certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 09:29:05 +00:00

Commit Graph

Author	SHA1	Message	Date
Shankar	6ae4023582	Bundle F follow-up: M-023 doc env-var cleanup (G-3 guard fix) CI on the bundle-F merge (run #24972730564) failed the G-3 env-var docs guardrail because docs/legacy-est-scep.md mentioned CERTCTL_EST_PROXY_TRUSTED_SOURCES CERTCTL_EST_TRUST_PROXY_CLIENT_CERT_HEADER which are documented as future-feature env vars but don't exist in config.go. The G-3 guard treats any env-var name in docs that's not either defined in source OR on the documented integration-surface allowlist as drift. The runbook's 'certctl-side configuration' section was over-promising features that haven't shipped yet. Rewritten to be honest: - Current implementation is header-agnostic (X-SSL-Client-Cert is ignored). EST/SCEP authentication still works correctly because both protocols carry their own auth (CSR signature for EST, challengePassword for SCEP) inside the request body. - The reverse proxy is purely a TLS-version bridge. - Future-feature description retained in prose form (without literal env-var names) so an operator who needs proxy-supplied client identity knows to open an issue. The nginx config block's comment was also rewritten to reflect the header-agnostic default. The proxy still SETS the headers (cheap, no-op when ignored); a future commit can flip certctl to read them behind a fail-closed CIDR allowlist + opt-in toggle. Verification: grep -rnE 'CERTCTL_EST_PROXY\|CERTCTL_EST_TRUST' README.md docs/ deploy/helm/ — empty (G-3 guard now passes for these names)	2026-04-27 01:55:04 +00:00
Shankar	6ae481190e	Bundle F: Compliance tail + CI gate hardening — 2 findings closed; audit closure complete Closes M-023 + M-024 from comprehensive-audit-2026-04-25. Final audit-bundle commit. Score 51/55 closed (93%); High 9/9 (100%); Medium 26/27 (96%); Low 19/19 (100%); Deferred 4/7. M-023 (PCI-DSS Req 4 §2.2.5) — Legacy EST/SCEP reverse-proxy runbook docs/legacy-est-scep.md (NEW): operator runbook for embedded EST/SCEP clients that only speak TLS 1.2 against a TLS-1.3-pinned certctl listener. Sections: - 3-condition gate for when this runbook applies - Architecture diagram (legacy client -> proxy TLS 1.2 -> certctl TLS 1.3) - Full nginx config with ssl_protocols TLSv1.2 TLSv1.3 + ECDHE AEAD-only ciphers + mTLS optional verification + proxy_ssl_protocols TLSv1.3 on the backend hop - HAProxy alternative config with ssl-min-ver TLSv1.2 frontend + ssl-min-ver TLSv1.3 backend - certctl-side env vars: CERTCTL_EST_PROXY_TRUSTED_SOURCES (CIDR allowlist of trusted proxies) + CERTCTL_EST_TRUST_PROXY_CLIENT_CERT_HEADER (toggle header-as-identity). Dual-knob design forces operators to think about header spoofing. - PCI-DSS Req 4 v4.0 §2.2.5 attestation language - Forward-look on TLS 1.2 deprecation watch certctl listener stays pinned at TLS 1.3 minimum (cmd/server/tls.go:131); the proxy-to-certctl hop is also TLS 1.3. M-024 (NIST SSDF PW.7.2) — govulncheck hard gate .github/workflows/ci.yml: 'Run govulncheck' step renamed to 'Run govulncheck (M-024 hard gate)' with updated comment block documenting why no carve-out is needed. Bundle E's transitive bumps (x/net 0.42->0.47, x/crypto 0.41->0.45) cleared the 5 L-021 deferred-call advisories that the original Bundle F prompt designed an exception list for. Plain 'govulncheck ./...' is now the right gate; default exit-code semantics fail on any future called-vuln advisory. Deferred-call advisories that legitimately can't be remediated should land in a NIST SSDF deviation log in docs/security.md, not be silenced. Audit endgame: 51/55 closed (93%). Remaining open items don't require further bundle work: - M-029 frontend per-page migration backlog — closes per-PR - L-004 rotation infra — explicit scope-pivot defer - D-003 mutation testing — sandbox-blocked - D-004 DAST suite — wired CI-only via security-deep-scan.yml - D-005 testssl.sh — wired CI-only - D-007 frontend semgrep — wired CI-only Audit deliverables: audit-report.md: score 49/55 -> 51/55 closed; M-023 + M-024 boxes flipped [x] with closure notes. findings.yaml: 2 status flips CHANGELOG.md: Bundle F section + 'Audit endgame' summary	2026-04-27 01:43:56 +00:00

Author

SHA1

Message

Date

Shankar

6ae4023582

Bundle F follow-up: M-023 doc env-var cleanup (G-3 guard fix)

CI on the bundle-F merge (run #24972730564) failed the G-3 env-var
docs guardrail because docs/legacy-est-scep.md mentioned
  CERTCTL_EST_PROXY_TRUSTED_SOURCES
  CERTCTL_EST_TRUST_PROXY_CLIENT_CERT_HEADER
which are documented as future-feature env vars but don't exist in
config.go. The G-3 guard treats any env-var name in docs that's not
either defined in source OR on the documented integration-surface
allowlist as drift.

