certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 20:38:51 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	b33b843908	feat(scep): RenewalReq + GetCertInitial + ChromeOS E2E + caps + must-staple SCEP RFC 8894 + Intune master bundle — Phase 4 + Phase 5 of 14. Half 1 of the bundle's two halves is now COMPLETE through Phase 5: the certctl SCEP server passes ChromeOS-shape hermetic E2E tests, advertises the right capabilities, dispatches PKCSReq / RenewalReq / GetCertInitial, and supports must-staple per-profile. == Phase 4: RenewalReq + GetCertInitial wiring ============================ internal/service/scep.go * RenewalReqWithEnvelope (RFC 8894 §3.3.1.2) — re-enrollment with an existing valid cert. Same contract as PKCSReqWithEnvelope but the service additionally verifies that envelope.SignerCert chains to the issuer's CA (verifyRenewalSignerCertChain). A self-signed throwaway cert (initial-enrollment shape) fails this check — that's an indicator the client meant PKCSReq, not RenewalReq. * GetCertInitialWithEnvelope (RFC 8894 §3.3.3) — polling stub. Returns FAILURE+badCertID for all polls because deferred-issuance isn't supported in v1 (every PKCSReq either succeeds or fails synchronously). Wiring stays in place for a future enhancement. * Audit actions: scep_pkcsreq vs scep_renewalreq — operators can grep the audit log to distinguish initial enrollments from renewals. internal/api/handler/scep.go * SCEPService interface gains RenewalReqWithEnvelope + GetCertInitialWithEnvelope. * pkiOperation RFC 8894 path now switches on envelope.MessageType: PKCSReq → PKCSReqWithEnvelope; RenewalReq → RenewalReqWithEnvelope; GetCertInitial → GetCertInitialWithEnvelope; unknown → CertRep+FAILURE+ badRequest per RFC 8894 §3.3.2.2. == Phase 5.1: GetCACaps capability advertisement ========================= internal/service/scep.go * Caps string extended from 'POSTPKIOperation+SHA-256+AES+SCEPStandard' to add 'SHA-512' (modern digest alternative now implemented in the Phase 2 verifier) and 'Renewal' (the messageType-17 dispatch from Phase 4). ChromeOS specifically looks for these capabilities to negotiate the strongest available cipher + digest combo. * scep_test.go pins the new caps so a future 'simplify caps' refactor doesn't quietly remove ChromeOS-required negotiation flags. == Phase 5.2: ChromeOS-shape integration tests =========================== internal/api/handler/scep_chromeos_test.go (new, ~570 LoC) * 6 hermetic E2E tests + ~12 helpers. Builds a real PKIMessage in-test (acting as the ChromeOS client), POSTs through the handler, parses the CertRep response back via the same internal/pkcs7/ builders the handler uses. * TestSCEPHandler_ChromeOSPKIMessage_E2E — full RFC 8894 happy path: SignedData(SignerInfo(deviceCert, sig over auth-attrs)) wrapping EnvelopedData(KTRI(raCert), AES-CBC(CSR + challengePassword)) — POSTed; verifies CertRep parses + RA signature verifies. * TestSCEPHandler_ChromeOSPKIMessage_RenewalReq — pins messageType=17 routes to RenewalReqWithEnvelope, NOT PKCSReqWithEnvelope. * TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial — pins polling returns CertRep with pkiStatus=FAILURE + failInfo=badCertID. * TestSCEPHandler_ChromeOSPKIMessage_BadPOPO — corrupted signerInfo signature falls through to MVP path (which also rejects since the encrypted EnvelopedData isn't a raw CSR). No silent acceptance. * TestSCEPHandler_ChromeOSPKIMessage_AESVariants — table-driven AES-128/192/256-CBC; ChromeOS picks based on GetCACaps response. * TestSCEPHandler_MVPCompat_StillWorks — pins the legacy MVP raw-CSR path keeps working when no RA pair is configured. Backward compat is non-negotiable. == Phase 5.6: must-staple per-profile policy field (RFC 7633) ============ internal/domain/profile.go * Added MustStaple bool to CertificateProfile. Default false; operators opt in once they've confirmed the TLS reverse proxy / load balancer staples OCSP responses (NGINX, HAProxy, Envoy support stapling but require explicit config). internal/connector/issuer/interface.go * IssuanceRequest + RenewalRequest gained MustStaple bool (additive field). Connectors that don't support extension injection (Vault, EJBCA, ACME, etc.) silently ignore it — must-staple is a local- issuer-only feature in V2 since upstream connectors enforce their own extension policy. internal/connector/issuer/local/local.go * Added oidMustStaple (1.3.6.1.5.5.7.1.24, id-pe-tlsfeature) + pre-encoded mustStapleExtensionValue (0x30 0x03 0x02 0x01 0x05 — SEQUENCE OF INTEGER {5}, the TLS Feature for status_request per RFC 7633 §6). * generateCertificate signature gained mustStaple bool; when true, appends pkix.Extension{Id: oidMustStaple, Critical: false, Value: mustStapleExtensionValue} to