience, now) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature", err) + } +} + +func TestValidateChallenge_RotatedTrustAnchor(t *testing.T) { + signedBy := genTestRSAConnector(t) + rotatedTo := genTestRSAConnector(t) // operator already rotated; old key gone + + now := time.Now() + pl := validV1Payload(now) + raw := signTestChallengeRS256(t, signedBy, pl) + + _, err := ValidateChallenge(raw, []*x509.Certificate{rotatedTo.cert}, pl.Audience, now) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature", err) + } +} + +func TestValidateChallenge_EmptyTrustBundle(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + raw := signTestChallengeRS256(t, c, validV1Payload(now)) + + _, err := ValidateChallenge(raw, nil, "", now) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature", err) + } +} + +func TestValidateChallenge_AlgNoneRejected(t *testing.T) { + // Active alg=none attack: header says alg=none, signature is empty, + // the validator MUST reject regardless of any "valid"-looking payload. + hdr, _ := json.Marshal(jwtHeader{Alg: "none"}) + pl, _ := json.Marshal(validV1Payload(time.Now())) + raw := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + "." + + base64.RawURLEncoding.EncodeToString([]byte("nope")) + + c := genTestRSAConnector(t) + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now()) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature for alg=none", err) + } + if !strings.Contains(err.Error(), "none") { + t.Errorf("error message should mention alg=none for audit clarity: %v", err) + } +} + +func TestValidateChallenge_UnsupportedAlg(t *testing.T) { + hdr, _ := json.Marshal(jwtHeader{Alg: "HS256"}) + pl, _ := json.Marshal(validV1Payload(time.Now())) + raw := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + "." + + base64.RawURLEncoding.EncodeToString([]byte("hmac-bytes")) + + c := genTestRSAConnector(t) + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now()) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature for unsupported alg", err) + } +} + +func TestValidateChallenge_MissingAlgHeader(t *testing.T) { + hdr, _ := json.Marshal(map[string]string{"typ": "JWT"}) + pl, _ := json.Marshal(validV1Payload(time.Now())) + raw := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + "." + + base64.RawURLEncoding.EncodeToString([]byte("xx")) + + c := genTestRSAConnector(t) + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now()) + if !errors.Is(err, ErrChallengeSignature) { + t.Fatalf("got %v, want ErrChallengeSignature for missing alg", err) + } +} + +// ============================================================================= +// Version dispatcher. +// ============================================================================= + +func TestValidateChallenge_VersionV1ExplicitOK(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + type plWithVersion struct { + Version string `json:"version"` + challengePayloadV1 + } + p := plWithVersion{Version: "v1", challengePayloadV1: validV1Payload(now)} + raw := signTestChallengeRS256(t, c, p) + + got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, p.Audience, now) + if err != nil { + t.Fatalf("explicit v1 should be accepted: %v", err) + } + if got.DeviceName != "DEVICE-001" { + t.Errorf("DeviceName = %q", got.DeviceName) + } +} + +func TestValidateChallenge_VersionUnknownRejected(t *testing.T) { + c := genTestRSAConnector(t) + now := time.Now() + type plWithVersion struct { + Version string `json:"version"` + challengePayloadV1 + } + p := plWithVersion{Version: "v999", challengePayloadV1: validV1Payload(now)} + raw := signTestChallengeRS256(t, c, p) + + _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, p.Audience, now) + if !errors.Is(err, ErrChallengeUnknownVersion) { + t.Fatalf("got %v, want ErrChallengeUnknownVersion", err) + } +} + +// ============================================================================= +// Trust-anchor walk: when a trust bundle has both algs configured, the +// validator must ignore key-type mismatches without returning Signature. +// ============================================================================= + +func TestValidateChallenge_MixedTrustBundle_IgnoresKeyTypeMismatches(t *testing.T) { + rsaConn := genTestRSAConnector(t) + ecConn := genTestECDSAConnector(t) + now := time.Now() + pl := validV1Payload(now) + + // Sign with RSA; trust bundle has BOTH the RSA cert and an unrelated + // ECDSA cert. Validator should iterate, skip the EC cert (key type + // mismatch), find RSA, verify, return success. + raw := signTestChallengeRS256(t, rsaConn, pl) + bundle := []*x509.Certificate{ecConn.cert, rsaConn.cert} + if _, err := ValidateChallenge(raw, bundle, pl.Audience, now); err != nil { + t.Fatalf("mixed-bundle validate: %v", err) + } +} + +// ============================================================================= +// Defensive: malformed payload after good signature still surfaces a +// useful error (not a panic). +// ============================================================================= + +func TestValidateChallenge_NonJSONPayloadButValidSignature(t *testing.T) { + c := genTestRSAConnector(t) + hdr, _ := json.Marshal(jwtHeader{Alg: "RS256"}) + pl := []byte("this is not JSON") + signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + h := sha256.Sum256([]byte(signingInput)) + sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:]) + if err != nil { + t.Fatalf("rsa.SignPKCS1v15: %v", err) + } + raw := signingInput + "." + base64.RawURLEncoding.EncodeToString(sig) + + _, vErr := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now()) + if !errors.Is(vErr, ErrChallengeMalformed) { + t.Fatalf("got %v, want ErrChallengeMalformed", vErr) + } +} + +// asn1 + math/big are imported to keep the test compile in case future +// helpers add ASN.1 wire shaping (e.g. malformed-DER ES256 fixture). +var ( + _ = asn1.Marshal + _ = big.NewInt +) diff --git a/internal/scep/intune/claim.go b/internal/scep/intune/claim.go new file mode 100644 index 0000000..cbb3f99 --- /dev/null +++ b/internal/scep/intune/claim.go @@ -0,0 +1,162 @@ +package intune + +import ( + "crypto/x509" + "errors" + "fmt" + "sort" + "strings" + "time" +) + +// ChallengeClaim is the parsed payload of an Intune dynamic challenge. +// +// SCEP RFC 8894 + Intune master bundle Phase 7.3. +// +// Fields documented from Microsoft's Connector source traces + +// community implementations (smallstep/step-ca and HashiCorp Vault's +// Intune integrations both reverse-engineered the same format). The +// JSON tags match what the Connector emits today (v1 format); a v2 +// format would land alongside via the version-detection dispatcher +// in challenge.go. +// +// Set-equality semantics: the SAN slices are normalised (sorted, +// de-duped) before comparison so Microsoft's Connector emitting in a +// non-deterministic order doesn't break DeviceMatchesCSR. +type ChallengeClaim struct { + Issuer string `json:"iss,omitempty"` // Connector identity (installation GUID typical) + Subject string `json:"sub,omitempty"` // device GUID or user UPN + Audience string `json:"aud,omitempty"` // expected SCEP endpoint URL (replay protection) + IssuedAt time.Time `json:"-"` // populated by claim unmarshaler from "iat" Unix seconds + ExpiresAt time.Time `json:"-"` // populated by claim unmarshaler from "exp" Unix seconds + Nonce string `json:"nonce,omitempty"` // replay-protection token; opaque + DeviceName string `json:"device_name,omitempty"` // expected CSR CommonName + SANDNS []string `json:"san_dns,omitempty"` // expected SAN DNS names + SANRFC822 []string `json:"san_rfc822,omitempty"` // expected SAN email addresses (user certs) + SANUPN []string `json:"san_upn,omitempty"` // expected SAN userPrincipalName +} + +// Typed claim-mismatch errors so the caller can audit the specific +// failure dimension without string-matching on error messages. +var ( + ErrClaimCNMismatch = errors.New("intune claim: device_name does not match CSR CommonName") + ErrClaimSANDNSMismatch = errors.New("intune claim: SAN DNS set does not match CSR") + ErrClaimSANRFC822Mismatch = errors.New("intune claim: SAN RFC822 (email) set does not match CSR") + ErrClaimSANUPNMismatch = errors.New("intune claim: SAN UPN (userPrincipalName) set does not match CSR") +) + +// DeviceMatchesCSR returns nil if the CSR's CN and SANs match the +// claim's expected values. Returns a typed error otherwise so the +// caller can audit the specific mismatch. +// +// Set-equality semantics: if the claim says +// SANDNS=["a.example.com","b.example.com"] and the CSR has only +// "a.example.com", that's a mismatch — the operator's Intune profile +// was misconfigured or the CSR was tampered with. Both are "fail +// closed" cases. +// +// Empty claim slices = no constraint on that dimension. So a claim +// with SANDNS=nil + a CSR with DNS SANs is OK (Intune didn't pin DNS, +// the CSR can carry whatever). A claim with SANDNS=["x"] + a CSR +// with no DNS SANs is a mismatch (Intune pinned x, CSR doesn't have +// it). +func (c *ChallengeClaim) DeviceMatchesCSR(csr *x509.CertificateRequest) error { + if c == nil { + return errors.New("intune claim: nil claim") + } + if csr == nil { + return errors.New("intune claim: nil CSR") + } + + // CN is straight equality. Empty claim CN = no constraint. + if c.DeviceName != "" && c.DeviceName != csr.Subject.CommonName { + return fmt.Errorf("%w: claim=%q csr=%q", ErrClaimCNMismatch, c.DeviceName, csr.Subject.CommonName) + } + + // SAN sets — set-equality means the SCEP CSR carries EXACTLY the + // claim's elements, no extras and no missing. Normalising via + // sorted lower-case slices makes the compare order-independent. + if len(c.SANDNS) > 0 { + got := normaliseSet(csr.DNSNames) + want := normaliseSet(c.SANDNS) + if !equalSets(got, want) { + return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANDNSMismatch, want, got) + } + } + if len(c.SANRFC822) > 0 { + got := normaliseSet(csr.EmailAddresses) + want := normaliseSet(c.SANRFC822) + if !equalSets(got, want) { + return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANRFC822Mismatch, want, got) + } + } + if len(c.SANUPN) > 0 { + // UPN SANs ride otherName extensions per RFC 4985 §1.1; Go's + // stdlib doesn't surface them as a typed slice. Walk the raw + // extensions if present. Most Intune deploys use SAN-RFC822 + // (email) for user certs rather than SAN-UPN, so this branch is + // uncommon but pinned for correctness. + got := normaliseSet(extractUPNSans(csr)) + want := normaliseSet(c.SANUPN) + if !equalSets(got, want) { + return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANUPNMismatch, want, got) + } + } + return