security: scope revocation unique index to (issuer_id, serial_number) (fixes H-1)

RFC 5280 §5.2.3 defines certificate serial number uniqueness per issuing CA, not globally. The prior unique index on `certificate_revocations.serial_number` enforced a stricter invariant than the spec: with 12 issuer connectors (Local CA, ACME, Vault, step-ca, OpenSSL, DigiCert, Sectigo, Google CAS, AWS ACM PCA, Entrust, GlobalSign, EJBCA), two distinct certificates legitimately issued by different CAs can share a serial number. Recording a revocation for the second collision silently dropped via `ON CONFLICT DO NOTHING`, leaving the second cert persistently absent from OCSP/CRL responses. Changes: - Migration 000012 drops `idx_certificate_revocations_serial` and creates `idx_certificate_revocations_issuer_serial` UNIQUE ON (issuer_id, serial_number). Adds a non-unique `idx_certificate_revocations_serial_lookup` to preserve the serial-only fast path for OCSP/CRL probes that already know the issuer scope. - `CertificateRevocationRepository.Create` targets the new composite key in `ON CONFLICT` — same-issuer idempotency preserved, cross-issuer collisions now recorded as distinct rows. - `GetBySerial(serial)` renamed `GetByIssuerAndSerial(issuerID, serial)` on the interface and Postgres impl. All callers (OCSP responder, CRL generator, short-lived-cert exemption check) already have `issuerID` in scope because the protocol paths carry it (`/api/v1/ocsp/{issuer_id}/{serial}`, `/api/v1/crl/{issuer_id}`). - Repository integration test added: `TestRevocationRepository_CrossIssuerSerialCollision` asserts that serial `CAFEBABE01` can be stored under two issuers simultaneously, that lookups return the correct row per (issuer, serial), and that same-issuer idempotency still works (re-inserting (issuer, serial) does not error and does not duplicate). - Existing tests and service/integration mocks updated for the rename. Wire-format invariants preserved: CRL DER bytes, OCSP response bytes, and AES-256-GCM config encryption are unaffected — this change touches only revocation-record uniqueness scope. CWE-664.
2026-06-12 02:39:01 +00:00 · 2026-04-16 21:49:59 +00:00
parent fb4ce1a243
commit 844a05cc02
8 changed files with 184 additions and 21 deletions
@@ -19,13 +19,18 @@ func NewRevocationRepository(db *sql.DB) *RevocationRepository {
 }

 // Create records a new certificate revocation.
+//
+// Uniqueness is scoped to (issuer_id, serial_number) per RFC 5280 §5.2.3.
+// Serial numbers are only unique within an issuer, so certctl supports
+// collisions across different issuer connectors. The composite ON CONFLICT
+// target matches migration 000012's unique index.
 func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
 	_, err := r.db.ExecContext(ctx, `
 		INSERT INTO certificate_revocations (
 			id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 			issuer_id, issuer_notified, created_at
 		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-		ON CONFLICT (serial_number) DO NOTHING
+		ON CONFLICT (issuer_id, serial_number) DO NOTHING
 	`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
 		revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
 		revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
@@ -37,20 +42,24 @@ func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.Ce
 	return nil
 }

-// GetBySerial retrieves a revocation by serial number.
-func (r *RevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial) pair.
+//
+// Per RFC 5280 §5.2.3, serial numbers are unique only within a single issuer.
+// Callers (OCSP handlers, CRL generation) always know the issuer because the
+// OCSP URL carries it as a path parameter and CRLs are generated per-issuer.
+func (r *RevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	var rev domain.CertificateRevocation
 	err := r.db.QueryRowContext(ctx, `
 		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 		       issuer_id, issuer_notified, created_at
 		FROM certificate_revocations
-		WHERE serial_number = $1
-	`, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
+		WHERE issuer_id = $1 AND serial_number = $2
+	`, issuerID, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
 		&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
 		&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)

 	if err != nil {
-		return nil, fmt.Errorf("failed to get revocation by serial: %w", err)
+		return nil, fmt.Errorf("failed to get revocation by issuer and serial: %w", err)
 	}

 	return &rev, nil