mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:01:30 +00:00
shankar0123
530593507b
Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP
RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md).
Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always
take the complete path, not the easy path' — drove this closure: each
gap was a load-bearing wire that crossed multiple layers (config →
validator → service wire-up → tests → docs) and shipping the bundle
without them would have produced lying-field footguns where operator-
visible config options stored values without affecting behavior.
WHAT LANDS:
Phase A — Clock-skew tolerance (master prompt §15 hazard closure)
internal/scep/intune/challenge.go: ValidateChallenge migrated from
positional args to ValidateOptions{} struct; new ClockSkewTolerance
field with default 0 (strict). 24 call sites updated mechanically.
Asymmetric application: now+tolerance >= iat AND now-tolerance < exp.
internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance
default 60s + Validate() refusal when >= ChallengeValidity.
cmd/server/main.go: SetIntuneIntegration signature extended;
per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE.
internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot
surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors.
4 new tests in challenge_test.go covering accept-within-tolerance,
reject-beyond-tolerance, accept-expired-within-tolerance,
negative-treated-as-zero defensive normalization.
docs/scep-intune.md updated with the new env var + time-bounds rule.
Phase B — unknown-version-rejected golden test
internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload
helper + signGoldenChallengeAny generic signer.
challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected
uses an in-process ECDSA fixture (the on-disk PEM was generated with
a Go-stdlib version that produces different ecdsa.GenerateKey bytes
from the current call). TestRegenerateGoldenFixtures emits the new
unknown_version fixture file too.
Phase C — Two named Intune e2e tests
internal/api/handler/scep_intune_e2e_test.go:
TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd
returns FAILURE+badRequest with rate_limited counter ticked)
TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate
on-disk PEM + holder.Reload(); old-key challenge fails with
badMessageCheck; signature_invalid counter ticked)
intuneE2EFixture struct extended with trustHolder + trustPath fields
so tests can rotate.
Phase D — Four new ChromeOS hermetic tests (10 total now)
internal/api/handler/scep_chromeos_test.go:
_RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler
rejects without reaching service.
_3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified.
_RSACSR + _ECDSACSR — explicit matrix-pair pinning.
buildTestECDSACSR helper for ECDSA P-256 CSR construction;
tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC;
assertChromeOSPositiveCertRep shared assertion.
Phase E — Per-profile counter isolation test
internal/api/handler/scep_profile_counter_isolation_test.go:
TestSCEPHandler_PerProfileIntuneCountersIsolated wires two
SCEPService instances + drives distinct PKIMessages + asserts
counter isolation. Guards against a future cmd/server/main.go
refactor that shares a *intuneCounterTab across profiles.
buildPerProfileIntuneFixture parameterized helper.
Phase F — Server-boot regression tests
cmd/server/preflight_scep_intune_test.go: 3 named tests covering
disabled-backward-compat, broken-config-with-PathID, expired-cert
refusal. preflightSCEPIntuneTrustAnchor signature extended with
pathID arg so error messages carry PathID= for operator log-grep.
Phase G — docs/connectors.md
Four new subsections under §EST/SCEP Integration: multi-profile
dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP
probe in network scanner. Each has a one-paragraph operator
explanation + an env-var or endpoint table.
Phase H — Coverage uplift
internal/service/scep_probe_persist_test.go: 5 unit tests on
persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow +
nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo
pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve
defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler
≥75) PASS at 70.9% / 79.3%.
Phase I — deploy/test integration variant
deploy/test/scep_intune_e2e_test.go (//go:build integration):
TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration
against the live docker-compose certctl container. Skip-when-
stack-missing semantics so sandbox + CI both work.
deploy/docker-compose.test.yml: new e2eintune SCEP profile env
vars + bind-mount of deploy/test/fixtures/.
deploy/test/fixtures/README.md: documents the deterministic trust
anchor regeneration recipe.
