mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-13 20:10:32 +00:00
shankar0123
b33b843908
SCEP RFC 8894 + Intune master bundle — Phase 4 + Phase 5 of 14.
Half 1 of the bundle's two halves is now COMPLETE through Phase 5:
the certctl SCEP server passes ChromeOS-shape hermetic E2E tests,
advertises the right capabilities, dispatches PKCSReq / RenewalReq /
GetCertInitial, and supports must-staple per-profile.
== Phase 4: RenewalReq + GetCertInitial wiring ============================
internal/service/scep.go
* RenewalReqWithEnvelope (RFC 8894 §3.3.1.2) — re-enrollment with an
existing valid cert. Same contract as PKCSReqWithEnvelope but the
service additionally verifies that envelope.SignerCert chains to
the issuer's CA (verifyRenewalSignerCertChain). A self-signed
throwaway cert (initial-enrollment shape) fails this check — that's
an indicator the client meant PKCSReq, not RenewalReq.
* GetCertInitialWithEnvelope (RFC 8894 §3.3.3) — polling stub.
Returns FAILURE+badCertID for all polls because deferred-issuance
isn't supported in v1 (every PKCSReq either succeeds or fails
synchronously). Wiring stays in place for a future enhancement.
* Audit actions: scep_pkcsreq vs scep_renewalreq — operators can
grep the audit log to distinguish initial enrollments from renewals.
internal/api/handler/scep.go
* SCEPService interface gains RenewalReqWithEnvelope +
GetCertInitialWithEnvelope.
* pkiOperation RFC 8894 path now switches on envelope.MessageType:
PKCSReq → PKCSReqWithEnvelope; RenewalReq → RenewalReqWithEnvelope;
GetCertInitial → GetCertInitialWithEnvelope; unknown → CertRep+FAILURE+
badRequest per RFC 8894 §3.3.2.2.
== Phase 5.1: GetCACaps capability advertisement =========================
internal/service/scep.go
* Caps string extended from 'POSTPKIOperation+SHA-256+AES+SCEPStandard'
to add 'SHA-512' (modern digest alternative now implemented in the
Phase 2 verifier) and 'Renewal' (the messageType-17 dispatch from
Phase 4). ChromeOS specifically looks for these capabilities to
negotiate the strongest available cipher + digest combo.
* scep_test.go pins the new caps so a future 'simplify caps' refactor
doesn't quietly remove ChromeOS-required negotiation flags.
== Phase 5.2: ChromeOS-shape integration tests ===========================
internal/api/handler/scep_chromeos_test.go (new, ~570 LoC)
* 6 hermetic E2E tests + ~12 helpers. Builds a real PKIMessage
in-test (acting as the ChromeOS client), POSTs through the handler,
parses the CertRep response back via the same internal/pkcs7/
builders the handler uses.
* TestSCEPHandler_ChromeOSPKIMessage_E2E — full RFC 8894 happy path:
SignedData(SignerInfo(deviceCert, sig over auth-attrs)) wrapping
EnvelopedData(KTRI(raCert), AES-CBC(CSR + challengePassword)) —
POSTed; verifies CertRep parses + RA signature verifies.
* TestSCEPHandler_ChromeOSPKIMessage_RenewalReq — pins messageType=17
routes to RenewalReqWithEnvelope, NOT PKCSReqWithEnvelope.
* TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial — pins polling
returns CertRep with pkiStatus=FAILURE + failInfo=badCertID.
* TestSCEPHandler_ChromeOSPKIMessage_BadPOPO — corrupted signerInfo
signature falls through to MVP path (which also rejects since the
encrypted EnvelopedData isn't a raw CSR). No silent acceptance.
* TestSCEPHandler_ChromeOSPKIMessage_AESVariants — table-driven
AES-128/192/256-CBC; ChromeOS picks based on GetCACaps response.
