Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)

Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 18:27:44 -07:00
parent ac4577f778
commit 64d921827e
44 changed files with 5184 additions and 90 deletions
--- a/internal/crypto/crypto_test.go
+++ b/internal/crypto/crypto_test.go
@@ -34,7 +34,7 @@ func TestEncryptDecrypt(t *testing.T) {
 	key, _ := GenerateKey()
 	plaintext := []byte("hello, metacrypt!")

-	ciphertext, err := Encrypt(key, plaintext)
+	ciphertext, err := Encrypt(key, plaintext, nil)
 	if err != nil {
 		t.Fatalf("Encrypt: %v", err)
 	}
@@ -44,7 +44,7 @@ func TestEncryptDecrypt(t *testing.T) {
 		t.Fatalf("version byte: got %d, want %d", ciphertext[0], BarrierVersion)
 	}

-	decrypted, err := Decrypt(key, ciphertext)
+	decrypted, err := Decrypt(key, ciphertext, nil)
 	if err != nil {
 		t.Fatalf("Decrypt: %v", err)
 	}
@@ -54,13 +54,45 @@ func TestEncryptDecrypt(t *testing.T) {
 	}
 }

+func TestEncryptDecryptWithAAD(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("hello, metacrypt!")
+	aad := []byte("engine/ca/pki/root/cert.pem")
+
+	ciphertext, err := Encrypt(key, plaintext, aad)
+	if err != nil {
+		t.Fatalf("Encrypt with AAD: %v", err)
+	}
+
+	// Decrypt with correct AAD succeeds.
+	decrypted, err := Decrypt(key, ciphertext, aad)
+	if err != nil {
+		t.Fatalf("Decrypt with AAD: %v", err)
+	}
+	if !bytes.Equal(plaintext, decrypted) {
+		t.Fatalf("roundtrip failed: got %q, want %q", decrypted, plaintext)
+	}
+
+	// Decrypt with wrong AAD fails.
+	_, err = Decrypt(key, ciphertext, []byte("wrong/path"))
+	if !errors.Is(err, ErrDecryptionFailed) {
+		t.Fatalf("expected ErrDecryptionFailed with wrong AAD, got: %v", err)
+	}
+
+	// Decrypt with nil AAD fails.
+	_, err = Decrypt(key, ciphertext, nil)
+	if !errors.Is(err, ErrDecryptionFailed) {
+		t.Fatalf("expected ErrDecryptionFailed with nil AAD, got: %v", err)
+	}
+}
+
 func TestDecryptWrongKey(t *testing.T) {
 	key1, _ := GenerateKey()
 	key2, _ := GenerateKey()
 	plaintext := []byte("secret data")

-	ciphertext, _ := Encrypt(key1, plaintext)
-	_, err := Decrypt(key2, ciphertext)
+	ciphertext, _ := Encrypt(key1, plaintext, nil)
+	_, err := Decrypt(key2, ciphertext, nil)
 	if !errors.Is(err, ErrDecryptionFailed) {
 		t.Fatalf("expected ErrDecryptionFailed, got: %v", err)
 	}
@@ -68,7 +100,7 @@ func TestDecryptWrongKey(t *testing.T) {

 func TestDecryptInvalidCiphertext(t *testing.T) {
 	key, _ := GenerateKey()
-	_, err := Decrypt(key, []byte("short"))
+	_, err := Decrypt(key, []byte("short"), nil)
 	if !errors.Is(err, ErrInvalidCiphertext) {
 		t.Fatalf("expected ErrInvalidCiphertext, got: %v", err)
 	}
@@ -124,10 +156,141 @@ func TestEncryptProducesDifferentCiphertext(t *testing.T) {
 	key, _ := GenerateKey()
 	plaintext := []byte("same data")

-	ct1, _ := Encrypt(key, plaintext)
-	ct2, _ := Encrypt(key, plaintext)
+	ct1, _ := Encrypt(key, plaintext, nil)
+	ct2, _ := Encrypt(key, plaintext, nil)

