EST RFC 7030 hardening master bundle Phases 5-7: end-to-end serverkeygen

+ profile-driven csrattrs + admin observability with per-status
counters + reload-trust endpoint.

Phase 5 — RFC 7030 §4.4 server-driven key generation:
- internal/pkcs7/envelopeddata_builder.go is the inverse of the
  existing parser/decryptor: AES-256-CBC content cipher + RSA PKCS#1
  v1.5 keyTrans + per-call random IV. Round-trip pinned in test
  (BuildEnvelopedData → ParseEnvelopedData → Decrypt returns the
  original plaintext byte-for-byte).
- ESTService.SimpleServerKeygen runs the full §4.4 flow: parse client
  CSR → require RSA pubkey for keyTrans → resolve per-profile
  algorithm (RSA-2048 default; honors AllowedKeyAlgorithms) → in-
  memory keygen → re-build CSR with server pubkey → run existing
  issuer pipeline → marshal PKCS#8 → CMS-EnvelopedData wrap to a
  synthetic recipient cert wrapping the device's CSR-supplied pubkey
  → zeroize plaintext + PKCS#8 bytes → return CertPEM + ChainPEM
  + EncryptedKey. Typed sentinels ErrServerKeygenRequiresKey-
  Encipherment / ErrServerKeygenUnsupportedAlgorithm /
  ErrServerKeygenDisabled.
- ESTHandler.ServerKeygen + ServerKeygenMTLS emit RFC 7030 §4.4.2
  multipart/mixed with random per-response boundary; per-profile
  SetServerKeygenEnabled gate returns 404 when off (defense in depth
  even if the route was registered).
- New routes POST /.well-known/est/[<PathID>/]serverkeygen +
  /.well-known/est-mtls/<PathID>/serverkeygen; openapi.yaml +
  openapi-parity guard updated.

Phase 6 — Real csrattrs implementation:
- New CertificateProfile.RequiredCSRAttributes []string + migration
  000022_certificate_profiles_csrattrs.up.sql. The migration also
  lands the previously-unwired must_staple column (closes the 5.6
  follow-up loop where the field shipped at the domain + service
  layer but the postgres scan/insert/update never persisted it).
- domain.EKUStringToOID + AttributeStringToOID lookup tables: id-kp-*
  EKUs (RFC 5280 §4.2.1.12) + RFC 5280 DN attributes + RFC 2985
  PKCS#10 attributes + Microsoft Intune device-serial OID.
- ESTService.GetCSRAttrs replaces the v2.0.x nil/204 stub with a
  profile-derived SEQUENCE OF OID ASN.1 marshal. Unknown EKU /
  attribute strings dropped + warning-logged so a typo doesn't take
  down the entire endpoint.

Phase 7 — Admin observability + counters + reload-trust:
- internal/service/est_counters.go: estCounterTab (sync/atomic; 12
  named labels) + ESTStatsSnapshot per-profile shape +
  ESTService.Stats(now) zero-allocation accessor + ReloadTrust()
  SIGHUP-equivalent + SetESTAdminMetadata setter.
- Counter ticks wired into processEnrollment + SimpleServerKeygen at
  every success/failure leg.
- internal/api/handler/admin_est.go mirrors AdminSCEPIntune verbatim:
  Profiles + ReloadTrust handlers + AdminESTServiceImpl. Both
  endpoints admin-gated (M-008 triplet pinned + admin_est.go added
  to AdminGatedHandlers).
- New routes GET /api/v1/admin/est/profiles + POST /api/v1/admin/
  est/reload-trust; openapi.yaml documented; openapi-parity guard
  reproduced clean.
- cmd/server/main.go grows estServices map populated by the per-
  profile EST loop + handed to AdminEST. New MTLSTrust() +
  HasMTLSTrust() accessors on ESTHandler so main.go can pull the
  trust holder for the admin-metadata wire-up.
- Per-profile counter isolation regression test
  (internal/service/est_profile_counter_isolation_test.go) proves
  a future shared-counter refactor would fail at compile-time
  pointer-identity check.

