mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-10 05:38:55 +00:00
shankar0123
a808948397
EST RFC 7030 hardening master bundle Phases 0 + 1 of 13. Lays the
foundation for the remaining hardening phases (mTLS auth, HTTP Basic
auth, channel binding, server-keygen, admin observability, GUI, libest
e2e) without changing existing operator behavior — backward-compat
shim preserves the v2.0.66 single-issuer flat env-var setup.
WHAT LANDS:
Phase 0 — Frozen decisions
9 frozen decisions documented in
cowork/est-rfc7030-hardening-prompt.md::Phase 0 frozen decisions
(auth modes mTLS+Basic at GA; RFC 9266 channel binding; multi-profile
env-var family CERTCTL_EST_PROFILES; mTLS sibling URL
/.well-known/est-mtls/<pathID>; serverkeygen ships V2; fullcmc
deferred; renewal device-driven per RFC 7030 §4.2.2; csrattrs
algorithm allow-list profile-derived; libest as e2e reference).
Phase 1 — Multi-profile config + per-profile dispatch
internal/config/config.go: extended ESTConfig with Profiles slice;
added ESTProfileConfig struct with all field contracts (PathID +
IssuerID + ProfileID + EnrollmentPassword + MTLSEnabled +
MTLSClientCATrustBundlePath + ChannelBindingRequired +
AllowedAuthModes + RateLimitPerPrincipal24h + ServerKeygenEnabled).
Forward-looking fields (mTLS, HTTP Basic, channel binding,
rate limit, server-keygen) are dormant in Phase 1 — Phase 2-5 wire
the corresponding handlers; Validate() gates ensure operators can't
set incoherent combinations (MTLSEnabled=true without bundle path,
basic auth without password, mtls auth mode without MTLSEnabled,
ChannelBindingRequired without mTLS, ServerKeygenEnabled without
ProfileID).
loadESTProfilesFromEnv: mirrors loadSCEPProfilesFromEnv exactly.
Reads CERTCTL_EST_PROFILES=corp,iot,wifi and per-profile env vars
CERTCTL_EST_PROFILE_<NAME>_*. Lowercase PathID, uppercase env-var
name. parseAuthModes handles comma-separated normalization.
mergeESTLegacyIntoProfiles: back-compat shim. When CERTCTL_EST_PROFILES
is unset AND CERTCTL_EST_ENABLED=true, synthesizes a single-element
Profiles[0] with PathID="" so existing /.well-known/est/
operators see no behavior change.
validESTPathID + validESTAuthMode: shape validators. PathID matches
[a-z0-9-]+ with no leading/trailing hyphen (mirrors validSCEPPathID
exactly). Auth mode is one of {mtls, basic}.
Per-profile Validate(): refuses every documented misconfiguration
with operator-greppable error messages naming the offending profile
index + PathID + field. Mirrors the SCEP audit-closure pattern.
internal/api/router/router.go: refactored RegisterESTHandlers from
single-handler to map[string]ESTHandler. Empty PathID maps to legacy
/.well-known/est/ root (literal-string r.Register calls preserve
openapi-parity scanner behavior). Non-empty PathIDs dynamic-register
/.well-known/est/<pathID>/{cacerts,simpleenroll,simplereenroll,csrattrs}.
Mirrors the SCEP per-profile dispatch from commit fdd424b.
cmd/server/main.go: refactored EST startup block to iterate
cfg.EST.Profiles. Per-profile preflight (issuer-in-registry,
preflightEnrollmentIssuer L-005 gate) runs in the loop with
per-profile structured logging including PathID. Failures log the
offending PathID so multi-profile deploys can pinpoint which broke
startup. Mirrors the SCEP per-profile loop from commit fdd424b.
Updated 3 callers of the old single-handler signature:
- internal/api/router/router_test.go::TestRegisterESTHandlers_AllPaths
- internal/integration/lifecycle_test.go::setupTestServer
- internal/integration/negative_test.go::setupTestServer
Each wraps the existing single ESTHandler in a single-element
map[string]handler.ESTHandler{"": estHandler} preserving exact
legacy behavior.
