gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:31:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
36d79cd1fff8eb2d38f64a57f4749fc2fd455f2e
certctl/internal/pkcs7/envelopeddata_builder.go
T
shankar0123 43075a1b5c EST RFC 7030 hardening master bundle Phases 5-7: end-to-end serverkeygen 
+ profile-driven csrattrs + admin observability with per-status
counters + reload-trust endpoint.

Phase 5 — RFC 7030 §4.4 server-driven key generation:
- internal/pkcs7/envelopeddata_builder.go is the inverse of the
  existing parser/decryptor: AES-256-CBC content cipher + RSA PKCS#1
  v1.5 keyTrans + per-call random IV. Round-trip pinned in test
  (BuildEnvelopedData → ParseEnvelopedData → Decrypt returns the
  original plaintext byte-for-byte).
- ESTService.SimpleServerKeygen runs the full §4.4 flow: parse client
  CSR → require RSA pubkey for keyTrans → resolve per-profile
  algorithm (RSA-2048 default; honors AllowedKeyAlgorithms) → in-
  memory keygen → re-build CSR with server pubkey → run existing
  issuer pipeline → marshal PKCS#8 → CMS-EnvelopedData wrap to a
  synthetic recipient cert wrapping the device's CSR-supplied pubkey
  → zeroize plaintext + PKCS#8 bytes → return CertPEM + ChainPEM
  + EncryptedKey. Typed sentinels ErrServerKeygenRequiresKey-
  Encipherment / ErrServerKeygenUnsupportedAlgorithm /
  ErrServerKeygenDisabled.
- ESTHandler.ServerKeygen + ServerKeygenMTLS emit RFC 7030 §4.4.2
  multipart/mixed with random per-response boundary; per-profile
  SetServerKeygenEnabled gate returns 404 when off (defense in depth
  even if the route was registered).
- New routes POST /.well-known/est/[<PathID>/]serverkeygen +
  /.well-known/est-mtls/<PathID>/serverkeygen; openapi.yaml +
  openapi-parity guard updated.

Phase 6 — Real csrattrs implementation:
- New CertificateProfile.RequiredCSRAttributes []string + migration
  000022_certificate_profiles_csrattrs.up.sql. The migration also
  lands the previously-unwired must_staple column (closes the 5.6
  follow-up loop where the field shipped at the domain + service
  layer but the postgres scan/insert/update never persisted it).
- domain.EKUStringToOID + AttributeStringToOID lookup tables: id-kp-*
  EKUs (RFC 5280 §4.2.1.12) + RFC 5280 DN attributes + RFC 2985
  PKCS#10 attributes + Microsoft Intune device-serial OID.
- ESTService.GetCSRAttrs replaces the v2.0.x nil/204 stub with a
  profile-derived SEQUENCE OF OID ASN.1 marshal. Unknown EKU /
  attribute strings dropped + warning-logged so a typo doesn't take
  down the entire endpoint.

Phase 7 — Admin observability + counters + reload-trust:
- internal/service/est_counters.go: estCounterTab (sync/atomic; 12
  named labels) + ESTStatsSnapshot per-profile shape +
  ESTService.Stats(now) zero-allocation accessor + ReloadTrust()
  SIGHUP-equivalent + SetESTAdminMetadata setter.
- Counter ticks wired into processEnrollment + SimpleServerKeygen at
  every success/failure leg.
- internal/api/handler/admin_est.go mirrors AdminSCEPIntune verbatim:
  Profiles + ReloadTrust handlers + AdminESTServiceImpl. Both
  endpoints admin-gated (M-008 triplet pinned + admin_est.go added
  to AdminGatedHandlers).
- New routes GET /api/v1/admin/est/profiles + POST /api/v1/admin/
  est/reload-trust; openapi.yaml documented; openapi-parity guard
  reproduced clean.
- cmd/server/main.go grows estServices map populated by the per-
  profile EST loop + handed to AdminEST. New MTLSTrust() +
  HasMTLSTrust() accessors on ESTHandler so main.go can pull the
  trust holder for the admin-metadata wire-up.