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
disk-space testcontainers download), staticcheck clean across
cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/
service/pkcs7/domain/cmd/server, go test -short -count=1 green
for every non-postgres package. G-3 docs-drift guard reproduced
locally clean (Phases 5-7 added zero new env vars; Phase 1
already documented per-profile SERVER_KEYGEN_ENABLED).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
8-13 (GUI ESTAdminPage / CLI+MCP / libest e2e / bulk revocation /
docs/est.md / release prep) remain — post-2.1.0 work.

internal/pkcs7/envelopeddata_builder.go

@@ -0,0 +1,237 @@
+// EnvelopedData BUILDER (inverse of envelopeddata.go's parser+decryptor).
+//
+// EST RFC 7030 hardening master bundle Phase 5.2.
+//
+// The SCEP path landed the parser/decryptor; the EST `serverkeygen`
+// endpoint (RFC 7030 §4.4) needs the BUILDER so the server can encrypt
+// the server-generated private key TO the client's CSR-supplied
+// key-encipherment public key, then return it as a CMS EnvelopedData.
+//
+// Wire shape produced (matches the parser's input, RFC 5652 §6.1):
+//
+//	ContentInfo ::= SEQUENCE {
+//	  contentType OBJECT IDENTIFIER,                  -- 1.2.840.113549.1.7.3 (envelopedData)
+//	  content     [0] EXPLICIT EnvelopedData
+//	}
+//	EnvelopedData ::= SEQUENCE {
+//	  version                  INTEGER (0),           -- v0 (no originatorInfo + no ori)
+//	  recipientInfos           SET SIZE(1) OF KeyTransRecipientInfo,
+//	  encryptedContentInfo     EncryptedContentInfo
+//	}
+//	KeyTransRecipientInfo ::= SEQUENCE {
+//	  version                  INTEGER (0),           -- v0 (IssuerAndSerialNumber rid)
+//	  rid                      IssuerAndSerialNumber, -- recipient cert's issuer + serial
+//	  keyEncryptionAlgorithm   AlgorithmIdentifier,   -- rsaEncryption (PKCS#1 v1.5 keyTrans)
+//	  encryptedKey             OCTET STRING           -- AES key wrapped to recipient pubkey
+//	}
+//	EncryptedContentInfo ::= SEQUENCE {
+//	  contentType                OBJECT IDENTIFIER,   -- pkcs7-data (1.2.840.113549.1.7.1)
+//	  contentEncryptionAlgorithm AlgorithmIdentifier, -- aes-256-cbc with IV in parameters
+//	  encryptedContent           [0] IMPLICIT OCTET STRING
+//	}
+//
+// Algorithm choices (locked at GA):
+//
+//   - Content cipher: AES-256-CBC. Strongest of the parser-supported ciphers
+//     (parser also accepts AES-128, AES-192, DES-EDE3-CBC for legacy SCEP
+//     interop; the BUILDER emits only AES-256). Random 16-byte IV per call.
+//   - Key transport: RSA PKCS#1 v1.5 (rsaEncryption OID). Mirror of what
+//     the parser supports — adding OAEP would mean parsing OAEP parameters
+//     in the parser too, deferred to V3.
+//   - Content-type carrier: pkcs7-data (1.2.840.113549.1.7.1). The
+//     plaintext bytes ARE the inner content directly; the parser's
+//     decryptCBC strips PKCS#7 padding so the BUILDER's PKCS#7-pad here
+//     round-trips correctly.
+
+package pkcs7
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+	"io"
+)
+
+// ErrBuildEnvelopedData is the umbrella build-time error. Unlike the
+// decrypt path (which deliberately collapses every internal failure to
+// one sentinel to close padding-oracle / Bleichenbacher leaks), the
+// BUILDER's errors are caller-introspectable — the caller is local
+// server code, not an attacker.
+var ErrBuildEnvelopedData = errors.New("envelopedData: build failed")
+
+// BuildEnvelopedData produces the CMS EnvelopedData wire bytes for the
+// given plaintext, encrypted to the supplied recipient cert.
