mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:21:31 +00:00
shankar0123
7e4d423561
Phase 7 of the SCEP RFC 8894 + Intune master bundle. Adds the
internal/scep/intune package that validates Microsoft Intune Certificate
Connector signed challenges embedded in SCEP CSR challengePassword
attributes. This is the parsing/validation foundation; Phase 8 wires it
into the SCEP service dispatcher.
What's included:
* doc.go — package architecture (Intune cloud → Connector → certctl
SCEP server) + 'what this package is NOT' guard rails. We do NOT
implement full JOSE: no JKU / kid / x5c trust, no JWKS fetch.
Trust anchor is operator-supplied at startup and pinned. The
package does NOT call Microsoft's API directly — the Connector
already did that; we validate its signed attestation.
* trust_anchor.go — LoadTrustAnchor(path) reads a PEM bundle of
Intune Connector signing certs. Skips non-CERTIFICATE PEM blocks
(operators sometimes paste chains with the priv key by mistake).
Rejects empty bundles + expired certs at startup with an
operator-actionable message including the cert subject. SIGHUP
reload lands in Phase 8.5; today it's load-once-at-boot.
* claim.go — ChallengeClaim struct + DeviceMatchesCSR helper.
Set-equality semantics for SAN-DNS/SAN-RFC822/SAN-UPN: the CSR
must carry EXACTLY the claim's elements, no extras and no missing.
Empty claim slice = no constraint on that dimension.
Per-dimension typed errors (ErrClaimCNMismatch /
ErrClaimSANDNSMismatch / ErrClaimSANRFC822Mismatch /
ErrClaimSANUPNMismatch) so audit logs surface the failure
dimension without string-matching. extractUPNSans is stubbed to
return nil with documented fail-closed behavior — non-empty UPN
claims fail the equalSets check (correct behavior; the rare deploy
that pins UPN SANs hot-fixes the ASN.1 walker per the inline
comment).
* replay.go — ReplayCache: bounded in-memory cache of seen nonces
with TTL. Sized for 100,000 entries (60-min Connector validity ×
25 RPS Intune fleet steady-state ≈ 90,000 challenges/hour with
headroom). sync.Map for concurrent read/write; janitor goroutine
wakes every TTL/4 to evict expired entries; at-cap O(N)
oldest-eviction (rarely fires; janitor keeps the cache below
cap). Redis-backed variant deferred to V3-Pro.
* challenge.go — the load-bearing piece:
- ParseChallenge(raw) splits the JWT-like compact serialization
into header/payload/signature and base64url-decodes each.
Tolerates both padded + unpadded encodings (some Connector
builds emit padded; RFC 7515 §2 says unpadded; we accept both).
Validates the header parses as JSON before returning so the
malformed-signal lands earlier in the pipeline.
- ValidateChallenge(raw, trust, expectedAudience, now):
1. ParseChallenge
2. JWS signature verify over (segment0 || '.' || segment1)
— re-derived from the raw on-wire bytes, NOT
re-base64-encoded, per RFC 7515 §3.1 (re-encoding could
produce a byte-different input than what was signed)
3. Signature alg dispatch:
RS256: rsa.VerifyPKCS1v15(SHA-256)
ES256: tries fixed-width r||s (JOSE-canonical) first,
falls back to ASN.1 DER (older Connectors)
alg=none: explicit reject with audit-log-friendly
message (RFC 7515 §3.6 attack vector)
HS*/PS*: rejected as 'unsupported alg' (no shared
secret in our threat model)
4. Version-detection prelude (versionedChallenge struct +
versionUnmarshalers map). Today's format is v1 (no
explicit version field; absence IS the v1 signal). Adding
v2 = adding a parser + a registration line; v1 path stays
untouched. Defends against the inevitable Microsoft format
change at ~30 LoC + 2 tests cost vs. a P0 incident.
5. Time bounds (iat / exp); audience pin (skipped when
expectedAudience == "").
Replay protection is the CALLER's job (handler glues parser +
cache; validator stays stateless + testable).
* Typed errors: ErrChallengeMalformed / ErrChallengeSignature /
ErrChallengeExpired / ErrChallengeNotYetValid /
ErrChallengeWrongAudience / ErrChallengeReplay /
ErrChallengeUnknownVersion. errors.Is-friendly so the handler
can audit failure dimension.
Tests (94.8% coverage):
* challenge_test.go (18 tests): happy-path RS256 + ES256
fixed-width + ES256 DER; TamperedSignature; TamperedPayload;
Expired; NotYetValid; WrongAudience; EmptyExpectedAudience
disables check; RotatedTrustAnchor; EmptyTrustBundle;
AlgNoneRejected; UnsupportedAlg (HS256); MissingAlg;
VersionV1ExplicitOK; VersionUnknownRejected;
MixedTrustBundle iter (skip key-type mismatches without
surfacing as Signature err); NonJSONPayloadButValidSignature;
Malformed cases (empty, missing dots, bad base64, non-JSON
header — 9 sub-cases); PaddedBase64Tolerated.
