Add SSH CA engine with host/user cert signing, profiles, and KRL

Implement the complete SSH CA engine following the CA engine pattern: - Engine core (initialize, unseal, seal, HandleRequest) with ed25519/ecdsa key support - Host and user certificate signing with TTL enforcement and policy checks - Signing profiles with extensions, critical options, and principal restrictions - Certificate CRUD (list, get, revoke, delete) with proper auth enforcement - OpenSSH KRL generation rebuilt on revoke/delete operations - gRPC service (SSHCAService) with all RPCs and interceptor registration - REST routes for public endpoints (CA pubkey, KRL) and authenticated operations - Comprehensive test suite (15 tests covering lifecycle, signing, profiles, KRL, auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 19:43:32 -07:00
parent 64d921827e
commit 5ae37da300
10 changed files with 6007 additions and 20 deletions
--- a/gen/metacrypt/v2/sshca.pb.go
+++ b/gen/metacrypt/v2/sshca.pb.go
--- a/gen/metacrypt/v2/sshca_grpc.pb.go
+++ b/gen/metacrypt/v2/sshca_grpc.pb.go
@@ -0,0 +1,615 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.1
+// - protoc             v3.20.3
+// source: proto/metacrypt/v2/sshca.proto
+
+package metacryptv2
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	SSHCAService_GetCAPublicKey_FullMethodName = "/metacrypt.v2.SSHCAService/GetCAPublicKey"
+	SSHCAService_SignHost_FullMethodName       = "/metacrypt.v2.SSHCAService/SignHost"
+	SSHCAService_SignUser_FullMethodName       = "/metacrypt.v2.SSHCAService/SignUser"
+	SSHCAService_CreateProfile_FullMethodName  = "/metacrypt.v2.SSHCAService/CreateProfile"
+	SSHCAService_UpdateProfile_FullMethodName  = "/metacrypt.v2.SSHCAService/UpdateProfile"
+	SSHCAService_GetProfile_FullMethodName     = "/metacrypt.v2.SSHCAService/GetProfile"
+	SSHCAService_ListProfiles_FullMethodName   = "/metacrypt.v2.SSHCAService/ListProfiles"
+	SSHCAService_DeleteProfile_FullMethodName  = "/metacrypt.v2.SSHCAService/DeleteProfile"
+	SSHCAService_GetCert_FullMethodName        = "/metacrypt.v2.SSHCAService/GetCert"
+	SSHCAService_ListCerts_FullMethodName      = "/metacrypt.v2.SSHCAService/ListCerts"
+	SSHCAService_RevokeCert_FullMethodName     = "/metacrypt.v2.SSHCAService/RevokeCert"
+	SSHCAService_DeleteCert_FullMethodName     = "/metacrypt.v2.SSHCAService/DeleteCert"
+	SSHCAService_GetKRL_FullMethodName         = "/metacrypt.v2.SSHCAService/GetKRL"
+)
+
+// SSHCAServiceClient is the client API for SSHCAService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+//
+// SSHCAService provides typed, authenticated access to SSH CA engine operations.
+// All RPCs require the service to be unsealed unless noted. Write operations
+// require authentication. Admin-only operations additionally require admin
+// privileges.
+type SSHCAServiceClient interface {
+	// GetCAPublicKey returns the SSH CA public key for a mount. No auth required.
+	GetCAPublicKey(ctx context.Context, in *SSHGetCAPublicKeyRequest, opts ...grpc.CallOption) (*SSHGetCAPublicKeyResponse, error)
+	// SignHost signs an SSH host certificate. Auth required (user+policy).
+	SignHost(ctx context.Context, in *SSHSignHostRequest, opts ...grpc.CallOption) (*SSHSignHostResponse, error)
+	// SignUser signs an SSH user certificate. Auth required (user+policy).
+	SignUser(ctx context.Context, in *SSHSignUserRequest, opts ...grpc.CallOption) (*SSHSignUserResponse, error)
+	// CreateProfile creates a new signing profile. Admin only.
+	CreateProfile(ctx context.Context, in *SSHCreateProfileRequest, opts ...grpc.CallOption) (*SSHCreateProfileResponse, error)
+	// UpdateProfile updates an existing signing profile. Admin only.
+	UpdateProfile(ctx context.Context, in *SSHUpdateProfileRequest, opts ...grpc.CallOption) (*SSHUpdateProfileResponse, error)
+	// GetProfile retrieves a signing profile by name. Auth required.
+	GetProfile(ctx context.Context, in *SSHGetProfileRequest, opts ...grpc.CallOption) (*SSHGetProfileResponse, error)
+	// ListProfiles lists all signing profiles. Auth required.