+//
+// Inputs:
+//   - plaintext: the bytes to encrypt (e.g. a marshaled PKCS#8 private key
+//     for the EST serverkeygen path).
+//   - recipientCert: the cert whose pubkey wraps the AES key. MUST be RSA
+//     (the parser/decryptor only supports rsaEncryption keyTrans).
+//   - rng: source of random bytes for the AES key + IV. Pass nil to use
+//     crypto/rand.Reader. Tests can inject a deterministic reader so
+//     fixture round-trips are reproducible.
+//
+// Output: DER bytes of the outer ContentInfo. Suitable for direct embed
+// in the EST serverkeygen multipart body's `application/pkcs7-mime;
+// smime-type=enveloped-data` part.
+//
+// Behavior contract pinned by envelopeddata_builder_test.go:
+//   - Round-trip: BuildEnvelopedData → ParseEnvelopedData → Decrypt
+//     returns the original plaintext byte-for-byte.
+//   - Algorithm ID: AES-256-CBC (OID 2.16.840.1.101.3.4.1.42); IV is a
+//     random 16-byte value carried in the algorithm parameters as an
+//     OCTET STRING per RFC 3565 §2.3.
+//   - Recipient: exactly one KeyTransRecipientInfo whose IssuerAndSerial
+//     matches recipientCert.RawIssuer + recipientCert.SerialNumber.
+func BuildEnvelopedData(plaintext []byte, recipientCert *x509.Certificate, rng io.Reader) ([]byte, error) {
+	if len(plaintext) == 0 {
+		return nil, fmt.Errorf("%w: empty plaintext", ErrBuildEnvelopedData)
+	}
+	if recipientCert == nil {
+		return nil, fmt.Errorf("%w: nil recipient cert", ErrBuildEnvelopedData)
+	}
+	rsaPub, ok := recipientCert.PublicKey.(*rsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("%w: recipient cert pubkey is not RSA (PKCS#1 v1.5 keyTrans only)", ErrBuildEnvelopedData)
+	}
+	if rng == nil {
+		rng = rand.Reader
+	}
+
+	// 1. Generate the symmetric key + IV. AES-256-CBC needs a 32-byte key
+	// + 16-byte IV. Both come from the RNG; AES-CBC requires an IV
+	// unique-per-message (not strictly random, but a CSPRNG-derived value
+	// is the simplest correct choice).
+	symKey := make([]byte, 32)
+	if _, err := io.ReadFull(rng, symKey); err != nil {
+		return nil, fmt.Errorf("%w: gen sym key: %w", ErrBuildEnvelopedData, err)
+	}
+	iv := make([]byte, aes.BlockSize) // aes.BlockSize == 16
+	if _, err := io.ReadFull(rng, iv); err != nil {
+		return nil, fmt.Errorf("%w: gen iv: %w", ErrBuildEnvelopedData, err)
+	}
+
+	// 2. PKCS#7-pad + AES-256-CBC encrypt the plaintext.
+	padded := pkcs7Pad(plaintext, aes.BlockSize)
+	block, err := aes.NewCipher(symKey)
+	if err != nil {
+		return nil, fmt.Errorf("%w: aes.NewCipher: %w", ErrBuildEnvelopedData, err)
+	}
+	ciphertext := make([]byte, len(padded))
+	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
+
+	// 3. Wrap the symmetric key with the recipient's RSA pubkey using
+	// PKCS#1 v1.5 keyTrans. Matches the parser's rsa.DecryptPKCS1v15
+	// expectation. NOTE: rsa.EncryptPKCS1v15 takes the plaintext (the
+	// AES key bytes) directly — no extra ASN.1 wrapping.
+	wrappedKey, err := rsa.EncryptPKCS1v15(rng, rsaPub, symKey)
+	if err != nil {
+		return nil, fmt.Errorf("%w: rsa.EncryptPKCS1v15: %w", ErrBuildEnvelopedData, err)
+	}
+
+	// 4. Build the AlgorithmIdentifier for AES-256-CBC. RFC 3565 §2.3:
+	// the parameters field is an OCTET STRING carrying the IV.
