certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	8b75e0311b	chore: rename Go module path to github.com/certctl-io/certctl Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol sub-module's go.mod, every Go file's import path (361 files), and a rebuild of the checked-in f5-mock-icontrol binary so its embedded build-info reflects the new module path. No behavior change. Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A (keep module path declared as github.com/shankar0123/certctl regardless of repo URL) shipped on the day of the org transfer (2026-05-03) since we had no external Go consumers; this commit closes that deferral. Backward-compat: GitHub HTTP redirects continue to forward github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL level, but Go's module proxy uses the path declared in go.mod as the canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...` hit a "module path mismatch" error because go.mod said github.com/shankar0123/certctl and the URL they fetched it from said certctl-io/certctl. Post-fix, the canonical name and the URL agree, so go get / go install / external Go consumers / Go-tooling integrations work cleanly via either the new path (preferred) or the old path (which redirects and Go follows the redirect for source fetch). Anyone still importing the old path inside their own code keeps working provided they update their go.mod's `require` line to match — the module path declared in their consumer's go.sum / go.mod is the authoritative import name, so a mass sed across their import statements is the migration on the consumer side. No external consumers exist today. Diff shape: 361 *.go files — import path replacement only 2 go.mod — module declaration replacement only 1 binary — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt so embedded build-info reflects the new path (8618965 vs 8618933 bytes; 32-byte diff is the build-info change) Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure mechanical substitution. Verification: gofmt: 17 files needed re-alignment after sed (the new path is one char shorter than the old, so column-aligned import groups drifted). Applied `gofmt -w` to fix. go mod tidy: clean exit on both modules. go vet ./...: clean exit. go build ./...: clean exit. go test -short -count=1 on representative packages: all green (internal/domain, internal/validation, internal/crypto, internal/crypto/signer, cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...` confirming the module path resolves correctly. binary: f5-mock-icontrol rebuilt; `strings \| grep shankar0123` returns nothing; `strings \| grep certctl-io/certctl` shows the new module path embedded in build-info. Files intentionally NOT touched in this commit: README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io URLs in commit `0729ee4` (the post-transfer URL refresh). This commit is purely the Go-tooling layer. Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account namespace, not a Go import or GitHub repo URL. Stays. This is a non-blocking, non-customer-impacting change. Operators pulling container images, running `make verify`, hitting the API, or installing the agent see no functional difference. Only Go-tooling consumers (none today) are affected, and they're enabled — not broken — by this commit.	2026-05-04 00:30:29 +00:00
shankar0123	7b40361bc4	lint(scep): fix CI lint failures in Phase 3 commit (`b540d44`) Three lint issues from golangci-lint that didn't fire locally because I ran 'go vet' but not 'staticcheck' before commit (the recent crypto/signer QF1008 incident pattern repeating — must run staticcheck before committing per CLAUDE.md::pre-commit-verification-gate; landing this fixup, then will run staticcheck on every future SCEP-bundle commit). internal/pkcs7/envelopeddata.go:78 * ST1022: 'comment on exported var ErrEnvelopedDataDecrypt should be of the form "ErrEnvelopedDataDecrypt ..."' — staticcheck enforces the Go-doc convention that var/const docs start with the symbol name. Renamed the leading 'Sentinel decryption error.' to 'ErrEnvelopedDataDecrypt is the sentinel decryption error.' internal/pkcs7/certrep_test.go:246-247 * U1000: 'func nowMinus1Hour is unused' / 'func nowPlus30Days is unused' — left-over helpers from a previous draft of selfSignedCertPEM that inlined the time math. Removed both. Verified with — clean. Tests still green (handler 79.0% / service 73.2% / pkcs7 80.5%). Restores green CI on the lint job for the Phase 3 push.	2026-04-29 12:50:46 +00:00