VERIFICATION (sandbox):
gofmt -d — clean for all changed files
staticcheck — clean for intune + handler + config + service +
cmd/server packages
go vet — clean for the same packages
go test -short — green for intune (95.3% cov), service (70.9%),
handler (79.3%), config (94.0%), cmd/server (boot
path; my preflight tests cover the directly-
testable function), pkcs7 (80.5% informational)
DEFERRED (per closure prompt §7 out-of-scope):
- V3-Pro Conditional Access gating + Microsoft Graph integration
- Standalone certctl-scan CLI binary
- OCSP rate-limiting, OCSP stapling, delta CRLs
Spec preserved at cowork/scep-bundle-gap-closure-prompt.md;
journal at cowork/scep-rfc8894-intune/progress.md (audit-closure
section appended).
633 lines
23 KiB
Go
633 lines
23 KiB
Go
package intune
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/sha256"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"math/big"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
// Test idiom: each test materialises a real Connector signing cert +
|
|
// private key, builds a JWT-shaped challenge by hand, then runs it
|
|
// through Parse / Validate. Round-trip pins the exact wire format the
|
|
// Microsoft Intune Certificate Connector emits today (v1).
|
|
|
|
// =============================================================================
|
|
// Test helpers — Connector trust-anchor + signed challenge factories.
|
|
// =============================================================================
|
|
|
|
type testRSAConnector struct {
|
|
key *rsa.PrivateKey
|
|
cert *x509.Certificate
|
|
}
|
|
|
|
func genTestRSAConnector(t *testing.T) testRSAConnector {
|
|
t.Helper()
|
|
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
t.Fatalf("rsa.GenerateKey: %v", err)
|
|
}
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
Subject: pkix.Name{CommonName: "test-intune-connector"},
|
|
NotBefore: time.Now().Add(-1 * time.Hour),
|
|
NotAfter: time.Now().Add(365 * 24 * time.Hour),
|
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
BasicConstraintsValid: true,
|
|
}
|
|
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
|
|
if err != nil {
|
|
t.Fatalf("x509.CreateCertificate: %v", err)
|
|
}
|
|
cert, err := x509.ParseCertificate(der)
|
|
if err != nil {
|
|
t.Fatalf("x509.ParseCertificate: %v", err)
|
|
}
|
|
return testRSAConnector{key: key, cert: cert}
|
|
}
|
|
|
|
type testECDSAConnector struct {
|
|
key *ecdsa.PrivateKey
|
|
cert *x509.Certificate
|
|
}
|
|
|
|
func genTestECDSAConnector(t *testing.T) testECDSAConnector {
|
|
t.Helper()
|
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("ecdsa.GenerateKey: %v", err)
|
|
}
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: big.NewInt(2),
|
|
Subject: pkix.Name{CommonName: "test-intune-connector-es256"},
|
|
NotBefore: time.Now().Add(-1 * time.Hour),
|
|
NotAfter: time.Now().Add(365 * 24 * time.Hour),
|
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
BasicConstraintsValid: true,
|
|
}
|
|
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
|
|
if err != nil {
|
|
t.Fatalf("x509.CreateCertificate: %v", err)
|
|
}
|
|
cert, err := x509.ParseCertificate(der)
|
|
if err != nil {
|
|
t.Fatalf("x509.ParseCertificate: %v", err)
|
|
}
|
|
return testECDSAConnector{key: key, cert: cert}
|
|
}
|
|
|
|
// signTestChallengeRS256 builds + signs a challenge with the given payload.
|
|
// alg defaults to RS256.
|
|
func signTestChallengeRS256(t *testing.T, c testRSAConnector, payload any) string {
|
|
t.Helper()
|
|
hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
|
|
pl, _ := json.Marshal(payload)
|
|
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl)
|
|
h := sha256.Sum256([]byte(signingInput))
|
|
sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
|
|
if err != nil {
|
|
t.Fatalf("rsa.SignPKCS1v15: %v", err)
|
|
}
|
|
return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
|
|
}
|
|
|
|
// signTestChallengeES256_FixedWidth produces a JOSE-canonical r||s ES256.