+	ivOctet, err := asn1.Marshal(iv) // marshal as OCTET STRING
+	if err != nil {
+		return nil, fmt.Errorf("%w: marshal iv: %w", ErrBuildEnvelopedData, err)
+	}
+	contentEncAlg := pkix.AlgorithmIdentifier{
+		Algorithm:  OIDAES256CBC,
+		Parameters: asn1.RawValue{FullBytes: ivOctet},
+	}
+
+	// 5. Build the IssuerAndSerialNumber rid. The recipient cert's
+	// RawIssuer is the DER of its issuer DN (already canonicalised by
+	// the cert's encoder); we splice it as a RawValue so re-serialisation
+	// preserves byte-for-byte equality with what the recipient sees in
+	// its own cert.
+	issuerAndSerial := issuerAndSerialASN1{
+		Issuer:       asn1.RawValue{FullBytes: recipientCert.RawIssuer},
+		SerialNumber: recipientCert.SerialNumber,
+	}
+	iasDER, err := asn1.Marshal(issuerAndSerial)
+	if err != nil {
+		return nil, fmt.Errorf("%w: marshal IssuerAndSerial: %w", ErrBuildEnvelopedData, err)
+	}
+
+	// 6. Build the KeyTransRecipientInfo SEQUENCE.
+	ktri := keyTransRecipientInfoASN1{
+		Version:          0, // v0 with IssuerAndSerial rid
+		RID:              asn1.RawValue{FullBytes: iasDER},
+		KeyEncryptionAlg: pkix.AlgorithmIdentifier{Algorithm: OIDRSAEncryption, Parameters: asn1.NullRawValue},
+		EncryptedKey:     wrappedKey,
+	}
+	ktriDER, err := asn1.Marshal(ktri)
+	if err != nil {
+		return nil, fmt.Errorf("%w: marshal KTRI: %w", ErrBuildEnvelopedData, err)
+	}
+
+	// 7. Build the EncryptedContentInfo. encryptedContent is [0] IMPLICIT
+	// OCTET STRING; we marshal as a context-specific RawValue with class
+	// CONTEXT-SPECIFIC + tag 0 + the raw ciphertext bytes (no inner
+	// OCTET STRING tag since IMPLICIT replaces it).
+	encContent := asn1.RawValue{
+		Class:      asn1.ClassContextSpecific,
+		Tag:        0,
+		IsCompound: false,
+		Bytes:      ciphertext,
+	}
+	enci := encryptedContentInfoASN1{
+		ContentType:                OIDDataContent,
+		ContentEncryptionAlgorithm: contentEncAlg,
+		EncryptedContent:           encContent,
+	}
+
+	// 8. Compose the EnvelopedData SEQUENCE. The parser's struct uses
+	// `[]asn1.RawValue` for RecipientInfos with `set` tag; we mirror
+	// that shape so the parse round-trip exercises the same code path.
+	enveloped := envelopedDataASN1{
+		Version:              0, // v0 (no originatorInfo, no [1] unprotectedAttrs)
+		RecipientInfos:       []asn1.RawValue{{FullBytes: ktriDER}},
+		EncryptedContentInfo: enci,
+		// UnprotectedAttrs intentionally left zero-value; asn1.Marshal
+		// omits OPTIONAL fields whose RawValue is empty.
+	}
+	envelopedDER, err := asn1.Marshal(enveloped)
+	if err != nil {
+		return nil, fmt.Errorf("%w: marshal EnvelopedData: %w", ErrBuildEnvelopedData, err)
+	}
+
+	// 9. Wrap in the outer ContentInfo so peelContentInfo on the read
+	// side picks it up cleanly. RFC 5652 §3 — content is [0] EXPLICIT.
