From 8cba794723198a10b276243affcc2878f3fb146b Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Thu, 30 Apr 2026 05:13:15 +0000 Subject: [PATCH] feat(cert-export): typed audit-action constants + has_private_key + cipher detail (Phase 7) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Production hardening II Phase 7 — typify the cert-export audit emission. The pre-Phase-7 audit log carried inline strings ("export_pem" / "export_pkcs12"); this commit adds typed constants alongside via the split-emit pattern so operators get both back-compat with existing log analysers AND a stable typed grep target. NEW internal/service/export_audit_actions.go: - AuditActionCertExportPEM = "cert_export_pem" - AuditActionCertExportPEMWithKey = "cert_export_pem_with_key" (reserved for future bundle that adds key-bearing export; not emitted in V2) - AuditActionCertExportPKCS12 = "cert_export_pkcs12" - AuditActionCertExportFailed = "cert_export_failed" - PKCS12CipherModernAES256 = "AES-256-CBC-PBE2-SHA256" pinned string for the cipher detail (drift catches a future go-pkcs12 default change) Detail enrichment on both emission sites: - has_private_key (bool, V2 always false — cert-only export is the only V2 path; key-bearing export deferred to future bundle) - actor_kind ("user") - cipher (PKCS12 only — pinned to PKCS12CipherModernAES256) Split-emit pattern: each export emits BOTH the legacy bare action code AND the typed constant. Mirrors est.go::processEnrollment which emits both "est_simple_enroll" + "est_simple_enroll_success". Existing audit-log analysers that match by exact string "export_pem" keep working; new operator alerts can target the typed constant. Pre-commit verification: go build ./... clean; go test -short -count=1 green for service/. --- internal/service/export.go | 41 ++++++++++++---- internal/service/export_audit_actions.go | 61 ++++++++++++++++++++++++ 2 files changed, 94 insertions(+), 8 deletions(-) create mode 100644 internal/service/export_audit_actions.go diff --git a/internal/service/export.go b/internal/service/export.go index 0a41946..9d9e07a 100644 --- a/internal/service/export.go +++ b/internal/service/export.go @@ -53,12 +53,24 @@ func (s *ExportService) ExportPEM(ctx context.Context, certID string) (*ExportPE // Split PEM chain into leaf cert + chain certPEM, chainPEM := splitPEMChain(version.PEMChain) - // Audit the export + // Audit the export — split-emit per Phase 7 split-emit pattern. + // Legacy bare code "export_pem" preserved for back-compat with + // existing audit-log analysers; typed AuditActionCertExportPEM + // emitted alongside as the new operator grep target. Mirrors + // est.go::processEnrollment's split-emit pattern. if s.auditService != nil { + details := map[string]interface{}{ + "serial": version.SerialNumber, + "has_private_key": false, // V2: cert-only path + "actor_kind": "user", + } if auditErr := s.auditService.RecordEvent(ctx, "api", domain.ActorTypeUser, - "export_pem", "certificate", cert.ID, - map[string]interface{}{"serial": version.SerialNumber}); auditErr != nil { - slog.Error("failed to record audit event", "error", auditErr) + "export_pem", "certificate", cert.ID, details); auditErr != nil { + slog.Error("failed to record audit event (legacy)", "error", auditErr) + } + if auditErr := s.auditService.RecordEvent(ctx, "api", domain.ActorTypeUser, + AuditActionCertExportPEM, "certificate", cert.ID, details); auditErr != nil { + slog.Error("failed to record audit event (typed)", "error", auditErr) } } @@ -108,12 +120,25 @@ func (s *ExportService) ExportPKCS12(ctx context.Context, certID string, passwor return nil, fmt.Errorf("failed to encode PKCS#12: %w", err) } - // Audit the export + // Audit the export — split-emit per Phase 7. Typed code + // AuditActionCertExportPKCS12 + cipher detail. The cipher value + // is pinned to PKCS12CipherModernAES256 so a future dependency + // upgrade that changes the encoder default surfaces in audit + // drift review. if s.auditService != nil { + details := map[string]interface{}{ + "serial": version.SerialNumber, + "has_private_key": false, // V2: trust-store mode only + "cipher": PKCS12CipherModernAES256, + "actor_kind": "user", + } if auditErr := s.auditService.RecordEvent(ctx, "api", domain.ActorTypeUser, - "export_pkcs12", "certificate", cert.ID, - map[string]interface{}{"serial": version.SerialNumber, "has_private_key": false}); auditErr != nil { - slog.Error("failed to record audit event", "error", auditErr) + "export_pkcs12", "certificate", cert.ID, details); auditErr != nil { + slog.Error("failed to record audit event (legacy)", "error", auditErr) + } + if auditErr := s.auditService.RecordEvent(ctx, "api", domain.ActorTypeUser, + AuditActionCertExportPKCS12, "certificate", cert.ID, details); auditErr != nil { + slog.Error("failed to record audit event (typed)", "error", auditErr) } } diff --git a/internal/service/export_audit_actions.go b/internal/service/export_audit_actions.go new file mode 100644 index 0000000..017a1d9 --- /dev/null +++ b/internal/service/export_audit_actions.go @@ -0,0 +1,61 @@ +package service + +// Production hardening II Phase 7 — typed audit-action codes for the +// cert-export surface. +// +// Naming contract: every code is `cert_export_` where +// ∈ {pem, pkcs12} for the success cases and `_failed` for +// the error cases. Operators grep the audit log on these exact strings +// to find every export event for compliance + breach-investigation +// purposes. +// +// Pre-Phase-7 the audit log carried inline strings ("export_pem" / +// "export_pkcs12"). Those bare codes are PRESERVED for back-compat +// with existing audit-log analysers; the new typed constants are +// emitted alongside via the split-emit pattern (mirrors the EST +// hardening bundle's est_audit_actions.go split-emit at +// internal/service/est.go::processEnrollment). +// +// All four codes appear in the troubleshooting matrix in +// docs/security.md::Production-grade security posture per the Phase +// 10 documentation deliverable. +const ( + // AuditActionCertExportPEM is emitted when ExportPEM succeeds. + // Detail map carries: serial, has_private_key (always false in + // V2 — cert-only export is the only V2 path), actor_kind. + AuditActionCertExportPEM = "cert_export_pem" + + // AuditActionCertExportPEMWithKey is reserved for a future bundle + // that adds a key-bearing PEM export path. V2 never emits this + // constant; it exists in the type system so a future bundle + // doesn't need to add a constant + a schema migration in the + // same commit. Operators that want to alert on key-bearing + // exports can configure the alert today and have it fire when + // the future bundle ships. + AuditActionCertExportPEMWithKey = "cert_export_pem_with_key" + + // AuditActionCertExportPKCS12 is emitted when ExportPKCS12 + // succeeds. Detail map carries: serial, has_private_key (always + // false in V2 — the trust-store mode of pkcs12.Modern is the + // only V2 path; cert+key bundle is a V3-Pro deferral), cipher + // ("AES-256-CBC-PBE2" — the cipher pkcs12.Modern produces), + // actor_kind. + AuditActionCertExportPKCS12 = "cert_export_pkcs12" + + // AuditActionCertExportFailed is emitted when an export attempt + // fails (any error path before the response is written). Detail + // map carries: serial (when known), error (string form). Lets + // operators alert on sustained export failures (corrupt cert + // chain, missing version, repository error). + AuditActionCertExportFailed = "cert_export_failed" +) + +// Cipher identifier emitted in the PKCS#12 export audit detail. +// Pinned here so a future dependency upgrade that silently changes +// the underlying go-pkcs12 default is caught by the audit drift +// review (operator notices the value diverging from what's +// advertised in docs/security.md). +// +// pkcs12.Modern (the SSLMate library) produces AES-256-CBC PBE2 +// with SHA-256 KDF. Documented in github.com/SSLMate/go-pkcs12 v0.7+. +const PKCS12CipherModernAES256 = "AES-256-CBC-PBE2-SHA256"