+	ListProfiles(ctx context.Context, in *SSHListProfilesRequest, opts ...grpc.CallOption) (*SSHListProfilesResponse, error)
+	// DeleteProfile removes a signing profile. Admin only.
+	DeleteProfile(ctx context.Context, in *SSHDeleteProfileRequest, opts ...grpc.CallOption) (*SSHDeleteProfileResponse, error)
+	// GetCert retrieves an SSH certificate record by serial. Auth required.
+	GetCert(ctx context.Context, in *SSHGetCertRequest, opts ...grpc.CallOption) (*SSHGetCertResponse, error)
+	// ListCerts lists all SSH certificate records for a mount. Auth required.
+	ListCerts(ctx context.Context, in *SSHListCertsRequest, opts ...grpc.CallOption) (*SSHListCertsResponse, error)
+	// RevokeCert marks an SSH certificate as revoked by serial. Admin only.
+	RevokeCert(ctx context.Context, in *SSHRevokeCertRequest, opts ...grpc.CallOption) (*SSHRevokeCertResponse, error)
+	// DeleteCert permanently removes an SSH certificate record. Admin only.
+	DeleteCert(ctx context.Context, in *SSHDeleteCertRequest, opts ...grpc.CallOption) (*SSHDeleteCertResponse, error)
+	// GetKRL returns the current Key Revocation List in OpenSSH KRL format.
+	// No auth required.
+	GetKRL(ctx context.Context, in *SSHGetKRLRequest, opts ...grpc.CallOption) (*SSHGetKRLResponse, error)
+}
+
+type sSHCAServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewSSHCAServiceClient(cc grpc.ClientConnInterface) SSHCAServiceClient {
+	return &sSHCAServiceClient{cc}
+}
+
+func (c *sSHCAServiceClient) GetCAPublicKey(ctx context.Context, in *SSHGetCAPublicKeyRequest, opts ...grpc.CallOption) (*SSHGetCAPublicKeyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHGetCAPublicKeyResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_GetCAPublicKey_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) SignHost(ctx context.Context, in *SSHSignHostRequest, opts ...grpc.CallOption) (*SSHSignHostResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHSignHostResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_SignHost_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) SignUser(ctx context.Context, in *SSHSignUserRequest, opts ...grpc.CallOption) (*SSHSignUserResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHSignUserResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_SignUser_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) CreateProfile(ctx context.Context, in *SSHCreateProfileRequest, opts ...grpc.CallOption) (*SSHCreateProfileResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHCreateProfileResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_CreateProfile_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) UpdateProfile(ctx context.Context, in *SSHUpdateProfileRequest, opts ...grpc.CallOption) (*SSHUpdateProfileResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHUpdateProfileResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_UpdateProfile_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) GetProfile(ctx context.Context, in *SSHGetProfileRequest, opts ...grpc.CallOption) (*SSHGetProfileResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHGetProfileResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_GetProfile_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) ListProfiles(ctx context.Context, in *SSHListProfilesRequest, opts ...grpc.CallOption) (*SSHListProfilesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHListProfilesResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_ListProfiles_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) DeleteProfile(ctx context.Context, in *SSHDeleteProfileRequest, opts ...grpc.CallOption) (*SSHDeleteProfileResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHDeleteProfileResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_DeleteProfile_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) GetCert(ctx context.Context, in *SSHGetCertRequest, opts ...grpc.CallOption) (*SSHGetCertResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHGetCertResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_GetCert_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) ListCerts(ctx context.Context, in *SSHListCertsRequest, opts ...grpc.CallOption) (*SSHListCertsResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHListCertsResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_ListCerts_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) RevokeCert(ctx context.Context, in *SSHRevokeCertRequest, opts ...grpc.CallOption) (*SSHRevokeCertResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHRevokeCertResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_RevokeCert_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) DeleteCert(ctx context.Context, in *SSHDeleteCertRequest, opts ...grpc.CallOption) (*SSHDeleteCertResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHDeleteCertResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_DeleteCert_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHCAServiceClient) GetKRL(ctx context.Context, in *SSHGetKRLRequest, opts ...grpc.CallOption) (*SSHGetKRLResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SSHGetKRLResponse)
+	err := c.cc.Invoke(ctx, SSHCAService_GetKRL_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SSHCAServiceServer is the server API for SSHCAService service.
+// All implementations must embed UnimplementedSSHCAServiceServer
+// for forward compatibility.
+//
+// SSHCAService provides typed, authenticated access to SSH CA engine operations.
+// All RPCs require the service to be unsealed unless noted. Write operations
+// require authentication. Admin-only operations additionally require admin
+// privileges.
+type SSHCAServiceServer interface {
+	// GetCAPublicKey returns the SSH CA public key for a mount. No auth required.