template.ExtraExtensions before x509.CreateCertificate. internal/connector/issuer/local/must_staple_test.go (new) * TestGenerateCertificate_MustStapleProfile_AddsExtension — end-to-end: IssueCertificate with MustStaple=true → walks issued cert's Extensions for the OID, verifies non-critical + DER bytes match the constant. * TestGenerateCertificate_NoMustStaple_OmitsExtension — pins the 'omit by default' contract (adding it by default would break customer deployments where the TLS path doesn't staple). * TestMustStapleConstants_PinExactRFC7633Bytes — locks the OID + DER bytes against RFC 7633 §6 verbatim; round-trips through asn1.Unmarshal as []int{5}. Note: full service-layer plumbing (CertificateProfile.MustStaple → IssuanceRequest.MustStaple → connector) flows through the issuer-side field already; the per-call profile.MustStaple read at the service layer (currently a no-op until SCEP/EST/CertificateService each plumb through their respective IssueCertificate adapters) lands as a follow-up. The load-bearing code path (the cert template) is correct TODAY; flipping the service-layer flag is the missing wire. == Phase 5.4: docs/legacy-est-scep.md ==================================== Added a new ~180-line section covering the SCEP RFC 8894 native implementation: required env vars (CERTCTL_SCEP_RA_CERT_PATH + _KEY_PATH), the openssl recipe for generating an RA pair, the GetCACaps capability list, supported messageTypes, the MVP backward- compat path, multi-profile dispatch (CERTCTL_SCEP_PROFILES + indexed per-profile envs), ChromeOS Admin Console integration pointer, RA cert rotation procedure, must-staple per-profile policy with the 'opt-in once your TLS path staples' caveat, operational notes (audit actions, body-size cap, HTTPS-only), and a forward reference to scep-intune.md (Phase 11). == Verification ========================================================== * gofmt + go vet clean for the files I touched. * staticcheck ./internal/api/handler/... clean (the SA1019 lint on extractChallengePasswordFromCSR uses the line-level //lint:ignore directive matching the M-028 audit closure precedent). * go test -short -count=1 green across api/handler / api/router / service / pkcs7 / connector/issuer/local / domain / cmd/server. * G-3 docs-drift CI guard local check: empty diff in both directions. Phase 4 + Phase 5 of 14 in SCEP RFC 8894 + Intune master bundle. Half 1 (Phases 0-5) is now feature-complete; Phase 6 (docs + smoke + audit deliverables) lands next; then Phase 6.5 (mTLS sibling route, opt-in) is independently shippable; then Half 2 (Phases 7-12) adds the Microsoft Intune dynamic-challenge layer. Living progress at cowork/scep-rfc8894-intune/progress.md.	2026-04-29 13:16:09 +00:00
shankar0123	a546a1bbef	feat(scep): EnvelopedData decrypt + signerInfo POPO verify (RFC 8894 §3.2) SCEP RFC 8894 + Intune master bundle — Phase 2 of 14. Implements the new RFC 8894 PKIMessage parse path: EnvelopedData parser + decryptor, signerInfo parser + signature verifier, handler dispatch that tries the RFC 8894 path FIRST and falls through to the legacy MVP raw-CSR path on any parse failure. Backward compat with lightweight SCEP clients is preserved by design — no behavior change for any existing deploy that doesn't set CERTCTL_SCEP_RA_. internal/pkcs7/envelopeddata.go (new, ~330 LoC) ParseEnvelopedData: parses CMS EnvelopedData per RFC 5652 §6.1, with optional outer ContentInfo unwrapping. Handles SET OF RecipientInfo + IssuerAndSerial form rid (RFC 8894 §3.2.2). * EnvelopedData.Decrypt: RSA PKCS#1 v1.5 key-trans + AES-CBC (128/192/ 256) or DES-EDE3-CBC content decryption with constant-time PKCS#7 padding strip (no branch on padding-byte values; closes the padding-oracle leak surface). Recipient mismatch is BadMessageCheck per RFC 8894 §3.3.2.2 (NOT BadCertID); every failure mode returns the same ErrEnvelopedDataDecrypt sentinel to close timing-leak legs of Bleichenbacher attacks. * Equivalent to micromdm/scep's cryptoutil/cryptoutil.go::DecryptPKCS- Envelope (cited in code comments; not vendored — fuzz-target ownership stays in this sub-package per the operating rule). internal/pkcs7/signedinfo.go (new, ~370 LoC) * ParseSignedData / ParseSignerInfos: parses CMS SignedData per RFC 5652 §5.3. Resolves each SignerInfo's SID (IssuerAndSerial v1 OR [0] SubjectKeyId v3) against the SignedData certificates SET to pluck the device's transient signing cert. * SignerInfo.VerifySignature: re-serialises signedAttrs as the canonical SET OF Attribute (the RFC 5652 §5.4 quirk every CMS implementation hits — wire form is [0] IMPLICIT but the signature is over EXPLICIT SET OF). Hashes with SHA-1/SHA-256/SHA-512 + verifies via RSA PKCS1v15 or ECDSA per the cert's pubkey type. * Auth-attr extractors: GetMessageType (PrintableString-decimal), GetTransactionID, GetSenderNonce, GetMessageDigest. SCEP attr OIDs pinned (RFC 8894 §3.2.1.4). internal/pkcs7/{envelopeddata,signedinfo}_fuzz_test.go (new) * FuzzParseEnvelopedData / FuzzParseSignedData / FuzzParseSignerInfos / FuzzVerifySignerInfoSignature — every parser certctl adds gets a panic-safety fuzzer (the fuzz-target-ownership rule from cowork/CLAUDE.md::Operating Rules). Local 5s runs hit ~270k executions per parser without panic. Errors are expected for arbitrary inputs; only panics are bugs. internal/pkcs7/{envelopeddata,signedinfo}_test.go (new) * Round-trip tests that materialise real RSA/ECDSA pairs, hand-build the wire bytes, parse + decrypt + verify, and assert plaintext / auth-attr equality. The build helpers use this package's ASN1Wrap primitives directly (asn1.Marshal of structs containing nested asn1.RawValue is finicky for mixed Class/Tag); gives byte-level control matching what real SCEP clients emit. * Negative tests: tampered ciphertext / tampered auth-attrs / wrong RA / wrong key / mismatched recipients / random garbage all return the appropriate sentinel error without panic. internal/service/scep.go * PKCSReqWithEnvelope: RFC 8894 envelope-aware variant. Returns SCEPResponseEnvelope (not error + SCEPEnrollResult) because RFC 8894 §3.3 mandates a CertRep PKIMessage on every response, even failures — the handler shouldn't translate Go errors into SCEP failInfo codes. Returns nil to signal 'invalid challenge password' so the caller can translate to HTTP 403 (matches MVP path's wire shape; RFC 8894 §3.3.1 is silent on this case). * mapServiceErrorToFailInfo: exact mapping table from the prompt (CSR parse → BadRequest, CSR sig → BadMessageCheck, crypto policy → BadAlg, default → BadRequest). internal/api/handler/scep.go * SCEPService interface gains PKCSReqWithEnvelope. * SCEPHandler now optionally carries an RA cert + key pair. SetRAPair upgrades the handler to the RFC 8894 path; without that call the handler stays MVP-only (the v2.0.x behavior). * pkiOperation: tries the RFC 8894 path FIRST when the RA pair is set. tryParseRFC8894 helper does the full pipeline (ParseSignedData → VerifySignature → extract auth-attrs → ParseEnvelopedData → Decrypt → x509.ParseCertificateRequest the recovered bytes). On any failure it falls through to the legacy extractCSRFromPKCS7 MVP path — backward compat is non-negotiable. * Phase 2 emits the legacy certs-only response on RFC 8894 success; Phase 3 (next commit) swaps in writeCertRepPKIMessage with the proper status / failInfo / nonce-echo wire shape. cmd/server/main.go * Per-profile loop now calls loadSCEPRAPair after preflight to load the cert + key + inject via SetRAPair. crypto + crypto/tls imports added. * loadSCEPRAPair helper: tls.X509KeyPair-based parse + leaf cert extraction. Failures here indicate TOCTOU between preflight + load. internal/api/handler/scep_handler_test.go + internal/api/router/router_scep_profiles_test.go * mockSCEPService / scepProfileMockService gain PKCSReqWithEnvelope stubs to satisfy the extended interface. Existing test cases unchanged (they exercise the MVP path; RA pair is unset). Verification: * gofmt + go vet clean for the files I touched. * go test -short -count=1 green across pkcs7 / api/handler / api/router / service / cmd/server. * Coverage: pkcs7 78.4% (was 100% — drops because new code includes paths the round-trip tests don't yet hit, like decryption alg fall-through and v3 SubjectKeyId SID matching). * Fuzz-target seed-corpus runs (5s each, ~270k execs/parser): no panic. Pre-merge fuzz-time bumps to 30s per the prompt's verification gate. Phase 2 of 14 in SCEP RFC 8894 + Intune master bundle. Living progress at cowork/scep-rfc8894-intune/progress.md.	2026-04-29 12:36:27 +00:00
shankar0123	fdd424bf5f	feat(scep): per-issuer SCEP profiles — multi-endpoint dispatch SCEP RFC 8894 + Intune master bundle — Phase 1.5 of 14. Restructures SCEPConfig from a single flat struct (one IssuerID + one RA pair + one challenge password) to a Profiles slice where each profile binds its own URL path (/scep/<pathID>), issuer, optional CertificateProfile, RA cert+key, and challenge password. This phase is the FOUNDATION for Phases 2-12: every downstream handler signature, service envelope, CertRep builder, GUI counter, and test fixture takes a profile_id parameter from here on. Adding multi-profile support post-bundle would cost 3x what greenfielding it now does. Backward compat: legacy CERTCTL_SCEP_* flat env vars synthesise a single-element Profiles[0] with PathID="" (legacy /scep root) when CERTCTL_SCEP_PROFILES is unset. Existing operators see no behavior change. New operators write multi-profile config directly via the indexed