certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:41:31 +00:00

Author	SHA1	Message	Date
shankar0123	30f9f1e712	Bundle B: Auth & transport surface tightening — 5 findings closed Closes M-001 + M-002 + M-013 + M-018 + M-025 from comprehensive-audit-2026-04-25. M-001 (CWE-916) — PBKDF2 100k -> 600k via v3 blob format internal/crypto/encryption.go: - New v3Magic (0x03), pbkdf2IterationsV3 (600,000 — OWASP 2024 Password Storage Cheat Sheet floor), v3SaltSize (16 bytes), deriveKeyWithSaltV3 helper. - EncryptIfKeySet now unconditionally writes v3: magic(0x03) \|\| salt(16) \|\| nonce(12) \|\| ciphertext+tag - DecryptIfKeySet falls through v3 -> v2 -> v1 with AEAD verification at each step. Wrong-passphrase v3 reads cannot be silently misattributed to v2/v1. - IsLegacyFormat updated to recognize 0x03 as non-legacy. internal/crypto/encryption_v3_test.go (NEW, 7 tests): V3 round-trip / V2 read-fallback against deterministic v2 fixture / V3 wrong-passphrase fails / V3-vs-V2 dispatch order / V2 vs V3 keys differ for same (passphrase, salt) / iteration-count pin at OWASP 2024 floor / IsLegacyFormat-recognises-V3. Coverage internal/crypto: 86.7% -> 88.2%. M-002 (CWE-862) — Auth-exempt allowlist constants + AST regression test Recon found auth-exempt surface spans TWO layers (audit's claim was incomplete): Layer 1 (router.go direct r.mux.Handle): GET /health, GET /ready, GET /api/v1/auth/info, GET /api/v1/version Layer 2 (cmd/server/main.go::buildFinalHandler URL-prefix dispatch): /.well-known/pki/, /.well-known/est/, /scep[/...]* internal/api/router/router.go: - New AuthExemptRouterRoutes constant with per-entry justifications. - New AuthExemptDispatchPrefixes constant. internal/api/router/auth_exempt_test.go (NEW, 2 tests): AST-walks router.go for every direct mux.Handle call and asserts set equals AuthExemptRouterRoutes; reads source bytes of Register / RegisterFunc and asserts they still wrap with middleware.Chain. cmd/server/auth_exempt_test.go (NEW, 2 tests): 14-case table test on buildFinalHandler asserting documented prefixes route to noAuthHandler and authenticated routes route to apiHandler; inverse-overlap pin proves no documented bypass shadows an authenticated prefix. M-013 (CWE-942) — CORS deny-by-default verified-already-clean + pin Audit claim 'default allows all origins if env-var unset' was WRONG. internal/api/middleware/middleware.go::NewCORS already denies cross- origin requests when len(cfg.AllowedOrigins) == 0 (no Access-Control-Allow-Origin header is emitted, same-origin policy applies). internal/api/middleware/cors_test.go: +TestNewCORS_NilOriginsDeniesAll + TestNewCORS_M013_ContractDocumentedInOrder (5-case table test pinning the 3-arm dispatch contract). M-018 (CWE-319 / PCI-DSS Req 4) — Postgres TLS opt-in toggle deploy/helm/certctl/values.yaml: new postgresql.tls.{mode,caSecretRef} operator-facing knobs. Default 'disable' preserves in-cluster pod- network behavior; PCI-scoped operators set verify-full. deploy/helm/certctl/templates/_helpers.tpl: certctl.databaseURL helper pipes postgresql.tls.mode into ?sslmode=. deploy/helm/certctl/templates/server-secret.yaml: uses the helper instead of hardcoded sslmode=disable. deploy/docker-compose.yml: CERTCTL_DATABASE_URL is now ${CERTCTL_DATABASE_URL:-...} so operators override without editing. docs/database-tls.md (NEW): operator runbook covering 4 deployment shapes, RDS verify-full example with PGSSLROOTCERT mount, and pg_stat_ssl verification query. helm template + helm lint clean. M-025 (OWASP ASVS L2 §11.2.1) — Per-key rate limiting internal/api/middleware/middleware.go::NewRateLimiter rewritten from a single global tokenBucket to a keyedRateLimiter map keyed on 'user:'+GetUser(ctx) for authenticated callers 'ip:'+RemoteAddr-host for unauthenticated - Empty UserKey strings treated as unauthenticated. - X-Forwarded-For intentionally NOT consulted (header-spoofing risk). - Create-on-demand bucket allocation under sync.RWMutex with double- check pattern. RateLimitConfig.PerUserRPS / PerUserBurstSize fields with env vars CERTCTL_RATE_LIMIT_PER_USER_RPS / CERTCTL_RATE_LIMIT_PER_USER_BURST allow per-user budgets distinct from per-IP. internal/api/middleware/ratelimit_keyed_test.go (NEW, 5 tests): TwoIPsHaveIndependentBuckets / SameUserDifferentIPsShareBucket / TwoUsersHaveIndependentBuckets / PerUserBudgetOverride / EmptyUserKeyTreatedAsAnonymous. Coverage internal/api/middleware: 82.1% -> 83.7%. Audit deliverables: cowork/comprehensive-audit-2026-04-25/audit-report.md: score 25/55 -> 30/55 closed (High 7/9, Medium 7/27 -> 12/27, Low 8/19). cowork/comprehensive-audit-2026-04-25/findings.yaml: 5 status flips open -> closed with closure notes citing the Bundle B mechanism. certctl/CHANGELOG.md: Bundle B section under [unreleased]. Verification: go test -count=1 -short ./... all green staticcheck on changed packages no new SA/ST hits (the 4 pre-existing SA1019 sites in cmd/server/main_test.go are Bundle 9 / M-028 partial closure leftovers tracked in Bundle C) helm template + helm lint clean internal/repository/postgres setup-fail sandbox disk pressure, same on master HEAD before this branch — environmental, not Bundle B	2026-04-26 23:09:10 +00:00