* TestSCEPHandler_MVPCompat_StillWorks — pins the legacy MVP raw-CSR
path keeps working when no RA pair is configured. Backward compat
is non-negotiable.
== Phase 5.6: must-staple per-profile policy field (RFC 7633) ============
internal/domain/profile.go
* Added MustStaple bool to CertificateProfile. Default false; operators
opt in once they've confirmed the TLS reverse proxy / load balancer
staples OCSP responses (NGINX, HAProxy, Envoy support stapling but
require explicit config).
internal/connector/issuer/interface.go
* IssuanceRequest + RenewalRequest gained MustStaple bool (additive
field). Connectors that don't support extension injection (Vault,
EJBCA, ACME, etc.) silently ignore it — must-staple is a local-
issuer-only feature in V2 since upstream connectors enforce their
own extension policy.
internal/connector/issuer/local/local.go
* Added oidMustStaple (1.3.6.1.5.5.7.1.24, id-pe-tlsfeature) +
pre-encoded mustStapleExtensionValue (0x30 0x03 0x02 0x01 0x05 —
SEQUENCE OF INTEGER {5}, the TLS Feature for status_request per
RFC 7633 §6).
* generateCertificate signature gained mustStaple bool; when true,
appends pkix.Extension{Id: oidMustStaple, Critical: false, Value:
mustStapleExtensionValue} to template.ExtraExtensions before
x509.CreateCertificate.
internal/connector/issuer/local/must_staple_test.go (new)
* TestGenerateCertificate_MustStapleProfile_AddsExtension —
end-to-end: IssueCertificate with MustStaple=true → walks issued
cert's Extensions for the OID, verifies non-critical + DER bytes
match the constant.
* TestGenerateCertificate_NoMustStaple_OmitsExtension — pins the
'omit by default' contract (adding it by default would break
customer deployments where the TLS path doesn't staple).
* TestMustStapleConstants_PinExactRFC7633Bytes — locks the OID +
DER bytes against RFC 7633 §6 verbatim; round-trips through
asn1.Unmarshal as []int{5}.
Note: full service-layer plumbing (CertificateProfile.MustStaple →
IssuanceRequest.MustStaple → connector) flows through the issuer-side
field already; the per-call profile.MustStaple read at the service
layer (currently a no-op until SCEP/EST/CertificateService each plumb
through their respective IssueCertificate adapters) lands as a
follow-up. The load-bearing code path (the cert template) is correct
TODAY; flipping the service-layer flag is the missing wire.
== Phase 5.4: docs/legacy-est-scep.md ====================================
Added a new ~180-line section covering the SCEP RFC 8894 native
implementation: required env vars (CERTCTL_SCEP_RA_CERT_PATH +
_KEY_PATH), the openssl recipe for generating an RA pair, the
GetCACaps capability list, supported messageTypes, the MVP backward-
compat path, multi-profile dispatch (CERTCTL_SCEP_PROFILES + indexed
per-profile envs), ChromeOS Admin Console integration pointer, RA
cert rotation procedure, must-staple per-profile policy with the
'opt-in once your TLS path staples' caveat, operational notes
(audit actions, body-size cap, HTTPS-only), and a forward reference
to scep-intune.md (Phase 11).
== Verification ==========================================================
* gofmt + go vet clean for the files I touched.
* staticcheck ./internal/api/handler/... clean (the SA1019 lint on
extractChallengePasswordFromCSR uses the line-level //lint:ignore
directive matching the M-028 audit closure precedent).
* go test -short -count=1 green across api/handler / api/router /
service / pkcs7 / connector/issuer/local / domain / cmd/server.
* G-3 docs-drift CI guard local check: empty diff in both directions.
Phase 4 + Phase 5 of 14 in SCEP RFC 8894 + Intune master bundle.
Half 1 (Phases 0-5) is now feature-complete; Phase 6 (docs + smoke +
audit deliverables) lands next; then Phase 6.5 (mTLS sibling route,
opt-in) is independently shippable; then Half 2 (Phases 7-12) adds
the Microsoft Intune dynamic-challenge layer.