nil +} + +// normaliseSet returns a sorted, lowercased, de-duplicated copy of s. +// Lowercase because DNS / email comparison is case-insensitive (DNS +// per RFC 4343, email local-part is case-sensitive per RFC 5321 but +// Microsoft + most TLS stacks treat it case-insensitively for SAN +// comparison). De-dup so a CSR with ["a","a"] matches a claim with +// ["a"] — the cert's effective SAN set is what we're comparing, not +// the multiset. +func normaliseSet(s []string) []string { + seen := map[string]struct{}{} + out := make([]string, 0, len(s)) + for _, v := range s { + v = strings.ToLower(strings.TrimSpace(v)) + if v == "" { + continue + } + if _, ok := seen[v]; ok { + continue + } + seen[v] = struct{}{} + out = append(out, v) + } + sort.Strings(out) + return out +} + +func equalSets(a, b []string) bool { + if len(a) != len(b) { + return false + } + for i := range a { + if a[i] != b[i] { + return false + } + } + return true +} + +// extractUPNSans walks a CSR's raw extensions for SAN entries with the +// otherName form carrying the id-ms-san-upn OID (1.3.6.1.4.1.311.20.2.3). +// Returns the decoded UTF-8 string values. Returns empty slice when no +// UPN SANs are present (the common case). +// +// Implementation note: Go's stdlib doesn't decode UPN SANs; we'd have +// to walk the SubjectAltName extension's raw value as ASN.1 SEQUENCE OF +// GeneralName, find the [0] otherName tags, parse each as +// {OID, [0] EXPLICIT ANY}, match the OID, and decode the EXPLICIT value +// as a UTF8String. That's ~50 LoC of ASN.1 fiddling. For Phase 7 v1 we +// punt on it: returning an empty slice means SANUPN claims with non- +// empty values fail the equalSets check below — which is the correct +// fail-closed behavior for the rare deploy that pins UPN SANs but +// hasn't audited the wire format. If/when an operator actually needs +// SAN-UPN matching, hot-fix this function with the ASN.1 walker. +func extractUPNSans(_ *x509.CertificateRequest) []string { + return nil +} diff --git a/internal/scep/intune/claim_test.go b/internal/scep/intune/claim_test.go new file mode 100644 index 0000000..81a2d31 --- /dev/null +++ b/internal/scep/intune/claim_test.go @@ -0,0 +1,159 @@ +package intune + +import ( + "crypto/x509" + "crypto/x509/pkix" + "errors" + "testing" +) + +// Each TestDeviceMatchesCSR_* covers a single dimension (CN / SAN-DNS / +// SAN-RFC822 / SAN-UPN) with both happy-path and mismatch fixtures so the +// per-dimension typed errors stay wired up over future refactors. + +func newCSRFixture(cn string, dns, email []string) *x509.CertificateRequest { + return &x509.CertificateRequest{ + Subject: pkix.Name{CommonName: cn}, + DNSNames: dns, + EmailAddresses: email, + } +} + +func TestDeviceMatchesCSR_HappyPath_AllDimensions(t *testing.T) { + csr := newCSRFixture("DEVICE-001", []string{"a.example.com", "b.example.com"}, + []string{"alice@example.com"}) + c := &ChallengeClaim{ + DeviceName: "DEVICE-001", + SANDNS: []string{"b.example.com", "a.example.com"}, // reversed; set-equality + SANRFC822: []string{"alice@example.com"}, + } + if err := c.DeviceMatchesCSR(csr); err != nil { + t.Fatalf("happy-path match should succeed: %v", err) + } +} + +func TestDeviceMatchesCSR_NilGuards(t *testing.T) { + var nilClaim *ChallengeClaim + if err := nilClaim.DeviceMatchesCSR(&x509.CertificateRequest{}); err == nil { + t.Errorf("nil claim should error") + } + c := &ChallengeClaim{} + if err := c.DeviceMatchesCSR(nil); err == nil { + t.Errorf("nil CSR should error") + } +} + +func TestDeviceMatchesCSR_CNMismatch(t *testing.T) { + csr := newCSRFixture("ATTACKER-DEVICE", nil, nil) + c := &ChallengeClaim{DeviceName: "DEVICE-001"} + if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimCNMismatch) { + t.Fatalf("got %v, want ErrClaimCNMismatch", err) + } +} + +func TestDeviceMatchesCSR_EmptyClaimCN_NoConstraint(t *testing.T) { + csr := newCSRFixture("any-cn-is-fine", nil, nil) + c := &ChallengeClaim{} // no DeviceName pinned + if err := c.DeviceMatchesCSR(csr); err != nil { + t.Fatalf("empty claim CN must impose no constraint: %v", err) + } +} + +func TestDeviceMatchesCSR_SANDNSMismatch_Missing(t *testing.T) { + csr := newCSRFixture("d", []string{"a.example.com"}, nil) // missing b + c := &ChallengeClaim{SANDNS: []string{"a.example.com", "b.example.com"}} + if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) { + t.Fatalf("got %v, want ErrClaimSANDNSMismatch", err) + } +} + +func TestDeviceMatchesCSR_SANDNSMismatch_Extra(t *testing.T) { + csr := newCSRFixture("d", []string{"a.example.com", "evil.example.com"}, nil) + c := &ChallengeClaim{SANDNS: []string{"a.example.com"}} + if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) { + t.Fatalf("got %v, want ErrClaimSANDNSMismatch (CSR carries extra SAN)", err) + } +} + +func TestDeviceMatchesCSR_SANDNSMatch_CaseInsensitive(t *testing.T) { + csr := newCSRFixture("d", []string{"A.Example.COM"}, nil) + c := &ChallengeClaim{SANDNS: []string{"a.example.com"}} + if err := c.DeviceMatchesCSR(csr); err != nil { + t.Fatalf("DNS comparison must be case-insensitive (RFC 4343): %v", err) + } +} + +func TestDeviceMatchesCSR_SANDNSDedupe(t *testing.T) { + // CSR with duplicate SAN entries should still match a claim that + // only lists each unique value once. The "set" in set-equality is + // the cert's effective