* claim_test.go (13 tests): per-dimension matching across CN +
SAN-DNS + SAN-RFC822 + SAN-UPN; nil guards; case-insensitive DNS
(RFC 4343); dedupe set-equality; empty claim = no constraint;
UPN stub canary; normaliseSet edge cases; equalSets length
mismatch.
* replay_test.go (11 tests): first-fresh; duplicate-rejected;
past-TTL-fresh; Sweep-evicts-expired; empty-nonce
short-circuits; at-cap LRU eviction; default-cap=100k;
Close-idempotent; TTL=0 disables janitor; concurrent-race-free
(50 goroutines × 200 inserts); empty-nonce twice is fresh both
times (we don't cache empties).
* trust_anchor_test.go: HappyPath single + multi cert; SkipsNonCertBlocks
(priv key + cert mix); EmptyBundleRejected; OnlyKeyBlocksRejected;
ExpiredCertRejected (with subject CN in error); MalformedCertRejected;
LoadTrustAnchor disk + EmptyPath + MissingFile.
* fuzz_test.go: FuzzParseChallenge with seed corpus covering both
the well-formed and the obvious-malformed shapes. Survived 187k
execs in 21s without panic on the local burst; CI runs 5 min.
Verification:
* gofmt -l ./internal/scep/intune: clean
* go vet ./internal/scep/intune/...: clean
* staticcheck ./internal/scep/intune/...: clean
* go test -count=1 -cover ./internal/scep/intune/...: 94.8%
(target was ≥85%)
* go vet ./internal/... ./cmd/...: clean (no rest-of-repo regressions)
* No new CERTCTL_* env vars (those land in Phase 8 with the
config gate); G-3 docs-drift CI guard not triggered.
* No new HTTP routes; openapi-parity guard not triggered.
Phase 8 will:
- Add SCEPProfileConfig.Intune* env vars + preflight gate
- Wire the validator into the SCEP service dispatcher
(Intune-shaped challenges → validator; static → existing path)
- Trust-anchor SIGHUP reload mirroring cmd/server/tls.go::watchSIGHUP
- Per-claim rate limit + audit metrics
Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 7
cowork/scep-rfc8894-intune/progress.md
160 lines
5.5 KiB
Go
160 lines
5.5 KiB
Go
package intune
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"errors"
|
|
"testing"
|
|
)
|
|
|
|
// Each TestDeviceMatchesCSR_* covers a single dimension (CN / SAN-DNS /
|
|
// SAN-RFC822 / SAN-UPN) with both happy-path and mismatch fixtures so the
|
|
// per-dimension typed errors stay wired up over future refactors.
|
|
|
|
func newCSRFixture(cn string, dns, email []string) *x509.CertificateRequest {
|
|
return &x509.CertificateRequest{
|
|
Subject: pkix.Name{CommonName: cn},
|
|
DNSNames: dns,
|
|
EmailAddresses: email,
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_HappyPath_AllDimensions(t *testing.T) {
|
|
csr := newCSRFixture("DEVICE-001", []string{"a.example.com", "b.example.com"},
|
|
[]string{"alice@example.com"})
|
|
c := &ChallengeClaim{
|
|
DeviceName: "DEVICE-001",
|
|
SANDNS: []string{"b.example.com", "a.example.com"}, // reversed; set-equality
|
|
SANRFC822: []string{"alice@example.com"},
|
|
}
|
|
if err := c.DeviceMatchesCSR(csr); err != nil {
|
|
t.Fatalf("happy-path match should succeed: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_NilGuards(t *testing.T) {
|
|
var nilClaim *ChallengeClaim
|
|
if err := nilClaim.DeviceMatchesCSR(&x509.CertificateRequest{}); err == nil {
|
|
t.Errorf("nil claim should error")
|
|
}
|
|
c := &ChallengeClaim{}
|
|
if err := c.DeviceMatchesCSR(nil); err == nil {
|
|
t.Errorf("nil CSR should error")
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_CNMismatch(t *testing.T) {
|
|
csr := newCSRFixture("ATTACKER-DEVICE", nil, nil)
|
|
c := &ChallengeClaim{DeviceName: "DEVICE-001"}
|
|
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimCNMismatch) {
|
|
t.Fatalf("got %v, want ErrClaimCNMismatch", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_EmptyClaimCN_NoConstraint(t *testing.T) {
|
|
csr := newCSRFixture("any-cn-is-fine", nil, nil)
|
|
c := &ChallengeClaim{} // no DeviceName pinned
|
|
if err := c.DeviceMatchesCSR(csr); err != nil {
|
|
t.Fatalf("empty claim CN must impose no constraint: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_SANDNSMismatch_Missing(t *testing.T) {