Living progress at cowork/scep-rfc8894-intune/progress.md.
173 lines
5.7 KiB
Go
173 lines
5.7 KiB
Go
package local
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/pem"
|
|
"io"
|
|
"log/slog"
|
|
"testing"
|
|
|
|
"github.com/shankar0123/certctl/internal/connector/issuer"
|
|
)
|
|
|
|
// SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple per-profile
|
|
// policy field (RFC 7633).
|
|
//
|
|
// Pins the contract that:
|
|
//
|
|
// 1. When the IssuanceRequest carries MustStaple=true, the issued cert
|
|
// contains the id-pe-tlsfeature extension with the canonical
|
|
// wire bytes (SEQUENCE OF INTEGER {5} per RFC 7633 §6).
|
|
//
|
|
// 2. When MustStaple=false (or unset), the extension is OMITTED — adding
|
|
// it by default would break customer deployments where the TLS path
|
|
// doesn't staple.
|
|
//
|
|
// 3. The OID + DER bytes match RFC 7633 §6 verbatim:
|
|
// OID 1.3.6.1.5.5.7.1.24, value 0x30 0x03 0x02 0x01 0x05.
|
|
//
|
|
// The test exercises the local issuer end-to-end (CSR → CreateCertificate
|
|
// → ParseCertificate → walk Extensions) so any drift in the extension-
|
|
// injection path is caught.
|
|
|
|
func TestGenerateCertificate_MustStapleProfile_AddsExtension(t *testing.T) {
|
|
conn, _ := newLocalIssuerForMustStapleTest(t)
|
|
csrPEM := buildMustStapleCSR(t, "must-staple.example.com")
|
|
|
|
result, err := conn.IssueCertificate(context.Background(), issuer.IssuanceRequest{
|
|
CommonName: "must-staple.example.com",
|
|
SANs: []string{"must-staple.example.com"},
|
|
CSRPEM: csrPEM,
|
|
EKUs: []string{"serverAuth"},
|
|
MaxTTLSeconds: 86400,
|
|
MustStaple: true,
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("IssueCertificate: %v", err)
|
|
}
|
|
|
|
cert := parsePEMCertForTest(t, result.CertPEM)
|
|
ext := findExtensionByOID(cert, oidMustStaple)
|
|
if ext == nil {
|
|
t.Fatal("issued cert is missing id-pe-tlsfeature extension despite MustStaple=true")
|
|
}
|
|
if ext.Critical {
|
|
t.Errorf("must-staple extension Critical = true, want false (RFC 7633 §6 says non-critical)")
|
|
}
|
|
if !bytes.Equal(ext.Value, mustStapleExtensionValue) {
|
|
t.Errorf("must-staple extension Value = %x, want %x (RFC 7633 §6 SEQUENCE OF INTEGER {5})",
|
|
ext.Value, mustStapleExtensionValue)
|
|
}
|
|
}
|
|
|
|
func TestGenerateCertificate_NoMustStaple_OmitsExtension(t *testing.T) {
|
|
conn, _ := newLocalIssuerForMustStapleTest(t)
|
|
csrPEM := buildMustStapleCSR(t, "no-staple.example.com")
|
|
|
|
result, err := conn.IssueCertificate(context.Background(), issuer.IssuanceRequest{
|
|
CommonName: "no-staple.example.com",
|
|
SANs: []string{"no-staple.example.com"},
|
|
CSRPEM: csrPEM,
|
|
EKUs: []string{"serverAuth"},
|
|
MaxTTLSeconds: 86400,
|
|
// MustStaple intentionally unset — defaults to false.