shankar0123	b540d4421e	feat(scep): CertRep PKIMessage response builder (RFC 8894 §3.3.2) SCEP RFC 8894 + Intune master bundle — Phase 3 of 14. Implements the SCEP CertRep response builder + wires it into the handler's RFC 8894 path. After this commit, certctl emits proper CertRep PKIMessage responses (signed by the RA key, with EnvelopedData encrypting the issued cert chain to the device's transient signing cert) for both success and failure outcomes — RFC 8894 §3.3 mandates a PKIMessage response on every PKIOperation request, including failure cases that carry pkiStatus=2 + failInfo. internal/pkcs7/certrep.go (new, ~370 LoC) * BuildCertRepPKIMessage: assembles the full ContentInfo → SignedData → {certs, signerInfo, encapContent} structure per RFC 8894 §3.3.2 + RFC 5652 §5+§6. * Success path: encrypts the issued cert chain (PKCS#7 certs-only) INSIDE an EnvelopedData targeting req.SignerCert (the device's transient cert, NOT the RA cert — response goes back to the device encrypted with its public key). AES-256-CBC + random 16-byte IV + PKCS#7 padding + RSA PKCS#1v1.5 keyTrans. * Failure path: encapContent is empty (no EnvelopedData); the failInfo auth-attr is populated. * Pending path: encapContent is empty; client polls via GetCertInitial. * Auth-attr ordering matches micromdm/scep for byte-level wire-format diffing (DER SET-OF normalises order anyway, but matching the reference implementation makes audit + manual inspection easier). * senderNonce is freshly generated from crypto/rand on every call. * RA key signs the canonical SET OF Attribute re-serialisation (RFC 5652 §5.4 quirk every CMS implementation hits — wire form is [0] IMPLICIT but the signature is computed over EXPLICIT SET OF). * Helper functions: buildCertRepAuthAttrs, buildSignerInfoCertRep, signCertRep, buildEncapContentInfo, buildEnvelopedDataAES256, all constructed via this package's existing ASN1Wrap primitives (avoids asn1.Marshal nuances with nested RawValues — same pattern Phase 2 settled on). internal/pkcs7/signedinfo.go (1-line tweak) * ParseSignedData no longer refuses when SignerInfos is empty. The degenerate certs-only SignedData form (RFC 8894 §3.5.1 GetCACert response, RFC 7030 EST cacerts, AND now the encrypted certs-only inner content of the CertRep EnvelopedData) is structurally valid with zero signers. Caller decides whether the lack of signers is an error in their context. internal/pkcs7/certrep_test.go (new, ~230 LoC) * TestBuildCertRepPKIMessage_Success_RoundTrip — full pipeline round-trip: build → ParseSignedData → VerifySignature → auth-attr extractors → ParseEnvelopedData(encapContent) → Decrypt with device key → ParseSignedData(innerCertsOnly) → assert issued cert CN. Catches drift between the build-side encoding and the parse-side decoding. * TestBuildCertRepPKIMessage_Failure_NoEncapContent — pkiStatus=2 + failInfo populated; encapContent empty. * TestBuildCertRepPKIMessage_FreshSenderNonceEachCall — pins the 'never reuse senderNonce' invariant from RFC 8894 §3.2.1.4.5 (replay defense). * TestBuildCertRepPKIMessage_RejectsNonRSADeviceCert — pins the RSA-only requirement on the device's transient cert (KTRI requires RSA pubkey for keyTrans encryption). * TestBuildCertRepPKIMessage_NilArgs_Refuses. internal/pkcs7/certrep_fuzz_test.go (new, ~150 LoC) * FuzzBuildCertRepPKIMessage — varies transactionID + senderNonce + signerCert; asserts no panic. When build succeeds for the success path, asserts round-trip soundness (output parses back via ParseSignedData). 6s seed-corpus run hit no panics. internal/api/handler/scep.go * pkiOperation now emits writeCertRepPKIMessage for the RFC 8894 path (both success AND failure). MVP path keeps writeSCEPResponse for backward compat with lightweight clients. * tryParseRFC8894 extended to extract the RFC 2985 §5.4.1 challengePassword attribute from the recovered CSR, so the service-layer's challenge-password gate can run on the RFC 8894 path the same way it does on the MVP path. Returns (envelope, csrPEM, challengePassword, ok) — was 3-tuple before. * extractChallengePasswordFromCSR helper mirrors the MVP path's extractCSRFields logic; same staticcheck SA1019 carve-out for the deprecated csr.Attributes API (RFC 2985 challengePassword has no non-deprecated stdlib API per the M-028 audit closure). * writeCertRepPKIMessage helper wraps pkcs7.BuildCertRepPKIMessage; on build failure (programmer/config bug) returns HTTP 500 rather than try a fallback PKIMessage that might re-trigger the same bug. Verification: * gofmt + go vet clean across pkcs7 / api/handler. * go test -short -count=1 green across pkcs7 / api/handler / api/router / service / cmd/server. * Coverage: pkcs7 80.5% (was 78.4% before Phase 3). Handler/service held steady. * Fuzz seed-corpus (6s): FuzzBuildCertRepPKIMessage — no panic; round-trip soundness invariant held for every successful build. Phase 3 of 14 in SCEP RFC 8894 + Intune master bundle. Living progress at cowork/scep-rfc8894-intune/progress.md.	2026-04-29 12:46:30 +00:00