+	wrapped, err := asn1.Marshal(contentInfoASN1{
+		ContentType: OIDEnvelopedData,
+		Content:     asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: envelopedDER},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("%w: marshal ContentInfo: %w", ErrBuildEnvelopedData, err)
+	}
+	return wrapped, nil
+}
+
+// contentInfoASN1 is the outer CMS ContentInfo wrapper. envelopeddata.go's
+// peelContentInfo is the read-side complement.
+type contentInfoASN1 struct {
+	ContentType asn1.ObjectIdentifier
+	Content     asn1.RawValue `asn1:"explicit,tag:0"`
+}
+
+// pkcs7Pad applies PKCS#7 padding (RFC 5652 §6.3 references RFC 2315 §10.3).
+// blockSize bytes' worth of (blockSize - len(in) % blockSize) is appended;
+// when the input is already a block-multiple, a full block of `blockSize`
+// padding bytes is appended (so unpad always has something to strip).
+func pkcs7Pad(in []byte, blockSize int) []byte {
+	padLen := blockSize - (len(in) % blockSize)
+	out := make([]byte, len(in)+padLen)
+	copy(out, in)
+	for i := len(in); i < len(out); i++ {
+		out[i] = byte(padLen)
+	}
+	return out
+}

internal/pkcs7/envelopeddata_builder_test.go

@@ -0,0 +1,171 @@
+package pkcs7
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"testing"
+	"time"
+)
+
+// freshRSARecipient produces a self-signed RSA-2048 cert + matching key
+// usable as both EnvelopedData recipient (BUILDER input) and EnvelopedData
+// decryptor (Decrypt input). RSA-2048 is the minimum the parser supports
+// for keyTrans.
+func freshRSARecipient(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
+	t.Helper()
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("rsa.GenerateKey: %v", err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject:      pkix.Name{CommonName: "envelopeddata-builder-test"},
+		Issuer:       pkix.Name{CommonName: "envelopeddata-builder-test-issuer"},
+		NotBefore:    time.Now().Add(-1 * time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+		KeyUsage:     x509.KeyUsageKeyEncipherment,
+	}
+	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("CreateCertificate: %v", err)
+	}
+	cert, err := x509.ParseCertificate(der)
+	if err != nil {
+		t.Fatalf("ParseCertificate: %v", err)
+	}
+	return cert, key
+}
+
+func TestBuildEnvelopedData_RoundTrip(t *testing.T) {
+	cert, key := freshRSARecipient(t)
+	plaintext := []byte("the eagle has landed at coordinate 47.6062N 122.3321W; key zeroize at exit")
+
+	wire, err := BuildEnvelopedData(plaintext, cert, nil)
+	if err != nil {
+		t.Fatalf("BuildEnvelopedData: %v", err)
+	}
+	if len(wire) == 0 {
+		t.Fatal("empty wire bytes")
+	}
+
+	parsed, err := ParseEnvelopedData(wire)
+	if err != nil {
+		t.Fatalf("ParseEnvelopedData: %v", err)
+	}
+	got, err := parsed.Decrypt(key, cert)
+	if err != nil {
+		t.Fatalf("Decrypt: %v", err)
+	}
+	if !bytes.Equal(got, plaintext) {
+		t.Errorf("round-trip mismatch:\n got = %q\nwant = %q", got, plaintext)
+	}
+}
+
+func TestBuildEnvelopedData_AlgorithmIsAES256CBC(t *testing.T) {
+	cert, _ := freshRSARecipient(t)
+	wire, err := BuildEnvelopedData([]byte("alg-id pin"), cert, nil)
+	if err != nil {
+		t.Fatalf("BuildEnvelopedData: %v", err)
+	}
+	parsed, err := ParseEnvelopedData(wire)
+	if err != nil {
+		t.Fatalf("ParseEnvelopedData: %v", err)
