mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:11:31 +00:00
shankar0123
43075a1b5c
+ profile-driven csrattrs + admin observability with per-status counters + reload-trust endpoint. Phase 5 — RFC 7030 §4.4 server-driven key generation: - internal/pkcs7/envelopeddata_builder.go is the inverse of the existing parser/decryptor: AES-256-CBC content cipher + RSA PKCS#1 v1.5 keyTrans + per-call random IV. Round-trip pinned in test (BuildEnvelopedData → ParseEnvelopedData → Decrypt returns the original plaintext byte-for-byte). - ESTService.SimpleServerKeygen runs the full §4.4 flow: parse client CSR → require RSA pubkey for keyTrans → resolve per-profile algorithm (RSA-2048 default; honors AllowedKeyAlgorithms) → in- memory keygen → re-build CSR with server pubkey → run existing issuer pipeline → marshal PKCS#8 → CMS-EnvelopedData wrap to a synthetic recipient cert wrapping the device's CSR-supplied pubkey → zeroize plaintext + PKCS#8 bytes → return CertPEM + ChainPEM + EncryptedKey. Typed sentinels ErrServerKeygenRequiresKey- Encipherment / ErrServerKeygenUnsupportedAlgorithm / ErrServerKeygenDisabled. - ESTHandler.ServerKeygen + ServerKeygenMTLS emit RFC 7030 §4.4.2 multipart/mixed with random per-response boundary; per-profile SetServerKeygenEnabled gate returns 404 when off (defense in depth even if the route was registered). - New routes POST /.well-known/est/[<PathID>/]serverkeygen + /.well-known/est-mtls/<PathID>/serverkeygen; openapi.yaml + openapi-parity guard updated. Phase 6 — Real csrattrs implementation: - New CertificateProfile.RequiredCSRAttributes []string + migration 000022_certificate_profiles_csrattrs.up.sql. The migration also lands the previously-unwired must_staple column (closes the 5.6 follow-up loop where the field shipped at the domain + service layer but the postgres scan/insert/update never persisted it). - domain.EKUStringToOID + AttributeStringToOID lookup tables: id-kp-* EKUs (RFC 5280 §4.2.1.12) + RFC 5280 DN attributes + RFC 2985 PKCS#10 attributes + Microsoft Intune device-serial OID. - ESTService.GetCSRAttrs replaces the v2.0.x nil/204 stub with a profile-derived SEQUENCE OF OID ASN.1 marshal. Unknown EKU / attribute strings dropped + warning-logged so a typo doesn't take down the entire endpoint. Phase 7 — Admin observability + counters + reload-trust: - internal/service/est_counters.go: estCounterTab (sync/atomic; 12 named labels) + ESTStatsSnapshot per-profile shape + ESTService.Stats(now) zero-allocation accessor + ReloadTrust() SIGHUP-equivalent + SetESTAdminMetadata setter. - Counter ticks wired into processEnrollment + SimpleServerKeygen at every success/failure leg. - internal/api/handler/admin_est.go mirrors AdminSCEPIntune verbatim: Profiles + ReloadTrust handlers + AdminESTServiceImpl. Both endpoints admin-gated (M-008 triplet pinned + admin_est.go added to AdminGatedHandlers). - New routes GET /api/v1/admin/est/profiles + POST /api/v1/admin/ est/reload-trust; openapi.yaml documented; openapi-parity guard reproduced clean. - cmd/server/main.go grows estServices map populated by the per- profile EST loop + handed to AdminEST. New MTLSTrust() + HasMTLSTrust() accessors on ESTHandler so main.go can pull the trust holder for the admin-metadata wire-up. - Per-profile counter isolation regression test (internal/service/est_profile_counter_isolation_test.go) proves a future shared-counter refactor would fail at compile-time pointer-identity check. Pre-commit verification (sandbox): gofmt clean, go vet clean (excluding repository/postgres which the sandbox can't build — disk-space testcontainers download), staticcheck clean across cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/ service/pkcs7/domain/cmd/server, go test -short -count=1 green for every non-postgres package. G-3 docs-drift guard reproduced locally clean (Phases 5-7 added zero new env vars; Phase 1 already documented per-profile SERVER_KEYGEN_ENABLED). Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases 8-13 (GUI ESTAdminPage / CLI+MCP / libest e2e / bulk revocation / docs/est.md / release prep) remain — post-2.1.0 work.