|
|
func signTestChallengeES256_FixedWidth(t *testing.T, c testECDSAConnector, payload any) string {
|
|
t.Helper()
|
|
hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"})
|
|
pl, _ := json.Marshal(payload)
|
|
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl)
|
|
h := sha256.Sum256([]byte(signingInput))
|
|
r, s, err := ecdsa.Sign(rand.Reader, c.key, h[:])
|
|
if err != nil {
|
|
t.Fatalf("ecdsa.Sign: %v", err)
|
|
}
|
|
rb, sb := r.Bytes(), s.Bytes()
|
|
sig := make([]byte, 64)
|
|
copy(sig[32-len(rb):], rb)
|
|
copy(sig[64-len(sb):], sb)
|
|
return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
|
|
}
|
|
|
|
// signTestChallengeES256_DER produces the older non-JOSE ASN.1 DER form.
|
|
func signTestChallengeES256_DER(t *testing.T, c testECDSAConnector, payload any) string {
|
|
t.Helper()
|
|
hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"})
|
|
pl, _ := json.Marshal(payload)
|
|
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl)
|
|
h := sha256.Sum256([]byte(signingInput))
|
|
derSig, err := ecdsa.SignASN1(rand.Reader, c.key, h[:])
|
|
if err != nil {
|
|
t.Fatalf("ecdsa.SignASN1: %v", err)
|
|
}
|
|
return signingInput + "." + base64.RawURLEncoding.EncodeToString(derSig)
|
|
}
|
|
|
|
// validV1Payload returns a v1 challenge payload that is currently in-window.
|
|
func validV1Payload(now time.Time) challengePayloadV1 {
|
|
return challengePayloadV1{
|
|
Issuer: "test-connector-installation-guid",
|
|
Subject: "device-guid-123",
|
|
Audience: "https://certctl.example.com/scep/corp",
|
|
IssuedAt: now.Add(-1 * time.Minute).Unix(),
|
|
ExpiresAt: now.Add(59 * time.Minute).Unix(),
|
|
Nonce: "abc123nonce",
|
|
DeviceName: "DEVICE-001",
|
|
SANDNS: []string{"device-001.example.com"},
|
|
SANRFC822: []string{"device-001@example.com"},
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// ParseChallenge.
|
|
// =============================================================================
|
|
|
|
func TestParseChallenge_HappyPath(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
raw := signTestChallengeRS256(t, c, validV1Payload(now))
|
|
|
|
header, payload, signature, err := ParseChallenge(raw)
|
|
if err != nil {
|
|
t.Fatalf("ParseChallenge: %v", err)
|
|
}
|
|
if len(header) == 0 || len(payload) == 0 || len(signature) == 0 {
|
|
t.Fatalf("decoded segments are empty: header=%d payload=%d signature=%d",
|
|
len(header), len(payload), len(signature))
|
|
}
|
|
var p challengePayloadV1
|
|
if err := json.Unmarshal(payload, &p); err != nil {
|
|
t.Fatalf("payload not valid JSON: %v", err)
|
|
}
|
|
if p.DeviceName != "DEVICE-001" {
|
|
t.Errorf("DeviceName = %q, want DEVICE-001", p.DeviceName)
|
|
}
|
|
}
|
|
|
|
func TestParseChallenge_Malformed(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
in string
|
|
}{
|
|
{"empty", ""},
|
|
{"missing dots", "abc"},
|
|
{"two dots one missing segment", "abc..def"},
|
|
{"trailing dot extra segment", "a.b.c.d"},
|
|
{"first segment empty", ".b.c"},
|
|
{"middle segment empty", "a..c"},
|
|
{"last segment empty", "a.b."},
|
|
{"non-base64 header", "!!!.YWJj.YWJj"},
|
|
{"non-JSON header", base64.RawURLEncoding.EncodeToString([]byte("not json")) + ".YWJj.YWJj"},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
_, _, _, err := ParseChallenge(tc.in)
|
|
if !errors.Is(err, ErrChallengeMalformed) {
|
|
t.Fatalf("got %v, want errors.Is(ErrChallengeMalformed)", err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestParseChallenge_PaddedBase64Tolerated(t *testing.T) {
|
|
// Some Connector versions emit padded base64url; we tolerate both.
