gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
69a508dfcf64264ba6bcfa2f52faab644b7b893b
certctl/internal/service/est_profile_counter_isolation_test.go
T
shankar0123 43075a1b5c EST RFC 7030 hardening master bundle Phases 5-7: end-to-end serverkeygen 
+ profile-driven csrattrs + admin observability with per-status
counters + reload-trust endpoint.

Phase 5 — RFC 7030 §4.4 server-driven key generation:
- internal/pkcs7/envelopeddata_builder.go is the inverse of the
  existing parser/decryptor: AES-256-CBC content cipher + RSA PKCS#1
  v1.5 keyTrans + per-call random IV. Round-trip pinned in test
  (BuildEnvelopedData → ParseEnvelopedData → Decrypt returns the
  original plaintext byte-for-byte).
- ESTService.SimpleServerKeygen runs the full §4.4 flow: parse client
  CSR → require RSA pubkey for keyTrans → resolve per-profile
  algorithm (RSA-2048 default; honors AllowedKeyAlgorithms) → in-
  memory keygen → re-build CSR with server pubkey → run existing
  issuer pipeline → marshal PKCS#8 → CMS-EnvelopedData wrap to a
  synthetic recipient cert wrapping the device's CSR-supplied pubkey
  → zeroize plaintext + PKCS#8 bytes → return CertPEM + ChainPEM
  + EncryptedKey. Typed sentinels ErrServerKeygenRequiresKey-
  Encipherment / ErrServerKeygenUnsupportedAlgorithm /
  ErrServerKeygenDisabled.
- ESTHandler.ServerKeygen + ServerKeygenMTLS emit RFC 7030 §4.4.2
  multipart/mixed with random per-response boundary; per-profile
  SetServerKeygenEnabled gate returns 404 when off (defense in depth
  even if the route was registered).
- New routes POST /.well-known/est/[<PathID>/]serverkeygen +
  /.well-known/est-mtls/<PathID>/serverkeygen; openapi.yaml +
  openapi-parity guard updated.

Phase 6 — Real csrattrs implementation:
- New CertificateProfile.RequiredCSRAttributes []string + migration
  000022_certificate_profiles_csrattrs.up.sql. The migration also
  lands the previously-unwired must_staple column (closes the 5.6
  follow-up loop where the field shipped at the domain + service
  layer but the postgres scan/insert/update never persisted it).
- domain.EKUStringToOID + AttributeStringToOID lookup tables: id-kp-*
  EKUs (RFC 5280 §4.2.1.12) + RFC 5280 DN attributes + RFC 2985
  PKCS#10 attributes + Microsoft Intune device-serial OID.
- ESTService.GetCSRAttrs replaces the v2.0.x nil/204 stub with a
  profile-derived SEQUENCE OF OID ASN.1 marshal. Unknown EKU /
  attribute strings dropped + warning-logged so a typo doesn't take
  down the entire endpoint.

Phase 7 — Admin observability + counters + reload-trust:
- internal/service/est_counters.go: estCounterTab (sync/atomic; 12
  named labels) + ESTStatsSnapshot per-profile shape +
  ESTService.Stats(now) zero-allocation accessor + ReloadTrust()
  SIGHUP-equivalent + SetESTAdminMetadata setter.
- Counter ticks wired into processEnrollment + SimpleServerKeygen at
  every success/failure leg.
- internal/api/handler/admin_est.go mirrors AdminSCEPIntune verbatim:
  Profiles + ReloadTrust handlers + AdminESTServiceImpl. Both
  endpoints admin-gated (M-008 triplet pinned + admin_est.go added
  to AdminGatedHandlers).
- New routes GET /api/v1/admin/est/profiles + POST /api/v1/admin/
  est/reload-trust; openapi.yaml documented; openapi-parity guard
  reproduced clean.
- cmd/server/main.go grows estServices map populated by the per-
  profile EST loop + handed to AdminEST. New MTLSTrust() +
  HasMTLSTrust() accessors on ESTHandler so main.go can pull the
  trust holder for the admin-metadata wire-up.
- Per-profile counter isolation regression test
  (internal/service/est_profile_counter_isolation_test.go) proves
  a future shared-counter refactor would fail at compile-time
  pointer-identity check.

