feat(federation): Step-CA client service for grant certs (FED-M2-04) (#494)

2026-04-22 03:34:37 +00:00
parent bf082d95a0
commit 1038ae76e1
10 changed files with 1616 additions and 109 deletions
--- a/infra/step-ca/templates/federation.tpl
+++ b/infra/step-ca/templates/federation.tpl
@@ -5,41 +5,49 @@
  {{- /*
    Mosaic Federation X.509 Certificate Template
    ============================================
-    This template is used by the "mosaic-fed" JWK provisioner to sign
-    federation client certificates.
+    Provisioner: mosaic-fed (JWK)
+    Implemented: FED-M2-04

-    Custom OID extensions (per PRD §6):
-      1.3.6.1.4.1.99999.1  — mosaic.federation.grantId   (UUID string)
-      1.3.6.1.4.1.99999.2  — mosaic.federation.subjectUserId (UUID string)
+    This template emits two custom OID extensions carrying Mosaic federation
+    identifiers. The OTT token (built by CaService.buildOtt) MUST include the
+    claims `mosaic_grant_id` and `mosaic_subject_user_id` as top-level JWT
+    claims. step-ca exposes them under `.Token.<claim>` in this template.

-    TODO (M2-04): Wire actual OID extensions below once the CA service
-    (apps/gateway/src/federation/ca.service.ts) lands the SAN-bearing CSR
-    work and the template can be exercised end-to-end.
+    OID Registry (Mosaic Internal Arc — 1.3.6.1.4.1.99999):
+      1.3.6.1.4.1.99999.1  mosaic_grant_id        (UUID, 36 ASCII chars)
+      1.3.6.1.4.1.99999.2  mosaic_subject_user_id  (UUID, 36 ASCII chars)
+
+    DER encoding for each extension value (ASN.1 UTF8String):
+      Tag    = 0x0C  (UTF8String)
+      Length = 0x24  (decimal 36 — the fixed length of a UUID string)
+      Value  = 36 ASCII bytes of the UUID
+
+    The `printf` below builds the raw TLV bytes then base64-encodes them.
+    step-ca expects the `value` field to be base64-encoded raw DER bytes.
+
+    Fail-loud contract:
+      If either claim is missing from the token the printf will produce a
+      zero-length UUID field, making the extension malformed. step-ca will
+      reject the certificate rather than issuing one without the required OIDs.
+      Silent OID stripping is NEVER tolerated.

    Step-CA template reference:
      https://smallstep.com/docs/step-ca/templates
-
-    Expected final shape of the extensions block (placeholder — not yet
-    activated):
-
-    "extensions": [
-      {
-        "id": "1.3.6.1.4.1.99999.1",
-        "critical": false,
-        "value": {{ toJson (first .Token.mosaic_grant_id) }}
-      },
-      {
-        "id": "1.3.6.1.4.1.99999.2",
-        "critical": false,
-        "value": {{ toJson (first .Token.mosaic_subject_user_id) }}
-      }
-    ],
-
-    The provisioner must pass these values in the ACME/JWK token payload
-    (token claims `mosaic_grant_id` and `mosaic_subject_user_id`) when
-    submitting the CSR.  M2-04 owns that work.
  */ -}}

+  "extensions": [
+    {
+      "id": "1.3.6.1.4.1.99999.1",
+      "critical": false,
+      "value": "{{ printf "\x0c%c%s" (len .Token.mosaic_grant_id) .Token.mosaic_grant_id | b64enc }}"
+    },
+    {
+      "id": "1.3.6.1.4.1.99999.2",
+      "critical": false,
+      "value": "{{ printf "\x0c%c%s" (len .Token.mosaic_subject_user_id) .Token.mosaic_subject_user_id | b64enc }}"
+    }
+  ],
+
  "keyUsage": ["digitalSignature"],
  "extKeyUsage": ["clientAuth"],
  "basicConstraints": {