The runbook's 'certctl-side configuration' section was over-promising
features that haven't shipped yet. Rewritten to be honest:

  - Current implementation is header-agnostic (X-SSL-Client-Cert is
    ignored). EST/SCEP authentication still works correctly because
    both protocols carry their own auth (CSR signature for EST,
    challengePassword for SCEP) inside the request body.
  - The reverse proxy is purely a TLS-version bridge.
  - Future-feature description retained in prose form (without
    literal env-var names) so an operator who needs proxy-supplied
    client identity knows to open an issue.

The nginx config block's comment was also rewritten to reflect the
header-agnostic default. The proxy still SETS the headers (cheap,
no-op when ignored); a future commit can flip certctl to read them
behind a fail-closed CIDR allowlist + opt-in toggle.

Verification:
  grep -rnE 'CERTCTL_EST_PROXY|CERTCTL_EST_TRUST' README.md docs/ deploy/helm/
    — empty (G-3 guard now passes for these names)

2026-04-27 01:55:04 +00:00

Shankar

6ae481190e

Bundle F: Compliance tail + CI gate hardening — 2 findings closed; audit closure complete

Closes M-023 + M-024 from comprehensive-audit-2026-04-25. Final
audit-bundle commit. Score 51/55 closed (93%); High 9/9 (100%);
Medium 26/27 (96%); Low 19/19 (100%); Deferred 4/7.

M-023 (PCI-DSS Req 4 §2.2.5) — Legacy EST/SCEP reverse-proxy runbook
  docs/legacy-est-scep.md (NEW): operator runbook for embedded
  EST/SCEP clients that only speak TLS 1.2 against a TLS-1.3-pinned
  certctl listener. Sections:
    - 3-condition gate for when this runbook applies
    - Architecture diagram (legacy client -> proxy TLS 1.2 -> certctl TLS 1.3)
    - Full nginx config with ssl_protocols TLSv1.2 TLSv1.3 + ECDHE
      AEAD-only ciphers + mTLS optional verification + proxy_ssl_protocols
      TLSv1.3 on the backend hop
    - HAProxy alternative config with ssl-min-ver TLSv1.2 frontend +
      ssl-min-ver TLSv1.3 backend
    - certctl-side env vars: CERTCTL_EST_PROXY_TRUSTED_SOURCES (CIDR
      allowlist of trusted proxies) + CERTCTL_EST_TRUST_PROXY_CLIENT_CERT_HEADER
      (toggle header-as-identity). Dual-knob design forces operators
      to think about header spoofing.
    - PCI-DSS Req 4 v4.0 §2.2.5 attestation language
    - Forward-look on TLS 1.2 deprecation watch
  certctl listener stays pinned at TLS 1.3 minimum (cmd/server/tls.go:131);
  the proxy-to-certctl hop is also TLS 1.3.

M-024 (NIST SSDF PW.7.2) — govulncheck hard gate
  .github/workflows/ci.yml: 'Run govulncheck' step renamed to
  'Run govulncheck (M-024 hard gate)' with updated comment block
  documenting why no carve-out is needed.
  Bundle E's transitive bumps (x/net 0.42->0.47, x/crypto 0.41->0.45)
  cleared the 5 L-021 deferred-call advisories that the original
  Bundle F prompt designed an exception list for. Plain
  'govulncheck ./...' is now the right gate; default exit-code
  semantics fail on any future called-vuln advisory. Deferred-call
  advisories that legitimately can't be remediated should land in
  a NIST SSDF deviation log in docs/security.md, not be silenced.

Audit endgame:
  51/55 closed (93%). Remaining open items don't require further
  bundle work:
    - M-029 frontend per-page migration backlog — closes per-PR
    - L-004 rotation infra — explicit scope-pivot defer
    - D-003 mutation testing — sandbox-blocked
    - D-004 DAST suite — wired CI-only via security-deep-scan.yml
    - D-005 testssl.sh — wired CI-only
    - D-007 frontend semgrep — wired CI-only

Audit deliverables:
  audit-report.md: score 49/55 -> 51/55 closed; M-023 + M-024
    boxes flipped [x] with closure notes.
  findings.yaml: 2 status flips
  CHANGELOG.md: Bundle F section + 'Audit endgame' summary

2026-04-27 01:43:56 +00:00

2 Commits