Add SSH CA engine with host/user cert signing, profiles, and KRL

Implement the complete SSH CA engine following the CA engine pattern: - Engine core (initialize, unseal, seal, HandleRequest) with ed25519/ecdsa key support - Host and user certificate signing with TTL enforcement and policy checks - Signing profiles with extensions, critical options, and principal restrictions - Certificate CRUD (list, get, revoke, delete) with proper auth enforcement - OpenSSH KRL generation rebuilt on revoke/delete operations - gRPC service (SSHCAService) with all RPCs and interceptor registration - REST routes for public endpoints (CA pubkey, KRL) and authenticated operations - Comprehensive test suite (15 tests covering lifecycle, signing, profiles, KRL, auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 19:43:32 -07:00
parent 64d921827e
commit 5ae37da300
10 changed files with 6007 additions and 20 deletions
--- a/internal/grpcserver/server.go
+++ b/internal/grpcserver/server.go
@@ -83,6 +83,7 @@ func (s *GRPCServer) Start() error {
 	pb.RegisterPolicyServiceServer(s.srv, &policyServer{s: s})
 	pb.RegisterBarrierServiceServer(s.srv, &barrierServer{s: s})
 	pb.RegisterACMEServiceServer(s.srv, &acmeServer{s: s})
+	pb.RegisterSSHCAServiceServer(s.srv, &sshcaServer{s: s})

 	lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr)
 	if err != nil {
@@ -142,6 +143,20 @@ func sealRequiredMethods() map[string]bool {
 		"/metacrypt.v2.BarrierService/RotateMEK":    true,
 		"/metacrypt.v2.BarrierService/RotateKey":    true,
 		"/metacrypt.v2.BarrierService/Migrate":      true,
+		// SSH CA.
+		"/metacrypt.v2.SSHCAService/GetCAPublicKey": true,
+		"/metacrypt.v2.SSHCAService/SignHost":        true,
+		"/metacrypt.v2.SSHCAService/SignUser":        true,
+		"/metacrypt.v2.SSHCAService/CreateProfile":   true,
+		"/metacrypt.v2.SSHCAService/UpdateProfile":   true,
+		"/metacrypt.v2.SSHCAService/GetProfile":      true,
+		"/metacrypt.v2.SSHCAService/ListProfiles":    true,
+		"/metacrypt.v2.SSHCAService/DeleteProfile":   true,
+		"/metacrypt.v2.SSHCAService/GetCert":         true,
+		"/metacrypt.v2.SSHCAService/ListCerts":       true,
+		"/metacrypt.v2.SSHCAService/RevokeCert":      true,
+		"/metacrypt.v2.SSHCAService/DeleteCert":      true,
+		"/metacrypt.v2.SSHCAService/GetKRL":          true,
 	}
 }

@@ -176,6 +191,18 @@ func authRequiredMethods() map[string]bool {
 		"/metacrypt.v2.BarrierService/RotateMEK":    true,
 		"/metacrypt.v2.BarrierService/RotateKey":    true,
 		"/metacrypt.v2.BarrierService/Migrate":      true,
+		// SSH CA.
+		"/metacrypt.v2.SSHCAService/SignHost":        true,
+		"/metacrypt.v2.SSHCAService/SignUser":        true,
+		"/metacrypt.v2.SSHCAService/CreateProfile":   true,
+		"/metacrypt.v2.SSHCAService/UpdateProfile":   true,
+		"/metacrypt.v2.SSHCAService/GetProfile":      true,
+		"/metacrypt.v2.SSHCAService/ListProfiles":    true,
+		"/metacrypt.v2.SSHCAService/DeleteProfile":   true,
+		"/metacrypt.v2.SSHCAService/GetCert":         true,
+		"/metacrypt.v2.SSHCAService/ListCerts":       true,
+		"/metacrypt.v2.SSHCAService/RevokeCert":      true,
+		"/metacrypt.v2.SSHCAService/DeleteCert":      true,
 	}
 }

@@ -201,5 +228,11 @@ func adminRequiredMethods() map[string]bool {
 		"/metacrypt.v2.BarrierService/RotateMEK":    true,
 		"/metacrypt.v2.BarrierService/RotateKey":    true,
 		"/metacrypt.v2.BarrierService/Migrate":      true,
+		// SSH CA.
+		"/metacrypt.v2.SSHCAService/CreateProfile":   true,
+		"/metacrypt.v2.SSHCAService/UpdateProfile":   true,
+		"/metacrypt.v2.SSHCAService/DeleteProfile":   true,
+		"/metacrypt.v2.SSHCAService/RevokeCert":      true,
+		"/metacrypt.v2.SSHCAService/DeleteCert":      true,
 	}
 }