fix(bundle-4): EST/SCEP Attack Surface Hardening — 3 audit findings closed

Closes 3 findings (1 High + 1 Medium + 1 Low) from
/Users/shankar/Desktop/cowork/comprehensive-audit-2026-04-25/.

Bundle 4 hardens the only attack surface reachable by an anonymous network
attacker in certctl: the unauthenticated EST + SCEP enrollment endpoints.

Findings closed:

  - H-004 (High): Hand-rolled ASN.1 parser had no fuzz target.
    The audit's original framing pointed at internal/pkcs7/, but recon
    confirmed that package is an ASN.1 ENCODER (BuildCertsOnlyPKCS7,
    ASN1Wrap*, ASN1EncodeLength) — not a parser. The actual hand-rolled
    PKCS#7 PARSING reachable via anonymous network is in
    internal/api/handler/scep.go::extractCSRFromPKCS7 +
    parseSignedDataForCSR. Added native go fuzz targets:
      * internal/api/handler/scep_fuzz_test.go::FuzzExtractCSRFromPKCS7
      * internal/api/handler/scep_fuzz_test.go::FuzzParseSignedDataForCSR
      * internal/pkcs7/pkcs7_fuzz_test.go::FuzzPEMToDERChain (defense-in-depth)
      * internal/pkcs7/pkcs7_fuzz_test.go::FuzzASN1EncodeLength (defense-in-depth)
    Local 15s fuzz session: 150k execs on FuzzExtractCSRFromPKCS7,
    937k on FuzzPEMToDERChain, 925k on FuzzASN1EncodeLength — zero panics.

  - M-021 (Medium): EST TLS-Unique channel binding (RFC 7030 §3.2.3).
    Added internal/api/handler/est.go::verifyESTTransport — defense-in-depth
    TLS pre-conditions (r.TLS != nil; HandshakeComplete; TLS ≥ 1.2).
    The full §3.2.3 channel binding only applies when EST mTLS is in use;
    certctl does not currently support EST mTLS, so the §3.2.3 requirement
    is moot today. RFC 9266 (TLS 1.3 tls-exporter) and EST mTLS are
    documented as deferred follow-ups in the verifyESTTransport doc comment.

  - L-005 (Low): EST/SCEP issuer-binding fail-loud at startup.
    Pre-Bundle-4 cmd/server/main.go validated that CERTCTL_EST_ISSUER_ID and
    CERTCTL_SCEP_ISSUER_ID existed in the registry but did NOT validate the
    issuer TYPE could emit a CA cert. An operator binding EST to an ACME
    issuer (whose GetCACertPEM returns explicit error) booted successfully
    and only failed at first /est/cacerts request. Post-Bundle-4: new
    preflightEnrollmentIssuer helper calls GetCACertPEM(ctx) at startup
    with a 10s timeout. Failure logs the connector error + the candidate
    issuer types and os.Exit(1).

Tests added/modified:
  - internal/api/handler/est_transport_test.go (new) — 5 verifyESTTransport
    table cases covering plaintext-rejected, incomplete-handshake-rejected,
    TLS 1.0 rejected, TLS 1.2/1.3 accepted
  - cmd/server/preflight_test.go (new) — TestPreflightEnrollmentIssuer
    covering nil-connector, error-from-issuer, empty-PEM, valid cases
  - internal/api/handler/est_handler_test.go (modified) — 7 POST sites
    now stamp r.TLS to satisfy the new transport pre-condition
  - internal/integration/negative_test.go (modified) — setupTestServer
    wraps the test handler with a fake-TLS-state injector so the EST
    handler receives r.TLS != nil; production paths still rely on the
    real TLS listener

Threat model reference: TB-11 (EST/SCEP client ↔ Server) per
cowork/comprehensive-audit-2026-04-25/threat-model.md.
Standards: RFC 7030 §3.2.3, RFC 8894 §3, RFC 5652, RFC 9266 (deferred).

internal/api/handler/est.go

@@ -109,6 +109,11 @@ func (h ESTHandler) SimpleEnroll(w http.ResponseWriter, r *http.Request) {
 
 	requestID := middleware.GetRequestID(r.Context())
 