NEW TESTS:
internal/config/config_est_profiles_test.go (12 tests):
- LegacyFlatFields_SynthesizeSingleProfile (back-compat shim)
- DisabledNoLegacyShim
- MultipleProfiles_LoadFromEnv (3 profiles: corp+mtls+basic+keygen,
iot+basic, wifi+mtls; verifies every field round-trips)
- StructuredFormBeatsLegacy
- PathIDValidation (12 sub-cases: empty/valid/leading-hyphen/
trailing-hyphen/uppercase/slash/dot/underscore/space/percent)
- DuplicatePathID_Refuses
- MissingPerProfileIssuerID
- MTLSEnabledRequiresBundlePath
- ChannelBindingWithoutMTLS_Refuses (cross-check)
- BasicAuthInModesRequiresPassword (cross-check)
- MTLSAuthModeRequiresMTLSEnabled (cross-check)
- UnknownAuthModeRefused
- NegativeRateLimitRefused
- ServerKeygenRequiresProfileID
- DisabledIgnoresProfiles
- ParseAuthModes_Normalization (8 sub-cases)
internal/api/router/router_est_profiles_test.go (4 tests):
- LegacyEmptyPathIDMapsToRoot
- NonEmptyPathIDMapsToSubpath
- MultipleProfilesNoCrossBleed (the load-bearing dispatch invariant —
each profile's PathID routes to its OWN handler instance,
proven via per-profile-tagged mock responses with base64 prefix
matching)
- EmptyMapRegistersNoRoutes
VERIFICATION (sandbox, Go 1.25.9):
gofmt -l — clean for all changed files
staticcheck — clean for config + router + handler +
integration + cmd/server packages
go vet — clean for the same packages
go test -short -count=1 — green for config, router, handler,
service, integration, cmd/server
NEXT (Phase 2): mTLS client cert auth + TrustAnchorHolder + RFC 9266
tls-exporter channel binding. Phase 1's Validate gates already refuse
the incoherent configurations Phase 2 must defend against; Phase 2
adds the actual TLS-listener wiring + handler-side cert validation +
channel-binding extraction.
Spec preserved at cowork/est-rfc7030-hardening-prompt.md.
189 lines
8.0 KiB
Go
189 lines
8.0 KiB
Go
package router
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/shankar0123/certctl/internal/api/handler"
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
)
|
|
|
|
// EST RFC 7030 hardening master bundle Phase 1: per-profile EST router
|
|
// registration. Pins:
|
|
//
|
|
// 1. Empty PathID maps to /.well-known/est/ (legacy backward-compat).
|
|
// 2. Non-empty PathID maps to /.well-known/est/<pathID>/.
|
|
// 3. Multi-profile registration produces 4N routes (cacerts + simpleenroll
|
|
// + simplereenroll + csrattrs per profile).
|
|
// 4. Each registered route reaches the right handler instance — no
|
|
// cross-profile bleed-through (proven by the per-profile mock
|
|
// GetCACerts response carrying the profile tag).
|
|
//
|
|
// The mock service is a minimal ESTService implementation that records
|
|
// which profile served the request via the GetCACerts response — the test
|
|
// asserts it sees the right per-profile string echoed back, which would
|
|
// only happen if the right handler was wired to the right path.
|
|
|
|
// estProfileMockService is a per-profile-tagged mock ESTService for
|
|
// router-level tests. The CA cert PEM string carries the profile tag so
|
|
// the caller can verify which profile's handler served a given request.
|
|
type estProfileMockService struct {
|
|
tag string
|
|
}
|
|
|
|
func (s *estProfileMockService) GetCACerts(_ context.Context) (string, error) {
|
|
// Return a syntactically-valid PEM that embeds the profile tag in the
|
|
// cert body. The handler converts this PEM to PKCS#7 via PEMToDERChain
|
|
// — for the cross-bleed test we only need to confirm the right service
|
|
// was reached. Use a minimal PEM that won't parse as a real cert (the
|
|
// test asserts on the error path, which still routes through the right
|
|
// service mock).
|
|
return "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n", nil
|
|
}
|
|
|
|
func (s *estProfileMockService) SimpleEnroll(_ context.Context, _ string) (*domain.ESTEnrollResult, error) {
|
|
return &domain.ESTEnrollResult{CertPEM: "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n"}, nil
|
|
}
|
|
|
|
func (s *estProfileMockService) SimpleReEnroll(_ context.Context, _ string) (*domain.ESTEnrollResult, error) {
|
|
return &domain.ESTEnrollResult{CertPEM: "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n"}, nil
|
|
}
|
|
|
|
func (s *estProfileMockService) GetCSRAttrs(_ context.Context) ([]byte, error) {
|
|
// Return non-empty bytes so the handler returns 200 + the body. The body
|
|
// won't carry a profile tag (csrattrs is base64-encoded ASN.1; sticking
|
|
// a literal in here would not survive the encoding round-trip), but the
|
|
// 200 vs 204 status itself is enough to prove the right service was
|
|
// reached — the legacy mock returns 204 (nil bytes), this mock returns
|
|
// 200, and a wrong-handler bleed would produce the wrong status.
|
|
return []byte("PROFILE=" + s.tag), nil
|
|
}
|
|
|
|
func TestRouter_RegisterESTHandlers_LegacyEmptyPathIDMapsToRoot(t *testing.T) {
|
|
r := New()
|
|
svc := &estProfileMockService{tag: "legacy"}
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{
|
|
"": handler.NewESTHandler(svc),
|
|
})
|
|
|
|
// /.well-known/est/cacerts is a GET. The handler will fail at the
|
|
// PEM-to-DER step because our mock returns a malformed PEM, but the
|
|
// service WAS reached (the 500 we get back is from the handler's
|
|
// pkcs7 conversion, not from a routing error). Use csrattrs instead
|
|
// — it's GET and our mock returns clean bytes.