+	GetCAPublicKey(context.Context, *SSHGetCAPublicKeyRequest) (*SSHGetCAPublicKeyResponse, error)
+	// SignHost signs an SSH host certificate. Auth required (user+policy).
+	SignHost(context.Context, *SSHSignHostRequest) (*SSHSignHostResponse, error)
+	// SignUser signs an SSH user certificate. Auth required (user+policy).
+	SignUser(context.Context, *SSHSignUserRequest) (*SSHSignUserResponse, error)
+	// CreateProfile creates a new signing profile. Admin only.
+	CreateProfile(context.Context, *SSHCreateProfileRequest) (*SSHCreateProfileResponse, error)
+	// UpdateProfile updates an existing signing profile. Admin only.
+	UpdateProfile(context.Context, *SSHUpdateProfileRequest) (*SSHUpdateProfileResponse, error)
+	// GetProfile retrieves a signing profile by name. Auth required.
+	GetProfile(context.Context, *SSHGetProfileRequest) (*SSHGetProfileResponse, error)
+	// ListProfiles lists all signing profiles. Auth required.
+	ListProfiles(context.Context, *SSHListProfilesRequest) (*SSHListProfilesResponse, error)
+	// DeleteProfile removes a signing profile. Admin only.
+	DeleteProfile(context.Context, *SSHDeleteProfileRequest) (*SSHDeleteProfileResponse, error)
+	// GetCert retrieves an SSH certificate record by serial. Auth required.
+	GetCert(context.Context, *SSHGetCertRequest) (*SSHGetCertResponse, error)
+	// ListCerts lists all SSH certificate records for a mount. Auth required.
+	ListCerts(context.Context, *SSHListCertsRequest) (*SSHListCertsResponse, error)
+	// RevokeCert marks an SSH certificate as revoked by serial. Admin only.
+	RevokeCert(context.Context, *SSHRevokeCertRequest) (*SSHRevokeCertResponse, error)
+	// DeleteCert permanently removes an SSH certificate record. Admin only.
+	DeleteCert(context.Context, *SSHDeleteCertRequest) (*SSHDeleteCertResponse, error)
+	// GetKRL returns the current Key Revocation List in OpenSSH KRL format.
+	// No auth required.
+	GetKRL(context.Context, *SSHGetKRLRequest) (*SSHGetKRLResponse, error)
+	mustEmbedUnimplementedSSHCAServiceServer()
+}
+
+// UnimplementedSSHCAServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedSSHCAServiceServer struct{}
+
+func (UnimplementedSSHCAServiceServer) GetCAPublicKey(context.Context, *SSHGetCAPublicKeyRequest) (*SSHGetCAPublicKeyResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetCAPublicKey not implemented")
+}
+func (UnimplementedSSHCAServiceServer) SignHost(context.Context, *SSHSignHostRequest) (*SSHSignHostResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method SignHost not implemented")
+}
+func (UnimplementedSSHCAServiceServer) SignUser(context.Context, *SSHSignUserRequest) (*SSHSignUserResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method SignUser not implemented")
+}
+func (UnimplementedSSHCAServiceServer) CreateProfile(context.Context, *SSHCreateProfileRequest) (*SSHCreateProfileResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method CreateProfile not implemented")
+}
+func (UnimplementedSSHCAServiceServer) UpdateProfile(context.Context, *SSHUpdateProfileRequest) (*SSHUpdateProfileResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method UpdateProfile not implemented")
+}
+func (UnimplementedSSHCAServiceServer) GetProfile(context.Context, *SSHGetProfileRequest) (*SSHGetProfileResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetProfile not implemented")
+}
+func (UnimplementedSSHCAServiceServer) ListProfiles(context.Context, *SSHListProfilesRequest) (*SSHListProfilesResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListProfiles not implemented")
+}
+func (UnimplementedSSHCAServiceServer) DeleteProfile(context.Context, *SSHDeleteProfileRequest) (*SSHDeleteProfileResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method DeleteProfile not implemented")
+}
+func (UnimplementedSSHCAServiceServer) GetCert(context.Context, *SSHGetCertRequest) (*SSHGetCertResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetCert not implemented")
+}
+func (UnimplementedSSHCAServiceServer) ListCerts(context.Context, *SSHListCertsRequest) (*SSHListCertsResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListCerts not implemented")
+}
+func (UnimplementedSSHCAServiceServer) RevokeCert(context.Context, *SSHRevokeCertRequest) (*SSHRevokeCertResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method RevokeCert not implemented")
+}
+func (UnimplementedSSHCAServiceServer) DeleteCert(context.Context, *SSHDeleteCertRequest) (*SSHDeleteCertResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method DeleteCert not implemented")
+}
+func (UnimplementedSSHCAServiceServer) GetKRL(context.Context, *SSHGetKRLRequest) (*SSHGetKRLResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetKRL not implemented")
+}
+func (UnimplementedSSHCAServiceServer) mustEmbedUnimplementedSSHCAServiceServer() {}
+func (UnimplementedSSHCAServiceServer) testEmbeddedByValue()                      {}
+
+// UnsafeSSHCAServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SSHCAServiceServer will
+// result in compilation errors.