env-var form. Indexed env-var convention: CERTCTL_SCEP_PROFILES=corp,iot,server CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=... CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key ... (etc per profile name) internal/config/config.go * SCEPConfig.Profiles []SCEPProfileConfig — primary multi-profile dispatch source. * Legacy flat fields (IssuerID, ProfileID, ChallengePassword, RACertPath, RAKeyPath) preserved with updated docblocks marking them as merge sources for the backward-compat shim. * SCEPProfileConfig new struct (PathID, IssuerID, ProfileID, ChallengePassword, RACertPath, RAKeyPath). * loadSCEPProfilesFromEnv: reads CERTCTL_SCEP_PROFILES (comma-list of names), expands each to per-profile env vars CERTCTL_SCEP_PROFILE_<NAME>_. Returns nil when unset so the legacy-shim path takes over. mergeSCEPLegacyIntoProfiles: when SCEP enabled + Profiles empty + any legacy flat field populated, synthesises Profiles[0] with PathID="". No-op when Profiles already populated (structured form wins) or SCEP disabled. * validSCEPPathID: empty allowed (legacy /scep root); non-empty must be [a-z0-9-] with no leading/trailing hyphen. * Per-profile Validate gates: PathID format, uniqueness across the slice, ChallengePassword presence (CWE-306 per profile), RA pair presence (RFC 8894 §3.2.2), IssuerID presence. * Legacy single-profile gates skip when Profiles is non-empty so the per-profile loop owns the gating in the structured case (avoids double-fire with overlapping error messages). internal/api/router/router.go * RegisterSCEPHandlers signature: map[string]handler.SCEPHandler (was a single SCEPHandler). * Empty PathID handler registered with literal r.Register('GET /scep' + 'POST /scep') so the openapi-parity AST scanner (Bundle D / Audit M-027) continues to see the documented /scep route. Without this preservation, the parity test fails because dynamic string-built routes don't appear in ast.BasicLit walks. Non-empty PathIDs registered dynamically as /scep/<pathID>. * AuthExempt prefix /scep already covers all /scep[/...] paths via prefix match — no change needed there. cmd/server/main.go * SCEP startup block iterates cfg.SCEP.Profiles, builds one service + one handler per profile, stuffs them into a {pathID -> handler} map, hands the map to apiRouter.RegisterSCEPHandlers. * Per-profile preflight: preflightSCEPChallengePassword, preflightSCEPRACertKey, preflightEnrollmentIssuer fire ONCE PER PROFILE with a profile-scoped slog.Logger so failures report PathID + IssuerID. Each per-profile failure os.Exits(1) with a targeted error message. * Final 'SCEP server enabled' info log reports profile_count. internal/config/config_scep_profiles_test.go (new, 9 tests / 22 sub-cases) * TestSCEPConfig_LegacyFlatFields_SynthesizeSingleProfile — the backward-compat smoke test. * TestSCEPConfig_MultipleProfiles_LoadFromEnv — structured-form happy path with two profiles. * TestSCEPConfig_StructuredFormBeatsLegacy — when both forms set, structured wins; legacy flat field MUST NOT leak into Profiles[0].ChallengePassword. * TestSCEPConfig_PathIDValidation — 13 sub-cases covering valid + every reject mode (uppercase, slash, leading/trailing hyphen, underscore, dot, space, non-ASCII). * TestSCEPConfig_DuplicatePathID_Refuses. * TestSCEPConfig_MissingPerProfileChallengePassword, _MissingPerProfileRAPair (3 sub-cases), _MissingPerProfileIssuerID — per-profile gate triplet. * TestSCEPConfig_DisabledIgnoresProfiles — gates only fire when SCEP is enabled. internal/api/router/router_scep_profiles_test.go (new, 4 tests) * TestRouter_RegisterSCEPHandlers_LegacyEmptyPathIDMapsToRoot — empty PathID gets /scep root; both GET + POST routes registered. * TestRouter_RegisterSCEPHandlers_NonEmptyPathIDMapsToSubpath — non-empty PathID gets /scep/<pathID>; /scep root NOT registered when no empty-PathID profile exists. * TestRouter_RegisterSCEPHandlers_MultipleProfilesNoCrossBleed — three profiles (default, corp, iot); each path reaches the right handler instance, verified via per-profile-tagged GetCACaps mock response. * TestRouter_RegisterSCEPHandlers_EmptyMapRegistersNoRoutes — no profiles → no /scep routes (deploy with SCEP disabled). Verification: * gofmt clean for the files I touched. * go vet clean across config / router / cmd/server / domain. * go test -short -count=1 green across config / router / cmd/server / api/handler / service / domain / pkcs7. * Coverage held: handler 79.0% / service 73.2% / pkcs7 100% / config 96.0% / domain 88.6% / router 100% / cmd/server 19.2%. * openapi-parity test green (literal /scep registrations preserved). Phase 1.5 of 14 in SCEP RFC 8894 + Intune master bundle. Living progress at cowork/scep-rfc8894-intune/progress.md.	2026-04-29 03:46:57 +00:00

