mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:01:37 +00:00
shankar0123
2a384c690e
Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.
This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.
Shared (internal/secret/):
- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
NewRefFromString without callers having to know the field type
changed. Null and missing keys leave the receiver nil; non-string
payloads (numbers, bools) are rejected with a typed error. Pinned
by TestRef_UnmarshalJSON: string_value, null, missing_key,
number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
goes through "[redacted]" intentionally — JSON-marshal-then-
unmarshal of a Config with secrets is NOT a supported test pattern;
callers that construct a rawConfig must use a JSON literal with
the real values).
Per-connector migration:
- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
to call Token.Use; the Bearer header string is built inside the
callback and the buffer is zeroed on return. mTLS path is
unaffected.
- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
→ *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
Extracted setAuthHeaders helper consolidates the four duplicated
triple-Set sites (ValidateConfig probe, IssueCertificate,
RevokeCertificate, pollCertificateOnce) so any future header-shape
change applies once. ValidateConfig now pulls from the local cfg
(post-Unmarshal) so the helper takes a *Config rather than the
receiver — needed because ValidateConfig writes the validated cfg
onto c.config only AFTER the probe succeeds.
- Sectigo (sectigo.go): Config.Login + Config.Password: string →
*secret.Ref. CustomerURI stays plain string (org identifier, not
a credential). setAuthHeaders rewritten to call Login.Use +
Password.Use; ValidateConfig's inline header writes use the same
pattern (the ValidateConfig probe writes to a local cfg, not
c.config, so it can't share setAuthHeaders without rewiring — the
inline form is fine, kept consistent in shape).
Test migration:
- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
Password.
Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.
Out of scope (intentional):
- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
`EJBCAConfig` env-var-loader structs are still plain strings —
those types are the env-load shape, not the steady-state runtime
shape. The seed path in service/issuer.go json-marshals them into
a map[string]interface{} which the factory then UnmarshalJSON's
into the connector Config; the new UnmarshalJSON on *Ref handles
the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
will pick them up. The audit explicitly named EJBCA / GlobalSign /
Sectigo as the Phase 2 scope (RESULTS.md L633).
Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
issuerfactory, service, api/handler: green
Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.
172 lines
6.0 KiB
Go
172 lines
6.0 KiB
Go
// Copyright (c) certctl
|
|
// SPDX-License-Identifier: BSL-1.1
|
|
|
|
// Package secret provides Ref, an opaque handle to a credential.
|
|
//
|
|
// Closes the #6 acquisition-readiness blocker from the 2026-05-01
|
|
// issuer coverage audit. Pre-fix, GlobalSign / EJBCA / Sectigo stored
|
|
// API keys / OAuth tokens / 3-header credentials as plain Go strings
|
|
// on the Connector struct. Encrypted at rest via
|
|
// internal/crypto/encryption.go (AES-256-GCM v3 + PBKDF2-600k), they
|
|
// sat in process memory in the clear after load and were written to
|
|
// HTTP headers on every API call. DEBUG-level HTTP request logging
|
|
// leaked them into logs.
|
|
//
|
|
// Ref defeats casual heap-dump extraction and accidental log leaks:
|
|
//
|
|
// - The bytes are never marshalled into a string. Use(fn) is the
|
|
// only access path; Ref.String() returns "[redacted]".
|
|
// - The buffer passed to fn is zeroed (overwritten with 0 bytes)
|
|
// after fn returns. The credential is present in the heap only
|
|
// for the duration of fn.
|
|
// - MarshalJSON returns "[redacted]" so JSON-encoding a config
|
|
// struct (e.g., GET /issuers response) doesn't leak.
|
|
//
|
|
// Ref is paired with the request-logging middleware filter in
|
|
// internal/api/middleware/redact.go which strips known credential
|
|
// headers (Authorization, X-API-Key, X-DC-DEVKEY, X-Vault-Token,
|
|
// customerUri, login, password) from outbound DEBUG logs as a
|
|
// belt-and-braces defense against third-party HTTP clients (AWS SDK
|
|
// at DEBUG, etc.) that format headers themselves.
|
|
package secret
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
)
|
|
|
|
// Ref is an opaque handle to a credential. Use Use(fn) or WriteTo(w)
|
|
// to obtain the underlying bytes; do not store the slice beyond the
|
|
// callback's return — the buffer is zeroed and may be reused.
|
|
type Ref struct {
|
|
// src returns a fresh copy of the credential bytes on every
|
|
// invocation. Production: a closure that decrypts an at-rest
|
|
// blob. Test: a closure that returns a copy of a static []byte.
|
|
src func() ([]byte, error)
|
|
}
|
|
|
|
// NewRef constructs a Ref backed by the supplied source. The source
|
|
// closure is called every time Use / WriteTo is invoked; it must
|
|
// return a fresh slice (the caller will zero it).