shankar0123

8b75e0311b

chore: rename Go module path to github.com/certctl-io/certctl

Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol
sub-module's go.mod, every Go file's import path (361 files), and a rebuild of
the checked-in f5-mock-icontrol binary so its embedded build-info reflects the
new module path. No behavior change.

Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A
(keep module path declared as github.com/shankar0123/certctl regardless of
repo URL) shipped on the day of the org transfer (2026-05-03) since we had no
external Go consumers; this commit closes that deferral.

Backward-compat: GitHub HTTP redirects continue to forward
github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL
level, but Go's module proxy uses the path declared in go.mod as the
canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...`
hit a "module path mismatch" error because go.mod said
github.com/shankar0123/certctl and the URL they fetched it from said
certctl-io/certctl. Post-fix, the canonical name and the URL agree, so
go get / go install / external Go consumers / Go-tooling integrations
work cleanly via either the new path (preferred) or the old path (which
redirects and Go follows the redirect for source fetch).

Anyone still importing the old path inside their own code keeps working
provided they update their go.mod's `require` line to match — the module
path declared in their consumer's go.sum / go.mod is the authoritative
import name, so a mass sed across their import statements is the migration
on the consumer side. No external consumers exist today.

Diff shape:
  361 *.go files  — import path replacement only
    2 go.mod     — module declaration replacement only
    1 binary     — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt
                   so embedded build-info reflects the new path (8618965 vs
                   8618933 bytes; 32-byte diff is the build-info change)

  Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure
  mechanical substitution.

Verification:
  gofmt: 17 files needed re-alignment after sed (the new path is one char
    shorter than the old, so column-aligned import groups drifted). Applied
    `gofmt -w` to fix.
  go mod tidy: clean exit on both modules.
  go vet ./...: clean exit.
  go build ./...: clean exit.
  go test -short -count=1 on representative packages: all green
    (internal/domain, internal/validation, internal/crypto, internal/crypto/signer,
    cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...`
    confirming the module path resolves correctly.
  binary: f5-mock-icontrol rebuilt; `strings | grep shankar0123` returns
    nothing; `strings | grep certctl-io/certctl` shows the new module path
    embedded in build-info.

Files intentionally NOT touched in this commit:
  README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io
    URLs in commit 0729ee4 (the post-transfer URL refresh). This commit is
    purely the Go-tooling layer.
  Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account
    namespace, not a Go import or GitHub repo URL. Stays.

This is a non-blocking, non-customer-impacting change. Operators pulling
container images, running `make verify`, hitting the API, or installing the
agent see no functional difference. Only Go-tooling consumers (none today)
are affected, and they're enabled — not broken — by this commit.

2026-05-04 00:30:29 +00:00

shankar0123

7b40361bc4

lint(scep): fix CI lint failures in Phase 3 commit (b540d44)

Three lint issues from golangci-lint that didn't fire locally because I
ran 'go vet' but not 'staticcheck' before commit (the recent crypto/signer
QF1008 incident pattern repeating — must run staticcheck before
committing per CLAUDE.md::pre-commit-verification-gate; landing this
fixup, then will run staticcheck on every future SCEP-bundle commit).

internal/pkcs7/envelopeddata.go:78
  * ST1022: 'comment on exported var ErrEnvelopedDataDecrypt should be of
    the form "ErrEnvelopedDataDecrypt ..."' — staticcheck enforces the
    Go-doc convention that var/const docs start with the symbol name.
    Renamed the leading 'Sentinel decryption error.' to
    'ErrEnvelopedDataDecrypt is the sentinel decryption error.'

internal/pkcs7/certrep_test.go:246-247
  * U1000: 'func nowMinus1Hour is unused' / 'func nowPlus30Days is unused'
    — left-over helpers from a previous draft of selfSignedCertPEM that
    inlined the time math. Removed both.

Verified with  — clean. Tests still
green (handler 79.0% / service 73.2% / pkcs7 80.5%).

Restores green CI on the lint job for the Phase 3 push.

2026-04-29 12:50:46 +00:00

shankar0123

b540d4421e

feat(scep): CertRep PKIMessage response builder (RFC 8894 §3.3.2)

SCEP RFC 8894 + Intune master bundle — Phase 3 of 14.

Implements the SCEP CertRep response builder + wires it into the handler's
RFC 8894 path. After this commit, certctl emits proper CertRep PKIMessage
responses (signed by the RA key, with EnvelopedData encrypting the issued
cert chain to the device's transient signing cert) for both success and
failure outcomes — RFC 8894 §3.3 mandates a PKIMessage response on every
PKIOperation request, including failure cases that carry pkiStatus=2 +
failInfo.

