mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:01:30 +00:00
shankar0123
1dcc7455cd
Closes H-010 + L-002 + L-003 + L-012 + L-014 from
comprehensive-audit-2026-04-25; partial-closes M-028 (the local.go:682
elliptic.Marshal site only).
H-010 (CWE-1257) — local-issuer coverage 68.3% -> 86.7%
* internal/connector/issuer/local/bundle9_coverage_test.go (NEW)
Adds ~30 subtests across CSR-acceptance failure paths, parsePrivateKey
four-format coverage, resolveEKUsAndKeyUsage all-EKU + fallback,
hashPublicKey RSA + ECDSA P-256/P-384/P-521 + unsupported curve,
ecdsaToECDH byte-identical round-trip pin, loadCAFromDisk
expired/non-CA/missing/happy, validateCSRUnicode all rejection arms,
marshalPrivateKeyAndZeroize / ensureKeyDirSecure all branches,
ValidateConfig 5 arms, MaxTTLSeconds cap.
* .github/workflows/ci.yml — flips local-issuer floor 60% -> 85% hard
with explicit "add tests, do not lower the gate" comment.
L-002 (CWE-226) — agent + local-CA private-key zeroization
* internal/connector/issuer/local/keymem.go (NEW)
* cmd/agent/keymem.go (NEW)
marshalPrivateKeyAndZeroize wraps x509.MarshalECPrivateKey with
defer clear(der). Agent additionally defer clear(privKeyPEM) on the
encoded buffer. Bounds heap-resident exposure of the private scalar
to the duration of PEM-encode + os.WriteFile.
L-003 (CWE-732) — 0700 key-directory hardening
* internal/connector/issuer/local/keystore.go (NEW)
* cmd/agent/keymem.go (NEW)
ensureKeyDirSecure / ensureAgentKeyDirSecure create dir tree at 0700,
accept owner-only modes, chmod-tighten permissive leaves with
re-stat verification, refuse empty/root/dot. Wired ahead of every
os.WriteFile(keyPath, ..., 0600) site in cmd/agent/main.go.
L-012 (CWE-1007 + CWE-176) — Unicode safety in CN/SAN
* internal/validation/unicode.go (NEW)
* internal/validation/unicode_test.go (NEW, 8 test functions)
ValidateUnicodeSafe rejects RTL/LTR overrides U+202A..U+202E +
U+2066..U+2069, zero-width U+200B..U+200D + U+2060 + U+FEFF,
control chars <0x20 + 0x7F..0x9F, and per-DNS-label
Latin+non-Latin-letter mixes (Cyrillic-а-in-apple homograph).
Pure-IDN labels allowed. Errors cite codepoint + byte offset.
Wired into IssueCertificate + RenewCertificate via
validateCSRUnicode covering CSR Subject CommonName + DNSNames +
EmailAddresses + request-side additional SANs.
L-014 — CA-key-in-process threat-model documentation
* internal/connector/issuer/local/local.go file-header doc comment
Documents what the bundled defense-in-depth measures DO and DO NOT
protect against; directs operators with stricter requirements to
HSM/PKCS#11/cloud-KMS-backed signing (V3 Pro KMS-issuance roadmap
entry as the source-of-truth fix).
M-028 (CWE-477) PARTIAL — 1 of 6 SA1019 sites
* internal/connector/issuer/local/local.go::ecdsaToECDH (NEW helper)
Replaces deprecated elliptic.Marshal(k.Curve, k.X, k.Y) inside
hashPublicKey with crypto/ecdh.PublicKey.Bytes(). Dispatches on
Curve.Params().Name to avoid importing crypto/elliptic for sentinel
comparisons. Supports P-256/P-384/P-521; P-224 returns
unsupported-curve error and the caller falls back to a stable X+Y
big.Int.Bytes() hash (so SKI generation never panics).
* TestHashPublicKey_ECDSA_RoundTripPin — byte-identical regression
oracle that pins the new output to the legacy elliptic.Marshal
output across all three supported curves (with explicit
//nolint:staticcheck on the SA1019 reference). Migration cannot
silently change the SubjectKeyId of every previously-issued cert.