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
disk-space testcontainers download), staticcheck clean across
cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/
service/pkcs7/domain/cmd/server, go test -short -count=1 green
for every non-postgres package. G-3 docs-drift guard reproduced
locally clean (Phases 5-7 added zero new env vars; Phase 1
already documented per-profile SERVER_KEYGEN_ENABLED).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
8-13 (GUI ESTAdminPage / CLI+MCP / libest e2e / bulk revocation /
docs/est.md / release prep) remain — post-2.1.0 work.
2026-04-29 23:57:45 +00:00

76 lines
2.9 KiB
Go
Raw Blame History

package service
import (
"context"
"errors"
"io"
"log/slog"
"testing"
"time"
)
// EST RFC 7030 hardening master bundle Phase 7.3 — per-profile counter
// isolation regression test. Mirrors the SCEP equivalent at
// internal/api/handler/scep_profile_counter_isolation_test.go.
//
// Why this test exists: the future-bug class it guards against is a
// cmd/server/main.go refactor that constructs a SINGLE shared
// *estCounterTab and injects it into every per-profile ESTService —
// that would compile cleanly, pass every existing route-level test,
// and silently inflate one profile's counters with another's traffic.
func TestESTService_PerProfileCountersIsolated(t *testing.T) {
silent := slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{Level: slog.LevelError + 10}))
// Two services with separate issuers + counter tabs. NewESTService
// allocates a fresh estCounterTab per instance (Phase 7.1 contract);
// this test pins that contract.
corpSvc := NewESTService("iss-corp", &mockIssuerConnector{}, nil, silent)
iotSvc := NewESTService("iss-iot", &mockIssuerConnector{Err: errors.New("issuer down")}, nil, silent)
ctx := context.Background()
// CORP: drive 3 successful enrollments. Each ticks
// success_simpleenroll on CORP's tab; IOT's tab MUST stay zero
// for that label.
for i := 0; i < 3; i++ {
csrPEM := generateCSRPEM(t, "device-corp.example.com", []string{"device-corp.example.com"})
if _, err := corpSvc.SimpleEnroll(ctx, csrPEM); err != nil {
t.Fatalf("corp enroll #%d: %v", i, err)
}
}
// IOT: drive 2 enrollments. Each fails issuance (mock returns err
// from IssueCertificate); each ticks issuer_error on IOT's tab.
for i := 0; i < 2; i++ {
csrPEM := generateCSRPEM(t, "device-iot.example.com", []string{"device-iot.example.com"})
if _, err := iotSvc.SimpleEnroll(ctx, csrPEM); err == nil {
t.Fatalf("iot enroll #%d: expected issuer error", i)
}
}
// CORP snapshot: success=3, issuer_error=0.
corpSnap := corpSvc.Stats(time.Now()).Counters
if got := corpSnap[estCounterSuccessSimpleEnroll]; got != 3 {
t.Errorf("corp success_simpleenroll = %d, want 3", got)
}
if got := corpSnap[estCounterIssuerError]; got != 0 {
t.Errorf("corp issuer_error = %d, want 0 (no IOT bleed)", got)
}
// IOT snapshot: success=0, issuer_error=2.
iotSnap := iotSvc.Stats(time.Now()).Counters
if got := iotSnap[estCounterSuccessSimpleEnroll]; got != 0 {
t.Errorf("iot success_simpleenroll = %d, want 0 (no CORP bleed)", got)
}
if got := iotSnap[estCounterIssuerError]; got != 2 {
t.Errorf("iot issuer_error = %d, want 2", got)
}
// Sanity: the two services' counter tabs MUST be distinct *estCounterTab
// pointers. If a future refactor introduces a shared tab, this assertion
// catches it before the snapshot bleed becomes silent.
if corpSvc.counters == iotSvc.counters {
t.Fatal("corp + iot share the same *estCounterTab — per-profile isolation broken")
}
}
Reference in New Issue View Git Blame Copy Permalink