gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 20:11:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1ec42065a116f802218be2771eae8e3c8ff20c8
certctl/internal/repository
T
History
shankar0123 ea47d7c903 fix(oidc/prelogin): encrypt state/nonce/PKCE-verifier at rest (HIGH-5) 
Pre-login rows previously persisted the OIDC state, nonce, and PKCE
verifier as plaintext columns; an operator restoring an unredacted
backup of oidc_pre_login_sessions to a debug environment leaked every
in-flight handshake. If the IdP also leaked the auth code in the same
window (logged at a misconfigured TLS terminator, etc.), the attacker
could exchange code + verifier directly. RFC 7636 §7 requires verifier
confidentiality.

This commit:
- Migration 000041 adds {state,nonce,pkce_verifier}_enc BYTEA columns
  and makes the legacy plaintext columns nullable. A follow-up
  migration drops the plaintext columns once the rolling deploy
  completes.
- internal/repository/postgres/oidc_prelogin.go::Create encrypts the
  three secrets via crypto.EncryptIfKeySet (v3 magic 0x03 + per-row
  salt + nonce + AES-256-GCM tag) and writes only the encrypted
  columns; legacy plaintext stays NULL on the write path.
- LookupAndConsume prefers encrypted columns via materialize(),
  falling back to the legacy plaintext only when _enc is NULL — the
  rolling-deploy compat layer that 000042 will retire.
- NewPreLoginRepository takes encryptionKey; cmd/server/main.go threads
  cfg.Encryption.ConfigEncryptionKey in.
- Encryption key reuses CERTCTL_CONFIG_ENCRYPTION_KEY (same passphrase
  already protecting OIDC client secrets and SessionSigningKey material).
  No new env var.

Why encryption-at-rest, not HMAC: the spec's HMAC approach required
moving plaintext into the cookie (the cookie currently carries only
row ID + HMAC). Re-shaping the cookie wire format would be a larger
refactor; the audit explicitly admits encryption-at-rest is an
acceptable closure (weaker because backups still contain decryptable
ciphertext, but the encryption key is held separately from the DB
backup, and the 10-minute TTL further bounds usable secret window).

Three new regression tests in oidc_prelogin_encryption_test.go pin:
  (a) _enc columns contain v3-format ciphertext, NOT plaintext
      substrings, post-Create
  (b) legacy plaintext columns are NULL post-Create (defends against
      future patches that re-introduce plaintext writes)
  (c) LookupAndConsume round-trips state/nonce/verifier byte-for-byte
A fourth test pins the legacy-row fallback for rolling-deploy compat.

Refs: cowork/auth-bundles-audit-2026-05-10.md HIGH-5
Spec: cowork/auth-bundles-fixes-2026-05-10/09-high-5-prelogin-secret-protection.md
2026-05-10 21:17:55 +00:00
..
postgres
fix(oidc/prelogin): encrypt state/nonce/PKCE-verifier at rest (HIGH-5)
2026-05-10 21:17:55 +00:00
auth.go
auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split
2026-05-09 20:15:43 +00:00
breakglass.go
feat(gui+auth): break-glass admin GUI surface (CRIT-4 closure)
2026-05-10 20:24:52 +00:00
errors.go
domain, migrations: ApprovalRequest type + issuance_approval_requests + RequiresApproval
2026-05-04 00:55:17 +00:00
filters.go
auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split
2026-05-09 20:15:43 +00:00
interfaces.go
domain, migrations: IntermediateCA type + intermediate_cas + Issuer.HierarchyMode
2026-05-04 01:53:56 +00:00
oidc_bcl.go
fix(oidc/bcl): jti replay-cache + iat freshness check (HIGH-3 closure)
2026-05-10 20:53:29 +00:00
oidc.go
auth-bundle-2 Phase 5: OIDC + session HTTP surface (13 endpoints),
2026-05-10 06:08:27 +00:00
querier.go
repo,service: introduce WithinTx and atomic audit rows for issue/renew/revoke
2026-05-02 00:29:09 +00:00
session.go
auth-bundle-2 Phase 4: session service (cookie minting + signature
2026-05-10 05:31:24 +00:00
user.go
auth-bundle-2 Phase 2b: repository interfaces + Postgres impls + integration tests
2026-05-10 04:18:27 +00:00