SAN set, not the multiset. + csr := newCSRFixture("d", []string{"a.example.com", "a.example.com"}, nil) + c := &ChallengeClaim{SANDNS: []string{"a.example.com"}} + if err := c.DeviceMatchesCSR(csr); err != nil { + t.Fatalf("dedup-equality must hold: %v", err) + } +} + +func TestDeviceMatchesCSR_EmptyClaimSAN_NoConstraint(t *testing.T) { + csr := newCSRFixture("d", []string{"any.example.com"}, nil) + c := &ChallengeClaim{} // no SANDNS pinned + if err := c.DeviceMatchesCSR(csr); err != nil { + t.Fatalf("empty claim SANDNS must impose no constraint: %v", err) + } +} + +func TestDeviceMatchesCSR_SANRFC822Mismatch(t *testing.T) { + csr := newCSRFixture("d", nil, []string{"bob@example.com"}) + c := &ChallengeClaim{SANRFC822: []string{"alice@example.com"}} + if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANRFC822Mismatch) { + t.Fatalf("got %v, want ErrClaimSANRFC822Mismatch", err) + } +} + +func TestDeviceMatchesCSR_SANUPNMismatch_NoExtractor(t *testing.T) { + // extractUPNSans currently returns nil; any non-empty SANUPN claim + // is therefore a guaranteed mismatch (correct fail-closed behavior). + csr := newCSRFixture("d", nil, nil) + c := &ChallengeClaim{SANUPN: []string{"alice@corp.example.com"}} + if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANUPNMismatch) { + t.Fatalf("got %v, want ErrClaimSANUPNMismatch (UPN extractor stubbed)", err) + } +} + +func TestNormaliseSet_EdgeCases(t *testing.T) { + cases := []struct { + name string + in []string + want []string + }{ + {"empty", nil, []string{}}, + {"trim space", []string{" hello "}, []string{"hello"}}, + {"drop empty after trim", []string{" ", "x"}, []string{"x"}}, + {"lowercase", []string{"HELLO", "World"}, []string{"hello", "world"}}, + {"dedupe", []string{"a", "a", "b"}, []string{"a", "b"}}, + {"sort", []string{"c", "a", "b"}, []string{"a", "b", "c"}}, + } + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + got := normaliseSet(tc.in) + if !equalSets(got, tc.want) { + t.Errorf("normaliseSet(%v) = %v, want %v", tc.in, got, tc.want) + } + }) + } +} + +func TestEqualSets_LengthMismatch(t *testing.T) { + if equalSets([]string{"a", "b"}, []string{"a"}) { + t.Errorf("different-length sets must not compare equal") + } +} + +func TestExtractUPNSans_StubReturnsEmpty(t *testing.T) { + // Pin the documented stub behavior. If/when ExtractUPNSans is + // implemented for real, this test is the canary that flags the + // behavioral change. + if got := extractUPNSans(&x509.CertificateRequest{}); len(got) != 0 { + t.Errorf("extractUPNSans stub must return empty slice; got %v", got) + } +} diff --git a/internal/scep/intune/doc.go b/internal/scep/intune/doc.go new file mode 100644 index 0000000..6bf1654 --- /dev/null +++ b/internal/scep/intune/doc.go @@ -0,0 +1,56 @@ +// Package intune handles the Microsoft Intune dynamic-challenge format +// embedded in SCEP CSR challengePassword attributes when the SCEP server +// is sitting behind the Microsoft Intune Certificate Connector. +// +// SCEP RFC 8894 + Intune master bundle Phase 7. +// +// Architecture context: +// +// Intune cloud +// ↓ (device cert request) +// Intune Certificate Connector (on customer infra) +// ↓ (SCEP CSR with challenge signed by Connector) +// certctl SCEP server ← THIS PACKAGE validates the Connector's signed challenge +// ↓ (issue cert) +// issuer connector (local CA, Vault, EJBCA, etc.) +// +// The Connector's signed challenge is a JWT-like blob (compact +// serialization, header.payload.signature) where the payload is a JSON +// object containing the device + user claim, the expected CN + SANs, +// expiry, and a nonce. The signature is over header+"."+payload using +// the Connector's installation signing key — the operator extracts that +// key's certificate and configures it as certctl's trust anchor at +// startup. +// +// This package does NOT call Microsoft's API directly. The Connector +// already did that; this package validates the Connector's attestation. +// +// What this package is NOT: +// +// - NOT a full JWT (JOSE) implementation. It parses + verifies one +// specific format with a fixed set of supported algorithms (RS256, +// ES256). No JWKS fetch, no JKU header trust, no kid-based key +// rotation — the operator-supplied trust bundle IS the trust +// anchor, and the validator tries each cert in the bundle until +// one verifies. +// - NOT a generic SCEP-shape detector. The handler dispatches to this +// package only when the configured SCEPProfile has IntuneEnabled=true +// AND the inbound challengePassword "looks Intune-shaped" (length + +// dot-count heuristic landed in Phase 8). +// - NOT a Microsoft API client. The Connector's role is to talk to +// Microsoft; certctl's role is to validate the Connector's signed +// attestation. The replacement target this whole bundle eliminates +// is NDES, NOT the Connector. +// +// References: +// +// - https://learn.