fix(security): ship real offline license + policy signing keys (SEC-H1) (#701)

* fix(security): ship real offline license + policy signing keys (SEC-H1)

The embedded "current" trust anchors for license JWTs and admin-policy
envelopes were byte-for-byte the public halves of the committed test
private keys (internal/{license,policy}/testdata). Anyone with repo
access could forge licenses of any tier/feature or sign admin policies.
The verification code was correct; the trust root was the defect.

- Replace internal/license/keys/license-pubkey-current.pem and
  internal/policy/keys/policy-pubkey-current.pem with the real
  Ed25519 public keys generated offline (private keys live only in the
  operator vault, never in the repo or CI).
- Add a regression guard in each package (keys_guard_test.go) that fails
  the build if an embedded current public key equals the testdata key.
  Verified to fail loudly on the test key and pass on the real key.
- Decouple the license validator tests from the embedded key: mustRing
  now builds the ring from the testdata key (what signJWT signs with),
  so verification-logic tests are independent of the shipped production
  key. The embedded key is covered separately by the new guard.
- Spec it: system-license-validation C-09/AC-14 and system-policy
  C-10/AC-13 (both bumped to 1.1.0); annotation coverage stays 100%.

Follow-ups (not in this change): cmd/owlicgen still defaults to the test
private key for dev minting (production must pass --key <vault>); a
production policy-signing tool does not exist yet.

* test(security): decouple license/policy tests from the embedded key

Shipping the real signing keys broke every test that signs an artifact
with the testdata key and verifies it against the embedded trust anchor
(it used to be that same test key). These are DB-touching tests, so they
skipped locally without OPENWATCH_TEST_DSN and only failed in CI.

Add an internal/-scoped SetVerificationKeyForTesting(pub) to both the
license and policy packages (returns a restore func; never on a
production path) and install the testdata public key as the active
verifier from the helpers that sign with the testdata private key:
- policy: setupKeys (covers the 6 loader tests)
- server: mintTestLicenseJWT (4 license/premium tests),
  mintSignedAlertThresholds (signoff)

So the binary embeds the real offline key while tests verify their own
test-signed artifacts. Verified with OPENWATCH_TEST_DSN: full
internal/{server,policy,license} suites pass.

Author: remyluslosius

internal/license/keys.go

@@ -68,3 +68,18 @@ func parsePEMPublicKey(path string) (ed25519.PublicKey, error) {
 	}
 	return ed, nil
 }
+
+// SetVerificationKeyForTesting installs pub as the sole active license
+// verification key and returns a function that restores the prior keyring.
+//
+// It exists so tests (including in dependent packages such as internal/server)
+// can verify JWTs signed with the testdata key while the shipped binary embeds
+// the real, offline-generated key. internal/-scoped; never used on a production
+// code path. That the embedded trust anchor is NOT the testdata key is asserted
+// by TestEmbeddedKey_NotTestKey (system-license-validation AC-14).
+func SetVerificationKeyForTesting(pub ed25519.PublicKey) (restore func()) {
+	_ = Init()
+	prev := activeKeyring()
+	setKeyring(&publicKeyRing{current: pub})
+	return func() { setKeyring(prev) }
+}

internal/license/keys/license-pubkey-current.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAvhDPBqXoiNYumcZSyaHc9VxR0jEvrgdxupcxFSrIyKI=
+MCowBQYDK2VwAyEAYhnjz9tqHsRrDXHrCGE3d42TazqjOPJr/tLnxEwUI7c=
 -----END PUBLIC KEY-----

internal/license/keys_guard_test.go

@@ -0,0 +1,56 @@
+// @spec system-license-validation
+//
+// AC traceability:
+// @ac AC-14  (TestEmbeddedKey_NotTestKey)
+
+package license
+
+import (
+	"crypto/ed25519"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// @ac AC-14
+// AC-14: the embedded current license public key MUST NOT be the testdata
+// signing key. This guards against the SEC-H1 regression where the shipped
+// trust anchor is the committed test key, which would let anyone with repo
+// access forge license JWTs of any tier/feature.
+func TestEmbeddedKey_NotTestKey(t *testing.T) {
+	t.Run("system-license-validation/AC-14", func(t *testing.T) {
+		embedded, err := parsePEMPublicKey("keys/license-pubkey-current.pem")
+		if err != nil {
+			t.Fatalf("parse embedded current key: %v", err)
+		}
+		if embedded.Equal(testKeyPublic(t, "license-privkey-test.pem")) {
+			t.Fatal("SEC-H1 regression: embedded keys/license-pubkey-current.pem is the testdata " +
+				"key. Ship the real offline-generated public key (private key stays in the vault).")
+		}
+	})
+}
+
+// testKeyPublic derives the Ed25519 public half of a PKCS#8 test private key
+// under testdata/.
+func testKeyPublic(t *testing.T, name string) ed25519.PublicKey {
+	t.Helper()
+	raw, err := os.ReadFile(filepath.Join("testdata", name))
+	if err != nil {
+		t.Fatalf("read testdata/%s: %v", name, err)
+	}
+	block, _ := pem.Decode(raw)
+	if block == nil {
+		t.Fatalf("no PEM block in testdata/%s", name)
+	}
+	keyAny, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		t.Fatalf("parse testdata/%s: %v", name, err)
+	}
+	priv, ok := keyAny.(ed25519.PrivateKey)
+	if !ok {
+		t.Fatalf("testdata/%s is not an Ed25519 private key", name)
+	}
+	return priv.Public().(ed25519.PublicKey)
+}

internal/license/validator_test.go

@@ -72,13 +72,14 @@ func validClaims() claims {
 	}
 }
 
+// mustRing builds a key ring from the testdata signing key — the same key
+// signJWT signs with — so the verification-logic tests are independent of
+// whichever real production key is embedded in keys/license-pubkey-current.pem.
+// That the embedded key is NOT this test key is covered separately by
+// TestEmbeddedKey_NotTestKey (AC-14).
 func mustRing(t *testing.T) *publicKeyRing {
 	t.Helper()
-	ring, err := loadEmbeddedKeys()
-	if err != nil {
-		t.Fatalf("loadEmbeddedKeys: %v", err)
-	}
-	return ring
+	return &publicKeyRing{current: testKeyPublic(t, "license-privkey-test.pem")}
 }
 