|
|
csr := newCSRFixture("d", []string{"a.example.com"}, nil) // missing b
|
|
c := &ChallengeClaim{SANDNS: []string{"a.example.com", "b.example.com"}}
|
|
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) {
|
|
t.Fatalf("got %v, want ErrClaimSANDNSMismatch", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_SANDNSMismatch_Extra(t *testing.T) {
|
|
csr := newCSRFixture("d", []string{"a.example.com", "evil.example.com"}, nil)
|
|
c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
|
|
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) {
|
|
t.Fatalf("got %v, want ErrClaimSANDNSMismatch (CSR carries extra SAN)", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_SANDNSMatch_CaseInsensitive(t *testing.T) {
|
|
csr := newCSRFixture("d", []string{"A.Example.COM"}, nil)
|
|
c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
|
|
if err := c.DeviceMatchesCSR(csr); err != nil {
|
|
t.Fatalf("DNS comparison must be case-insensitive (RFC 4343): %v", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_SANDNSDedupe(t *testing.T) {
|
|
// CSR with duplicate SAN entries should still match a claim that
|
|
// only lists each unique value once. The "set" in set-equality is
|
|
// the cert's effective SAN set, not the multiset.
|
|
csr := newCSRFixture("d", []string{"a.example.com", "a.example.com"}, nil)
|
|
c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
|
|
if err := c.DeviceMatchesCSR(csr); err != nil {
|
|
t.Fatalf("dedup-equality must hold: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_EmptyClaimSAN_NoConstraint(t *testing.T) {
|
|
csr := newCSRFixture("d", []string{"any.example.com"}, nil)
|
|
c := &ChallengeClaim{} // no SANDNS pinned
|
|
if err := c.DeviceMatchesCSR(csr); err != nil {
|
|
t.Fatalf("empty claim SANDNS must impose no constraint: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_SANRFC822Mismatch(t *testing.T) {
|
|
csr := newCSRFixture("d", nil, []string{"bob@example.com"})
|
|
c := &ChallengeClaim{SANRFC822: []string{"alice@example.com"}}
|
|
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANRFC822Mismatch) {
|
|
t.Fatalf("got %v, want ErrClaimSANRFC822Mismatch", err)
|
|
}
|
|
}
|
|
|
|
func TestDeviceMatchesCSR_SANUPNMismatch_NoExtractor(t *testing.T) {
|
|
// extractUPNSans currently returns nil; any non-empty SANUPN claim
|
|
// is therefore a guaranteed mismatch (correct fail-closed behavior).
|
|
csr := newCSRFixture("d", nil, nil)
|
|
c := &ChallengeClaim{SANUPN: []string{"alice@corp.example.com"}}
|
|
if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANUPNMismatch) {
|
|
t.Fatalf("got %v, want ErrClaimSANUPNMismatch (UPN extractor stubbed)", err)
|
|
}
|
|
}
|
|
|
|
func TestNormaliseSet_EdgeCases(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
in []string
|
|
want []string
|
|
}{
|
|
{"empty", nil, []string{}},
|
|
{"trim space", []string{" hello "}, []string{"hello"}},
|
|
{"drop empty after trim", []string{" ", "x"}, []string{"x"}},
|
|
{"lowercase", []string{"HELLO", "World"}, []string{"hello", "world"}},
|
|
{"dedupe", []string{"a", "a", "b"}, []string{"a", "b"}},
|
|
{"sort", []string{"c", "a", "b"}, []string{"a", "b", "c"}},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
got := normaliseSet(tc.in)
|
|
if !equalSets(got, tc.want) {
|
|
t.Errorf("normaliseSet(%v) = %v, want %v", tc.in, got, tc.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestEqualSets_LengthMismatch(t *testing.T) {
|
|
if equalSets([]string{"a", "b"}, []string{"a"}) {
|
|
t.Errorf("different-length sets must not compare equal")
|
|
}
|
|
}
|
|
|
|
func TestExtractUPNSans_StubReturnsEmpty(t *testing.T) {
|
|
// Pin the documented stub behavior. If/when ExtractUPNSans is
|
|
// implemented for real, this test is the canary that flags the
|
|
// behavioral change.
|
|
if got := extractUPNSans(&x509.CertificateRequest{}); len(got) != 0 {
|
|
t.Errorf("extractUPNSans stub must return empty slice; got %v", got)
|
|
}
|
|
}
|