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview +// - https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure +// - smallstep/step-ca Intune integration (community reverse-engineering of the format) +// - HashiCorp Vault PKI Intune integration (same) +// +// The format details land in this package from a combination of +// Microsoft's published Connector behavior + community implementations +// that have reverse-engineered the JWT shape. Cite the implementation +// references in the parser code's doc comment when you change format. +package intune diff --git a/internal/scep/intune/fuzz_test.go b/internal/scep/intune/fuzz_test.go new file mode 100644 index 0000000..02e4b4e --- /dev/null +++ b/internal/scep/intune/fuzz_test.go @@ -0,0 +1,56 @@ +package intune + +import ( + "crypto/x509" + "encoding/base64" + "encoding/json" + "testing" + "time" +) + +// FuzzParseChallenge feeds arbitrary input to the parser and asserts +// no panics. The challenge wire format is exposed to untrusted devices +// (anyone who can hit the SCEP endpoint can submit a challenge); the +// parser MUST never crash the SCEP server. Run for at least 5 minutes +// in CI: `go test -run='^$' -fuzz=FuzzParseChallenge -fuzztime=5m +// ./internal/scep/intune/...` +// +// SCEP RFC 8894 + Intune master bundle Phase 7.5 (fuzz coverage). +func FuzzParseChallenge(f *testing.F) { + // Seed corpus: a real well-formed challenge so the fuzzer has + // structural mutation territory to explore (rather than starting + // from random ASCII). + hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"}) + pl, _ := json.Marshal(challengePayloadV1{ + Issuer: "fuzz", + Audience: "fuzz-aud", + IssuedAt: time.Now().Unix(), + ExpiresAt: time.Now().Add(1 * time.Hour).Unix(), + Nonce: "fuzz-nonce", + }) + seed := base64.RawURLEncoding.EncodeToString(hdr) + "." + + base64.RawURLEncoding.EncodeToString(pl) + "." + + base64.RawURLEncoding.EncodeToString([]byte("fuzz-sig-bytes")) + + f.Add(seed) + f.Add("") + f.Add(".") + f.Add("..") + f.Add("a.b.c") + f.Add("a..c") + f.Add(".b.") + f.Add("not-base64.not-base64.not-base64") + f.Add(string([]byte{0x00, 0x01, 0x02})) + + f.Fuzz(func(t *testing.T, raw string) { + // ParseChallenge on its own. + _, _, _, _ = ParseChallenge(raw) + + // Drive ValidateChallenge too — the full pipeline. Empty trust + // bundle short-circuits, but the parse + dispatch arms still + // execute; pass a non-empty placeholder so signature-verify + // gets exercised against arbitrary input. + bundle := []*x509.Certificate{} // empty to short-circuit cheap path + _, _ = ValidateChallenge(raw, bundle, "", time.Now()) + }) +} diff --git a/internal/scep/intune/replay.go b/internal/scep/intune/replay.go new file mode 100644 index 0000000..45f7488 --- /dev/null +++ b/internal/scep/intune/replay.go @@ -0,0 +1,191 @@ +package intune + +import ( + "sync" + "time" +) + +// ReplayCache is a bounded in-memory cache of seen Intune challenge +// nonces with TTL. Gates against the same Connector-signed challenge +// being replayed against the SCEP server within its validity window. +// +// SCEP RFC 8894 + Intune master bundle Phase 7.4b. +// +// Sizing rationale (cap = 100,000 entries): +// +// - Microsoft's published Connector defaults give each challenge +// a 60-minute validity window. A high-volume Intune fleet +// enrolling at ~25 RPS hits ~90,000 challenges/hour. +// - Capping at 100,000 covers the steady-state load with headroom. +// When the cap is hit, the janitor goroutine evicts entries past +// TTL first; if all entries are still in-window, oldest-first +// eviction kicks in (LRU semantics) — accepting the small +// replay-window risk over an OOM crash. +// - Operators who push beyond this rate should flip to a Redis- +// backed implementation (deferred to V3-Pro per the master +// prompt's deferral list); the in-memory variant is V2 default. +// +// Concurrency: sync.Map handles concurrent read/write without an +// explicit lock; the janitor goroutine periodically walks for expired +// entries. Cap enforcement on Insert is done under a small mutex so +// the cap check + size update are atomic. +type ReplayCache struct { + entries sync.Map // nonce → expiry (time.Time) + mu sync.Mutex // guards size + janitor lifecycle + size int // approximate count (sync.Map has no Len) + cap int // max entries before LRU eviction kicks in + ttl time.Duration + stop chan struct{} + stopOnce sync.Once +} + +// NewReplayCache returns a ReplayCache with the given TTL + cap. Starts +// a janitor goroutine that wakes every TTL/4 to evict expired entries. +// Caller MUST call Close when done to stop the goroutine. +// +// TTL = 0 disables the janitor (useful for tests that drive expiry +// manually). +// cap = 0 defaults to 100,000 (the rationale-documented production +// default). +func NewReplayCache(ttl time.Duration, capHint int) *ReplayCache { + if capHint <= 0 { + capHint = 100_000 + } + c := &ReplayCache{ + cap: capHint, + ttl: ttl, + stop: make(chan struct{}), + } + if ttl > 0 { + go c.janitor() + } + return c +} + +// CheckAndInsert returns true when the nonce has NOT been seen before +// (i.e. the challenge is not a replay) AND records the nonce as seen +// with expiry = now + c.ttl. Returns false when the nonce was already +// seen and is still within its TTL window — the caller should treat +// this as a replay attack and reject the challenge. +// +// At-cap behavior: when the cache is full, CheckAndInsert evicts the +// oldest entry (a single Range pass to find min-expiry) before +// inserting. This is O(N) at the boundary; in practice the janitor +// keeps the cache below cap so the eviction path rarely fires. +func (c *ReplayCache) CheckAndInsert(nonce string, now time.Time) bool { + if nonce == "" { + // Empty nonce can't be tracked meaningfully; treat as 'fresh' + // — the caller's claim-validation should reject empty-nonce + // challenges separately (it's a Connector-emitted-format bug). + return true + } + + if existing, ok := c.entries.Load(nonce); ok { + if existingExpiry, _ := existing.