Merge transit engine branch, resolve conflicts in shared files

2026-03-16 19:50:47 -07:00
parent 5ae37da300 cbd77c58e8
commit 11929daa78
14 changed files with 7969 additions and 0 deletions
--- a/internal/engine/helpers.go
+++ b/internal/engine/helpers.go
@@ -0,0 +1,28 @@
+package engine
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+)
+
+// ZeroizeKey overwrites an asymmetric private key's sensitive material.
+func ZeroizeKey(key crypto.PrivateKey) {
+	if key == nil {
+		return
+	}
+	switch k := key.(type) {
+	case *ecdsa.PrivateKey:
+		k.D.SetInt64(0)
+	case *rsa.PrivateKey:
+		k.D.SetInt64(0)
+		for _, p := range k.Primes {
+			p.SetInt64(0)
+		}
+	case ed25519.PrivateKey:
+		for i := range k {
+			k[i] = 0
+		}
+	}
+}
--- a/internal/engine/transit/transit.go
+++ b/internal/engine/transit/transit.go
--- a/internal/engine/transit/transit_test.go
+++ b/internal/engine/transit/transit_test.go
--- a/internal/engine/transit/types.go
+++ b/internal/engine/transit/types.go
@@ -0,0 +1,15 @@
+package transit
+
+// TransitConfig is the transit engine configuration stored in the barrier.
+type TransitConfig struct {
+	MaxKeyVersions int `json:"max_key_versions"`
+}
+
+// KeyConfig is per-key configuration stored in the barrier.
+type KeyConfig struct {
+	Name                 string `json:"name"`
+	Type                 string `json:"type"` // aes256-gcm, chacha20-poly, ed25519, ecdsa-p256, ecdsa-p384, hmac-sha256, hmac-sha512
+	CurrentVersion       int    `json:"current_version"`
+	MinDecryptionVersion int    `json:"min_decryption_version"`
+	AllowDeletion        bool   `json:"allow_deletion"`
+}