2 Commits

Author	SHA1	Message	Date
shankar0123	521802f824	Bundle 9 follow-up: ST1018 ESC sweep + make verify pre-commit gate ... CI on the bundle-9 merge (run #24962543332) failed golangci-lint with 16 staticcheck ST1018 'string literal contains the Unicode format character U+202X, consider using the \u202X escape sequence' hits — across the two test files we added (internal/validation/unicode_test.go + internal/connector/issuer/local/bundle9_coverage_test.go). Mechanical sweep, byte-identical at runtime: internal/validation/unicode_test.go (13 + 1 hits cleared) RTL/LTR overrides U+202A..U+202E + U+2066..U+2069 (lines 39-47) zero-width U+200B..U+200D + U+2060 (lines 67-70) additional U+202E in TestValidateUnicodeSafe_ErrorMentionsByteOffset internal/connector/issuer/local/bundle9_coverage_test.go (3 hits) U+202E in TestValidateCSRUnicode_RejectsDNSNameRTL U+200B in TestValidateCSRUnicode_RejectsEmailZeroWidth U+202E in TestValidateCSRUnicode_RejectsAdditionalSAN The strings now use Go \uXXXX escape sequences. Identical UTF-8 bytes hit ValidateUnicodeSafe at runtime — every test passes unchanged locally. The file-header comment in unicode_test.go that promised this convention is now actually honored. Verification: staticcheck -checks=ST1018 returns clean across the two packages. go test -count=1 -short still green. Pre-commit gate added to prevent recurrence: Makefile: new 'verify' aggregate target runs gofmt + go vet + golangci-lint run + go test -short — same set CI enforces. Run 'make verify' before every commit going forward. cowork/CLAUDE.md: new 'Pre-commit verification gate' paragraph in Operating Rules. Documents make verify as the canonical gate; explains WHY (Bundle-9 shipped green-on-vet / red-on-CI because ST1018 only fires under golangci-lint's staticcheck, not vet); documents the staticcheck-only fallback for disk-constrained sandboxes. This commit changes only: - 2 test source files (\uXXXX escapes, no behavior change) - Makefile (1 new target, 1 .PHONY entry, 1 help line) - cowork/CLAUDE.md (1 new operating-rule paragraph)	2026-04-26 21:17:12 +00:00
shankar0123	1dcc7455cd	Bundle 9: Local-issuer hardening — 5 findings closed + 1 partial ... Closes H-010 + L-002 + L-003 + L-012 + L-014 from comprehensive-audit-2026-04-25; partial-closes M-028 (the local.go:682 elliptic.Marshal site only). H-010 (CWE-1257) — local-issuer coverage 68.3% -> 86.7% * internal/connector/issuer/local/bundle9_coverage_test.go (NEW) Adds ~30 subtests across CSR-acceptance failure paths, parsePrivateKey four-format coverage, resolveEKUsAndKeyUsage all-EKU + fallback, hashPublicKey RSA + ECDSA P-256/P-384/P-521 + unsupported curve, ecdsaToECDH byte-identical round-trip pin, loadCAFromDisk expired/non-CA/missing/happy, validateCSRUnicode all rejection arms, marshalPrivateKeyAndZeroize / ensureKeyDirSecure all branches, ValidateConfig 5 arms, MaxTTLSeconds cap. * .github/workflows/ci.yml — flips local-issuer floor 60% -> 85% hard with explicit "add tests, do not lower the gate" comment. L-002 (CWE-226) — agent + local-CA private-key zeroization * internal/connector/issuer/local/keymem.go (NEW) * cmd/agent/keymem.go (NEW) marshalPrivateKeyAndZeroize wraps x509.MarshalECPrivateKey with defer clear(der). Agent additionally defer clear(privKeyPEM) on the encoded buffer. Bounds heap-resident exposure of the private scalar to the duration of PEM-encode + os.WriteFile. L-003 (CWE-732) — 0700 key-directory hardening * internal/connector/issuer/local/keystore.go (NEW) * cmd/agent/keymem.go (NEW) ensureKeyDirSecure / ensureAgentKeyDirSecure create dir tree at 0700, accept owner-only modes, chmod-tighten permissive leaves with re-stat verification, refuse empty/root/dot. Wired ahead of every os.WriteFile(keyPath, ..., 0600) site in cmd/agent/main.go. L-012 (CWE-1007 + CWE-176) — Unicode safety in CN/SAN * internal/validation/unicode.go (NEW) * internal/validation/unicode_test.go (NEW, 8 test functions) ValidateUnicodeSafe rejects RTL/LTR overrides U+202A..U+202E + U+2066..U+2069, zero-width U+200B..U+200D + U+2060 + U+FEFF, control chars <0x20 + 0x7F..0x9F, and per-DNS-label Latin+non-Latin-letter mixes (Cyrillic-а-in-apple homograph). Pure-IDN labels allowed. Errors cite codepoint + byte offset. Wired into IssueCertificate + RenewCertificate via validateCSRUnicode covering CSR Subject CommonName + DNSNames + EmailAddresses + request-side additional SANs. L-014 — CA-key-in-process threat-model documentation * internal/connector/issuer/local/local.go file-header doc comment Documents what the bundled defense-in-depth measures DO and DO NOT protect against; directs operators with stricter requirements to HSM/PKCS#11/cloud-KMS-backed signing (V3 Pro KMS-issuance roadmap entry as the source-of-truth fix). M-028 (CWE-477) PARTIAL — 1 of 6 SA1019 sites * internal/connector/issuer/local/local.go::ecdsaToECDH (NEW helper) Replaces deprecated elliptic.Marshal(k.Curve, k.X, k.Y) inside hashPublicKey with crypto/ecdh.PublicKey.Bytes(). Dispatches on Curve.Params().Name to avoid importing crypto/elliptic for sentinel comparisons. Supports P-256/P-384/P-521; P-224 returns unsupported-curve error and the caller falls back to a stable X+Y big.Int.Bytes() hash (so SKI generation never panics). * TestHashPublicKey_ECDSA_RoundTripPin — byte-identical regression oracle that pins the new output to the legacy elliptic.Marshal output across all three supported curves (with explicit //nolint:staticcheck on the SA1019 reference). Migration cannot silently change the SubjectKeyId of every previously-issued cert. * 5 SA1019 sites still open (test-file middleware.NewAuth × 3 + scep.go csr.Attributes). Audit deliverables updated: * cowork/comprehensive-audit-2026-04-25/audit-report.md — score 20/55 -> 25/55 closed (High 6/9 -> 7/9; Low 4/19 -> 8/19). * cowork/comprehensive-audit-2026-04-25/findings.yaml — H-010 + L-002 + L-003 + L-012 + L-014 status open -> closed; M-028 status open -> partial_closed; closure notes cite the Bundle-9 mechanism. * certctl/CHANGELOG.md — Bundle-9 section under [unreleased].	2026-04-26 17:18:00 +00:00