* 5 SA1019 sites still open (test-file middleware.NewAuth × 3 +
scep.go csr.Attributes).
Audit deliverables updated:
* cowork/comprehensive-audit-2026-04-25/audit-report.md — score
20/55 -> 25/55 closed (High 6/9 -> 7/9; Low 4/19 -> 8/19).
* cowork/comprehensive-audit-2026-04-25/findings.yaml — H-010 +
L-002 + L-003 + L-012 + L-014 status open -> closed; M-028 status
open -> partial_closed; closure notes cite the Bundle-9 mechanism.
* certctl/CHANGELOG.md — Bundle-9 section under [unreleased].
74 lines
2.5 KiB
Go
74 lines
2.5 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
)
|
|
|
|
// Bundle-9 / Audit L-002 + L-003 (agent edition).
|
|
//
|
|
// The agent generates an ECDSA P-256 key locally and writes it to disk with
|
|
// mode 0600 in a directory it expects to be 0700. The duplication of the
|
|
// local-issuer helpers (instead of importing from internal/...) is deliberate:
|
|
//
|
|
// - cmd/agent is a separate binary with its own threat model (runs on every
|
|
// deployment target, not just the control plane). Coupling it to
|
|
// internal/connector/issuer/local would pull deployment-target footprint
|
|
// into a connector that's only relevant on the server.
|
|
// - The behavior is small and self-contained; copy-paste is cheaper than
|
|
// a refactor that introduces an internal/keystore package.
|
|
//
|
|
// If a third call site emerges, lift these into internal/keystore.
|
|
|
|
// marshalAgentKeyAndZeroize marshals an ECDSA private key to DER and invokes
|
|
// onDER with the bytes; the buffer is zeroized via builtin clear() after
|
|
// onDER returns. Caller must NOT retain the slice.
|
|
func marshalAgentKeyAndZeroize(priv *ecdsa.PrivateKey, onDER func([]byte) error) error {
|
|
if priv == nil {
|
|
return fmt.Errorf("marshalAgentKeyAndZeroize: nil private key")
|
|
}
|
|
der, err := x509.MarshalECPrivateKey(priv)
|
|
if err != nil {
|
|
return fmt.Errorf("marshal EC private key: %w", err)
|
|
}
|
|
defer clear(der)
|
|
return onDER(der)
|
|
}
|
|
|
|
// ensureAgentKeyDirSecure creates dir (and ancestors) with mode 0700 or
|
|
// asserts an existing dir is owner-only. If a pre-existing dir is more
|
|
// permissive than 0700 we tighten it to 0700 (logging-free; this is a
|
|
// startup-style invariant, not a per-request check).
|
|
func ensureAgentKeyDirSecure(dir string) error {
|
|
if dir == "" || dir == "." || dir == "/" {
|
|
return fmt.Errorf("ensureAgentKeyDirSecure: refuse empty/root dir %q", dir)
|
|
}
|
|
clean := filepath.Clean(dir)
|
|
info, err := os.Stat(clean)
|
|
switch {
|
|
case os.IsNotExist(err):
|
|
if mkErr := os.MkdirAll(clean, 0o700); mkErr != nil {
|
|
return fmt.Errorf("create agent key dir %q: %w", clean, mkErr)
|
|
}
|
|
info, err = os.Stat(clean)
|
|
if err != nil {
|
|
return fmt.Errorf("stat newly-created agent key dir %q: %w", clean, err)
|
|
}
|
|
fallthrough
|
|
case err == nil:
|
|
mode := info.Mode().Perm()
|
|
if mode == 0o700 || mode&0o077 == 0 {
|
|
return nil
|
|
}
|
|
if chmodErr := os.Chmod(clean, 0o700); chmodErr != nil {
|
|
return fmt.Errorf("tighten agent key dir %q from %#o to 0700: %w", clean, mode, chmodErr)
|
|
}
|
|
return nil
|
|
default:
|
|
return fmt.Errorf("stat agent key dir %q: %w", clean, err)
|
|
}
|
|
}
|