mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:21:31 +00:00
shankar0123
7e4d423561
Phase 7 of the SCEP RFC 8894 + Intune master bundle. Adds the
internal/scep/intune package that validates Microsoft Intune Certificate
Connector signed challenges embedded in SCEP CSR challengePassword
attributes. This is the parsing/validation foundation; Phase 8 wires it
into the SCEP service dispatcher.
What's included:
* doc.go — package architecture (Intune cloud → Connector → certctl
SCEP server) + 'what this package is NOT' guard rails. We do NOT
implement full JOSE: no JKU / kid / x5c trust, no JWKS fetch.
Trust anchor is operator-supplied at startup and pinned. The
package does NOT call Microsoft's API directly — the Connector
already did that; we validate its signed attestation.
* trust_anchor.go — LoadTrustAnchor(path) reads a PEM bundle of
Intune Connector signing certs. Skips non-CERTIFICATE PEM blocks
(operators sometimes paste chains with the priv key by mistake).
Rejects empty bundles + expired certs at startup with an
operator-actionable message including the cert subject. SIGHUP
reload lands in Phase 8.5; today it's load-once-at-boot.
* claim.go — ChallengeClaim struct + DeviceMatchesCSR helper.
Set-equality semantics for SAN-DNS/SAN-RFC822/SAN-UPN: the CSR
must carry EXACTLY the claim's elements, no extras and no missing.
Empty claim slice = no constraint on that dimension.
Per-dimension typed errors (ErrClaimCNMismatch /
ErrClaimSANDNSMismatch / ErrClaimSANRFC822Mismatch /
ErrClaimSANUPNMismatch) so audit logs surface the failure
dimension without string-matching. extractUPNSans is stubbed to
return nil with documented fail-closed behavior — non-empty UPN
claims fail the equalSets check (correct behavior; the rare deploy
that pins UPN SANs hot-fixes the ASN.1 walker per the inline
comment).
* replay.go — ReplayCache: bounded in-memory cache of seen nonces
with TTL. Sized for 100,000 entries (60-min Connector validity ×
25 RPS Intune fleet steady-state ≈ 90,000 challenges/hour with
headroom). sync.Map for concurrent read/write; janitor goroutine
wakes every TTL/4 to evict expired entries; at-cap O(N)
oldest-eviction (rarely fires; janitor keeps the cache below
cap). Redis-backed variant deferred to V3-Pro.
* challenge.go — the load-bearing piece:
- ParseChallenge(raw) splits the JWT-like compact serialization
into header/payload/signature and base64url-decodes each.
Tolerates both padded + unpadded encodings (some Connector
builds emit padded; RFC 7515 §2 says unpadded; we accept both).
Validates the header parses as JSON before returning so the
malformed-signal lands earlier in the pipeline.
- ValidateChallenge(raw, trust, expectedAudience, now):
1. ParseChallenge
2. JWS signature verify over (segment0 || '.' || segment1)
— re-derived from the raw on-wire bytes, NOT
re-base64-encoded, per RFC 7515 §3.1 (re-encoding could
produce a byte-different input than what was signed)
3. Signature alg dispatch:
RS256: rsa.VerifyPKCS1v15(SHA-256)
ES256: tries fixed-width r||s (JOSE-canonical) first,
falls back to ASN.1 DER (older Connectors)
alg=none: explicit reject with audit-log-friendly
message (RFC 7515 §3.6 attack vector)
HS*/PS*: rejected as 'unsupported alg' (no shared
secret in our threat model)
4. Version-detection prelude (versionedChallenge struct +
versionUnmarshalers map). Today's format is v1 (no
explicit version field; absence IS the v1 signal). Adding
v2 = adding a parser + a registration line; v1 path stays
untouched. Defends against the inevitable Microsoft format
change at ~30 LoC + 2 tests cost vs. a P0 incident.
5. Time bounds (iat / exp); audience pin (skipped when
expectedAudience == "").
Replay protection is the CALLER's job (handler glues parser +
cache; validator stays stateless + testable).
* Typed errors: ErrChallengeMalformed / ErrChallengeSignature /
ErrChallengeExpired / ErrChallengeNotYetValid /
ErrChallengeWrongAudience / ErrChallengeReplay /
ErrChallengeUnknownVersion. errors.Is-friendly so the handler
can audit failure dimension.