+	}
+	if !parsed.ContentEncryptionAlg.Algorithm.Equal(OIDAES256CBC) {
+		t.Errorf("alg = %v, want OIDAES256CBC %v", parsed.ContentEncryptionAlg.Algorithm, OIDAES256CBC)
+	}
+}
+
+func TestBuildEnvelopedData_RecipientMatchesIssuerAndSerial(t *testing.T) {
+	cert, _ := freshRSARecipient(t)
+	wire, err := BuildEnvelopedData([]byte("rid pin"), cert, nil)
+	if err != nil {
+		t.Fatalf("BuildEnvelopedData: %v", err)
+	}
+	parsed, err := ParseEnvelopedData(wire)
+	if err != nil {
+		t.Fatalf("ParseEnvelopedData: %v", err)
+	}
+	if len(parsed.RecipientInfos) != 1 {
+		t.Fatalf("recipient count = %d, want 1", len(parsed.RecipientInfos))
+	}
+	rid := parsed.RecipientInfos[0].IssuerAndSerial
+	if !bytes.Equal(rid.IssuerRaw.FullBytes, cert.RawIssuer) {
+		t.Errorf("issuer mismatch:\n got = %x\nwant = %x", rid.IssuerRaw.FullBytes, cert.RawIssuer)
+	}
+	if rid.SerialNumber == nil || rid.SerialNumber.Cmp(cert.SerialNumber) != 0 {
+		t.Errorf("serial mismatch: got %v, want %v", rid.SerialNumber, cert.SerialNumber)
+	}
+}
+
+func TestBuildEnvelopedData_RejectsNonRSARecipient(t *testing.T) {
+	// EnvelopedData keyTrans requires RSA per the parser's contract; ECDSA
+	// recipient certs MUST be rejected at build time so an operator never
+	// ships a serverkeygen response that no client can decrypt.
+	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey: %v", err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(99),
+		Subject:      pkix.Name{CommonName: "ecdsa-recipient-reject-test"},
+		Issuer:       pkix.Name{CommonName: "ecdsa-recipient-reject-test-issuer"},
+		NotBefore:    time.Now().Add(-1 * time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+	}
+	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &ecKey.PublicKey, ecKey)
+	if err != nil {
+		t.Fatalf("CreateCertificate: %v", err)
+	}
+	cert, err := x509.ParseCertificate(der)
+	if err != nil {
+		t.Fatalf("ParseCertificate: %v", err)
+	}
+	if _, err := BuildEnvelopedData([]byte("test"), cert, nil); err == nil {
+		t.Fatal("expected error for non-RSA recipient cert")
+	}
+}
+
+func TestBuildEnvelopedData_RejectsEmptyPlaintext(t *testing.T) {
+	cert, _ := freshRSARecipient(t)
+	_, err := BuildEnvelopedData(nil, cert, nil)
+	if err == nil {
+		t.Fatal("expected error for empty plaintext")
+	}
+}
+
+func TestBuildEnvelopedData_RejectsNilCert(t *testing.T) {
+	_, err := BuildEnvelopedData([]byte("x"), nil, nil)
+	if err == nil {
+		t.Fatal("expected error for nil recipient cert")
+	}
+}
+
+func TestBuildEnvelopedData_LargePlaintextRoundTrip(t *testing.T) {
+	// PKCS#7 padding + AES-256-CBC works for arbitrary plaintext lengths.
+	// Pin the contract for a 4KiB-aligned key blob (typical PKCS#8 RSA-2048
+	// is ~1.2KB; ECDSA P-384 is ~250B).
+	cert, key := freshRSARecipient(t)
+	big := bytes.Repeat([]byte("ABCDEFGH"), 512) // 4 KiB
+	wire, err := BuildEnvelopedData(big, cert, nil)
+	if err != nil {
+		t.Fatalf("BuildEnvelopedData: %v", err)
+	}
+	parsed, err := ParseEnvelopedData(wire)
+	if err != nil {
+		t.Fatalf("ParseEnvelopedData: %v", err)
+	}
+	got, err := parsed.Decrypt(key, cert)
+	if err != nil {
+		t.Fatalf("Decrypt: %v", err)
+	}
+	if !bytes.Equal(got, big) {
+		t.Errorf("4KiB round-trip mismatch")
+	}
+}