mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ECDH zeroization, add audit logging, and remediate high findings

Browse Source 
- Fix #61: handleRotateKey and handleDeleteUser now zeroize stored
  privBytes instead of calling Bytes() (which returns a copy). New
  state populates privBytes; old references nil'd for GC.
- Add audit logging subsystem (internal/audit) with structured event
  recording for cryptographic operations.
- Add audit log engine spec (engines/auditlog.md).
- Add ValidateName checks across all engines for path traversal (#48).
- Update AUDIT.md: all High findings resolved (0 open).
- Add REMEDIATION.md with detailed remediation tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-17 14:04:39 -07:00
parent b33d1f99a0
commit 5c5d7e184e
24 changed files with 1699 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
internal/engine/transit/transit.go
View File

@@ -450,6 +450,9 @@ func (e *TransitEngine) handleDeleteKey(ctx context.Context, req *engine.Request
if name == "" {
return nil, fmt.Errorf("transit: name is required")
}
if err := engine.ValidateName(name); err != nil {
return nil, err
}
ks, ok := e.keys[name]
if !ok {
@@ -498,6 +501,9 @@ func (e *TransitEngine) handleGetKey(_ context.Context, req *engine.Request) (*e
if name == "" {
return nil, fmt.Errorf("transit: name is required")
}
if err := engine.ValidateName(name); err != nil {
return nil, err
}
ks, ok := e.keys[name]
if !ok {
@@ -561,6 +567,9 @@ func (e *TransitEngine) handleRotateKey(ctx context.Context, req *engine.Request
if name == "" {
return nil, fmt.Errorf("transit: name is required")
}
if err := engine.ValidateName(name); err != nil {
return nil, err
}
ks, ok := e.keys[name]
if !ok {
@@ -638,6 +647,9 @@ func (e *TransitEngine) handleUpdateKeyConfig(ctx context.Context, req *engine.R
if name == "" {
return nil, fmt.Errorf("transit: name is required")
}
if err := engine.ValidateName(name); err != nil {
return nil, err
}
ks, ok := e.keys[name]
if !ok {
@@ -684,6 +696,9 @@ func (e *TransitEngine) handleTrimKey(ctx context.Context, req *engine.Request)
if name == "" {
return nil, fmt.Errorf("transit: name is required")
}
if err := engine.ValidateName(name); err != nil {
return nil, err
}
ks, ok := e.keys[name]
if !ok {
@@ -1290,6 +1305,9 @@ func (e *TransitEngine) handleGetPublicKey(_ context.Context, req *engine.Reques
if keyName == "" {
return nil, fmt.Errorf("transit: name is required")
}
if err := engine.ValidateName(keyName); err != nil {
return nil, err
}
ks, ok := e.keys[keyName]
if !ok {