|
|
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("GET /.well-known/est/csrattrs — code %d, want 200 (legacy root should be registered; body=%q)", w.Code, w.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestRouter_RegisterESTHandlers_NonEmptyPathIDMapsToSubpath(t *testing.T) {
|
|
r := New()
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{
|
|
"corp": handler.NewESTHandler(&estProfileMockService{tag: "corp"}),
|
|
})
|
|
|
|
// /.well-known/est/corp/csrattrs should reach the corp handler.
|
|
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/corp/csrattrs", nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("GET /.well-known/est/corp/csrattrs — code %d, want 200 (per-profile route should be registered; body=%q)", w.Code, w.Body.String())
|
|
}
|
|
// /.well-known/est/ root must NOT be registered when only non-empty PathIDs exist.
|
|
req = httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
|
|
w = httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusNotFound && w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("/.well-known/est/csrattrs without legacy profile — code %d, want 404 or 405 (no handler should be registered)", w.Code)
|
|
}
|
|
}
|
|
|
|
// TestRouter_RegisterESTHandlers_MultipleProfilesNoCrossBleed pins the
|
|
// load-bearing dispatch invariant: each profile's PathID routes to its OWN
|
|
// handler instance. A regression that mis-wired the dispatch would surface
|
|
// as profile A's traffic hitting profile B's mock, observable here because
|
|
// each mock embeds its tag in the response.
|
|
func TestRouter_RegisterESTHandlers_MultipleProfilesNoCrossBleed(t *testing.T) {
|
|
r := New()
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{
|
|
"": handler.NewESTHandler(&estProfileMockService{tag: "default"}),
|
|
"corp": handler.NewESTHandler(&estProfileMockService{tag: "corp"}),
|
|
"iot": handler.NewESTHandler(&estProfileMockService{tag: "iot"}),
|
|
})
|
|
|
|
cases := []struct {
|
|
path string
|
|
wantTag string
|
|
}{
|
|
{"/.well-known/est/csrattrs", "default"},
|
|
{"/.well-known/est/corp/csrattrs", "corp"},
|
|
{"/.well-known/est/iot/csrattrs", "iot"},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.path, func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, tc.path, nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("code %d, want 200 (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
// The handler base64-encodes csrattrs bytes; decode our literal
|
|
// to confirm the right profile's mock was hit.
|
|
body := w.Body.String()
|
|
// PROFILE=<tag> is emitted by the mock; the handler base64-
|
|
// encodes the bytes in the body. Two checks: status was 200
|
|
// (above) AND the base64-decoded body would carry the tag.
|
|
// We don't decode here — the SCEP equivalent uses substring
|
|
// match against the raw body too; for EST the raw body IS
|
|
// base64 of "PROFILE=<tag>". Decode-and-match is the
|
|
// same verification operation; substring against the raw
|
|
// base64 works because each profile's tag has a unique
|
|
// base64 prefix.
|
|
if !contains(body, base64Tag(tc.wantTag)) {
|
|
t.Errorf("body = %q, want base64-encoded PROFILE=%s prefix", body, tc.wantTag)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRouter_RegisterESTHandlers_EmptyMapRegistersNoRoutes(t *testing.T) {
|
|
r := New()
|
|
r.RegisterESTHandlers(map[string]handler.ESTHandler{})
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
|
|
w := httptest.NewRecorder()
|
|
r.ServeHTTP(w, req)
|
|
if w.Code != http.StatusNotFound && w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("/.well-known/est/csrattrs with no profiles registered — code %d, want 404 or 405", w.Code)
|
|
}
|
|
}
|
|
|
|
// base64Tag returns the base64-encoded form of "PROFILE=<tag>" — used by
|
|
// the cross-bleed test to verify the mock's response made it through the
|
|
// handler's base64 encoding step. Local helper to avoid importing
|
|
// encoding/base64 just for this; the encoding is tiny and stable.
|
|
func base64Tag(tag string) string {
|
|
// stdlib produces "UFJPRklMRT0=" for "PROFILE=" — but each tag
|
|
// changes the suffix, so we match on the stable prefix only.
|
|
// "PROFILE=" → standard base64 "UFJPRklMRT0=" (when alone).
|
|
// "PROFILE=corp" → "UFJPRklMRT1jb3Jw"
|
|
// "PROFILE=iot" → "UFJPRklMRT1pb3Q="
|
|
// "PROFILE=default" → "UFJPRklMRT1kZWZhdWx0"
|
|
// All share the prefix "UFJPRklMRT" (= base64 of "PROFILE"). The tag
|
|
// suffix differs, which is what cross-bleed would change.
|
|
switch tag {
|
|
case "default":
|
|
return "UFJPRklMRT1kZWZhdWx0"
|
|
case "corp":
|
|
return "UFJPRklMRT1jb3Jw"
|
|
case "iot":
|
|
return "UFJPRklMRT1pb3Q"
|
|
}
|
|
return "UFJPRklMRT" // safe fallback prefix
|
|
}
|