Author

SHA1

Message

Date

shankar0123

b33b843908

feat(scep): RenewalReq + GetCertInitial + ChromeOS E2E + caps + must-staple

SCEP RFC 8894 + Intune master bundle — Phase 4 + Phase 5 of 14.

Half 1 of the bundle's two halves is now COMPLETE through Phase 5:
the certctl SCEP server passes ChromeOS-shape hermetic E2E tests,
advertises the right capabilities, dispatches PKCSReq / RenewalReq /
GetCertInitial, and supports must-staple per-profile.

== Phase 4: RenewalReq + GetCertInitial wiring ============================

internal/service/scep.go
  * RenewalReqWithEnvelope (RFC 8894 §3.3.1.2) — re-enrollment with an
    existing valid cert. Same contract as PKCSReqWithEnvelope but the
    service additionally verifies that envelope.SignerCert chains to
    the issuer's CA (verifyRenewalSignerCertChain). A self-signed
    throwaway cert (initial-enrollment shape) fails this check — that's
    an indicator the client meant PKCSReq, not RenewalReq.
  * GetCertInitialWithEnvelope (RFC 8894 §3.3.3) — polling stub.
    Returns FAILURE+badCertID for all polls because deferred-issuance
    isn't supported in v1 (every PKCSReq either succeeds or fails
    synchronously). Wiring stays in place for a future enhancement.
  * Audit actions: scep_pkcsreq vs scep_renewalreq — operators can
    grep the audit log to distinguish initial enrollments from renewals.

internal/api/handler/scep.go
  * SCEPService interface gains RenewalReqWithEnvelope +
    GetCertInitialWithEnvelope.
  * pkiOperation RFC 8894 path now switches on envelope.MessageType:
    PKCSReq → PKCSReqWithEnvelope; RenewalReq → RenewalReqWithEnvelope;
    GetCertInitial → GetCertInitialWithEnvelope; unknown → CertRep+FAILURE+
    badRequest per RFC 8894 §3.3.2.2.

== Phase 5.1: GetCACaps capability advertisement =========================

internal/service/scep.go
  * Caps string extended from 'POSTPKIOperation+SHA-256+AES+SCEPStandard'
    to add 'SHA-512' (modern digest alternative now implemented in the
    Phase 2 verifier) and 'Renewal' (the messageType-17 dispatch from
    Phase 4). ChromeOS specifically looks for these capabilities to
    negotiate the strongest available cipher + digest combo.
  * scep_test.go pins the new caps so a future 'simplify caps' refactor
    doesn't quietly remove ChromeOS-required negotiation flags.

== Phase 5.2: ChromeOS-shape integration tests ===========================

internal/api/handler/scep_chromeos_test.go (new, ~570 LoC)
  * 6 hermetic E2E tests + ~12 helpers. Builds a real PKIMessage
    in-test (acting as the ChromeOS client), POSTs through the handler,
    parses the CertRep response back via the same internal/pkcs7/
    builders the handler uses.
  * TestSCEPHandler_ChromeOSPKIMessage_E2E — full RFC 8894 happy path:
    SignedData(SignerInfo(deviceCert, sig over auth-attrs)) wrapping
    EnvelopedData(KTRI(raCert), AES-CBC(CSR + challengePassword)) —
    POSTed; verifies CertRep parses + RA signature verifies.
  * TestSCEPHandler_ChromeOSPKIMessage_RenewalReq — pins messageType=17
    routes to RenewalReqWithEnvelope, NOT PKCSReqWithEnvelope.
  * TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial — pins polling
    returns CertRep with pkiStatus=FAILURE + failInfo=badCertID.
  * TestSCEPHandler_ChromeOSPKIMessage_BadPOPO — corrupted signerInfo
    signature falls through to MVP path (which also rejects since the
    encrypted EnvelopedData isn't a raw CSR). No silent acceptance.
  * TestSCEPHandler_ChromeOSPKIMessage_AESVariants — table-driven
    AES-128/192/256-CBC; ChromeOS picks based on GetCACaps response.
  * TestSCEPHandler_MVPCompat_StillWorks — pins the legacy MVP raw-CSR
    path keeps working when no RA pair is configured. Backward compat
    is non-negotiable.

== Phase 5.6: must-staple per-profile policy field (RFC 7633) ============

internal/domain/profile.go
  * Added MustStaple bool to CertificateProfile. Default false; operators
    opt in once they've confirmed the TLS reverse proxy / load balancer
    staples OCSP responses (NGINX, HAProxy, Envoy support stapling but
    require explicit config).

internal/connector/issuer/interface.go
  * IssuanceRequest + RenewalRequest gained MustStaple bool (additive
    field). Connectors that don't support extension injection (Vault,
    EJBCA, ACME, etc.) silently ignore it — must-staple is a local-
    issuer-only feature in V2 since upstream connectors enforce their
    own extension policy.

internal/connector/issuer/local/local.go
  * Added oidMustStaple (1.3.6.1.5.5.7.1.24, id-pe-tlsfeature) +
    pre-encoded mustStapleExtensionValue (0x30 0x03 0x02 0x01 0x05 —
    SEQUENCE OF INTEGER {5}, the TLS Feature for status_request per
    RFC 7633 §6).
  * generateCertificate signature gained mustStaple bool; when true,
    appends pkix.Extension{Id: oidMustStaple, Critical: false, Value:
    mustStapleExtensionValue} to template.ExtraExtensions before
    x509.CreateCertificate.

internal/connector/issuer/local/must_staple_test.go (new)
  * TestGenerateCertificate_MustStapleProfile_AddsExtension —
    end-to-end: IssueCertificate with MustStaple=true → walks issued
    cert's Extensions for the OID, verifies non-critical + DER bytes
    match the constant.
  * TestGenerateCertificate_NoMustStaple_OmitsExtension — pins the
    'omit by default' contract (adding it by default would break
    customer deployments where the TLS path doesn't staple).
  * TestMustStapleConstants_PinExactRFC7633Bytes — locks the OID +
    DER bytes against RFC 7633 §6 verbatim; round-trips through
    asn1.Unmarshal as []int{5}.