- Per-profile counter isolation regression test
  (internal/service/est_profile_counter_isolation_test.go) proves
  a future shared-counter refactor would fail at compile-time
  pointer-identity check.

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
disk-space testcontainers download), staticcheck clean across
cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/
service/pkcs7/domain/cmd/server, go test -short -count=1 green
for every non-postgres package. G-3 docs-drift guard reproduced
locally clean (Phases 5-7 added zero new env vars; Phase 1
already documented per-profile SERVER_KEYGEN_ENABLED).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
8-13 (GUI ESTAdminPage / CLI+MCP / libest e2e / bulk revocation /
docs/est.md / release prep) remain — post-2.1.0 work.
2026-04-29 23:57:45 +00:00

238 lines
9.8 KiB
Go
Raw Blame History

// EnvelopedData BUILDER (inverse of envelopeddata.go's parser+decryptor).
//
// EST RFC 7030 hardening master bundle Phase 5.2.
//
// The SCEP path landed the parser/decryptor; the EST `serverkeygen`
// endpoint (RFC 7030 §4.4) needs the BUILDER so the server can encrypt
// the server-generated private key TO the client's CSR-supplied
// key-encipherment public key, then return it as a CMS EnvelopedData.
//
// Wire shape produced (matches the parser's input, RFC 5652 §6.1):
//
// ContentInfo ::= SEQUENCE {
// contentType OBJECT IDENTIFIER, -- 1.2.840.113549.1.7.3 (envelopedData)
// content [0] EXPLICIT EnvelopedData
// }
// EnvelopedData ::= SEQUENCE {
// version INTEGER (0), -- v0 (no originatorInfo + no ori)
// recipientInfos SET SIZE(1) OF KeyTransRecipientInfo,
// encryptedContentInfo EncryptedContentInfo
// }
// KeyTransRecipientInfo ::= SEQUENCE {
// version INTEGER (0), -- v0 (IssuerAndSerialNumber rid)
// rid IssuerAndSerialNumber, -- recipient cert's issuer + serial
// keyEncryptionAlgorithm AlgorithmIdentifier, -- rsaEncryption (PKCS#1 v1.5 keyTrans)
// encryptedKey OCTET STRING -- AES key wrapped to recipient pubkey
// }
// EncryptedContentInfo ::= SEQUENCE {
// contentType OBJECT IDENTIFIER, -- pkcs7-data (1.2.840.113549.1.7.1)
// contentEncryptionAlgorithm AlgorithmIdentifier, -- aes-256-cbc with IV in parameters
// encryptedContent [0] IMPLICIT OCTET STRING
// }
//
// Algorithm choices (locked at GA):
//
// - Content cipher: AES-256-CBC. Strongest of the parser-supported ciphers
// (parser also accepts AES-128, AES-192, DES-EDE3-CBC for legacy SCEP
// interop; the BUILDER emits only AES-256). Random 16-byte IV per call.
// - Key transport: RSA PKCS#1 v1.5 (rsaEncryption OID). Mirror of what
// the parser supports — adding OAEP would mean parsing OAEP parameters
// in the parser too, deferred to V3.
// - Content-type carrier: pkcs7-data (1.2.840.113549.1.7.1). The
// plaintext bytes ARE the inner content directly; the parser's
// decryptCBC strips PKCS#7 padding so the BUILDER's PKCS#7-pad here
// round-trips correctly.
package pkcs7
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"errors"
"fmt"
"io"
)
// ErrBuildEnvelopedData is the umbrella build-time error. Unlike the
// decrypt path (which deliberately collapses every internal failure to
// one sentinel to close padding-oracle / Bleichenbacher leaks), the
// BUILDER's errors are caller-introspectable — the caller is local
// server code, not an attacker.
var ErrBuildEnvelopedData = errors.New("envelopedData: build failed")
// BuildEnvelopedData produces the CMS EnvelopedData wire bytes for the
// given plaintext, encrypted to the supplied recipient cert.
//
// Inputs:
// - plaintext: the bytes to encrypt (e.g. a marshaled PKCS#8 private key
// for the EST serverkeygen path).