 // @ac AC-01  (Valid JWT validates and returns a populated License.)

internal/policy/keys.go

@@ -59,3 +59,17 @@ func parseEmbeddedKey(path string) (ed25519.PublicKey, error) {
 func activeKeyring() *keyring {
 	return activeKeys.Load()
 }
+
+// SetVerificationKeyForTesting installs pub as the sole active admin
+// verification key and returns a function that restores the prior keyring.
+//
+// It exists so tests (including in dependent packages such as internal/server)
+// can verify policy envelopes signed with the testdata key while the shipped
+// binary embeds the real, offline-generated key. internal/-scoped; never used
+// on a production code path. That the embedded trust anchor is NOT the testdata
+// key is asserted by TestEmbeddedPolicyKey_NotTestKey (system-policy AC-13).
+func SetVerificationKeyForTesting(pub ed25519.PublicKey) (restore func()) {
+	prev := activeKeys.Load()
+	activeKeys.Store(&keyring{current: pub})
+	return func() { activeKeys.Store(prev) }
+}

internal/policy/keys/policy-pubkey-current.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAkktBggG/cH9xDqeteHtdvA4aNF4ZkGd4Icsz5PbR0PM=
+MCowBQYDK2VwAyEAZ2fs2msAyt75C3P953cuWKAom960QalQ6S84zEwY+YU=
 -----END PUBLIC KEY-----

internal/policy/keys_guard_test.go

@@ -0,0 +1,30 @@
+// @spec system-policy
+//
+// AC traceability:
+// @ac AC-13  (TestEmbeddedPolicyKey_NotTestKey)
+
+package policy
+
+import (
+	"crypto/ed25519"
+	"testing"
+)
+
+// @ac AC-13
+// AC-13: the embedded current admin-policy public key MUST NOT be the testdata
+// signing key. This guards against the SEC-H1 regression where the shipped
+// trust anchor is the committed test key, which would let anyone with repo
+// access sign forged admin-policy envelopes.
+func TestEmbeddedPolicyKey_NotTestKey(t *testing.T) {
+	t.Run("system-policy/AC-13", func(t *testing.T) {
+		embedded, err := parseEmbeddedKey("keys/policy-pubkey-current.pem")
+		if err != nil {
+			t.Fatalf("parse embedded current key: %v", err)
+		}
+		testPub := loadTestPrivKey(t).Public().(ed25519.PublicKey)
+		if embedded.Equal(testPub) {
+			t.Fatal("SEC-H1 regression: embedded keys/policy-pubkey-current.pem is the testdata " +
+				"key. Ship the real offline-generated public key (private key stays in the vault).")
+		}
+	})
+}

internal/policy/loader_test.go

@@ -49,6 +49,11 @@ func setupKeys(t *testing.T) {
 	if err := InitKeys(); err != nil {
 		t.Fatalf("InitKeys: %v", err)
 	}
+	// The binary embeds the real offline admin key, but these tests sign with
+	// the testdata key — install it as the active verifier (restored on
+	// cleanup). The embedded key is asserted real by TestEmbeddedPolicyKey_NotTestKey.
+	testPub := loadTestPrivKey(t).Public().(ed25519.PublicKey)
+	t.Cleanup(SetVerificationKeyForTesting(testPub))
 }
 
 // signAlertThresholds builds a signed policy envelope for the

internal/server/api_license_test.go

@@ -39,6 +39,10 @@ func mintTestLicenseJWT(t *testing.T, features []string) string {
 	if !ok {
 		t.Fatalf("not ed25519 key: %T", keyAny)
 	}
+	// The server verifies against the real embedded key, but this JWT is signed
+	// with the testdata key — install it as the active verifier (restored on
+	// cleanup). The embedded key is asserted real by license AC-14's guard test.
+	t.Cleanup(license.SetVerificationKeyForTesting(priv.Public().(ed25519.PublicKey)))
 	now := time.Now().Add(-1 * time.Minute)
 	mc := jwt.MapClaims{
 		"iss":         "hanalyx-openwatch-licensing",

internal/server/api_signoff_test.go

@@ -431,6 +431,10 @@ func mintSignedAlertThresholds(t *testing.T, version string, critBelow, highBelo
 	if !ok {
 		t.Fatalf("not ed25519 priv key")
 	}
+	// The server verifies against the real embedded key, but this envelope is
+	// signed with the testdata key — install it as the active verifier (after
+	// InitKeys above, restored on cleanup). Embedded key asserted real by AC-13.
+	t.Cleanup(policy.SetVerificationKeyForTesting(priv.Public().(ed25519.PublicKey)))
 	env := policy.Envelope{
 		PolicyType: policy.TypeAlertThresholds,
 		Version:    version,