(time.Time); now.Before(existingExpiry) { + return false // replay + } + // Past TTL; drop + treat as fresh (race-safe: even if two + // goroutines see the expired entry, both proceed and the second + // Insert wins). + c.delete(nonce) + } + + // At-cap LRU eviction. + c.mu.Lock() + if c.size >= c.cap { + c.evictOldestLocked() + } + c.size++ + c.mu.Unlock() + + c.entries.Store(nonce, now.Add(c.ttl)) + return true +} + +// Close stops the janitor goroutine. Safe to call multiple times. +func (c *ReplayCache) Close() { + c.stopOnce.Do(func() { + close(c.stop) + }) +} + +// Sweep walks the entries and evicts any past TTL. Public so tests +// can drive expiry without waiting for the janitor's tick. Returns +// the number of entries evicted. +func (c *ReplayCache) Sweep(now time.Time) int { + evicted := 0 + c.entries.Range(func(k, v any) bool { + expiry, _ := v.(time.Time) + if !now.Before(expiry) { + c.delete(k.(string)) + evicted++ + } + return true + }) + return evicted +} + +// delete is the size-tracked counterpart to entries.Delete. The size +// counter is approximate (sync.Map.Range races with Insert), but the +// approximation only affects cap enforcement timing — never causes a +// false replay rejection. +func (c *ReplayCache) delete(nonce string) { + if _, loaded := c.entries.LoadAndDelete(nonce); loaded { + c.mu.Lock() + if c.size > 0 { + c.size-- + } + c.mu.Unlock() + } +} + +// evictOldestLocked is called under c.mu held. Walks entries to find +// the entry with the minimum expiry (i.e. the oldest entry — closest +// to its TTL deadline) and removes it. O(N) but rarely hit; the +// janitor keeps the cache below cap. +func (c *ReplayCache) evictOldestLocked() { + var oldestKey string + var oldestExpiry time.Time + first := true + c.entries.Range(func(k, v any) bool { + expiry, _ := v.(time.Time) + if first || expiry.Before(oldestExpiry) { + oldestKey = k.(string) + oldestExpiry = expiry + first = false + } + return true + }) + if oldestKey != "" { + if _, loaded := c.entries.LoadAndDelete(oldestKey); loaded && c.size > 0 { + c.size-- + } + } +} + +// janitor wakes every ttl/4 and sweeps expired entries. Background-only; +// the test harness can drive expiry deterministically via Sweep. +func (c *ReplayCache) janitor() { + interval := c.ttl / 4 + if interval <= 0 { + interval = 1 * time.Minute + } + t := time.NewTicker(interval) + defer t.Stop() + for { + select { + case <-c.stop: + return + case <-t.C: + c.Sweep(time.Now()) + } + } +} + +// Len returns the approximate cache size for observability. Not +// load-stable; use only for metrics + debug logs. +func (c *ReplayCache) Len() int { + c.mu.Lock() + defer c.mu.Unlock() + return c.size +} diff --git a/internal/scep/intune/replay_test.go b/internal/scep/intune/replay_test.go new file mode 100644 index 0000000..a17dd33 --- /dev/null +++ b/internal/scep/intune/replay_test.go @@ -0,0 +1,151 @@ +package intune + +import ( + "fmt" + "sync" + "testing" + "time" +) + +func TestReplayCache_FirstInsertFresh(t *testing.T) { + c := NewReplayCache(60*time.Minute, 100) + defer c.Close() + if !c.CheckAndInsert("nonce-1", time.Now()) { + t.Fatalf("first insert must report fresh") + } +} + +func TestReplayCache_DuplicateRejected(t *testing.T) { + c := NewReplayCache(60*time.Minute, 100) + defer c.Close() + now := time.Now() + if !c.CheckAndInsert("nonce-1", now) { + t.Fatalf("first insert must report fresh") + } + if c.CheckAndInsert("nonce-1", now) { + t.Fatalf("second insert must report replay") + } +} + +func TestReplayCache_PastTTLTreatedAsFresh(t *testing.T) { + // TTL=0 disables the janitor; we drive expiry by passing future timestamps. + c := NewReplayCache(10*time.Minute, 100) + defer c.Close() + + t0 := time.Now() + if !c.CheckAndInsert("nonce-1", t0) { + t.Fatalf("first insert must report fresh") + } + // Same nonce, but observation time is past expiry → fresh again. + if !c.CheckAndInsert("nonce-1", t0.Add(11*time.Minute)) { + t.Fatalf("post-TTL re-insert must report fresh") + } +} + +func TestReplayCache_SweepEvictsExpired(t *testing.T) { + c := NewReplayCache(10*time.Minute, 100) + defer c.Close() + + t0 := time.Now() + c.CheckAndInsert("nonce-1", t0) + c.CheckAndInsert("nonce-2", t0) + if got := c.Len(); got != 2 { + t.Fatalf("Len = %d, want 2", got) + } + + evicted := c.Sweep(t0.Add(11 * time.Minute)) + if evicted != 2 { + t.Errorf("Sweep evicted %d, want 2", evicted) + } + if got := c.Len(); got != 0 { + t.Errorf("Len after sweep = %d, want 0", got) + } +} + +func TestReplayCache_EmptyNonceTreatedAsFresh(t *testing.T) { + c := NewReplayCache(10*time.Minute, 100) + defer c.Close() + if !c.CheckAndInsert("", time.Now()) { + t.Fatalf("empty nonce must short-circuit to fresh (caller validates separately)") + } + // And a second empty also returns fresh (we don't track them). + if !c.CheckAndInsert("", time.Now()) { + t.Fatalf("second empty nonce should also report fresh; we don't cache empties") + } +} + +func TestReplayCache_AtCapEvictsOldest(t *testing.T) { + // Cap