// - recipientCert: the cert whose pubkey wraps the AES key. MUST be RSA
// (the parser/decryptor only supports rsaEncryption keyTrans).
// - rng: source of random bytes for the AES key + IV. Pass nil to use
// crypto/rand.Reader. Tests can inject a deterministic reader so
// fixture round-trips are reproducible.
//
// Output: DER bytes of the outer ContentInfo. Suitable for direct embed
// in the EST serverkeygen multipart body's `application/pkcs7-mime;
// smime-type=enveloped-data` part.
//
// Behavior contract pinned by envelopeddata_builder_test.go:
// - Round-trip: BuildEnvelopedData → ParseEnvelopedData → Decrypt
// returns the original plaintext byte-for-byte.
// - Algorithm ID: AES-256-CBC (OID 2.16.840.1.101.3.4.1.42); IV is a
// random 16-byte value carried in the algorithm parameters as an
// OCTET STRING per RFC 3565 §2.3.
// - Recipient: exactly one KeyTransRecipientInfo whose IssuerAndSerial
// matches recipientCert.RawIssuer + recipientCert.SerialNumber.
func BuildEnvelopedData(plaintext []byte, recipientCert *x509.Certificate, rng io.Reader) ([]byte, error) {
if len(plaintext) == 0 {
return nil, fmt.Errorf("%w: empty plaintext", ErrBuildEnvelopedData)
}
if recipientCert == nil {
return nil, fmt.Errorf("%w: nil recipient cert", ErrBuildEnvelopedData)
}
rsaPub, ok := recipientCert.PublicKey.(*rsa.PublicKey)
if !ok {
return nil, fmt.Errorf("%w: recipient cert pubkey is not RSA (PKCS#1 v1.5 keyTrans only)", ErrBuildEnvelopedData)
}
if rng == nil {
rng = rand.Reader
}
// 1. Generate the symmetric key + IV. AES-256-CBC needs a 32-byte key
// + 16-byte IV. Both come from the RNG; AES-CBC requires an IV
// unique-per-message (not strictly random, but a CSPRNG-derived value
// is the simplest correct choice).
symKey := make([]byte, 32)
if _, err := io.ReadFull(rng, symKey); err != nil {
return nil, fmt.Errorf("%w: gen sym key: %w", ErrBuildEnvelopedData, err)
}
iv := make([]byte, aes.BlockSize) // aes.BlockSize == 16
if _, err := io.ReadFull(rng, iv); err != nil {
return nil, fmt.Errorf("%w: gen iv: %w", ErrBuildEnvelopedData, err)
}
// 2. PKCS#7-pad + AES-256-CBC encrypt the plaintext.
padded := pkcs7Pad(plaintext, aes.BlockSize)
block, err := aes.NewCipher(symKey)
if err != nil {
return nil, fmt.Errorf("%w: aes.NewCipher: %w", ErrBuildEnvelopedData, err)
}
ciphertext := make([]byte, len(padded))
cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
// 3. Wrap the symmetric key with the recipient's RSA pubkey using
// PKCS#1 v1.5 keyTrans. Matches the parser's rsa.DecryptPKCS1v15
// expectation. NOTE: rsa.EncryptPKCS1v15 takes the plaintext (the
// AES key bytes) directly — no extra ASN.1 wrapping.
wrappedKey, err := rsa.EncryptPKCS1v15(rng, rsaPub, symKey)
if err != nil {
return nil, fmt.Errorf("%w: rsa.EncryptPKCS1v15: %w", ErrBuildEnvelopedData, err)
}
// 4. Build the AlgorithmIdentifier for AES-256-CBC. RFC 3565 §2.3:
// the parameters field is an OCTET STRING carrying the IV.
ivOctet, err := asn1.Marshal(iv) // marshal as OCTET STRING
if err != nil {
return nil, fmt.Errorf("%w: marshal iv: %w", ErrBuildEnvelopedData, err)
}
contentEncAlg := pkix.AlgorithmIdentifier{
Algorithm: OIDAES256CBC,
Parameters: asn1.RawValue{FullBytes: ivOctet},
}
// 5. Build the IssuerAndSerialNumber rid. The recipient cert's
// RawIssuer is the DER of its issuer DN (already canonicalised by
// the cert's encoder); we splice it as a RawValue so re-serialisation
// preserves byte-for-byte equality with what the recipient sees in
// its own cert.