 	if bytes.Equal(ct1, ct2) {
 		t.Fatal("two encryptions of same plaintext produced identical ciphertext (nonce reuse)")
 	}
 }
+
+func TestV2EncryptDecryptRoundtrip(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("v2 test data")
+	keyID := "engine/ca/prod"
+	aad := []byte("engine/ca/prod/config.json")
+
+	ciphertext, err := EncryptV2(key, keyID, plaintext, aad)
+	if err != nil {
+		t.Fatalf("EncryptV2: %v", err)
+	}
+
+	if ciphertext[0] != BarrierVersionV2 {
+		t.Fatalf("version byte: got %d, want %d", ciphertext[0], BarrierVersionV2)
+	}
+
+	pt, gotKeyID, err := DecryptV2(key, ciphertext, aad)
+	if err != nil {
+		t.Fatalf("DecryptV2: %v", err)
+	}
+	if gotKeyID != keyID {
+		t.Fatalf("key ID: got %q, want %q", gotKeyID, keyID)
+	}
+	if !bytes.Equal(plaintext, pt) {
+		t.Fatalf("roundtrip failed: got %q, want %q", pt, plaintext)
+	}
+}
+
+func TestV2DecryptV1Compat(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("v1 legacy data")
+
+	// Encrypt with v1.
+	v1ct, err := Encrypt(key, plaintext, nil)
+	if err != nil {
+		t.Fatalf("Encrypt v1: %v", err)
+	}
+
+	// DecryptV2 should handle v1 ciphertext.
+	pt, keyID, err := DecryptV2(key, v1ct, nil)
+	if err != nil {
+		t.Fatalf("DecryptV2 with v1 ciphertext: %v", err)
+	}
+	if keyID != "" {
+		t.Fatalf("expected empty key ID for v1, got %q", keyID)
+	}
+	if !bytes.Equal(plaintext, pt) {
+		t.Fatalf("roundtrip failed: got %q, want %q", pt, plaintext)
+	}
+}
+
+func TestV2WrongAAD(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("data")
+	aad := []byte("correct/path")
+
+	ct, _ := EncryptV2(key, "system", plaintext, aad)
+
+	_, _, err := DecryptV2(key, ct, []byte("wrong/path"))
+	if !errors.Is(err, ErrDecryptionFailed) {
+		t.Fatalf("expected ErrDecryptionFailed with wrong AAD, got: %v", err)
+	}
+}
+
+func TestV2WrongKey(t *testing.T) {
+	key1, _ := GenerateKey()
+	key2, _ := GenerateKey()
+	plaintext := []byte("data")
+
+	ct, _ := EncryptV2(key1, "system", plaintext, nil)
+
+	_, _, err := DecryptV2(key2, ct, nil)
+	if !errors.Is(err, ErrDecryptionFailed) {
+		t.Fatalf("expected ErrDecryptionFailed, got: %v", err)
+	}
+}
+
+func TestExtractKeyID(t *testing.T) {
+	key, _ := GenerateKey()
+
+	// v1: empty key ID.
+	v1ct, _ := Encrypt(key, []byte("data"), nil)
+	kid, err := ExtractKeyID(v1ct)
+	if err != nil {
+		t.Fatalf("ExtractKeyID v1: %v", err)
+	}
+	if kid != "" {
+		t.Fatalf("expected empty key ID for v1, got %q", kid)
+	}
+
+	// v2: embedded key ID.
+	v2ct, _ := EncryptV2(key, "engine/transit/main", []byte("data"), nil)
+	kid, err = ExtractKeyID(v2ct)
+	if err != nil {
+		t.Fatalf("ExtractKeyID v2: %v", err)
+	}
+	if kid != "engine/transit/main" {
+		t.Fatalf("key ID: got %q, want %q", kid, "engine/transit/main")
+	}
+}
+
+func TestV2KeyIDTooLong(t *testing.T) {
+	key, _ := GenerateKey()
+	longID := string(make([]byte, MaxKeyIDLen+1))
+
+	_, err := EncryptV2(key, longID, []byte("data"), nil)
+	if !errors.Is(err, ErrKeyIDTooLong) {
+		t.Fatalf("expected ErrKeyIDTooLong, got: %v", err)
+	}
+}
+
+func TestV2EmptyKeyID(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("data with empty key id")
+
+	ct, err := EncryptV2(key, "", plaintext, nil)
+	if err != nil {
+		t.Fatalf("EncryptV2 empty key ID: %v", err)
+	}
+
+	pt, keyID, err := DecryptV2(key, ct, nil)
+	if err != nil {
+		t.Fatalf("DecryptV2 empty key ID: %v", err)
+	}
+	if keyID != "" {
+		t.Fatalf("expected empty key ID, got %q", keyID)
+	}
+	if !bytes.Equal(plaintext, pt) {
+		t.Fatalf("roundtrip failed")
+	}
+}