certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 12:58:53 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	633a10aa4e	secret: add Ref opaque-credential abstraction (Phase 1) Phase 1 of the #6 acquisition-readiness fix from the 2026-05-01 issuer coverage audit. Pre-fix, GlobalSign / EJBCA / Sectigo store API keys / OAuth tokens / 3-header credentials as plain Go strings on the Connector struct. Encrypted at rest via internal/crypto/encryption.go (AES-256-GCM v3 + PBKDF2-600k), they sit in process memory in the clear after load and are sent in HTTP headers on every API call. Under DEBUG-level HTTP request logging, the headers leak. This commit ships the foundation type. Per-connector migrations (GlobalSign / EJBCA / Sectigo Config field changes from string to secret.Ref, plus auth-header write-path changes) are Phase 2 — a separate commit per connector keeps each diff reviewable. Phase 1 (this commit): - internal/secret/secret.go with Ref: NewRef(src func() ([]byte, error)) — production: decrypt-on-demand NewRefFromString(s string) — tests / config-loading Use(fn func(buf []byte) error) — invoke fn with a fresh buffer, zero on return WriteTo(w io.Writer) — convenience for the "set a header" case String() — returns "[redacted]" MarshalJSON() — returns "[redacted]" IsEmpty() — for ValidateConfig paths - The bytes are zeroed (every byte set to 0) after Use returns — defeats casual heap-dump extraction. The `[redacted]` brackets (rather than `<redacted>`) avoid Go's json HTMLEscape behavior. - 9 unit tests covering: bytes-exposed-and-zeroed contract, the buffer-escape anti-pattern (asserts post-Use buffer is zeroed), WriteTo, String/MarshalJSON redaction, JSON-encoding inside a parent struct, nil-Ref safety on every method, source-error propagation, IsEmpty, direct test of the zero helper. Phase 2 (separate follow-up commits): - GlobalSign Config.APIKey / APISecret migration to secret.Ref. - EJBCA Config.Token migration to *secret.Ref. - Sectigo Config.CustomerURI / Login / Password migration. - Each migration includes the auth-header write-path change (setAuthHeaders → Ref.WriteTo) and the env-var-loading update (NewRefFromString at config load time). - Outbound HTTP transport-wrapping for per-connector credential- header redaction in DEBUG logs (defense against third-party SDK leakage; not in scope for the foundation). Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md Top-10 fix #6 — Phase 1.	2026-05-02 02:22:07 +00:00

Author

SHA1

Message

Date

shankar0123

633a10aa4e

secret: add Ref opaque-credential abstraction (Phase 1)

Phase 1 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Pre-fix, GlobalSign / EJBCA / Sectigo store API keys
/ OAuth tokens / 3-header credentials as plain Go strings on the
Connector struct. Encrypted at rest via internal/crypto/encryption.go
(AES-256-GCM v3 + PBKDF2-600k), they sit in process memory in the
clear after load and are sent in HTTP headers on every API call.
Under DEBUG-level HTTP request logging, the headers leak.

This commit ships the foundation type. Per-connector migrations
(GlobalSign / EJBCA / Sectigo Config field changes from string to
*secret.Ref, plus auth-header write-path changes) are Phase 2 — a
separate commit per connector keeps each diff reviewable.

Phase 1 (this commit):
- internal/secret/secret.go with Ref:
    NewRef(src func() ([]byte, error))   — production: decrypt-on-demand
    NewRefFromString(s string)            — tests / config-loading
    Use(fn func(buf []byte) error)        — invoke fn with a fresh
                                            buffer, zero on return
    WriteTo(w io.Writer)                  — convenience for the
                                            "set a header" case
    String()                              — returns "[redacted]"
    MarshalJSON()                         — returns "[redacted]"
    IsEmpty()                             — for ValidateConfig paths
- The bytes are zeroed (every byte set to 0) after Use returns —
  defeats casual heap-dump extraction. The `[redacted]` brackets
  (rather than `<redacted>`) avoid Go's json HTMLEscape behavior.
- 9 unit tests covering: bytes-exposed-and-zeroed contract, the
  buffer-escape anti-pattern (asserts post-Use buffer is zeroed),
  WriteTo, String/MarshalJSON redaction, JSON-encoding inside a
  parent struct, nil-Ref safety on every method, source-error
  propagation, IsEmpty, direct test of the zero helper.

Phase 2 (separate follow-up commits):
- GlobalSign Config.APIKey / APISecret migration to *secret.Ref.
- EJBCA Config.Token migration to *secret.Ref.
- Sectigo Config.CustomerURI / Login / Password migration.
- Each migration includes the auth-header write-path change
  (setAuthHeaders → Ref.WriteTo) and the env-var-loading update
  (NewRefFromString at config load time).
- Outbound HTTP transport-wrapping for per-connector credential-
  header redaction in DEBUG logs (defense against third-party
  SDK leakage; not in scope for the foundation).

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 1.

2026-05-02 02:22:07 +00:00

1 Commits