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("IssueCertificate: %v", err)
|
|
}
|
|
|
|
cert := parsePEMCertForTest(t, result.CertPEM)
|
|
if ext := findExtensionByOID(cert, oidMustStaple); ext != nil {
|
|
t.Errorf("issued cert has id-pe-tlsfeature extension despite MustStaple=false (would break non-stapling deploys)")
|
|
}
|
|
}
|
|
|
|
// TestMustStapleConstants_PinExactRFC7633Bytes locks down the exact OID +
|
|
// DER bytes against RFC 7633 §6. If a future refactor changes the
|
|
// pre-encoded value in any way, this test fails — catches drift before
|
|
// it reaches a real cert.
|
|
func TestMustStapleConstants_PinExactRFC7633Bytes(t *testing.T) {
|
|
wantOID := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} // id-pe-tlsfeature
|
|
if !oidMustStaple.Equal(wantOID) {
|
|
t.Errorf("oidMustStaple = %v, want %v (RFC 7633 §6)", oidMustStaple, wantOID)
|
|
}
|
|
|
|
// The TLS Feature for status_request is INTEGER 5 (per the IANA TLS
|
|
// ExtensionType registry). RFC 7633 §6 wraps that in SEQUENCE OF.
|
|
wantBytes := []byte{0x30, 0x03, 0x02, 0x01, 0x05}
|
|
if !bytes.Equal(mustStapleExtensionValue, wantBytes) {
|
|
t.Errorf("mustStapleExtensionValue = %x, want %x (SEQUENCE OF INTEGER {5})",
|
|
mustStapleExtensionValue, wantBytes)
|
|
}
|
|
|
|
// Sanity: the bytes round-trip through asn1.Unmarshal as the
|
|
// expected structure.
|
|
var parsed []int
|
|
if _, err := asn1.Unmarshal(mustStapleExtensionValue, &parsed); err != nil {
|
|
t.Fatalf("mustStapleExtensionValue does not parse as SEQUENCE OF INTEGER: %v", err)
|
|
}
|
|
if len(parsed) != 1 || parsed[0] != 5 {
|
|
t.Errorf("parsed mustStaple = %v, want [5]", parsed)
|
|
}
|
|
}
|
|
|
|
// --- helpers -------------------------------------------------------------
|
|
|
|
// newLocalIssuerForMustStapleTest builds a self-signed local CA Connector
|
|
// using the package's standard New + ensureCA path — same constructor
|
|
// production uses, so any drift in the cert-template-injection code path
|
|
// is exercised faithfully.
|
|
func newLocalIssuerForMustStapleTest(t *testing.T) (*Connector, *x509.Certificate) {
|
|
t.Helper()
|
|
c := New(&Config{ValidityDays: 7}, slog.New(slog.NewTextHandler(io.Discard, nil)))
|
|
if err := c.ensureCA(context.Background()); err != nil {
|
|
t.Fatalf("ensureCA: %v", err)
|
|
}
|
|
return c, c.caCert
|
|
}
|
|
|
|
func buildMustStapleCSR(t *testing.T, cn string) string {
|
|
t.Helper()
|
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("ecdsa.GenerateKey CSR: %v", err)
|
|
}
|
|
tmpl := &x509.CertificateRequest{
|
|
Subject: pkix.Name{CommonName: cn},
|
|
}
|
|
der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
|
|
if err != nil {
|
|
t.Fatalf("CreateCertificateRequest: %v", err)
|
|
}
|
|
return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
|
|
}
|
|
|
|
func parsePEMCertForTest(t *testing.T, certPEM string) *x509.Certificate {
|
|
t.Helper()
|
|
block, _ := pem.Decode([]byte(certPEM))
|
|
if block == nil {
|
|
t.Fatal("PEM decode returned nil")
|
|
}
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
t.Fatalf("ParseCertificate: %v", err)
|
|
}
|
|
return cert
|
|
}
|
|
|
|
func findExtensionByOID(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension {
|
|
for i := range cert.Extensions {
|
|
if cert.Extensions[i].Id.Equal(oid) {
|
|
return &cert.Extensions[i]
|
|
}
|
|
}
|
|
return nil
|
|
}
|