of 3 makes the boundary easy to hit deterministically. + c := NewReplayCache(60*time.Minute, 3) + defer c.Close() + + t0 := time.Now() + // Insert 3 entries with strictly increasing expiries. + c.CheckAndInsert("oldest", t0) + c.CheckAndInsert("middle", t0.Add(1*time.Minute)) + c.CheckAndInsert("newest", t0.Add(2*time.Minute)) + if got := c.Len(); got != 3 { + t.Fatalf("Len = %d, want 3", got) + } + + // 4th insert must evict "oldest". + c.CheckAndInsert("brand-new", t0.Add(3*time.Minute)) + if got := c.Len(); got != 3 { + t.Errorf("Len after at-cap insert = %d, want 3 (cap honored)", got) + } + // "oldest" should now be re-insertable as fresh. + if !c.CheckAndInsert("oldest", t0.Add(4*time.Minute)) { + t.Errorf("oldest must have been evicted under LRU at-cap policy") + } +} + +func TestReplayCache_DefaultCap(t *testing.T) { + // capHint = 0 should default to 100,000 per the documented sizing. + c := NewReplayCache(60*time.Minute, 0) + defer c.Close() + if c.cap != 100_000 { + t.Errorf("default cap = %d, want 100000", c.cap) + } +} + +func TestReplayCache_CloseIsIdempotent(t *testing.T) { + c := NewReplayCache(60*time.Minute, 10) + c.Close() + c.Close() // must not panic +} + +func TestReplayCache_TTLZeroDisablesJanitor(t *testing.T) { + // TTL=0 + capHint=0 should produce a usable cache that doesn't + // background-evict; the test mostly pins that NewReplayCache returns + // without panicking and that Close still works. + c := NewReplayCache(0, 10) + defer c.Close() + // Empty nonce path is the only safe one without TTL semantics; exercise it. + if !c.CheckAndInsert("", time.Now()) { + t.Fatalf("zero-TTL cache must still serve empty-nonce fast path") + } +} + +func TestReplayCache_ConcurrentInsertsRaceFree(t *testing.T) { + if testing.Short() { + t.Skip("race-style test under -short; run full suite for coverage") + } + c := NewReplayCache(60*time.Minute, 10000) + defer c.Close() + + var wg sync.WaitGroup + for i := 0; i < 50; i++ { + wg.Add(1) + go func(id int) { + defer wg.Done() + now := time.Now() + for j := 0; j < 200; j++ { + c.CheckAndInsert(fmt.Sprintf("g%d-n%d", id, j), now) + } + }(i) + } + wg.Wait() + if got := c.Len(); got != 50*200 { + t.Errorf("Len = %d, want %d (no Insert dropped under contention)", got, 50*200) + } +} diff --git a/internal/scep/intune/trust_anchor.go b/internal/scep/intune/trust_anchor.go new file mode 100644 index 0000000..b3d19de --- /dev/null +++ b/internal/scep/intune/trust_anchor.go @@ -0,0 +1,73 @@ +package intune + +import ( + "crypto/x509" + "encoding/pem" + "fmt" + "os" + "time" +) + +// LoadTrustAnchor reads a PEM bundle of one or more Intune Connector +// signing certificates from the configured path. Returns the slice of +// parsed certs that the validator will accept as challenge issuers. +// +// SCEP RFC 8894 + Intune master bundle Phase 7.2. +// +// Behavior: +// +// - File must exist + be readable. +// - PEM-decodes the file; non-CERTIFICATE blocks are skipped (so an +// operator can paste a chain that includes a private key by mistake +// without breaking the load — the priv key is just ignored). +// - Returns an error if zero CERTIFICATE blocks parse. +// - Returns an error if any cert is past NotAfter (a stale trust +// anchor would silently reject every Intune challenge at runtime; +// fail loud at startup instead). +// +// Operators rotate Connector signing certs periodically; the trust +// anchor file is reloaded on SIGHUP (handled by the existing config +// watch loop in cmd/server/main.go — see cmd/server/tls.go::watchSIGHUP +// for the precedent). +func LoadTrustAnchor(path string) ([]*x509.Certificate, error) { + if path == "" { + return nil, fmt.Errorf("intune: trust anchor path is empty") + } + body, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("intune: read trust anchor %q: %w", path, err) + } + return parseTrustAnchorPEM(body, path, time.Now()) +} + +// parseTrustAnchorPEM is the file-IO-free core of LoadTrustAnchor. Split +// out so unit tests can hand it byte slices without writing temp files. +// `now` is taken as a parameter so expiry tests can pin a deterministic +// clock. +func parseTrustAnchorPEM(body []byte, sourceLabel string, now time.Time) ([]*x509.Certificate, error) { + var out []*x509.Certificate + rest := body + for { + var block *pem.Block + block, rest = pem.Decode(rest) + if block == nil { + break + } + if block.Type != "CERTIFICATE" { + continue + } + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, fmt.Errorf("intune: parse trust anchor cert in %q: %w", sourceLabel, err) + } + if now.After(cert.NotAfter) { + return nil, fmt.Errorf("intune: trust anchor cert in %q expired at %s (subject=%q) — operator must rotate the Connector signing cert before restart", + sourceLabel, cert.NotAfter.Format(time.RFC3339), cert.Subject.CommonName) + } + out = append(out, cert) + } + if len(out) == 0 { + return nil, fmt.Errorf("intune: trust anchor %q contains no CERTIFICATE PEM blocks", sourceLabel) + } + return out, nil +} diff --git a/internal/scep/intune/trust_anchor_test.go b/internal/scep/intune/trust_anchor_test.go new file mode 100644 index 0000000..db5c304 --- /dev/null +++ b/internal/scep/intune/trust_anchor_test.go @@ -0,0 +1,171 @@ +package intune + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "errors" + "math/big" + "os" + "path/filepath" + "strings" + "testing" + "time" +) + +// pemEncodeCert