mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-12 19:40:27 +00:00
Shankar
0861aa9482
Phase 7 of the SCEP RFC 8894 + Intune master bundle. Adds the
internal/scep/intune package that validates Microsoft Intune Certificate
Connector signed challenges embedded in SCEP CSR challengePassword
attributes. This is the parsing/validation foundation; Phase 8 wires it
into the SCEP service dispatcher.
What's included:
* doc.go — package architecture (Intune cloud → Connector → certctl
SCEP server) + 'what this package is NOT' guard rails. We do NOT
implement full JOSE: no JKU / kid / x5c trust, no JWKS fetch.
Trust anchor is operator-supplied at startup and pinned. The
package does NOT call Microsoft's API directly — the Connector
already did that; we validate its signed attestation.
* trust_anchor.go — LoadTrustAnchor(path) reads a PEM bundle of
Intune Connector signing certs. Skips non-CERTIFICATE PEM blocks
(operators sometimes paste chains with the priv key by mistake).
Rejects empty bundles + expired certs at startup with an
operator-actionable message including the cert subject. SIGHUP
reload lands in Phase 8.5; today it's load-once-at-boot.
* claim.go — ChallengeClaim struct + DeviceMatchesCSR helper.
Set-equality semantics for SAN-DNS/SAN-RFC822/SAN-UPN: the CSR
must carry EXACTLY the claim's elements, no extras and no missing.
Empty claim slice = no constraint on that dimension.
Per-dimension typed errors (ErrClaimCNMismatch /
ErrClaimSANDNSMismatch / ErrClaimSANRFC822Mismatch /
ErrClaimSANUPNMismatch) so audit logs surface the failure
dimension without string-matching. extractUPNSans is stubbed to
return nil with documented fail-closed behavior — non-empty UPN
claims fail the equalSets check (correct behavior; the rare deploy
that pins UPN SANs hot-fixes the ASN.1 walker per the inline
comment).
* replay.go — ReplayCache: bounded in-memory cache of seen nonces
with TTL. Sized for 100,000 entries (60-min Connector validity ×
25 RPS Intune fleet steady-state ≈ 90,000 challenges/hour with
headroom). sync.Map for concurrent read/write; janitor goroutine
wakes every TTL/4 to evict expired entries; at-cap O(N)
oldest-eviction (rarely fires; janitor keeps the cache below
cap). Redis-backed variant deferred to V3-Pro.
* challenge.go — the load-bearing piece:
- ParseChallenge(raw) splits the JWT-like compact serialization
into header/payload/signature and base64url-decodes each.
Tolerates both padded + unpadded encodings (some Connector
builds emit padded; RFC 7515 §2 says unpadded; we accept both).
Validates the header parses as JSON before returning so the
malformed-signal lands earlier in the pipeline.
- ValidateChallenge(raw, trust, expectedAudience, now):
1. ParseChallenge
2. JWS signature verify over (segment0 || '.' || segment1)
— re-derived from the raw on-wire bytes, NOT
re-base64-encoded, per RFC 7515 §3.1 (re-encoding could
produce a byte-different input than what was signed)
3. Signature alg dispatch:
RS256: rsa.VerifyPKCS1v15(SHA-256)
ES256: tries fixed-width r||s (JOSE-canonical) first,
falls back to ASN.1 DER (older Connectors)
alg=none: explicit reject with audit-log-friendly
message (RFC 7515 §3.6 attack vector)
HS*/PS*: rejected as 'unsupported alg' (no shared
secret in our threat model)
4. Version-detection prelude (versionedChallenge struct +
versionUnmarshalers map). Today's format is v1 (no
explicit version field; absence IS the v1 signal). Adding
v2 = adding a parser + a registration line; v1 path stays
untouched. Defends against the inevitable Microsoft format
change at ~30 LoC + 2 tests cost vs. a P0 incident.
5. Time bounds (iat / exp); audience pin (skipped when
expectedAudience == "").
Replay protection is the CALLER's job (handler glues parser +
cache; validator stays stateless + testable).
* Typed errors: ErrChallengeMalformed / ErrChallengeSignature /
ErrChallengeExpired / ErrChallengeNotYetValid /
ErrChallengeWrongAudience / ErrChallengeReplay /
ErrChallengeUnknownVersion. errors.Is-friendly so the handler
can audit failure dimension.