internal/pkcs7/certrep.go (new, ~370 LoC)
  * BuildCertRepPKIMessage: assembles the full ContentInfo → SignedData →
    {certs, signerInfo, encapContent} structure per RFC 8894 §3.3.2 +
    RFC 5652 §5+§6.
  * Success path: encrypts the issued cert chain (PKCS#7 certs-only)
    INSIDE an EnvelopedData targeting req.SignerCert (the device's
    transient cert, NOT the RA cert — response goes back to the device
    encrypted with its public key). AES-256-CBC + random 16-byte IV +
    PKCS#7 padding + RSA PKCS#1v1.5 keyTrans.
  * Failure path: encapContent is empty (no EnvelopedData); the failInfo
    auth-attr is populated.
  * Pending path: encapContent is empty; client polls via GetCertInitial.
  * Auth-attr ordering matches micromdm/scep for byte-level wire-format
    diffing (DER SET-OF normalises order anyway, but matching the
    reference implementation makes audit + manual inspection easier).
  * senderNonce is freshly generated from crypto/rand on every call.
  * RA key signs the canonical SET OF Attribute re-serialisation (RFC
    5652 §5.4 quirk every CMS implementation hits — wire form is [0]
    IMPLICIT but the signature is computed over EXPLICIT SET OF).
  * Helper functions: buildCertRepAuthAttrs, buildSignerInfoCertRep,
    signCertRep, buildEncapContentInfo, buildEnvelopedDataAES256, all
    constructed via this package's existing ASN1Wrap primitives (avoids
    asn1.Marshal nuances with nested RawValues — same pattern Phase 2
    settled on).

internal/pkcs7/signedinfo.go (1-line tweak)
  * ParseSignedData no longer refuses when SignerInfos is empty. The
    degenerate certs-only SignedData form (RFC 8894 §3.5.1 GetCACert
    response, RFC 7030 EST cacerts, AND now the encrypted certs-only
    inner content of the CertRep EnvelopedData) is structurally valid
    with zero signers. Caller decides whether the lack of signers is
    an error in their context.

internal/pkcs7/certrep_test.go (new, ~230 LoC)
  * TestBuildCertRepPKIMessage_Success_RoundTrip — full pipeline
    round-trip: build → ParseSignedData → VerifySignature → auth-attr
    extractors → ParseEnvelopedData(encapContent) → Decrypt with device
    key → ParseSignedData(innerCertsOnly) → assert issued cert CN.
    Catches drift between the build-side encoding and the parse-side
    decoding.
  * TestBuildCertRepPKIMessage_Failure_NoEncapContent — pkiStatus=2 +
    failInfo populated; encapContent empty.
  * TestBuildCertRepPKIMessage_FreshSenderNonceEachCall — pins the
    'never reuse senderNonce' invariant from RFC 8894 §3.2.1.4.5
    (replay defense).
  * TestBuildCertRepPKIMessage_RejectsNonRSADeviceCert — pins the
    RSA-only requirement on the device's transient cert (KTRI requires
    RSA pubkey for keyTrans encryption).
  * TestBuildCertRepPKIMessage_NilArgs_Refuses.

internal/pkcs7/certrep_fuzz_test.go (new, ~150 LoC)
  * FuzzBuildCertRepPKIMessage — varies transactionID + senderNonce +
    signerCert; asserts no panic. When build succeeds for the success
    path, asserts round-trip soundness (output parses back via
    ParseSignedData). 6s seed-corpus run hit no panics.

internal/api/handler/scep.go
  * pkiOperation now emits writeCertRepPKIMessage for the RFC 8894
    path (both success AND failure). MVP path keeps writeSCEPResponse
    for backward compat with lightweight clients.
  * tryParseRFC8894 extended to extract the RFC 2985 §5.4.1
    challengePassword attribute from the recovered CSR, so the
    service-layer's challenge-password gate can run on the RFC 8894
    path the same way it does on the MVP path. Returns
    (envelope, csrPEM, challengePassword, ok) — was 3-tuple before.
  * extractChallengePasswordFromCSR helper mirrors the MVP path's
    extractCSRFields logic; same staticcheck SA1019 carve-out for
    the deprecated csr.Attributes API (RFC 2985 challengePassword
    has no non-deprecated stdlib API per the M-028 audit closure).
  * writeCertRepPKIMessage helper wraps pkcs7.BuildCertRepPKIMessage;
    on build failure (programmer/config bug) returns HTTP 500 rather
    than try a fallback PKIMessage that might re-trigger the same bug.

Verification:
  * gofmt + go vet clean across pkcs7 / api/handler.
  * go test -short -count=1 green across pkcs7 / api/handler /
    api/router / service / cmd/server.
  * Coverage: pkcs7 80.5% (was 78.4% before Phase 3). Handler/service
    held steady.
  * Fuzz seed-corpus (6s): FuzzBuildCertRepPKIMessage — no panic;
    round-trip soundness invariant held for every successful build.

Phase 3 of 14 in SCEP RFC 8894 + Intune master bundle.
Living progress at cowork/scep-rfc8894-intune/progress.md.

2026-04-29 12:46:30 +00:00

3 Commits