Note: full service-layer plumbing (CertificateProfile.MustStaple →
IssuanceRequest.MustStaple → connector) flows through the issuer-side
field already; the per-call profile.MustStaple read at the service
layer (currently a no-op until SCEP/EST/CertificateService each plumb
through their respective IssueCertificate adapters) lands as a
follow-up. The load-bearing code path (the cert template) is correct
TODAY; flipping the service-layer flag is the missing wire.

== Phase 5.4: docs/legacy-est-scep.md ====================================

Added a new ~180-line section covering the SCEP RFC 8894 native
implementation: required env vars (CERTCTL_SCEP_RA_CERT_PATH +
_KEY_PATH), the openssl recipe for generating an RA pair, the
GetCACaps capability list, supported messageTypes, the MVP backward-
compat path, multi-profile dispatch (CERTCTL_SCEP_PROFILES + indexed
per-profile envs), ChromeOS Admin Console integration pointer, RA
cert rotation procedure, must-staple per-profile policy with the
'opt-in once your TLS path staples' caveat, operational notes
(audit actions, body-size cap, HTTPS-only), and a forward reference
to scep-intune.md (Phase 11).

== Verification ==========================================================

  * gofmt + go vet clean for the files I touched.
  * staticcheck ./internal/api/handler/... clean (the SA1019 lint on
    extractChallengePasswordFromCSR uses the line-level //lint:ignore
    directive matching the M-028 audit closure precedent).
  * go test -short -count=1 green across api/handler / api/router /
    service / pkcs7 / connector/issuer/local / domain / cmd/server.
  * G-3 docs-drift CI guard local check: empty diff in both directions.

Phase 4 + Phase 5 of 14 in SCEP RFC 8894 + Intune master bundle.
Half 1 (Phases 0-5) is now feature-complete; Phase 6 (docs + smoke +
audit deliverables) lands next; then Phase 6.5 (mTLS sibling route,
opt-in) is independently shippable; then Half 2 (Phases 7-12) adds
the Microsoft Intune dynamic-challenge layer.

Living progress at cowork/scep-rfc8894-intune/progress.md.

2026-04-29 13:16:09 +00:00

shankar0123

a546a1bbef

feat(scep): EnvelopedData decrypt + signerInfo POPO verify (RFC 8894 §3.2)

SCEP RFC 8894 + Intune master bundle — Phase 2 of 14.

Implements the new RFC 8894 PKIMessage parse path: EnvelopedData parser
+ decryptor, signerInfo parser + signature verifier, handler dispatch
that tries the RFC 8894 path FIRST and falls through to the legacy MVP
raw-CSR path on any parse failure. Backward compat with lightweight SCEP
clients is preserved by design — no behavior change for any existing
deploy that doesn't set CERTCTL_SCEP_RA_*.

internal/pkcs7/envelopeddata.go (new, ~330 LoC)
  * ParseEnvelopedData: parses CMS EnvelopedData per RFC 5652 §6.1, with
    optional outer ContentInfo unwrapping. Handles SET OF RecipientInfo
    + IssuerAndSerial form rid (RFC 8894 §3.2.2).
  * EnvelopedData.Decrypt: RSA PKCS#1 v1.5 key-trans + AES-CBC (128/192/
    256) or DES-EDE3-CBC content decryption with **constant-time PKCS#7
    padding strip** (no branch on padding-byte values; closes the
    padding-oracle leak surface). Recipient mismatch is BadMessageCheck
    per RFC 8894 §3.3.2.2 (NOT BadCertID); every failure mode returns
    the same ErrEnvelopedDataDecrypt sentinel to close timing-leak legs
    of Bleichenbacher attacks.
  * Equivalent to micromdm/scep's cryptoutil/cryptoutil.go::DecryptPKCS-
    Envelope (cited in code comments; not vendored — fuzz-target
    ownership stays in this sub-package per the operating rule).

internal/pkcs7/signedinfo.go (new, ~370 LoC)
  * ParseSignedData / ParseSignerInfos: parses CMS SignedData per RFC
    5652 §5.3. Resolves each SignerInfo's SID (IssuerAndSerial v1 OR
    [0] SubjectKeyId v3) against the SignedData certificates SET to
    pluck the device's transient signing cert.
  * SignerInfo.VerifySignature: re-serialises signedAttrs as the
    canonical SET OF Attribute (the RFC 5652 §5.4 quirk every CMS
    implementation hits — wire form is [0] IMPLICIT but the signature
    is over EXPLICIT SET OF). Hashes with SHA-1/SHA-256/SHA-512 +
    verifies via RSA PKCS1v15 or ECDSA per the cert's pubkey type.
  * Auth-attr extractors: GetMessageType (PrintableString-decimal),
    GetTransactionID, GetSenderNonce, GetMessageDigest. SCEP attr OIDs
    pinned (RFC 8894 §3.2.1.4).