Tests (94.8% coverage):
* challenge_test.go (18 tests): happy-path RS256 + ES256
fixed-width + ES256 DER; TamperedSignature; TamperedPayload;
Expired; NotYetValid; WrongAudience; EmptyExpectedAudience
disables check; RotatedTrustAnchor; EmptyTrustBundle;
AlgNoneRejected; UnsupportedAlg (HS256); MissingAlg;
VersionV1ExplicitOK; VersionUnknownRejected;
MixedTrustBundle iter (skip key-type mismatches without
surfacing as Signature err); NonJSONPayloadButValidSignature;
Malformed cases (empty, missing dots, bad base64, non-JSON
header — 9 sub-cases); PaddedBase64Tolerated.
* claim_test.go (13 tests): per-dimension matching across CN +
SAN-DNS + SAN-RFC822 + SAN-UPN; nil guards; case-insensitive DNS
(RFC 4343); dedupe set-equality; empty claim = no constraint;
UPN stub canary; normaliseSet edge cases; equalSets length
mismatch.
* replay_test.go (11 tests): first-fresh; duplicate-rejected;
past-TTL-fresh; Sweep-evicts-expired; empty-nonce
short-circuits; at-cap LRU eviction; default-cap=100k;
Close-idempotent; TTL=0 disables janitor; concurrent-race-free
(50 goroutines × 200 inserts); empty-nonce twice is fresh both
times (we don't cache empties).
* trust_anchor_test.go: HappyPath single + multi cert; SkipsNonCertBlocks
(priv key + cert mix); EmptyBundleRejected; OnlyKeyBlocksRejected;
ExpiredCertRejected (with subject CN in error); MalformedCertRejected;
LoadTrustAnchor disk + EmptyPath + MissingFile.
* fuzz_test.go: FuzzParseChallenge with seed corpus covering both
the well-formed and the obvious-malformed shapes. Survived 187k
execs in 21s without panic on the local burst; CI runs 5 min.
Verification:
* gofmt -l ./internal/scep/intune: clean
* go vet ./internal/scep/intune/...: clean
* staticcheck ./internal/scep/intune/...: clean
* go test -count=1 -cover ./internal/scep/intune/...: 94.8%
(target was ≥85%)
* go vet ./internal/... ./cmd/...: clean (no rest-of-repo regressions)
* No new CERTCTL_* env vars (those land in Phase 8 with the
config gate); G-3 docs-drift CI guard not triggered.
* No new HTTP routes; openapi-parity guard not triggered.
Phase 8 will:
- Add SCEPProfileConfig.Intune* env vars + preflight gate
- Wire the validator into the SCEP service dispatcher
(Intune-shaped challenges → validator; static → existing path)
- Trust-anchor SIGHUP reload mirroring cmd/server/tls.go::watchSIGHUP
- Per-claim rate limit + audit metrics
Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 7
cowork/scep-rfc8894-intune/progress.md
172 lines
5.4 KiB
Go
172 lines
5.4 KiB
Go
package intune
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"errors"
|
|
"math/big"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
// pemEncodeCert is a small DRY helper for the PEM bundle fixtures.
|
|
func pemEncodeCert(t *testing.T, der []byte) []byte {
|
|
t.Helper()
|
|
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
|
|
}
|
|
|
|
// freshConnectorCertDER returns a freshly-minted EC P-256 cert as raw DER
|
|
// + the matching key. Lifetime is parameterised so the same factory drives
|
|
// both the happy-path and expired-cert cases.
|
|
func freshConnectorCertDER(t *testing.T, notAfter time.Time) ([]byte, *ecdsa.PrivateKey) {
|
|
t.Helper()
|
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("ecdsa.GenerateKey: %v", err)
|
|
}
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: big.NewInt(time.Now().UnixNano()),
|
|
Subject: pkix.Name{CommonName: "intune-connector-test"},
|
|
NotBefore: time.Now().Add(-1 * time.Hour),
|
|
NotAfter: notAfter,
|
|
}
|
|
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
|
|
if err != nil {
|
|
t.Fatalf("x509.CreateCertificate: %v", err)
|
|
}
|
|
return der, key
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_HappyPath_SingleCert(t *testing.T) {
|
|
der, _ := freshConnectorCertDER(t, time.Now().Add(365*24*time.Hour))
|
|
body := pemEncodeCert(t, der)
|
|
|
|
certs, err := parseTrustAnchorPEM(body, "test", time.Now())
|
|
if err != nil {
|
|
t.Fatalf("parseTrustAnchorPEM: %v", err)
|
|
}
|
|
if len(certs) != 1 {
|
|
t.Fatalf("len(certs) = %d, want 1", len(certs))
|
|
}
|
|
if certs[0].Subject.CommonName != "intune-connector-test" {
|
|
t.Errorf("Subject.CommonName = %q", certs[0].Subject.CommonName)
|
|
}
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_HappyPath_MultiCert(t *testing.T) {
|
|
d1, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
|
|
d2, _ := freshConnectorCertDER(t, time.Now().Add(60*24*time.Hour))
|
|
body := append(pemEncodeCert(t, d1), pemEncodeCert(t, d2)...)