193 lines
8.2 KiB
Go
193 lines
8.2 KiB
Go
package router
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/shankar0123/certctl/internal/api/handler"
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
)
|
|
|
|
// EST RFC 7030 hardening master bundle Phase 1: per-profile EST router
|
|
// registration. Pins:
|
|
//
|
|
// 1. Empty PathID maps to /.well-known/est/ (legacy backward-compat).
|
|
// 2. Non-empty PathID maps to /.well-known/est/<pathID>/.
|
|
// 3. Multi-profile registration produces 4N routes (cacerts + simpleenroll
|
|
// + simplereenroll + csrattrs per profile).
|
|
// 4. Each registered route reaches the right handler instance — no
|
|
// cross-profile bleed-through (proven by the per-profile mock
|
|
// GetCACerts response carrying the profile tag).
|
|
//
|
|
// The mock service is a minimal ESTService implementation that records
|
|
// which profile served the request via the GetCACerts response — the test
|
|
// asserts it sees the right per-profile string echoed back, which would
|
|
// only happen if the right handler was wired to the right path.
|
|
|
|
// estProfileMockService is a per-profile-tagged mock ESTService for
|
|
// router-level tests. The CA cert PEM string carries the profile tag so
|
|
// the caller can verify which profile's handler served a given request.
|
|
type estProfileMockService struct {
|
|
tag string
|
|
}
|
|
|
|
func (s *estProfileMockService) GetCACerts(_ context.Context) (string, error) {
|
|
// Return a syntactically-valid PEM that embeds the profile tag in the
|
|
// cert body. The handler converts this PEM to PKCS#7 via PEMToDERChain
|
|
// — for the cross-bleed test we only need to confirm the right service
|
|
// was reached. Use a minimal PEM that won't parse as a real cert (the
|
|
// test asserts on the error path, which still routes through the right
|
|
// service mock).
|
|
return "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n", nil
|
|
}
|
|
|
|
func (s *estProfileMockService) SimpleEnroll(_ context.Context, _ string) (*domain.ESTEnrollResult, error) {
|
|
return &domain.ESTEnrollResult{CertPEM: "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n"}, nil
|
|
}
|
|
|
|
func (s *estProfileMockService) SimpleReEnroll(_ context.Context, _ string) (*domain.ESTEnrollResult, error) {
|
|
return &domain.ESTEnrollResult{CertPEM: "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n"}, nil
|
|
}
|
|
|
|
func (s *estProfileMockService) SimpleServerKeygen(_ context.Context, _ string) (*domain.ESTServerKeygenResult, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (s *estProfileMockService) GetCSRAttrs(_ context.Context) ([]byte, error) {
|
|
// Return non-empty bytes so the handler returns 200 + the body. The body
|
|
// won't carry a profile tag (csrattrs is base64-encoded ASN.1; sticking
|
|
// a literal in here would not survive the encoding round-trip), but the
|
|
// 200 vs 204 status itself is enough to prove the right service was
|
|
// reached — the legacy mock returns 204 (nil bytes), this mock returns
|
|
// 200, and a wrong-handler bleed would produce the wrong status.
|
|
return []byte("PROFILE=" + s.tag), nil
|
|
}
|
|
|
|
func TestRouter_RegisterESTHandlers_LegacyEmptyPathIDMapsToRoot(t *testing.T) {
|
|
r := New()
|
|
svc := &estProfileMockService{tag: "legacy"}
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{
|
|
"": handler.NewESTHandler(svc),
|
|
})
|
|
|
|
// /.well-known/est/cacerts is a GET. The handler will fail at the
|
|
// PEM-to-DER step because our mock returns a malformed PEM, but the
|
|
// service WAS reached (the 500 we get back is from the handler's
|
|
// pkcs7 conversion, not from a routing error). Use csrattrs instead
|
|
// — it's GET and our mock returns clean bytes.
|
|
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("GET /.well-known/est/csrattrs — code %d, want 200 (legacy root should be registered; body=%q)", w.Code, w.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestRouter_RegisterESTHandlers_NonEmptyPathIDMapsToSubpath(t *testing.T) {
|
|
r := New()
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{
|
|
"corp": handler.NewESTHandler(&estProfileMockService{tag: "corp"}),
|
|
})
|
|
|
|
// /.well-known/est/corp/csrattrs should reach the corp handler.