is a small DRY helper for the PEM bundle fixtures. +func pemEncodeCert(t *testing.T, der []byte) []byte { + t.Helper() + return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) +} + +// freshConnectorCertDER returns a freshly-minted EC P-256 cert as raw DER +// + the matching key. Lifetime is parameterised so the same factory drives +// both the happy-path and expired-cert cases. +func freshConnectorCertDER(t *testing.T, notAfter time.Time) ([]byte, *ecdsa.PrivateKey) { + t.Helper() + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("ecdsa.GenerateKey: %v", err) + } + tmpl := &x509.Certificate{ + SerialNumber: big.NewInt(time.Now().UnixNano()), + Subject: pkix.Name{CommonName: "intune-connector-test"}, + NotBefore: time.Now().Add(-1 * time.Hour), + NotAfter: notAfter, + } + der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) + if err != nil { + t.Fatalf("x509.CreateCertificate: %v", err) + } + return der, key +} + +func TestParseTrustAnchorPEM_HappyPath_SingleCert(t *testing.T) { + der, _ := freshConnectorCertDER(t, time.Now().Add(365*24*time.Hour)) + body := pemEncodeCert(t, der) + + certs, err := parseTrustAnchorPEM(body, "test", time.Now()) + if err != nil { + t.Fatalf("parseTrustAnchorPEM: %v", err) + } + if len(certs) != 1 { + t.Fatalf("len(certs) = %d, want 1", len(certs)) + } + if certs[0].Subject.CommonName != "intune-connector-test" { + t.Errorf("Subject.CommonName = %q", certs[0].Subject.CommonName) + } +} + +func TestParseTrustAnchorPEM_HappyPath_MultiCert(t *testing.T) { + d1, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour)) + d2, _ := freshConnectorCertDER(t, time.Now().Add(60*24*time.Hour)) + body := append(pemEncodeCert(t, d1), pemEncodeCert(t, d2)...) + + certs, err := parseTrustAnchorPEM(body, "test", time.Now()) + if err != nil { + t.Fatalf("parseTrustAnchorPEM: %v", err) + } + if len(certs) != 2 { + t.Fatalf("len(certs) = %d, want 2", len(certs)) + } +} + +func TestParseTrustAnchorPEM_SkipsNonCertBlocks(t *testing.T) { + der, key := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour)) + keyDER, err := x509.MarshalECPrivateKey(key) + if err != nil { + t.Fatalf("MarshalECPrivateKey: %v", err) + } + keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}) + body := append(keyPEM, pemEncodeCert(t, der)...) // priv key first, cert second + + certs, err := parseTrustAnchorPEM(body, "test", time.Now()) + if err != nil { + t.Fatalf("parseTrustAnchorPEM should ignore non-CERTIFICATE blocks: %v", err) + } + if len(certs) != 1 { + t.Fatalf("len(certs) = %d, want 1 (priv key block must be skipped)", len(certs)) + } +} + +func TestParseTrustAnchorPEM_EmptyBundleRejected(t *testing.T) { + _, err := parseTrustAnchorPEM([]byte("nothing here"), "test", time.Now()) + if err == nil || !strings.Contains(err.Error(), "no CERTIFICATE PEM blocks") { + t.Fatalf("expected 'no CERTIFICATE PEM blocks' error, got %v", err) + } +} + +func TestParseTrustAnchorPEM_OnlyKeyBlocksRejected(t *testing.T) { + key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + keyDER, _ := x509.MarshalECPrivateKey(key) + body := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}) + + _, err := parseTrustAnchorPEM(body, "test", time.Now()) + if err == nil { + t.Fatalf("expected error for bundle with no certs, got nil") + } +} + +func TestParseTrustAnchorPEM_ExpiredCertRejected(t *testing.T) { + der, _ := freshConnectorCertDER(t, time.Now().Add(-1*time.Hour)) // already expired + body := pemEncodeCert(t, der) + + _, err := parseTrustAnchorPEM(body, "expired-bundle", time.Now()) + if err == nil || !strings.Contains(err.Error(), "expired") { + t.Fatalf("expected expiry error, got %v", err) + } + // Operator-actionable message must include the subject so the audit + // log says exactly which cert to rotate. + if !strings.Contains(err.Error(), "intune-connector-test") { + t.Errorf("error must include subject CN for operator action: %v", err) + } +} + +func TestParseTrustAnchorPEM_MalformedCertRejected(t *testing.T) { + bad := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not-a-real-asn1-cert")}) + + _, err := parseTrustAnchorPEM(bad, "test", time.Now()) + if err == nil { + t.Fatalf("expected x509 parse error, got nil") + } +} + +func TestLoadTrustAnchor_FromDisk(t *testing.T) { + der, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour)) + body := pemEncodeCert(t, der) + + dir := t.TempDir() + path := filepath.Join(dir, "intune-trust.pem") + if err := os.WriteFile(path, body, 0o600); err != nil { + t.Fatalf("WriteFile: %v", err) + } + certs, err := LoadTrustAnchor(path) + if err != nil { + t.Fatalf("LoadTrustAnchor: %v", err) + } + if len(certs) != 1 { + t.Fatalf("len(certs) = %d, want 1", len(certs)) + } +} + +func TestLoadTrustAnchor_EmptyPath(t *testing.T) { + _, err := LoadTrustAnchor("") + if err == nil || !strings.Contains(err.Error(), "empty") { + t.Fatalf("expected empty-path error, got %v", err) + } +} + +func TestLoadTrustAnchor_MissingFile(t *testing.T) { + _, err := LoadTrustAnchor("/tmp/does-not-exist-intune-trust.pem") + if err == nil { + t.Fatalf("expected file-not-found error, got nil") + } + // Don't string-assert on the OS error — just make sure it's surfaced. + if errors.Is(err, nil) { + t.Fatalf("error must be non-nil") + } +}