|
|
|
|
certs, err := parseTrustAnchorPEM(body, "test", time.Now())
|
|
if err != nil {
|
|
t.Fatalf("parseTrustAnchorPEM: %v", err)
|
|
}
|
|
if len(certs) != 2 {
|
|
t.Fatalf("len(certs) = %d, want 2", len(certs))
|
|
}
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_SkipsNonCertBlocks(t *testing.T) {
|
|
der, key := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
|
|
keyDER, err := x509.MarshalECPrivateKey(key)
|
|
if err != nil {
|
|
t.Fatalf("MarshalECPrivateKey: %v", err)
|
|
}
|
|
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
|
|
body := append(keyPEM, pemEncodeCert(t, der)...) // priv key first, cert second
|
|
|
|
certs, err := parseTrustAnchorPEM(body, "test", time.Now())
|
|
if err != nil {
|
|
t.Fatalf("parseTrustAnchorPEM should ignore non-CERTIFICATE blocks: %v", err)
|
|
}
|
|
if len(certs) != 1 {
|
|
t.Fatalf("len(certs) = %d, want 1 (priv key block must be skipped)", len(certs))
|
|
}
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_EmptyBundleRejected(t *testing.T) {
|
|
_, err := parseTrustAnchorPEM([]byte("nothing here"), "test", time.Now())
|
|
if err == nil || !strings.Contains(err.Error(), "no CERTIFICATE PEM blocks") {
|
|
t.Fatalf("expected 'no CERTIFICATE PEM blocks' error, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_OnlyKeyBlocksRejected(t *testing.T) {
|
|
key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
keyDER, _ := x509.MarshalECPrivateKey(key)
|
|
body := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
|
|
|
|
_, err := parseTrustAnchorPEM(body, "test", time.Now())
|
|
if err == nil {
|
|
t.Fatalf("expected error for bundle with no certs, got nil")
|
|
}
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_ExpiredCertRejected(t *testing.T) {
|
|
der, _ := freshConnectorCertDER(t, time.Now().Add(-1*time.Hour)) // already expired
|
|
body := pemEncodeCert(t, der)
|
|
|
|
_, err := parseTrustAnchorPEM(body, "expired-bundle", time.Now())
|
|
if err == nil || !strings.Contains(err.Error(), "expired") {
|
|
t.Fatalf("expected expiry error, got %v", err)
|
|
}
|
|
// Operator-actionable message must include the subject so the audit
|
|
// log says exactly which cert to rotate.
|
|
if !strings.Contains(err.Error(), "intune-connector-test") {
|
|
t.Errorf("error must include subject CN for operator action: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestParseTrustAnchorPEM_MalformedCertRejected(t *testing.T) {
|
|
bad := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not-a-real-asn1-cert")})
|
|
|
|
_, err := parseTrustAnchorPEM(bad, "test", time.Now())
|
|
if err == nil {
|
|
t.Fatalf("expected x509 parse error, got nil")
|
|
}
|
|
}
|
|
|
|
func TestLoadTrustAnchor_FromDisk(t *testing.T) {
|
|
der, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
|
|
body := pemEncodeCert(t, der)
|
|
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "intune-trust.pem")
|
|
if err := os.WriteFile(path, body, 0o600); err != nil {
|
|
t.Fatalf("WriteFile: %v", err)
|
|
}
|
|
certs, err := LoadTrustAnchor(path)
|
|
if err != nil {
|
|
t.Fatalf("LoadTrustAnchor: %v", err)
|
|
}
|
|
if len(certs) != 1 {
|
|
t.Fatalf("len(certs) = %d, want 1", len(certs))
|
|
}
|
|
}
|
|
|
|
func TestLoadTrustAnchor_EmptyPath(t *testing.T) {
|
|
_, err := LoadTrustAnchor("")
|
|
if err == nil || !strings.Contains(err.Error(), "empty") {
|
|
t.Fatalf("expected empty-path error, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestLoadTrustAnchor_MissingFile(t *testing.T) {
|
|
_, err := LoadTrustAnchor("/tmp/does-not-exist-intune-trust.pem")
|
|
if err == nil {
|
|
t.Fatalf("expected file-not-found error, got nil")
|
|
}
|
|
// Don't string-assert on the OS error — just make sure it's surfaced.
|
|
if errors.Is(err, nil) {
|
|
t.Fatalf("error must be non-nil")
|
|
}
|
|
}
|