Tests (94.8% coverage):
* challenge_test.go (18 tests): happy-path RS256 + ES256
fixed-width + ES256 DER; TamperedSignature; TamperedPayload;
Expired; NotYetValid; WrongAudience; EmptyExpectedAudience
disables check; RotatedTrustAnchor; EmptyTrustBundle;
AlgNoneRejected; UnsupportedAlg (HS256); MissingAlg;
VersionV1ExplicitOK; VersionUnknownRejected;
MixedTrustBundle iter (skip key-type mismatches without
surfacing as Signature err); NonJSONPayloadButValidSignature;
Malformed cases (empty, missing dots, bad base64, non-JSON
header — 9 sub-cases); PaddedBase64Tolerated.
* claim_test.go (13 tests): per-dimension matching across CN +
SAN-DNS + SAN-RFC822 + SAN-UPN; nil guards; case-insensitive DNS
(RFC 4343); dedupe set-equality; empty claim = no constraint;
UPN stub canary; normaliseSet edge cases; equalSets length
mismatch.
* replay_test.go (11 tests): first-fresh; duplicate-rejected;
past-TTL-fresh; Sweep-evicts-expired; empty-nonce
short-circuits; at-cap LRU eviction; default-cap=100k;
Close-idempotent; TTL=0 disables janitor; concurrent-race-free
(50 goroutines × 200 inserts); empty-nonce twice is fresh both
times (we don't cache empties).
* trust_anchor_test.go: HappyPath single + multi cert; SkipsNonCertBlocks
(priv key + cert mix); EmptyBundleRejected; OnlyKeyBlocksRejected;
ExpiredCertRejected (with subject CN in error); MalformedCertRejected;
LoadTrustAnchor disk + EmptyPath + MissingFile.
* fuzz_test.go: FuzzParseChallenge with seed corpus covering both
the well-formed and the obvious-malformed shapes. Survived 187k
execs in 21s without panic on the local burst; CI runs 5 min.
Verification:
* gofmt -l ./internal/scep/intune: clean
* go vet ./internal/scep/intune/...: clean
* staticcheck ./internal/scep/intune/...: clean
* go test -count=1 -cover ./internal/scep/intune/...: 94.8%
(target was ≥85%)
* go vet ./internal/... ./cmd/...: clean (no rest-of-repo regressions)
* No new CERTCTL_* env vars (those land in Phase 8 with the
config gate); G-3 docs-drift CI guard not triggered.
* No new HTTP routes; openapi-parity guard not triggered.
Phase 8 will:
- Add SCEPProfileConfig.Intune* env vars + preflight gate
- Wire the validator into the SCEP service dispatcher
(Intune-shaped challenges → validator; static → existing path)
- Trust-anchor SIGHUP reload mirroring cmd/server/tls.go::watchSIGHUP
- Per-claim rate limit + audit metrics
Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 7
cowork/scep-rfc8894-intune/progress.md
152 lines
4.2 KiB
Go
152 lines
4.2 KiB
Go
package intune
|
|
|
|
import (
|
|
"fmt"
|
|
"sync"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestReplayCache_FirstInsertFresh(t *testing.T) {
|
|
c := NewReplayCache(60*time.Minute, 100)
|
|
defer c.Close()
|
|
if !c.CheckAndInsert("nonce-1", time.Now()) {
|
|
t.Fatalf("first insert must report fresh")
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_DuplicateRejected(t *testing.T) {
|
|
c := NewReplayCache(60*time.Minute, 100)
|
|
defer c.Close()
|
|
now := time.Now()
|
|
if !c.CheckAndInsert("nonce-1", now) {
|
|
t.Fatalf("first insert must report fresh")
|
|
}
|
|
if c.CheckAndInsert("nonce-1", now) {
|
|
t.Fatalf("second insert must report replay")
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_PastTTLTreatedAsFresh(t *testing.T) {
|
|
// TTL=0 disables the janitor; we drive expiry by passing future timestamps.
|
|
c := NewReplayCache(10*time.Minute, 100)
|
|
defer c.Close()
|
|
|
|
t0 := time.Now()
|
|
if !c.CheckAndInsert("nonce-1", t0) {
|
|
t.Fatalf("first insert must report fresh")
|
|
}
|
|
// Same nonce, but observation time is past expiry → fresh again.
