feat: add EST server (RFC 7030) for device certificate enrollment (M23)

Implement Enrollment over Secure Transport protocol with 4 endpoints under /.well-known/est/ — cacerts (CA chain distribution), simpleenroll (initial enrollment), simplereenroll (certificate renewal), and csrattrs (CSR attributes). PKCS#7 certs-only wire format with hand-rolled ASN.1, accepts both PEM and base64-encoded DER CSRs, configurable issuer and profile binding, full audit trail. 28 new tests (18 handler + 10 service). Also includes: - GetCACertPEM added to issuer connector interface (all 4 issuers updated) - EST integration tests wired into e2e test suite (13 test cases) - QA testing guide Part 26 (15 manual EST test cases) - All docs updated: README, features, architecture, concepts, connectors, quickstart, demo-advanced (endpoint counts, MCP wording, agent IDs, issuer interface, resource lists, OpenSSL status) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-09 10:48:59 +00:00 · 2026-03-25 15:31:06 -04:00
parent 42fa9c7791
commit e4ba8d4de2
27 changed files with 1807 additions and 20 deletions
@@ -2,9 +2,17 @@ package integration

 import (
 	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"io"
 	"net/http"
+	"strings"
 	"testing"
 	"time"

@@ -892,3 +900,214 @@ func TestM20EnhancedQueryAPI(t *testing.T) {
 		}
 	})
 }
+
+// generateE2ECSRPEM creates a valid ECDSA P-256 CSR PEM for integration testing.
+func generateE2ECSRPEM(t *testing.T, cn string, sans []string) string {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("generate key: %v", err)
+	}
+	template := &x509.CertificateRequest{
+		Subject:  pkix.Name{CommonName: cn},
+		DNSNames: sans,
+	}
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, template, key)
+	if err != nil {
+		t.Fatalf("create CSR: %v", err)
+	}
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}))
+}
+
+// generateE2ECSRBase64DER creates a valid base64-encoded DER CSR for EST wire format testing.
+func generateE2ECSRBase64DER(t *testing.T, cn string, sans []string) string {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("generate key: %v", err)
+	}
+	template := &x509.CertificateRequest{
+		Subject:  pkix.Name{CommonName: cn},
+		DNSNames: sans,
+	}
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, template, key)
+	if err != nil {
+		t.Fatalf("create CSR: %v", err)
+	}
+	return base64.StdEncoding.EncodeToString(csrDER)
+}
+
+// TestESTEndpoints exercises the EST (RFC 7030) enrollment endpoints end-to-end (M23).
+func TestESTEndpoints(t *testing.T) {
+	server, _, _, _ := setupTestServer(t)
+
+	// ===========================
+	// GET /cacerts — CA certificate chain
+	// ===========================
+	t.Run("GetCACerts_Success", func(t *testing.T) {
+		resp, err := http.Get(server.URL + "/.well-known/est/cacerts")
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
+		}
+		ct := resp.Header.Get("Content-Type")
+		if !strings.Contains(ct, "application/pkcs7-mime") {
+			t.Errorf("expected application/pkcs7-mime content type, got %s", ct)
+		}
+		cte := resp.Header.Get("Content-Transfer-Encoding")
+		if cte != "base64" {
+			t.Errorf("expected base64 content-transfer-encoding, got %s", cte)
+		}
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		if len(bodyBytes) == 0 {
+			t.Error("expected non-empty PKCS#7 response body")
+		}
+	})
+
+	t.Run("GetCACerts_MethodNotAllowed", func(t *testing.T) {
+		resp, err := http.Post(server.URL+"/.well-known/est/cacerts", "application/json", nil)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusMethodNotAllowed {
+			t.Errorf("expected 405, got %d", resp.StatusCode)
+		}
+	})
+
+	// ===========================
+	// POST /simpleenroll — certificate enrollment
+	// ===========================
+	t.Run("SimpleEnroll_PEM_Success", func(t *testing.T) {
+		csrPEM := generateE2ECSRPEM(t, "est-test.example.com", []string{"est-test.example.com"})
+		resp, err := http.Post(server.URL+"/.well-known/est/simpleenroll", "application/pkcs10", strings.NewReader(csrPEM))
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
+		}
+		ct := resp.Header.Get("Content-Type")
+		if !strings.Contains(ct, "application/pkcs7-mime") {
+			t.Errorf("expected application/pkcs7-mime, got %s", ct)
+		}
+	})
+
+	t.Run("SimpleEnroll_Base64DER_Success", func(t *testing.T) {
+		csrB64 := generateE2ECSRBase64DER(t, "est-der.example.com", []string{"est-der.example.com"})
+		resp, err := http.Post(server.URL+"/.well-known/est/simpleenroll", "application/pkcs10", strings.NewReader(csrB64))
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
+		}
+	})
+
+	t.Run("SimpleEnroll_EmptyBody", func(t *testing.T) {
+		resp, err := http.Post(server.URL+"/.well-known/est/simpleenroll", "application/pkcs10", strings.NewReader(""))
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusBadRequest {
+			t.Errorf("expected 400 for empty body, got %d", resp.StatusCode)
+		}
+	})
+
+	t.Run("SimpleEnroll_InvalidCSR", func(t *testing.T) {
+		resp, err := http.Post(server.URL+"/.well-known/est/simpleenroll", "application/pkcs10", strings.NewReader("not-a-valid-csr"))
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusBadRequest {
+			t.Errorf("expected 400 for invalid CSR, got %d", resp.StatusCode)
+		}
+	})
+
+	t.Run("SimpleEnroll_MissingCN", func(t *testing.T) {
+		csrPEM := generateE2ECSRPEM(t, "", []string{"no-cn.example.com"})
+		resp, err := http.Post(server.URL+"/.well-known/est/simpleenroll", "application/pkcs10", strings.NewReader(csrPEM))
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		// Should fail because EST requires a Common Name
+		if resp.StatusCode == http.StatusOK {
+			t.Error("expected error for CSR without Common Name")
+		}
+	})
+
+	t.Run("SimpleEnroll_MethodNotAllowed", func(t *testing.T) {
+		resp, err := http.Get(server.URL + "/.well-known/est/simpleenroll")
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusMethodNotAllowed {
+			t.Errorf("expected 405, got %d", resp.StatusCode)
+		}
+	})
+
+	// ===========================
+	// POST /simplereenroll — certificate re-enrollment
+	// ===========================
+	t.Run("SimpleReEnroll_Success", func(t *testing.T) {
+		csrPEM := generateE2ECSRPEM(t, "renew-est.example.com", []string{"renew-est.example.com"})
+		resp, err := http.Post(server.URL+"/.well-known/est/simplereenroll", "application/pkcs10", strings.NewReader(csrPEM))
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
+		}
+	})
+
+	t.Run("SimpleReEnroll_MethodNotAllowed", func(t *testing.T) {
+		resp, err := http.Get(server.URL + "/.well-known/est/simplereenroll")
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusMethodNotAllowed {
+			t.Errorf("expected 405, got %d", resp.StatusCode)
+		}
+	})
+
+	// ===========================
+	// GET /csrattrs — CSR attributes
+	// ===========================
+	t.Run("GetCSRAttrs_NoContent", func(t *testing.T) {
+		resp, err := http.Get(server.URL + "/.well-known/est/csrattrs")
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		// Default implementation returns nil attrs → 204 No Content
+		if resp.StatusCode != http.StatusNoContent {
+			t.Errorf("expected 204, got %d", resp.StatusCode)
+		}
+	})
+
+	t.Run("GetCSRAttrs_MethodNotAllowed", func(t *testing.T) {
+		resp, err := http.Post(server.URL+"/.well-known/est/csrattrs", "application/json", nil)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusMethodNotAllowed {
+			t.Errorf("expected 405, got %d", resp.StatusCode)
+		}
+	})
+}
@@ -82,6 +82,10 @@ func TestCertificateLifecycle(t *testing.T) {
 	discoveryHandler := handler.NewDiscoveryHandler(&mockDiscoveryService{})
 	networkScanHandler := handler.NewNetworkScanHandler(&mockNetworkScanService{})