+type UnsafeSSHCAServiceServer interface {
+	mustEmbedUnimplementedSSHCAServiceServer()
+}
+
+func RegisterSSHCAServiceServer(s grpc.ServiceRegistrar, srv SSHCAServiceServer) {
+	// If the following call panics, it indicates UnimplementedSSHCAServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&SSHCAService_ServiceDesc, srv)
+}
+
+func _SSHCAService_GetCAPublicKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHGetCAPublicKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).GetCAPublicKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_GetCAPublicKey_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).GetCAPublicKey(ctx, req.(*SSHGetCAPublicKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_SignHost_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHSignHostRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).SignHost(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_SignHost_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).SignHost(ctx, req.(*SSHSignHostRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_SignUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHSignUserRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).SignUser(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_SignUser_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).SignUser(ctx, req.(*SSHSignUserRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_CreateProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHCreateProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).CreateProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_CreateProfile_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).CreateProfile(ctx, req.(*SSHCreateProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_UpdateProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHUpdateProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).UpdateProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_UpdateProfile_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).UpdateProfile(ctx, req.(*SSHUpdateProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_GetProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHGetProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).GetProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_GetProfile_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).GetProfile(ctx, req.(*SSHGetProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_ListProfiles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHListProfilesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).ListProfiles(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_ListProfiles_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).ListProfiles(ctx, req.(*SSHListProfilesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_DeleteProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHDeleteProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).DeleteProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_DeleteProfile_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).DeleteProfile(ctx, req.(*SSHDeleteProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_GetCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHGetCertRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).GetCert(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_GetCert_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).GetCert(ctx, req.(*SSHGetCertRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_ListCerts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHListCertsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).ListCerts(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_ListCerts_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).ListCerts(ctx, req.(*SSHListCertsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_RevokeCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHRevokeCertRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).RevokeCert(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_RevokeCert_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).RevokeCert(ctx, req.(*SSHRevokeCertRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_DeleteCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHDeleteCertRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).DeleteCert(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_DeleteCert_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).DeleteCert(ctx, req.(*SSHDeleteCertRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSHCAService_GetKRL_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SSHGetKRLRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHCAServiceServer).GetKRL(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SSHCAService_GetKRL_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHCAServiceServer).GetKRL(ctx, req.(*SSHGetKRLRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// SSHCAService_ServiceDesc is the grpc.ServiceDesc for SSHCAService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SSHCAService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "metacrypt.v2.SSHCAService",
+	HandlerType: (*SSHCAServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetCAPublicKey",
+			Handler:    _SSHCAService_GetCAPublicKey_Handler,
+		},
+		{
+			MethodName: "SignHost",
+			Handler:    _SSHCAService_SignHost_Handler,
+		},
+		{
+			MethodName: "SignUser",
+			Handler:    _SSHCAService_SignUser_Handler,
+		},
+		{
+			MethodName: "CreateProfile",
+			Handler:    _SSHCAService_CreateProfile_Handler,
+		},
+		{
+			MethodName: "UpdateProfile",
+			Handler:    _SSHCAService_UpdateProfile_Handler,
+		},
+		{
+			MethodName: "GetProfile",
+			Handler:    _SSHCAService_GetProfile_Handler,
+		},
+		{
+			MethodName: "ListProfiles",
+			Handler:    _SSHCAService_ListProfiles_Handler,
+		},
+		{
+			MethodName: "DeleteProfile",
+			Handler:    _SSHCAService_DeleteProfile_Handler,
+		},
+		{
+			MethodName: "GetCert",
+			Handler:    _SSHCAService_GetCert_Handler,
+		},
+		{
+			MethodName: "ListCerts",
+			Handler:    _SSHCAService_ListCerts_Handler,
+		},
+		{
+			MethodName: "RevokeCert",
+			Handler:    _SSHCAService_RevokeCert_Handler,
+		},
+		{
+			MethodName: "DeleteCert",
+			Handler:    _SSHCAService_DeleteCert_Handler,
+		},
+		{
+			MethodName: "GetKRL",
+			Handler:    _SSHCAService_GetKRL_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "proto/metacrypt/v2/sshca.proto",
+}