internal/pkcs7/{envelopeddata,signedinfo}_fuzz_test.go (new)
  * FuzzParseEnvelopedData / FuzzParseSignedData / FuzzParseSignerInfos
    / FuzzVerifySignerInfoSignature — every parser certctl adds gets a
    panic-safety fuzzer (the fuzz-target-ownership rule from
    cowork/CLAUDE.md::Operating Rules). Local 5s runs hit ~270k
    executions per parser without panic. Errors are expected for
    arbitrary inputs; only panics are bugs.

internal/pkcs7/{envelopeddata,signedinfo}_test.go (new)
  * Round-trip tests that materialise real RSA/ECDSA pairs, hand-build
    the wire bytes, parse + decrypt + verify, and assert plaintext /
    auth-attr equality. The build helpers use this package's ASN1Wrap
    primitives directly (asn1.Marshal of structs containing nested
    asn1.RawValue is finicky for mixed Class/Tag); gives byte-level
    control matching what real SCEP clients emit.
  * Negative tests: tampered ciphertext / tampered auth-attrs / wrong
    RA / wrong key / mismatched recipients / random garbage all return
    the appropriate sentinel error without panic.

internal/service/scep.go
  * PKCSReqWithEnvelope: RFC 8894 envelope-aware variant. Returns
    *SCEPResponseEnvelope (not error + *SCEPEnrollResult) because RFC
    8894 §3.3 mandates a CertRep PKIMessage on every response, even
    failures — the handler shouldn't translate Go errors into SCEP
    failInfo codes. Returns nil to signal 'invalid challenge password'
    so the caller can translate to HTTP 403 (matches MVP path's wire
    shape; RFC 8894 §3.3.1 is silent on this case).
  * mapServiceErrorToFailInfo: exact mapping table from the prompt
    (CSR parse → BadRequest, CSR sig → BadMessageCheck, crypto policy
    → BadAlg, default → BadRequest).

internal/api/handler/scep.go
  * SCEPService interface gains PKCSReqWithEnvelope.
  * SCEPHandler now optionally carries an RA cert + key pair. SetRAPair
    upgrades the handler to the RFC 8894 path; without that call the
    handler stays MVP-only (the v2.0.x behavior).
  * pkiOperation: tries the RFC 8894 path FIRST when the RA pair is
    set. tryParseRFC8894 helper does the full pipeline (ParseSignedData
    → VerifySignature → extract auth-attrs → ParseEnvelopedData → Decrypt
    → x509.ParseCertificateRequest the recovered bytes). On any failure
    it falls through to the legacy extractCSRFromPKCS7 MVP path —
    backward compat is non-negotiable.
  * Phase 2 emits the legacy certs-only response on RFC 8894 success;
    Phase 3 (next commit) swaps in writeCertRepPKIMessage with the
    proper status / failInfo / nonce-echo wire shape.

cmd/server/main.go
  * Per-profile loop now calls loadSCEPRAPair after preflight to load
    the cert + key + inject via SetRAPair. crypto + crypto/tls imports
    added.
  * loadSCEPRAPair helper: tls.X509KeyPair-based parse + leaf cert
    extraction. Failures here indicate TOCTOU between preflight + load.

internal/api/handler/scep_handler_test.go +
internal/api/router/router_scep_profiles_test.go
  * mockSCEPService / scepProfileMockService gain PKCSReqWithEnvelope
    stubs to satisfy the extended interface. Existing test cases
    unchanged (they exercise the MVP path; RA pair is unset).

Verification:
  * gofmt + go vet clean for the files I touched.
  * go test -short -count=1 green across pkcs7 / api/handler /
    api/router / service / cmd/server.
  * Coverage: pkcs7 78.4% (was 100% — drops because new code includes
    paths the round-trip tests don't yet hit, like decryption alg
    fall-through and v3 SubjectKeyId SID matching).
  * Fuzz-target seed-corpus runs (5s each, ~270k execs/parser): no
    panic. Pre-merge fuzz-time bumps to 30s per the prompt's
    verification gate.

Phase 2 of 14 in SCEP RFC 8894 + Intune master bundle.
Living progress at cowork/scep-rfc8894-intune/progress.md.

2026-04-29 12:36:27 +00:00

shankar0123

fdd424bf5f

feat(scep): per-issuer SCEP profiles — multi-endpoint dispatch

SCEP RFC 8894 + Intune master bundle — Phase 1.5 of 14.

Restructures SCEPConfig from a single flat struct (one IssuerID + one
RA pair + one challenge password) to a Profiles slice where each
profile binds its own URL path (/scep/<pathID>), issuer, optional
CertificateProfile, RA cert+key, and challenge password.

This phase is the FOUNDATION for Phases 2-12: every downstream handler
signature, service envelope, CertRep builder, GUI counter, and test
fixture takes a profile_id parameter from here on. Adding multi-profile
support post-bundle would cost 3x what greenfielding it now does.

Backward compat: legacy CERTCTL_SCEP_* flat env vars synthesise a
single-element Profiles[0] with PathID="" (legacy /scep root) when
CERTCTL_SCEP_PROFILES is unset. Existing operators see no behavior
change. New operators write multi-profile config directly via the
indexed env-var form.

