certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:51:29 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	1dcc7455cd	Bundle 9: Local-issuer hardening — 5 findings closed + 1 partial Closes H-010 + L-002 + L-003 + L-012 + L-014 from comprehensive-audit-2026-04-25; partial-closes M-028 (the local.go:682 elliptic.Marshal site only). H-010 (CWE-1257) — local-issuer coverage 68.3% -> 86.7% * internal/connector/issuer/local/bundle9_coverage_test.go (NEW) Adds ~30 subtests across CSR-acceptance failure paths, parsePrivateKey four-format coverage, resolveEKUsAndKeyUsage all-EKU + fallback, hashPublicKey RSA + ECDSA P-256/P-384/P-521 + unsupported curve, ecdsaToECDH byte-identical round-trip pin, loadCAFromDisk expired/non-CA/missing/happy, validateCSRUnicode all rejection arms, marshalPrivateKeyAndZeroize / ensureKeyDirSecure all branches, ValidateConfig 5 arms, MaxTTLSeconds cap. * .github/workflows/ci.yml — flips local-issuer floor 60% -> 85% hard with explicit "add tests, do not lower the gate" comment. L-002 (CWE-226) — agent + local-CA private-key zeroization * internal/connector/issuer/local/keymem.go (NEW) * cmd/agent/keymem.go (NEW) marshalPrivateKeyAndZeroize wraps x509.MarshalECPrivateKey with defer clear(der). Agent additionally defer clear(privKeyPEM) on the encoded buffer. Bounds heap-resident exposure of the private scalar to the duration of PEM-encode + os.WriteFile. L-003 (CWE-732) — 0700 key-directory hardening * internal/connector/issuer/local/keystore.go (NEW) * cmd/agent/keymem.go (NEW) ensureKeyDirSecure / ensureAgentKeyDirSecure create dir tree at 0700, accept owner-only modes, chmod-tighten permissive leaves with re-stat verification, refuse empty/root/dot. Wired ahead of every os.WriteFile(keyPath, ..., 0600) site in cmd/agent/main.go. L-012 (CWE-1007 + CWE-176) — Unicode safety in CN/SAN * internal/validation/unicode.go (NEW) * internal/validation/unicode_test.go (NEW, 8 test functions) ValidateUnicodeSafe rejects RTL/LTR overrides U+202A..U+202E + U+2066..U+2069, zero-width U+200B..U+200D + U+2060 + U+FEFF, control chars <0x20 + 0x7F..0x9F, and per-DNS-label Latin+non-Latin-letter mixes (Cyrillic-а-in-apple homograph). Pure-IDN labels allowed. Errors cite codepoint + byte offset. Wired into IssueCertificate + RenewCertificate via validateCSRUnicode covering CSR Subject CommonName + DNSNames + EmailAddresses + request-side additional SANs. L-014 — CA-key-in-process threat-model documentation * internal/connector/issuer/local/local.go file-header doc comment Documents what the bundled defense-in-depth measures DO and DO NOT protect against; directs operators with stricter requirements to HSM/PKCS#11/cloud-KMS-backed signing (V3 Pro KMS-issuance roadmap entry as the source-of-truth fix). M-028 (CWE-477) PARTIAL — 1 of 6 SA1019 sites * internal/connector/issuer/local/local.go::ecdsaToECDH (NEW helper) Replaces deprecated elliptic.Marshal(k.Curve, k.X, k.Y) inside hashPublicKey with crypto/ecdh.PublicKey.Bytes(). Dispatches on Curve.Params().Name to avoid importing crypto/elliptic for sentinel comparisons. Supports P-256/P-384/P-521; P-224 returns unsupported-curve error and the caller falls back to a stable X+Y big.Int.Bytes() hash (so SKI generation never panics). * TestHashPublicKey_ECDSA_RoundTripPin — byte-identical regression oracle that pins the new output to the legacy elliptic.Marshal output across all three supported curves (with explicit //nolint:staticcheck on the SA1019 reference). Migration cannot silently change the SubjectKeyId of every previously-issued cert. * 5 SA1019 sites still open (test-file middleware.NewAuth × 3 + scep.go csr.Attributes). Audit deliverables updated: * cowork/comprehensive-audit-2026-04-25/audit-report.md — score 20/55 -> 25/55 closed (High 6/9 -> 7/9; Low 4/19 -> 8/19). * cowork/comprehensive-audit-2026-04-25/findings.yaml — H-010 + L-002 + L-003 + L-012 + L-014 status open -> closed; M-028 status open -> partial_closed; closure notes cite the Bundle-9 mechanism. * certctl/CHANGELOG.md — Bundle-9 section under [unreleased].	2026-04-26 17:18:00 +00:00

Author

SHA1

Message

Date

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

1dcc7455cd

Bundle 9: Local-issuer hardening — 5 findings closed + 1 partial

Closes H-010 + L-002 + L-003 + L-012 + L-014 from
comprehensive-audit-2026-04-25; partial-closes M-028 (the local.go:682
elliptic.Marshal site only).