shankar0123	5abeeb882b	fix(crypto): per-ciphertext PBKDF2 salt + v2 versioned format with v1 fallback (M-8)	2026-04-17 05:36:29 +00:00
shankar0123	f549a7aa79	security: fail closed when CERTCTL_CONFIG_ENCRYPTION_KEY is unset (fixes C-2) EncryptIfKeySet/DecryptIfKeySet in internal/crypto/encryption.go previously returned plaintext + wasEncrypted=false when the operator had not configured CERTCTL_CONFIG_ENCRYPTION_KEY. That produced a data-at-rest confidentiality bypass (CWE-311): sensitive fields on dynamically-configured issuer and target rows (source='database') were persisted to PostgreSQL without any encryption, and no caller could distinguish the encrypted from the plaintext branch at runtime. The only visible signal was a single warning log line emitted once at startup. Fail closed instead: - EncryptIfKeySet / DecryptIfKeySet now return crypto.ErrEncryptionKeyRequired (a new exported sentinel, errors.Is-unwrappable) when the key is empty or nil, rather than silently emitting plaintext. The (result, wasEncrypted, err) tuple signature is preserved for source compatibility; only the semantics of the no-key branch changed. - cmd/server/main.go grows a startup pre-flight check: if no encryption key is configured the server lists issuers and targets, counts rows with source='database', and refuses to start (os.Exit(1)) if any exist. Operators must either configure CERTCTL_CONFIG_ENCRYPTION_KEY or remove the exposed rows before the control plane can boot. The warning-only path is retained for the clean-slate case (no database rows). - internal/service/issuer.go's SeedFromEnvVars now guards the encryption call with len(s.encryptionKey) > 0 so env-seeded rows (source='env', which are reconstructable on every boot from process env) continue to persist as plaintext in the 'config' column when no key is configured. Registry load already falls through to cfg.Config when EncryptedConfig is nil. GUI/API write paths (source='database') remain fail-closed via propagation of ErrEncryptionKeyRequired. - Integration tests that exercise CreateIssuer via the handler layer now supply a real 32-byte AES-256 test key so the encrypt path runs instead of returning ErrEncryptionKeyRequired. Same pattern in internal/service/ testutil_test.go for consolidated service-layer tests. - internal/crypto/encryption_test.go grows regression guards: TestEncryptIfKeySet_EmptyKeyFailsClosed (nil_key + empty_key subtests), TestDecryptIfKeySet_EmptyKeyFailsClosed (nil_key + empty_key subtests), TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext, TestDecryptIfKeySet_RejectsTamperedCiphertext, and TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel (verifies the sentinel unwraps through fmt.Errorf(%w)-style wrapping). Wire format is unchanged: AES-256-GCM Encrypt/Decrypt/DeriveKey, the 12-byte nonce prefix, the GCM auth tag, the PBKDF2 salt ('certctl-config-encryption-v1'), and the 100,000 iteration count are all byte-identical. Ciphertexts produced before this change remain decryptable. Verified: - go build ./... : clean - go vet ./... : clean - go test -race ./internal/crypto/... ./internal/service/... \ ./internal/integration/... ./cmd/server/... : pass - golangci-lint run ./... : 0 issues - govulncheck ./... : 0 reachable vulnerabilities - rg 'return plaintext, false, nil' internal/ : no matches - Coverage: crypto 85.0% (unchanged), service 67.8% (was 67.9%, noise), cmd/server 0.0% (unchanged baseline). All above CI thresholds. See certctl-audit-report.md for the full finding record and resolution log.	2026-04-16 21:10:40 +00:00
shankar0123	995b72df05	feat(M34): dynamic issuer configuration with encrypted config storage Replace static env-var-based issuer wiring with GUI-driven dynamic configuration stored encrypted in PostgreSQL. Operators can now configure, test, enable/disable, and manage issuers from the dashboard without restarting the server. Key changes: - AES-256-GCM encryption for sensitive issuer config at rest (PBKDF2 key derivation with 100k iterations) - Dynamic IssuerRegistry with sync.RWMutex replacing static map - Connector factory pattern (issuerfactory.NewFromConfig) replacing 140 lines of static wiring in main.go - Migration 000009: encrypted_config, last_tested_at, test_status, source columns on issuers table - Env var seeding on first boot with ON CONFLICT DO NOTHING - Registry Rebuild() for atomic map swap after CRUD operations - Issuer type validation against domain constants on Create - Audit trail for test connection results - Conditional seeding for step-ca/OpenSSL (only when env vars set) - GUI: source badge, connection test status on issuer detail page Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-04 00:20:13 -04:00

4 Commits