|
|
if !c.CheckAndInsert("nonce-1", t0.Add(11*time.Minute)) {
|
|
t.Fatalf("post-TTL re-insert must report fresh")
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_SweepEvictsExpired(t *testing.T) {
|
|
c := NewReplayCache(10*time.Minute, 100)
|
|
defer c.Close()
|
|
|
|
t0 := time.Now()
|
|
c.CheckAndInsert("nonce-1", t0)
|
|
c.CheckAndInsert("nonce-2", t0)
|
|
if got := c.Len(); got != 2 {
|
|
t.Fatalf("Len = %d, want 2", got)
|
|
}
|
|
|
|
evicted := c.Sweep(t0.Add(11 * time.Minute))
|
|
if evicted != 2 {
|
|
t.Errorf("Sweep evicted %d, want 2", evicted)
|
|
}
|
|
if got := c.Len(); got != 0 {
|
|
t.Errorf("Len after sweep = %d, want 0", got)
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_EmptyNonceTreatedAsFresh(t *testing.T) {
|
|
c := NewReplayCache(10*time.Minute, 100)
|
|
defer c.Close()
|
|
if !c.CheckAndInsert("", time.Now()) {
|
|
t.Fatalf("empty nonce must short-circuit to fresh (caller validates separately)")
|
|
}
|
|
// And a second empty also returns fresh (we don't track them).
|
|
if !c.CheckAndInsert("", time.Now()) {
|
|
t.Fatalf("second empty nonce should also report fresh; we don't cache empties")
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_AtCapEvictsOldest(t *testing.T) {
|
|
// Cap of 3 makes the boundary easy to hit deterministically.
|
|
c := NewReplayCache(60*time.Minute, 3)
|
|
defer c.Close()
|
|
|
|
t0 := time.Now()
|
|
// Insert 3 entries with strictly increasing expiries.
|
|
c.CheckAndInsert("oldest", t0)
|
|
c.CheckAndInsert("middle", t0.Add(1*time.Minute))
|
|
c.CheckAndInsert("newest", t0.Add(2*time.Minute))
|
|
if got := c.Len(); got != 3 {
|
|
t.Fatalf("Len = %d, want 3", got)
|
|
}
|
|
|
|
// 4th insert must evict "oldest".
|
|
c.CheckAndInsert("brand-new", t0.Add(3*time.Minute))
|
|
if got := c.Len(); got != 3 {
|
|
t.Errorf("Len after at-cap insert = %d, want 3 (cap honored)", got)
|
|
}
|
|
// "oldest" should now be re-insertable as fresh.
|
|
if !c.CheckAndInsert("oldest", t0.Add(4*time.Minute)) {
|
|
t.Errorf("oldest must have been evicted under LRU at-cap policy")
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_DefaultCap(t *testing.T) {
|
|
// capHint = 0 should default to 100,000 per the documented sizing.
|
|
c := NewReplayCache(60*time.Minute, 0)
|
|
defer c.Close()
|
|
if c.cap != 100_000 {
|
|
t.Errorf("default cap = %d, want 100000", c.cap)
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_CloseIsIdempotent(t *testing.T) {
|
|
c := NewReplayCache(60*time.Minute, 10)
|
|
c.Close()
|
|
c.Close() // must not panic
|
|
}
|
|
|
|
func TestReplayCache_TTLZeroDisablesJanitor(t *testing.T) {
|
|
// TTL=0 + capHint=0 should produce a usable cache that doesn't
|
|
// background-evict; the test mostly pins that NewReplayCache returns
|
|
// without panicking and that Close still works.
|
|
c := NewReplayCache(0, 10)
|
|
defer c.Close()
|
|
// Empty nonce path is the only safe one without TTL semantics; exercise it.
|
|
if !c.CheckAndInsert("", time.Now()) {
|
|
t.Fatalf("zero-TTL cache must still serve empty-nonce fast path")
|
|
}
|
|
}
|
|
|
|
func TestReplayCache_ConcurrentInsertsRaceFree(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("race-style test under -short; run full suite for coverage")
|
|
}
|
|
c := NewReplayCache(60*time.Minute, 10000)
|
|
defer c.Close()
|
|
|
|
var wg sync.WaitGroup
|
|
for i := 0; i < 50; i++ {
|
|
wg.Add(1)
|
|
go func(id int) {
|
|
defer wg.Done()
|
|
now := time.Now()
|
|
for j := 0; j < 200; j++ {
|
|
c.CheckAndInsert(fmt.Sprintf("g%d-n%d", id, j), now)
|
|
}
|
|
}(i)
|
|
}
|
|
wg.Wait()
|
|
if got := c.Len(); got != 50*200 {
|
|
t.Errorf("Len = %d, want %d (no Insert dropped under contention)", got, 50*200)
|
|
}
|
|
}
|