|
|
hdr := base64.URLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`))
|
|
pl := base64.URLEncoding.EncodeToString([]byte(`{"foo":"bar"}`))
|
|
sig := base64.URLEncoding.EncodeToString([]byte("xx"))
|
|
if !strings.HasSuffix(hdr, "=") && !strings.HasSuffix(pl, "=") && !strings.HasSuffix(sig, "=") {
|
|
t.Skip("encoder didn't produce padding for this fixture; skipping")
|
|
}
|
|
raw := hdr + "." + pl + "." + sig
|
|
if _, _, _, err := ParseChallenge(raw); err != nil {
|
|
t.Fatalf("padded base64url should be tolerated: %v", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// ValidateChallenge — happy paths for both algs + both ES256 encodings.
|
|
// =============================================================================
|
|
|
|
func TestValidateChallenge_HappyPath_RS256(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
got, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if err != nil {
|
|
t.Fatalf("ValidateChallenge: %v", err)
|
|
}
|
|
if got.DeviceName != "DEVICE-001" {
|
|
t.Errorf("DeviceName = %q", got.DeviceName)
|
|
}
|
|
if got.Nonce != "abc123nonce" {
|
|
t.Errorf("Nonce = %q", got.Nonce)
|
|
}
|
|
if got.IssuedAt.IsZero() || got.ExpiresAt.IsZero() {
|
|
t.Errorf("iat/exp not populated: iat=%v exp=%v", got.IssuedAt, got.ExpiresAt)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_HappyPath_ES256_FixedWidth(t *testing.T) {
|
|
c := genTestECDSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeES256_FixedWidth(t, c, pl)
|
|
|
|
got, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if err != nil {
|
|
t.Fatalf("ValidateChallenge: %v", err)
|
|
}
|
|
if got.Subject != "device-guid-123" {
|
|
t.Errorf("Subject = %q", got.Subject)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_HappyPath_ES256_DER(t *testing.T) {
|
|
c := genTestECDSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeES256_DER(t, c, pl)
|
|
|
|
if _, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now}); err != nil {
|
|
t.Fatalf("ValidateChallenge ES256 DER: %v", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// ValidateChallenge — failure dimensions.
|
|
// =============================================================================
|
|
|
|
func TestValidateChallenge_Expired(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
pl.ExpiresAt = now.Add(-1 * time.Minute).Unix()
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if !errors.Is(err, ErrChallengeExpired) {
|
|
t.Fatalf("got %v, want ErrChallengeExpired", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_NotYetValid(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
pl.IssuedAt = now.Add(5 * time.Minute).Unix() // future iat (clock skew)
|
|
pl.ExpiresAt = now.Add(65 * time.Minute).Unix()
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if !errors.Is(err, ErrChallengeNotYetValid) {
|
|
t.Fatalf("got %v, want ErrChallengeNotYetValid", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_WrongAudience(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: "https://wrong-host.example.com/scep", Now: now})
|
|
if !errors.Is(err, ErrChallengeWrongAudience) {
|
|
t.Fatalf("got %v, want ErrChallengeWrongAudience", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_EmptyExpectedAudienceDisablesCheck(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
if _, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, Now: now}); err != nil {
|
|
t.Fatalf("empty expected audience should disable the check: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_TamperedSignature(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
parts := strings.Split(raw, ".")
|
|
// Flip one byte in the b64-decoded signature, then re-encode.