issuerAndSerial := issuerAndSerialASN1{
Issuer: asn1.RawValue{FullBytes: recipientCert.RawIssuer},
SerialNumber: recipientCert.SerialNumber,
}
iasDER, err := asn1.Marshal(issuerAndSerial)
if err != nil {
return nil, fmt.Errorf("%w: marshal IssuerAndSerial: %w", ErrBuildEnvelopedData, err)
}
// 6. Build the KeyTransRecipientInfo SEQUENCE.
ktri := keyTransRecipientInfoASN1{
Version: 0, // v0 with IssuerAndSerial rid
RID: asn1.RawValue{FullBytes: iasDER},
KeyEncryptionAlg: pkix.AlgorithmIdentifier{Algorithm: OIDRSAEncryption, Parameters: asn1.NullRawValue},
EncryptedKey: wrappedKey,
}
ktriDER, err := asn1.Marshal(ktri)
if err != nil {
return nil, fmt.Errorf("%w: marshal KTRI: %w", ErrBuildEnvelopedData, err)
}
// 7. Build the EncryptedContentInfo. encryptedContent is [0] IMPLICIT
// OCTET STRING; we marshal as a context-specific RawValue with class
// CONTEXT-SPECIFIC + tag 0 + the raw ciphertext bytes (no inner
// OCTET STRING tag since IMPLICIT replaces it).
encContent := asn1.RawValue{
Class: asn1.ClassContextSpecific,
Tag: 0,
IsCompound: false,
Bytes: ciphertext,
}
enci := encryptedContentInfoASN1{
ContentType: OIDDataContent,
ContentEncryptionAlgorithm: contentEncAlg,
EncryptedContent: encContent,
}
// 8. Compose the EnvelopedData SEQUENCE. The parser's struct uses
// `[]asn1.RawValue` for RecipientInfos with `set` tag; we mirror
// that shape so the parse round-trip exercises the same code path.
enveloped := envelopedDataASN1{
Version: 0, // v0 (no originatorInfo, no [1] unprotectedAttrs)
RecipientInfos: []asn1.RawValue{{FullBytes: ktriDER}},
EncryptedContentInfo: enci,
// UnprotectedAttrs intentionally left zero-value; asn1.Marshal
// omits OPTIONAL fields whose RawValue is empty.
}
envelopedDER, err := asn1.Marshal(enveloped)
if err != nil {
return nil, fmt.Errorf("%w: marshal EnvelopedData: %w", ErrBuildEnvelopedData, err)
}
// 9. Wrap in the outer ContentInfo so peelContentInfo on the read
// side picks it up cleanly. RFC 5652 §3 — content is [0] EXPLICIT.
wrapped, err := asn1.Marshal(contentInfoASN1{
ContentType: OIDEnvelopedData,
Content: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: envelopedDER},
})
if err != nil {
return nil, fmt.Errorf("%w: marshal ContentInfo: %w", ErrBuildEnvelopedData, err)
}
return wrapped, nil
}
// contentInfoASN1 is the outer CMS ContentInfo wrapper. envelopeddata.go's
// peelContentInfo is the read-side complement.
type contentInfoASN1 struct {
ContentType asn1.ObjectIdentifier
Content asn1.RawValue `asn1:"explicit,tag:0"`
}
// pkcs7Pad applies PKCS#7 padding (RFC 5652 §6.3 references RFC 2315 §10.3).
// blockSize bytes' worth of (blockSize - len(in) % blockSize) is appended;
// when the input is already a block-multiple, a full block of `blockSize`
// padding bytes is appended (so unpad always has something to strip).
func pkcs7Pad(in []byte, blockSize int) []byte {
padLen := blockSize - (len(in) % blockSize)
out := make([]byte, len(in)+padLen)
copy(out, in)
for i := len(in); i < len(out); i++ {
out[i] = byte(padLen)
}
return out
}
Reference in New Issue View Git Blame Copy Permalink