H-010 (CWE-1257) — local-issuer coverage 68.3% -> 86.7%
  * internal/connector/issuer/local/bundle9_coverage_test.go (NEW)
    Adds ~30 subtests across CSR-acceptance failure paths, parsePrivateKey
    four-format coverage, resolveEKUsAndKeyUsage all-EKU + fallback,
    hashPublicKey RSA + ECDSA P-256/P-384/P-521 + unsupported curve,
    ecdsaToECDH byte-identical round-trip pin, loadCAFromDisk
    expired/non-CA/missing/happy, validateCSRUnicode all rejection arms,
    marshalPrivateKeyAndZeroize / ensureKeyDirSecure all branches,
    ValidateConfig 5 arms, MaxTTLSeconds cap.
  * .github/workflows/ci.yml — flips local-issuer floor 60% -> 85% hard
    with explicit "add tests, do not lower the gate" comment.

L-002 (CWE-226) — agent + local-CA private-key zeroization
  * internal/connector/issuer/local/keymem.go (NEW)
  * cmd/agent/keymem.go (NEW)
    marshalPrivateKeyAndZeroize wraps x509.MarshalECPrivateKey with
    defer clear(der). Agent additionally defer clear(privKeyPEM) on the
    encoded buffer. Bounds heap-resident exposure of the private scalar
    to the duration of PEM-encode + os.WriteFile.

L-003 (CWE-732) — 0700 key-directory hardening
  * internal/connector/issuer/local/keystore.go (NEW)
  * cmd/agent/keymem.go (NEW)
    ensureKeyDirSecure / ensureAgentKeyDirSecure create dir tree at 0700,
    accept owner-only modes, chmod-tighten permissive leaves with
    re-stat verification, refuse empty/root/dot. Wired ahead of every
    os.WriteFile(keyPath, ..., 0600) site in cmd/agent/main.go.

L-012 (CWE-1007 + CWE-176) — Unicode safety in CN/SAN
  * internal/validation/unicode.go (NEW)
  * internal/validation/unicode_test.go (NEW, 8 test functions)
    ValidateUnicodeSafe rejects RTL/LTR overrides U+202A..U+202E +
    U+2066..U+2069, zero-width U+200B..U+200D + U+2060 + U+FEFF,
    control chars <0x20 + 0x7F..0x9F, and per-DNS-label
    Latin+non-Latin-letter mixes (Cyrillic-а-in-apple homograph).
    Pure-IDN labels allowed. Errors cite codepoint + byte offset.
    Wired into IssueCertificate + RenewCertificate via
    validateCSRUnicode covering CSR Subject CommonName + DNSNames +
    EmailAddresses + request-side additional SANs.

L-014 — CA-key-in-process threat-model documentation
  * internal/connector/issuer/local/local.go file-header doc comment
    Documents what the bundled defense-in-depth measures DO and DO NOT
    protect against; directs operators with stricter requirements to
    HSM/PKCS#11/cloud-KMS-backed signing (V3 Pro KMS-issuance roadmap
    entry as the source-of-truth fix).

M-028 (CWE-477) PARTIAL — 1 of 6 SA1019 sites
  * internal/connector/issuer/local/local.go::ecdsaToECDH (NEW helper)
    Replaces deprecated elliptic.Marshal(k.Curve, k.X, k.Y) inside
    hashPublicKey with crypto/ecdh.PublicKey.Bytes(). Dispatches on
    Curve.Params().Name to avoid importing crypto/elliptic for sentinel
    comparisons. Supports P-256/P-384/P-521; P-224 returns
    unsupported-curve error and the caller falls back to a stable X+Y
    big.Int.Bytes() hash (so SKI generation never panics).
  * TestHashPublicKey_ECDSA_RoundTripPin — byte-identical regression
    oracle that pins the new output to the legacy elliptic.Marshal
    output across all three supported curves (with explicit
    //nolint:staticcheck on the SA1019 reference). Migration cannot
    silently change the SubjectKeyId of every previously-issued cert.
  * 5 SA1019 sites still open (test-file middleware.NewAuth × 3 +
    scep.go csr.Attributes).

Audit deliverables updated:
  * cowork/comprehensive-audit-2026-04-25/audit-report.md — score
    20/55 -> 25/55 closed (High 6/9 -> 7/9; Low 4/19 -> 8/19).
  * cowork/comprehensive-audit-2026-04-25/findings.yaml — H-010 +
    L-002 + L-003 + L-012 + L-014 status open -> closed; M-028 status
    open -> partial_closed; closure notes cite the Bundle-9 mechanism.
  * certctl/CHANGELOG.md — Bundle-9 section under [unreleased].

2026-04-26 17:18:00 +00:00

2 Commits