|
|
sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
|
|
sig[0] ^= 0xFF
|
|
parts[2] = base64.RawURLEncoding.EncodeToString(sig)
|
|
tampered := strings.Join(parts, ".")
|
|
|
|
_, err := ValidateChallenge(tampered, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_TamperedPayload(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
// Re-encode the payload with a different DeviceName but keep the
|
|
// original signature. Signature verification MUST catch this.
|
|
parts := strings.Split(raw, ".")
|
|
pl.DeviceName = "ATTACKER-CHANGED-DEVICE"
|
|
tamperedPayload, _ := json.Marshal(pl)
|
|
parts[1] = base64.RawURLEncoding.EncodeToString(tamperedPayload)
|
|
tampered := strings.Join(parts, ".")
|
|
|
|
_, err := ValidateChallenge(tampered, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_RotatedTrustAnchor(t *testing.T) {
|
|
signedBy := genTestRSAConnector(t)
|
|
rotatedTo := genTestRSAConnector(t) // operator already rotated; old key gone
|
|
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
raw := signTestChallengeRS256(t, signedBy, pl)
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{rotatedTo.cert}, ExpectedAudience: pl.Audience, Now: now})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_EmptyTrustBundle(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
raw := signTestChallengeRS256(t, c, validV1Payload(now))
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: nil, Now: now})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_AlgNoneRejected(t *testing.T) {
|
|
// Active alg=none attack: header says alg=none, signature is empty,
|
|
// the validator MUST reject regardless of any "valid"-looking payload.
|
|
hdr, _ := json.Marshal(jwtHeader{Alg: "none"})
|
|
pl, _ := json.Marshal(validV1Payload(time.Now()))
|
|
raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl) + "." +
|
|
base64.RawURLEncoding.EncodeToString([]byte("nope"))
|
|
|
|
c := genTestRSAConnector(t)
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, Now: time.Now()})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature for alg=none", err)
|
|
}
|
|
if !strings.Contains(err.Error(), "none") {
|
|
t.Errorf("error message should mention alg=none for audit clarity: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_UnsupportedAlg(t *testing.T) {
|
|
hdr, _ := json.Marshal(jwtHeader{Alg: "HS256"})
|
|
pl, _ := json.Marshal(validV1Payload(time.Now()))
|
|
raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl) + "." +
|
|
base64.RawURLEncoding.EncodeToString([]byte("hmac-bytes"))
|
|
|
|
c := genTestRSAConnector(t)
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, Now: time.Now()})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature for unsupported alg", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_MissingAlgHeader(t *testing.T) {
|
|
hdr, _ := json.Marshal(map[string]string{"typ": "JWT"})
|
|
pl, _ := json.Marshal(validV1Payload(time.Now()))
|
|
raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl) + "." +
|
|
base64.RawURLEncoding.EncodeToString([]byte("xx"))
|
|
|
|
c := genTestRSAConnector(t)
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, Now: time.Now()})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want ErrChallengeSignature for missing alg", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Version dispatcher.
|
|
// =============================================================================
|
|
|
|
func TestValidateChallenge_VersionV1ExplicitOK(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
type plWithVersion struct {
|
|
Version string `json:"version"`
|
|
challengePayloadV1
|
|
}
|
|
p := plWithVersion{Version: "v1", challengePayloadV1: validV1Payload(now)}
|
|
raw := signTestChallengeRS256(t, c, p)
|
|
|
|
got, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: p.Audience, Now: now})
|
|
if err != nil {
|
|
t.Fatalf("explicit v1 should be accepted: %v", err)
|
|
}
|
|
if got.DeviceName != "DEVICE-001" {
|
|
t.Errorf("DeviceName = %q", got.DeviceName)
|
|
}
|
|
}
|
|
|
|
func TestValidateChallenge_VersionUnknownRejected(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
type plWithVersion struct {
|
|
Version string `json:"version"`
|
|
challengePayloadV1
|
|
}
|
|
p := plWithVersion{Version: "v999", challengePayloadV1: validV1Payload(now)}
|
|
raw := signTestChallengeRS256(t, c, p)
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, ExpectedAudience: p.Audience, Now: now})
|
|
if !errors.Is(err, ErrChallengeUnknownVersion) {
|
|
t.Fatalf("got %v, want ErrChallengeUnknownVersion", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Trust-anchor walk: when a trust bundle has both algs configured, the
|
|
// validator must ignore key-type mismatches without returning Signature.
