mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-11 22:38:52 +00:00
shankar0123
1dcc7455cd
Closes H-010 + L-002 + L-003 + L-012 + L-014 from
comprehensive-audit-2026-04-25; partial-closes M-028 (the local.go:682
elliptic.Marshal site only).
H-010 (CWE-1257) — local-issuer coverage 68.3% -> 86.7%
* internal/connector/issuer/local/bundle9_coverage_test.go (NEW)
Adds ~30 subtests across CSR-acceptance failure paths, parsePrivateKey
four-format coverage, resolveEKUsAndKeyUsage all-EKU + fallback,
hashPublicKey RSA + ECDSA P-256/P-384/P-521 + unsupported curve,
ecdsaToECDH byte-identical round-trip pin, loadCAFromDisk
expired/non-CA/missing/happy, validateCSRUnicode all rejection arms,
marshalPrivateKeyAndZeroize / ensureKeyDirSecure all branches,
ValidateConfig 5 arms, MaxTTLSeconds cap.
* .github/workflows/ci.yml — flips local-issuer floor 60% -> 85% hard
with explicit "add tests, do not lower the gate" comment.
L-002 (CWE-226) — agent + local-CA private-key zeroization
* internal/connector/issuer/local/keymem.go (NEW)
* cmd/agent/keymem.go (NEW)
marshalPrivateKeyAndZeroize wraps x509.MarshalECPrivateKey with
defer clear(der). Agent additionally defer clear(privKeyPEM) on the
encoded buffer. Bounds heap-resident exposure of the private scalar
to the duration of PEM-encode + os.WriteFile.
L-003 (CWE-732) — 0700 key-directory hardening
* internal/connector/issuer/local/keystore.go (NEW)
* cmd/agent/keymem.go (NEW)
ensureKeyDirSecure / ensureAgentKeyDirSecure create dir tree at 0700,
accept owner-only modes, chmod-tighten permissive leaves with
re-stat verification, refuse empty/root/dot. Wired ahead of every
os.WriteFile(keyPath, ..., 0600) site in cmd/agent/main.go.
L-012 (CWE-1007 + CWE-176) — Unicode safety in CN/SAN
* internal/validation/unicode.go (NEW)
* internal/validation/unicode_test.go (NEW, 8 test functions)
ValidateUnicodeSafe rejects RTL/LTR overrides U+202A..U+202E +
U+2066..U+2069, zero-width U+200B..U+200D + U+2060 + U+FEFF,
control chars <0x20 + 0x7F..0x9F, and per-DNS-label
Latin+non-Latin-letter mixes (Cyrillic-а-in-apple homograph).
Pure-IDN labels allowed. Errors cite codepoint + byte offset.
Wired into IssueCertificate + RenewCertificate via
validateCSRUnicode covering CSR Subject CommonName + DNSNames +
EmailAddresses + request-side additional SANs.
L-014 — CA-key-in-process threat-model documentation
* internal/connector/issuer/local/local.go file-header doc comment
Documents what the bundled defense-in-depth measures DO and DO NOT
protect against; directs operators with stricter requirements to
HSM/PKCS#11/cloud-KMS-backed signing (V3 Pro KMS-issuance roadmap
entry as the source-of-truth fix).
M-028 (CWE-477) PARTIAL — 1 of 6 SA1019 sites
* internal/connector/issuer/local/local.go::ecdsaToECDH (NEW helper)
Replaces deprecated elliptic.Marshal(k.Curve, k.X, k.Y) inside
hashPublicKey with crypto/ecdh.PublicKey.Bytes(). Dispatches on
Curve.Params().Name to avoid importing crypto/elliptic for sentinel
comparisons. Supports P-256/P-384/P-521; P-224 returns
unsupported-curve error and the caller falls back to a stable X+Y
big.Int.Bytes() hash (so SKI generation never panics).
* TestHashPublicKey_ECDSA_RoundTripPin — byte-identical regression
oracle that pins the new output to the legacy elliptic.Marshal
output across all three supported curves (with explicit
//nolint:staticcheck on the SA1019 reference). Migration cannot
silently change the SubjectKeyId of every previously-issued cert.
* 5 SA1019 sites still open (test-file middleware.NewAuth × 3 +
scep.go csr.Attributes).
Audit deliverables updated:
* cowork/comprehensive-audit-2026-04-25/audit-report.md — score
20/55 -> 25/55 closed (High 6/9 -> 7/9; Low 4/19 -> 8/19).
* cowork/comprehensive-audit-2026-04-25/findings.yaml — H-010 +
L-002 + L-003 + L-012 + L-014 status open -> closed; M-028 status
open -> partial_closed; closure notes cite the Bundle-9 mechanism.
* certctl/CHANGELOG.md — Bundle-9 section under [unreleased].
55 lines
2.2 KiB
Go
55 lines
2.2 KiB
Go
package local
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/x509"
|
|
"fmt"
|
|
)
|
|
|
|
// Bundle-9 / Audit L-002 (Private-key bytes linger in heap after marshal):
|
|
//
|
|
// x509.MarshalECPrivateKey copies the private scalar into a fresh DER buffer.
|
|
// If the caller PEM-encodes that buffer, writes it to disk, and returns, the
|
|
// buffer remains in the goroutine's heap until the GC sweeps it — at which
|
|
// point the bytes may persist further (Go's GC does not zero released memory).
|
|
//
|
|
// A heap dump (debug attach, core dump, swap-out, container memory snapshot
|
|
// taken by an attacker with host access) can then recover the private key.
|
|
//
|
|
// marshalPrivateKeyAndZeroize wraps MarshalECPrivateKey + a deferred
|
|
// `clear(buf)` so the caller can copy the DER into a PEM block and the
|
|
// underlying bytes are zeroed on function return. It is the caller's
|
|
// responsibility to do the same on whatever PEM/file buffer they derive.
|
|
//
|
|
// This is a defense-in-depth measure — Go memory hygiene cannot match the
|
|
// guarantees of a process-isolated HSM. See L-014's documentation in
|
|
// local.go for the explicit threat-model carve-out around CA private keys
|
|
// resident in the server process.
|
|
|
|
// marshalPrivateKeyAndZeroize marshals an ECDSA private key to DER and
|
|
// invokes onDER with the bytes. After onDER returns, the DER buffer is
|
|
// zeroized via the builtin `clear`. This bounds the window during which
|
|
// the private scalar lives in the heap to exactly the duration of onDER.
|
|
//
|
|
// Callers that PEM-encode + write to disk should structure as:
|
|
//
|
|
// err := marshalPrivateKeyAndZeroize(priv, func(der []byte) error {
|
|
// pemBytes := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
|
|
// defer clear(pemBytes)
|
|
// return os.WriteFile(path, pemBytes, 0o600)
|
|
// })
|
|
//
|
|
// onDER MUST NOT retain a reference to the slice — the bytes are zeroed
|
|
// after it returns.
|
|
func marshalPrivateKeyAndZeroize(priv *ecdsa.PrivateKey, onDER func([]byte) error) error {
|
|
if priv == nil {
|
|
return fmt.Errorf("marshalPrivateKeyAndZeroize: nil private key")
|
|
}
|
|
der, err := x509.MarshalECPrivateKey(priv)
|
|
if err != nil {
|
|
return fmt.Errorf("marshal EC private key: %w", err)
|
|
}
|
|
defer clear(der)
|
|
return onDER(der)
|
|
}
|