|
|
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/corp/csrattrs", nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("GET /.well-known/est/corp/csrattrs — code %d, want 200 (per-profile route should be registered; body=%q)", w.Code, w.Body.String())
|
|
}
|
|
// /.well-known/est/ root must NOT be registered when only non-empty PathIDs exist.
|
|
req = httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
|
|
w = httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusNotFound && w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("/.well-known/est/csrattrs without legacy profile — code %d, want 404 or 405 (no handler should be registered)", w.Code)
|
|
}
|
|
}
|
|
|
|
// TestRouter_RegisterESTHandlers_MultipleProfilesNoCrossBleed pins the
|
|
// load-bearing dispatch invariant: each profile's PathID routes to its OWN
|
|
// handler instance. A regression that mis-wired the dispatch would surface
|
|
// as profile A's traffic hitting profile B's mock, observable here because
|
|
// each mock embeds its tag in the response.
|
|
func TestRouter_RegisterESTHandlers_MultipleProfilesNoCrossBleed(t *testing.T) {
|
|
r := New()
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{
|
|
"": handler.NewESTHandler(&estProfileMockService{tag: "default"}),
|
|
"corp": handler.NewESTHandler(&estProfileMockService{tag: "corp"}),
|
|
"iot": handler.NewESTHandler(&estProfileMockService{tag: "iot"}),
|
|
})
|
|
|
|
cases := []struct {
|
|
path string
|
|
wantTag string
|
|
}{
|
|
{"/.well-known/est/csrattrs", "default"},
|
|
{"/.well-known/est/corp/csrattrs", "corp"},
|
|
{"/.well-known/est/iot/csrattrs", "iot"},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.path, func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, tc.path, nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("code %d, want 200 (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
// The handler base64-encodes csrattrs bytes; decode our literal
|
|
// to confirm the right profile's mock was hit.
|
|
body := w.Body.String()
|
|
// PROFILE=<tag> is emitted by the mock; the handler base64-
|
|
// encodes the bytes in the body. Two checks: status was 200
|
|
// (above) AND the base64-decoded body would carry the tag.
|
|
// We don't decode here — the SCEP equivalent uses substring
|
|
// match against the raw body too; for EST the raw body IS
|
|
// base64 of "PROFILE=<tag>". Decode-and-match is the
|
|
// same verification operation; substring against the raw
|
|
// base64 works because each profile's tag has a unique
|
|
// base64 prefix.
|
|
if !contains(body, base64Tag(tc.wantTag)) {
|
|
t.Errorf("body = %q, want base64-encoded PROFILE=%s prefix", body, tc.wantTag)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRouter_RegisterESTHandlers_EmptyMapRegistersNoRoutes(t *testing.T) {
|
|
r := New()
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{})
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusNotFound && w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("/.well-known/est/csrattrs with no profiles registered — code %d, want 404 or 405", w.Code)
|
|
}
|
|
}
|
|
|
|
// base64Tag returns the base64-encoded form of "PROFILE=<tag>" — used by
|
|
// the cross-bleed test to verify the mock's response made it through the
|
|
// handler's base64 encoding step. Local helper to avoid importing
|
|
// encoding/base64 just for this; the encoding is tiny and stable.
|
|
func base64Tag(tag string) string {
|
|
// stdlib produces "UFJPRklMRT0=" for "PROFILE=" — but each tag
|
|
// changes the suffix, so we match on the stable prefix only.
|
|
// "PROFILE=" → standard base64 "UFJPRklMRT0=" (when alone).
|
|
// "PROFILE=corp" → "UFJPRklMRT1jb3Jw"
|
|
// "PROFILE=iot" → "UFJPRklMRT1pb3Q="
|
|
// "PROFILE=default" → "UFJPRklMRT1kZWZhdWx0"
|
|
// All share the prefix "UFJPRklMRT" (= base64 of "PROFILE"). The tag
|
|
// suffix differs, which is what cross-bleed would change.
|
|
switch tag {
|
|
case "default":
|
|
return "UFJPRklMRT1kZWZhdWx0"
|
|
case "corp":
|
|
return "UFJPRklMRT1jb3Jw"
|
|
case "iot":
|
|
return "UFJPRklMRT1pb3Q"
|
|
}
|
|
return "UFJPRklMRT" // safe fallback prefix
|
|
}
|