Indexed env-var convention:
  CERTCTL_SCEP_PROFILES=corp,iot,server
  CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop
  CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls
  CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=...
  CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt
  CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key
  ... (etc per profile name)

internal/config/config.go
  * SCEPConfig.Profiles []SCEPProfileConfig — primary multi-profile
    dispatch source.
  * Legacy flat fields (IssuerID, ProfileID, ChallengePassword,
    RACertPath, RAKeyPath) preserved with updated docblocks marking
    them as merge sources for the backward-compat shim.
  * SCEPProfileConfig new struct (PathID, IssuerID, ProfileID,
    ChallengePassword, RACertPath, RAKeyPath).
  * loadSCEPProfilesFromEnv: reads CERTCTL_SCEP_PROFILES (comma-list
    of names), expands each to per-profile env vars
    CERTCTL_SCEP_PROFILE_<NAME>_*. Returns nil when unset so the
    legacy-shim path takes over.
  * mergeSCEPLegacyIntoProfiles: when SCEP enabled + Profiles empty +
    any legacy flat field populated, synthesises Profiles[0] with
    PathID="". No-op when Profiles already populated (structured form
    wins) or SCEP disabled.
  * validSCEPPathID: empty allowed (legacy /scep root); non-empty
    must be [a-z0-9-] with no leading/trailing hyphen.
  * Per-profile Validate gates: PathID format, uniqueness across the
    slice, ChallengePassword presence (CWE-306 per profile), RA pair
    presence (RFC 8894 §3.2.2), IssuerID presence.
  * Legacy single-profile gates skip when Profiles is non-empty so
    the per-profile loop owns the gating in the structured case
    (avoids double-fire with overlapping error messages).

internal/api/router/router.go
  * RegisterSCEPHandlers signature: map[string]handler.SCEPHandler
    (was a single SCEPHandler).
  * Empty PathID handler registered with literal r.Register('GET /scep'
    + 'POST /scep') so the openapi-parity AST scanner (Bundle D /
    Audit M-027) continues to see the documented /scep route. Without
    this preservation, the parity test fails because dynamic
    string-built routes don't appear in *ast.BasicLit walks.
  * Non-empty PathIDs registered dynamically as /scep/<pathID>.
  * AuthExempt prefix /scep already covers all /scep[/...] paths via
    prefix match — no change needed there.

cmd/server/main.go
  * SCEP startup block iterates cfg.SCEP.Profiles, builds one service
    + one handler per profile, stuffs them into a {pathID -> handler}
    map, hands the map to apiRouter.RegisterSCEPHandlers.
  * Per-profile preflight: preflightSCEPChallengePassword,
    preflightSCEPRACertKey, preflightEnrollmentIssuer fire ONCE PER
    PROFILE with a profile-scoped slog.Logger so failures report
    PathID + IssuerID. Each per-profile failure os.Exits(1) with a
    targeted error message.
  * Final 'SCEP server enabled' info log reports profile_count.

internal/config/config_scep_profiles_test.go (new, 9 tests / 22 sub-cases)
  * TestSCEPConfig_LegacyFlatFields_SynthesizeSingleProfile — the
    backward-compat smoke test.
  * TestSCEPConfig_MultipleProfiles_LoadFromEnv — structured-form
    happy path with two profiles.
  * TestSCEPConfig_StructuredFormBeatsLegacy — when both forms set,
    structured wins; legacy flat field MUST NOT leak into
    Profiles[0].ChallengePassword.
  * TestSCEPConfig_PathIDValidation — 13 sub-cases covering valid +
    every reject mode (uppercase, slash, leading/trailing hyphen,
    underscore, dot, space, non-ASCII).
  * TestSCEPConfig_DuplicatePathID_Refuses.
  * TestSCEPConfig_MissingPerProfileChallengePassword,
    _MissingPerProfileRAPair (3 sub-cases),
    _MissingPerProfileIssuerID — per-profile gate triplet.
  * TestSCEPConfig_DisabledIgnoresProfiles — gates only fire when
    SCEP is enabled.

internal/api/router/router_scep_profiles_test.go (new, 4 tests)
  * TestRouter_RegisterSCEPHandlers_LegacyEmptyPathIDMapsToRoot —
    empty PathID gets /scep root; both GET + POST routes registered.
  * TestRouter_RegisterSCEPHandlers_NonEmptyPathIDMapsToSubpath —
    non-empty PathID gets /scep/<pathID>; /scep root NOT registered
    when no empty-PathID profile exists.
  * TestRouter_RegisterSCEPHandlers_MultipleProfilesNoCrossBleed —
    three profiles (default, corp, iot); each path reaches the right
    handler instance, verified via per-profile-tagged GetCACaps mock
    response.
  * TestRouter_RegisterSCEPHandlers_EmptyMapRegistersNoRoutes — no
    profiles → no /scep routes (deploy with SCEP disabled).

Verification:
  * gofmt clean for the files I touched.
  * go vet clean across config / router / cmd/server / domain.
  * go test -short -count=1 green across config / router / cmd/server /
    api/handler / service / domain / pkcs7.
  * Coverage held: handler 79.0% / service 73.2% / pkcs7 100% /
    config 96.0% / domain 88.6% / router 100% / cmd/server 19.2%.
  * openapi-parity test green (literal /scep registrations preserved).

Phase 1.5 of 14 in SCEP RFC 8894 + Intune master bundle.
Living progress at cowork/scep-rfc8894-intune/progress.md.

2026-04-29 03:46:57 +00:00

3 Commits