Commit 38828f6
authored
fix(security): ship real offline license + policy signing keys (SEC-H1) (#701)
* fix(security): ship real offline license + policy signing keys (SEC-H1)
The embedded "current" trust anchors for license JWTs and admin-policy
envelopes were byte-for-byte the public halves of the committed test
private keys (internal/{license,policy}/testdata). Anyone with repo
access could forge licenses of any tier/feature or sign admin policies.
The verification code was correct; the trust root was the defect.
- Replace internal/license/keys/license-pubkey-current.pem and
internal/policy/keys/policy-pubkey-current.pem with the real
Ed25519 public keys generated offline (private keys live only in the
operator vault, never in the repo or CI).
- Add a regression guard in each package (keys_guard_test.go) that fails
the build if an embedded current public key equals the testdata key.
Verified to fail loudly on the test key and pass on the real key.
- Decouple the license validator tests from the embedded key: mustRing
now builds the ring from the testdata key (what signJWT signs with),
so verification-logic tests are independent of the shipped production
key. The embedded key is covered separately by the new guard.
- Spec it: system-license-validation C-09/AC-14 and system-policy
C-10/AC-13 (both bumped to 1.1.0); annotation coverage stays 100%.
Follow-ups (not in this change): cmd/owlicgen still defaults to the test
private key for dev minting (production must pass --key <vault>); a
production policy-signing tool does not exist yet.
* test(security): decouple license/policy tests from the embedded key
Shipping the real signing keys broke every test that signs an artifact
with the testdata key and verifies it against the embedded trust anchor
(it used to be that same test key). These are DB-touching tests, so they
skipped locally without OPENWATCH_TEST_DSN and only failed in CI.
Add an internal/-scoped SetVerificationKeyForTesting(pub) to both the
license and policy packages (returns a restore func; never on a
production path) and install the testdata public key as the active
verifier from the helpers that sign with the testdata private key:
- policy: setupKeys (covers the 6 loader tests)
- server: mintTestLicenseJWT (4 license/premium tests),
mintSignedAlertThresholds (signoff)
So the binary embeds the real offline key while tests verify their own
test-signed artifacts. Verified with OPENWATCH_TEST_DSN: full
internal/{server,policy,license} suites pass.1 parent 3d6efe1 commit 38828f6
12 files changed
Lines changed: 154 additions & 9 deletions
File tree
- internal
- license
- keys
- policy
- keys
- server
- specs/system
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
68 | 68 | | |
69 | 69 | | |
70 | 70 | | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
| 2 | + | |
3 | 3 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
72 | 72 | | |
73 | 73 | | |
74 | 74 | | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
75 | 80 | | |
76 | 81 | | |
77 | | - | |
78 | | - | |
79 | | - | |
80 | | - | |
81 | | - | |
| 82 | + | |
82 | 83 | | |
83 | 84 | | |
84 | 85 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
59 | 59 | | |
60 | 60 | | |
61 | 61 | | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
| 2 | + | |
3 | 3 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
49 | 49 | | |
50 | 50 | | |
51 | 51 | | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
52 | 57 | | |
53 | 58 | | |
54 | 59 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
42 | 46 | | |
43 | 47 | | |
44 | 48 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
431 | 431 | | |
432 | 432 | | |
433 | 433 | | |
| 434 | + | |
| 435 | + | |
| 436 | + | |
| 437 | + | |
434 | 438 | | |
435 | 439 | | |
436 | 440 | | |
| |||
0 commit comments