Replaces math/rand-based agent API key generation in internal/service/agent.go
with crypto/rand.Read over a 32-byte buffer encoded with base64.RawURLEncoding,
yielding a 43-character URL-safe unpadded ASCII string (256 bits of entropy).
generateAPIKey now returns (string, error); Register and RegisterAgent propagate
entropy-source failures. hashAPIKey is unchanged — the SHA-256 hashed-at-rest
invariant is preserved.
Fixes C-1 (CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator)
from certctl-audit-report.md.
Changes:
- internal/service/agent.go: new imports (crypto/rand, encoding/base64);
generateAPIKey rewritten to return (string, error); Register and RegisterAgent
updated to propagate the error.
- internal/service/agent_test.go: TestGenerateAPIKey_Properties regression test
(non-empty, length 43, valid base64url, 32 decoded bytes, no collisions over
64 calls). No entropy-failure test — Go 1.24+ (issue #66821) makes crypto/rand
errors fatal, so that branch is defensively unreachable.
Verification:
- go build ./cmd/server/... ./cmd/agent/... ./cmd/mcp-server/... ./cmd/cli/... → pass
- go vet ./... → pass
- go test -race (CI scope, 43 packages) → pass
- golangci-lint v2.11.4 run ./... → 0 issues
- govulncheck ./... → 0 vulnerabilities in certctl code
- Coverage: service 68.9% / handler 83.6% / domain 82.0% / middleware 63.8%
(all above CI gates 55/60/40/30)
- grep math/rand in internal/ and cmd/ → zero production hits
- No caller assumes the old 32-char length or legacy charset
shankar0123
b219e5d68a