|
|
func NewRef(src func() ([]byte, error)) *Ref {
|
|
return &Ref{src: src}
|
|
}
|
|
|
|
// NewRefFromString is a convenience for tests / config-loading paths
|
|
// that have a plaintext string already. The source returns a copy of
|
|
// the string's bytes on every invocation; the original string still
|
|
// lives in the caller's memory (immutable Go string semantics) — the
|
|
// caller should drop the reference once it has been wrapped in a Ref.
|
|
//
|
|
// Production code paths should prefer NewRef with a decrypt-on-demand
|
|
// closure so the plaintext is never present in process memory at rest.
|
|
func NewRefFromString(s string) *Ref {
|
|
return &Ref{
|
|
src: func() ([]byte, error) {
|
|
// Copy so the returned slice is independent — Use will
|
|
// zero the copy without disturbing s.
|
|
b := make([]byte, len(s))
|
|
copy(b, s)
|
|
return b, nil
|
|
},
|
|
}
|
|
}
|
|
|
|
// Use invokes fn with a freshly-allocated buffer holding the secret
|
|
// bytes. After fn returns (or panics), the buffer is overwritten with
|
|
// zeros and dropped.
|
|
//
|
|
// fn MUST NOT retain the slice beyond its return. Storing the slice
|
|
// in a struct field, sending it on a channel, or passing it to a
|
|
// goroutine that runs after Use returns are all bugs — the buffer
|
|
// will be zeroed before the consumer reads it.
|
|
func (r *Ref) Use(fn func(buf []byte) error) error {
|
|
if r == nil {
|
|
return fmt.Errorf("secret.Ref.Use: nil Ref")
|
|
}
|
|
buf, err := r.src()
|
|
if err != nil {
|
|
return fmt.Errorf("secret.Ref: source: %w", err)
|
|
}
|
|
defer zero(buf)
|
|
return fn(buf)
|
|
}
|
|
|
|
// WriteTo writes the secret bytes to w (typically an HTTP header
|
|
// writer or a CSR signing routine) and zeros the staging buffer
|
|
// afterwards. Convenience over Use for the common "set a header"
|
|
// case.
|
|
//
|
|
// Returns the byte count and any write error.
|
|
func (r *Ref) WriteTo(w io.Writer) (int64, error) {
|
|
if r == nil {
|
|
return 0, fmt.Errorf("secret.Ref.WriteTo: nil Ref")
|
|
}
|
|
buf, err := r.src()
|
|
if err != nil {
|
|
return 0, fmt.Errorf("secret.Ref: source: %w", err)
|
|
}
|
|
defer zero(buf)
|
|
n, werr := w.Write(buf)
|
|
return int64(n), werr
|
|
}
|
|
|
|
// String returns "[redacted]" — the type intentionally never
|
|
// stringifies the underlying bytes. Catches accidental leak via
|
|
// fmt.Sprintf("%v", cfg), slog attribute formatting, etc.
|
|
func (r *Ref) String() string { return "[redacted]" }
|
|
|
|
// MarshalJSON returns "[redacted]" so a config struct holding *Ref
|
|
// fields can be JSON-encoded without leaking credentials. Used by
|
|
// the API surface (GET /issuers etc.) and any operator-facing
|
|
// serialization path.
|
|
func (r *Ref) MarshalJSON() ([]byte, error) {
|
|
return []byte(`"[redacted]"`), nil
|
|
}
|
|
|
|
// UnmarshalJSON parses a JSON string into a Ref via NewRefFromString.
|
|
// Required for the production wiring path where issuer Config structs
|
|
// are JSON-deserialized from the DB-stored config blob (the factory's
|
|
// NewFromConfig in internal/connector/issuerfactory).
|
|
//
|
|
// Accepts either a JSON string ("abc") or null (treated as nil Ref).
|
|
// Other JSON shapes (numbers, objects, arrays) are rejected — a
|
|
// credential is always either a string or absent.
|
|
func (r *Ref) UnmarshalJSON(data []byte) error {
|
|
if string(data) == "null" {
|
|
// nil-Ref unmarshal is a no-op; the field on the parent
|
|
// struct stays nil and IsEmpty() reports true.
|
|
return nil
|
|
}
|
|
var s string
|
|
if err := json.Unmarshal(data, &s); err != nil {
|
|
return fmt.Errorf("secret.Ref: expected JSON string, got: %w", err)
|
|
}
|
|
*r = *NewRefFromString(s)
|
|
return nil
|
|
}
|
|
|
|
// IsEmpty reports whether the source returns an empty byte slice
|
|
// (zero-length credential). Useful for ValidateConfig paths that need
|
|
// to check "did the operator set the credential" without obtaining
|
|
// the bytes.
|
|
func (r *Ref) IsEmpty() bool {
|
|
if r == nil {
|
|
return true
|
|
}
|
|
buf, err := r.src()
|
|
if err != nil {
|
|
return true
|
|
}
|
|
defer zero(buf)
|
|
return len(buf) == 0
|
|
}
|
|
|
|
// zero overwrites b with zero bytes. Visible for testing.
|
|
func zero(b []byte) {
|
|
for i := range b {
|
|
b[i] = 0
|
|
}
|
|
}
|