mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-13 20:38:52 +00:00
EST RFC 7030 hardening master bundle Phases 2-4: end-to-end mTLS sibling
route + RFC 9266 channel binding + HTTP Basic enrollment-password +
per-source-IP failed-auth limit + per-(CN, sourceIP) sliding-window cap.
Two new shared packages so EST + Intune share infrastructure:
- internal/cms/ — RFC 9266 tls-exporter extractor (ExtractTLSExporter
with stdlib-panic recovery for synthetic ConnectionStates) +
CSR-side channel-binding parser via raw TBSCertificationRequestInfo
walk (the stdlib's csr.Attributes can't represent the OCTET STRING
binding value), VerifyChannelBinding composite, EmbedChannel-
BindingAttribute fixture helper, typed sentinel errors for missing
/ mismatch / not-TLS-1.3 mapped to HTTP 400 / 409 / 426 in handler.
- internal/trustanchor/ — extracted from scep/intune/trust_anchor*.go
so the EST mTLS sibling route + Intune dispatcher share the same
SIGHUP-reloadable PEM bundle primitive. intune.TrustAnchorHolder
is now `= trustanchor.Holder` (type alias) + NewTrustAnchorHolder =
trustanchor.New (function alias) — every existing call site compiles
unchanged. Intune's LoadTrustAnchor is a thin wrapper over
trustanchor.LoadBundle. White-box tests moved to the new package.
- internal/ratelimit/ — extracted from scep/intune/rate_limit.go (this
was Phase 4.1, in the same bundle). intune.PerDeviceRateLimiter
is now a thin wrapper preserving the (subject, issuer)→key
composition; EST handler reaches for SlidingWindowLimiter directly.
ESTHandler grew six optional fields wired by per-profile setters
(SetMTLSTrust / SetChannelBindingRequired / SetEnrollmentPassword /
SetSourceIPRateLimiter / SetPerPrincipalRateLimiter / SetLabelForLog)
plus four new mTLS-route methods (CACertsMTLS / SimpleEnrollMTLS /
SimpleReEnrollMTLS / CSRAttrsMTLS); shared internal pipeline
handleEnrollOrReEnroll(reEnroll, viaMTLS) keeps the auth/binding/
rate-limit gates DRY. New router method RegisterESTMTLSHandlers
registers /.well-known/est-mtls/<PathID>/{cacerts,simpleenroll,
simplereenroll,csrattrs}; AuthExemptDispatchPrefixes extends the
no-auth chain to /.well-known/est-mtls.
cmd/server/main.go's EST loop wires per-profile mTLS holder +
channel-binding policy + per-principal limiter + (when EnrollmentPassword
non-empty) Basic + source-IP limiter; new preflightESTMTLSClientCATrust-
Bundle returns *trustanchor.Holder so SIGHUP rotates the EST mTLS
bundle live without restart. SCEP + EST mTLS profiles now share a
single union mtlsUnionPoolForTLS passed to buildServerTLSConfigWithMTLS
(replaces the protocol-specific scepMTLSUnionPoolForTLS); per-handler
re-verify enforces "cert must chain to THIS profile's bundle" so
cross-protocol bleed is blocked at the application layer even though
the TLS layer trusts certs from either pool's union.
Phase 3.3 source-IP failed-Basic limiter defaults: 10 attempts / 1h
/ 50k tracked IPs (no env var; tunable in a follow-up). Phase 4.2
per-principal limiter cap from CERTCTL_EST_PROFILE_<NAME>_RATE_
LIMIT_PER_PRINCIPAL_24H (existing field, Phase 1 shipped).
New tests:
- internal/cms/channelbinding_test.go: extractor + CSR-side parser +
composite + TLS-1.3 round-trip end-to-end + EmbedChannelBinding-
Attribute round-trip
- internal/trustanchor/holder_test.go: parseBundlePEM white-box +
LoadBundle + Holder Get/Pool/SetLabelForLog/Reload-happy/
Reload-keeps-old-on-failure/Reload-keeps-old-on-expired/
WatchSIGHUP-reloads-pool/WatchSIGHUP-stop-clean
- internal/api/handler/est_hardening_test.go: 16 named cases covering
mTLS no-trust-pool 500 + no-cert 401 + cross-profile cert 401 +
happy-path 200 + CACertsMTLS auth gate + CSRAttrsMTLS auth gate +
channel-binding required-absent-rejected + not-required-absent-
allowed + writeChannelBindingError mapping + Basic no-header 401
+ Basic wrong-password 401 + Basic correct-200 + Basic-no-password
no-gate + per-IP failed-attempt lockout 429 + per-principal
blocks-after-cap + different-principals-independent + no-limiter-
unbounded.
Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
disk-space testcontainers download), staticcheck clean for
cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/
cmd/server, go test -short -count=1 green for cms/trustanchor/
api/handler/api/router/scep/intune/ratelimit/service. G-3
docs-drift guard reproduced locally clean (Phase 1 already
documented every new env var; Phases 2-4 added zero new env vars).
This commit is contained in:
shankar0123
@@ -103,15 +103,11 @@ func TestPerDeviceRateLimiter_EmptySubjectShortCircuits(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestPerDeviceRateLimiter_DefaultCapsHonored(t *testing.T) {
|
||||
l := NewPerDeviceRateLimiter(5, 0, 0) // window=0 → 24h default; cap=0 → 100k default
|
||||
if l.window != 24*time.Hour {
|
||||
t.Errorf("default window = %v, want 24h", l.window)
|
||||
}
|
||||
if l.cap != 100_000 {
|
||||
t.Errorf("default cap = %d, want 100000", l.cap)
|
||||
}
|
||||
}
|
||||
// TestPerDeviceRateLimiter_DefaultCapsHonored — moved to
|
||||
// internal/ratelimit/sliding_window_test.go::TestSlidingWindowLimiter_DefaultCapsHonored
|
||||
// in EST RFC 7030 hardening Phase 4.1 (the white-box test reads private
|
||||
// fields that no longer exist on the wrapper). The shared package owns
|
||||
// the field-default contract.
|
||||
|
||||
func TestPerDeviceRateLimiter_MapCapEvictsOldest(t *testing.T) {
|
||||
// Cap of 3 keys to exercise the eviction branch deterministically.
|
||||
@@ -161,30 +157,8 @@ func TestPerDeviceRateLimiter_ConcurrentRaceFree(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestPruneOlderThan(t *testing.T) {
|
||||
t0 := time.Now()
|
||||
in := []time.Time{
|
||||
t0.Add(-3 * time.Hour), // pruned (older than cutoff)
|
||||
t0.Add(-2 * time.Hour), // pruned (older than cutoff)
|
||||
t0.Add(-1 * time.Hour), // survives (-60m is NEWER than the -90m cutoff)
|
||||
t0.Add(-30 * time.Minute), // survives
|
||||
t0, // survives
|
||||
}
|
||||
out := pruneOlderThan(in, t0.Add(-90*time.Minute))
|
||||
if len(out) != 3 {
|
||||
t.Fatalf("len(out) = %d, want 3 (-1h, -30m, t0 all newer than -90m cutoff)", len(out))
|
||||
}
|
||||
if !out[0].Equal(t0.Add(-1 * time.Hour)) {
|
||||
t.Errorf("out[0] = %v, want -1h (oldest surviving entry)", out[0])
|
||||
}
|
||||
}
|
||||
|
||||
func TestPruneOlderThan_NoOpWhenNothingToPrune(t *testing.T) {
|
||||
t0 := time.Now()
|
||||
in := []time.Time{t0.Add(-1 * time.Minute), t0}
|
||||
out := pruneOlderThan(in, t0.Add(-1*time.Hour))
|
||||
// Same slice header (no copy needed).
|
||||
if len(out) != len(in) {
|
||||
t.Fatalf("len(out) = %d, want %d", len(out), len(in))
|
||||
}
|
||||
}
|
||||
// TestPruneOlderThan + TestPruneOlderThan_NoOpWhenNothingToPrune — moved
|
||||
// to internal/ratelimit/sliding_window_test.go in EST RFC 7030 hardening
|
||||
// Phase 4.1. pruneOlderThan is now an unexported helper of the shared
|
||||
// ratelimit package (the implementation moved there); the white-box
|
||||
// tests follow.
|
||||
|
||||
Reference in New Issue
Block a user