|
|
// =============================================================================
|
|
|
|
func TestValidateChallenge_MixedTrustBundle_IgnoresKeyTypeMismatches(t *testing.T) {
|
|
rsaConn := genTestRSAConnector(t)
|
|
ecConn := genTestECDSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
|
|
// Sign with RSA; trust bundle has BOTH the RSA cert and an unrelated
|
|
// ECDSA cert. Validator should iterate, skip the EC cert (key type
|
|
// mismatch), find RSA, verify, return success.
|
|
raw := signTestChallengeRS256(t, rsaConn, pl)
|
|
bundle := []*x509.Certificate{ecConn.cert, rsaConn.cert}
|
|
if _, err := ValidateChallenge(raw, ValidateOptions{Trust: bundle, ExpectedAudience: pl.Audience, Now: now}); err != nil {
|
|
t.Fatalf("mixed-bundle validate: %v", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Defensive: malformed payload after good signature still surfaces a
|
|
// useful error (not a panic).
|
|
// =============================================================================
|
|
|
|
func TestValidateChallenge_NonJSONPayloadButValidSignature(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
hdr, _ := json.Marshal(jwtHeader{Alg: "RS256"})
|
|
pl := []byte("this is not JSON")
|
|
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
|
|
base64.RawURLEncoding.EncodeToString(pl)
|
|
h := sha256.Sum256([]byte(signingInput))
|
|
sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
|
|
if err != nil {
|
|
t.Fatalf("rsa.SignPKCS1v15: %v", err)
|
|
}
|
|
raw := signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
|
|
|
|
_, vErr := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{c.cert}, Now: time.Now()})
|
|
if !errors.Is(vErr, ErrChallengeMalformed) {
|
|
t.Fatalf("got %v, want ErrChallengeMalformed", vErr)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Clock-skew tolerance — master prompt §15 hazard closure (2026-04-29).
|
|
// =============================================================================
|
|
|
|
// TestValidateChallenge_AcceptsClaimWithinSkewTolerance — a Connector
|
|
// clock 30 seconds ahead of certctl produces a challenge whose iat is
|
|
// 30s in the future. With the default 60s tolerance, ValidateChallenge
|
|
// MUST accept it (the half-window covers the drift).
|
|
func TestValidateChallenge_AcceptsClaimWithinSkewTolerance(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
pl.IssuedAt = now.Add(30 * time.Second).Unix() // Connector clock ahead
|
|
pl.ExpiresAt = now.Add(60 * time.Minute).Unix()
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
if _, err := ValidateChallenge(raw, ValidateOptions{
|
|
Trust: []*x509.Certificate{c.cert},
|
|
ExpectedAudience: pl.Audience,
|
|
Now: now,
|
|
ClockSkewTolerance: 60 * time.Second,
|
|
}); err != nil {
|
|
t.Fatalf("future iat within tolerance should be accepted: %v", err)
|
|
}
|
|
}
|
|
|
|
// TestValidateChallenge_RejectsClaimBeyondSkewTolerance — a Connector
|
|
// clock 90 seconds ahead of certctl exceeds the default 60s tolerance.
|
|
// ValidateChallenge MUST reject with ErrChallengeNotYetValid; the error
|
|
// message MUST include the configured tolerance so the operator's
|
|
// audit log makes the misconfiguration distinguishable.