+	// EST handler — uses real Local CA issuer via ESTService
+	estService := service.NewESTService("iss-local", issuerRegistry["iss-local"], auditService, logger)
+	estHandler := handler.NewESTHandler(estService)
+
 	// Create router and register handlers
 	r := router.New()
 	r.RegisterHandlers(
@@ -103,6 +107,7 @@ func TestCertificateLifecycle(t *testing.T) {
 		discoveryHandler,
 		networkScanHandler,
 	)
+	r.RegisterESTHandlers(estHandler)

 	// Create test server
 	server := httptest.NewServer(r)
@@ -75,6 +75,10 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 	discoveryHandler := handler.NewDiscoveryHandler(&mockDiscoveryService{})
 	networkScanHandler := handler.NewNetworkScanHandler(&mockNetworkScanService{})

+	// EST handler — uses real Local CA issuer via ESTService
+	estService := service.NewESTService("iss-local", issuerRegistry["iss-local"], auditService, logger)
+	estHandler := handler.NewESTHandler(estService)
+
 	r := router.New()
 	r.RegisterHandlers(
 		certificateHandler,
@@ -95,6 +99,7 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 		discoveryHandler,
 		networkScanHandler,
 	)
+	r.RegisterESTHandlers(estHandler)

 	server := httptest.NewServer(r)
 	t.Cleanup(func() { server.Close() })