+	if err := verifyESTTransport(r); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("EST transport precondition failed: %v", err), requestID)
+		return
+	}
+
 	csrPEM, err := h.readCSRFromRequest(r)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid CSR: %v", err), requestID)
@@ -134,6 +139,11 @@ func (h ESTHandler) SimpleReEnroll(w http.ResponseWriter, r *http.Request) {
 
 	requestID := middleware.GetRequestID(r.Context())
 
+	if err := verifyESTTransport(r); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("EST transport precondition failed: %v", err), requestID)
+		return
+	}
+
 	csrPEM, err := h.readCSRFromRequest(r)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid CSR: %v", err), requestID)
@@ -149,6 +159,60 @@ func (h ESTHandler) SimpleReEnroll(w http.ResponseWriter, r *http.Request) {
 	h.writeCertResponse(w, result)
 }
 
+// verifyESTTransport implements Bundle-4 / M-021 EST transport precondition.
+//
+// RFC 7030 §3.2.3 ("Linking Identity and POP Information") requires that when
+// EST clients use certificate-based authentication AND send a Proof-of-Possession
+// (PoP), the PoP MUST be cryptographically bound to the underlying TLS session
+// via TLS-Unique (RFC 5929). With TLS 1.3 (which certctl pins via
+// `tls.Config.MinVersion = tls.VersionTLS13` per the HTTPS-Everywhere milestone),
+// TLS-Unique is unavailable; RFC 9266 defines `tls-exporter` as the TLS 1.3
+// replacement.
+//
+// **Current scope of this function (Bundle-4 closure):** certctl does NOT
+// currently support EST client certificate authentication. The EST endpoint
+// accepts unauthenticated POSTs (the SCEP equivalent enforces a
+// challenge-password via `preflightSCEPChallengePassword`; EST has no
+// equivalent today). Per RFC 7030 §3.2.3, channel binding is REQUIRED only
+// when client certificate authentication is in use; without that, the §3.2.3
+// requirement is moot.
+//
+// What we DO enforce here as defense-in-depth:
+//
+//  1. r.TLS must be non-nil — the EST endpoint MUST be reached over TLS.
+//     Defensive: certctl pins HTTPS-only at the server-side TLS config, but
+//     a future routing-layer regression that exposes EST over plaintext
+//     would be caught here.
+//  2. Negotiated TLS version must be >= TLS 1.2 — RFC 7030 doesn't mandate
+//     a specific TLS version, but a pre-1.2 negotiation indicates a
+//     misconfigured client/server pair. certctl's MinVersion is TLS 1.3
+//     so this should always hold.
+//  3. r.TLS.HandshakeComplete must be true — defensive against partial-
+//     handshake replays.
+//
+// **Deferred to a future bundle (operator decision required):**
+//
+//   - RFC 9266 `tls-exporter` channel binding when EST mTLS is added.
+//   - EST mTLS support itself — currently EST is unauth-or-bearer; mTLS
+//     would be a V3-aligned compliance feature.
+//
+// Returns nil if all preconditions pass; non-nil error otherwise.
+func verifyESTTransport(r *http.Request) error {
+	if r.TLS == nil {
+		return fmt.Errorf("EST endpoint reached over plaintext; TLS required (RFC 7030 §3.2.1)")
+	}
+	if !r.TLS.HandshakeComplete {
+		return fmt.Errorf("EST request reached handler before TLS handshake completed")
+	}
+	// tls.VersionTLS12 == 0x0303; certctl's MinVersion is TLS 1.3 (0x0304).
+	// Defensive lower bound at TLS 1.2 lets us catch a future MinVersion
+	// regression cleanly without coupling this guard to the server config.
+	if r.TLS.Version < 0x0303 {
+		return fmt.Errorf("EST request negotiated TLS version 0x%04x; TLS 1.2 minimum required", r.TLS.Version)
+	}
+	return nil
+}
+
 // CSRAttrs handles GET /.well-known/est/csrattrs
 // Returns the CSR attributes the server wants the client to include in enrollment requests.
 func (h ESTHandler) CSRAttrs(w http.ResponseWriter, r *http.Request) {