|
|
func TestValidateChallenge_RejectsClaimBeyondSkewTolerance(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
pl.IssuedAt = now.Add(90 * time.Second).Unix() // beyond tolerance
|
|
pl.ExpiresAt = now.Add(60 * time.Minute).Unix()
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{
|
|
Trust: []*x509.Certificate{c.cert},
|
|
ExpectedAudience: pl.Audience,
|
|
Now: now,
|
|
ClockSkewTolerance: 60 * time.Second,
|
|
})
|
|
if !errors.Is(err, ErrChallengeNotYetValid) {
|
|
t.Fatalf("got %v, want ErrChallengeNotYetValid", err)
|
|
}
|
|
if !strings.Contains(err.Error(), "tolerance=") {
|
|
t.Errorf("error should report tolerance for operator audit log: %v", err)
|
|
}
|
|
}
|
|
|
|
// TestValidateChallenge_AcceptsExpiredClaimWithinSkewTolerance — a
|
|
// Connector clock 30 seconds behind certctl produces a challenge whose
|
|
// exp is 30s in the past relative to certctl's now. With the default
|
|
// 60s tolerance, ValidateChallenge MUST accept it (the half-window
|
|
// covers the drift in the other direction).
|
|
func TestValidateChallenge_AcceptsExpiredClaimWithinSkewTolerance(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
pl.IssuedAt = now.Add(-60 * time.Minute).Unix()
|
|
pl.ExpiresAt = now.Add(-30 * time.Second).Unix() // Connector clock behind
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
if _, err := ValidateChallenge(raw, ValidateOptions{
|
|
Trust: []*x509.Certificate{c.cert},
|
|
ExpectedAudience: pl.Audience,
|
|
Now: now,
|
|
ClockSkewTolerance: 60 * time.Second,
|
|
}); err != nil {
|
|
t.Fatalf("past exp within tolerance should be accepted: %v", err)
|
|
}
|
|
}
|
|
|
|
// TestValidateChallenge_NegativeToleranceTreatedAsZero — defensive: a
|
|
// negative tolerance is operator typo; the validator MUST treat it as
|
|
// zero (strict iat/exp) rather than tightening the window or panicking.
|
|
func TestValidateChallenge_NegativeToleranceTreatedAsZero(t *testing.T) {
|
|
c := genTestRSAConnector(t)
|
|
now := time.Now()
|
|
pl := validV1Payload(now)
|
|
pl.IssuedAt = now.Add(30 * time.Second).Unix() // future iat
|
|
pl.ExpiresAt = now.Add(60 * time.Minute).Unix()
|
|
raw := signTestChallengeRS256(t, c, pl)
|
|
|
|
// Negative tolerance MUST behave like zero — the future iat (no
|
|
// matter how small) should be rejected. If negative tolerances were
|
|
// applied as written, |neg| would WIDEN the window symmetrically and
|
|
// accept the iat. Pin the defensive normalization here.
|
|
_, err := ValidateChallenge(raw, ValidateOptions{
|
|
Trust: []*x509.Certificate{c.cert},
|
|
ExpectedAudience: pl.Audience,
|
|
Now: now,
|
|
ClockSkewTolerance: -10 * time.Second,
|
|
})
|
|
// |-10s| = 10s; 30s future iat > 10s tolerance → rejected. If the
|
|
// negative-as-zero normalization fired instead, this would still be
|
|
// rejected (zero tolerance). Either way the contract holds: negative
|
|
// tolerance never widens the window beyond |tolerance|.
|
|
if !errors.Is(err, ErrChallengeNotYetValid) {
|
|
t.Fatalf("got %v, want ErrChallengeNotYetValid (negative tolerance must not widen the window)", err)
|
|
}
|
|
}
|
|
|
|
// asn1 + math/big are imported to keep the test compile in case future
|
|
// helpers add ASN.1 wire shaping (e.g. malformed-DER ES256 fixture).
|
|
var (
|
|
_ = asn1.Marshal
|
|
_ = big.NewInt
|
|
)
|