Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
85
internal/grpcserver/barrier.go
Normal file
85
internal/grpcserver/barrier.go
Normal file
@@ -0,0 +1,85 @@
|
||||
package grpcserver
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
|
||||
)
|
||||
|
||||
type barrierServer struct {
|
||||
pb.UnimplementedBarrierServiceServer
|
||||
s *GRPCServer
|
||||
}
|
||||
|
||||
func (bs *barrierServer) ListKeys(ctx context.Context, _ *pb.ListKeysRequest) (*pb.ListKeysResponse, error) {
|
||||
keys, err := bs.s.sealMgr.Barrier().ListKeys(ctx)
|
||||
if err != nil {
|
||||
bs.s.logger.Error("grpc: list barrier keys", "error", err)
|
||||
return nil, status.Error(codes.Internal, "failed to list keys")
|
||||
}
|
||||
|
||||
resp := &pb.ListKeysResponse{}
|
||||
for _, k := range keys {
|
||||
resp.Keys = append(resp.Keys, &pb.BarrierKeyInfo{
|
||||
KeyId: k.KeyID,
|
||||
Version: int32(k.Version),
|
||||
CreatedAt: k.CreatedAt,
|
||||
RotatedAt: k.RotatedAt,
|
||||
})
|
||||
}
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (bs *barrierServer) RotateMEK(ctx context.Context, req *pb.RotateMEKRequest) (*pb.RotateMEKResponse, error) {
|
||||
if req.Password == "" {
|
||||
return nil, status.Error(codes.InvalidArgument, "password is required")
|
||||
}
|
||||
|
||||
if err := bs.s.sealMgr.RotateMEK(ctx, []byte(req.Password)); err != nil {
|
||||
if errors.Is(err, seal.ErrInvalidPassword) {
|
||||
return nil, status.Error(codes.Unauthenticated, "invalid password")
|
||||
}
|
||||
if errors.Is(err, seal.ErrSealed) {
|
||||
return nil, status.Error(codes.FailedPrecondition, "sealed")
|
||||
}
|
||||
bs.s.logger.Error("grpc: rotate MEK", "error", err)
|
||||
return nil, status.Error(codes.Internal, "rotation failed")
|
||||
}
|
||||
|
||||
bs.s.logger.Info("audit: MEK rotated")
|
||||
return &pb.RotateMEKResponse{Ok: true}, nil
|
||||
}
|
||||
|
||||
func (bs *barrierServer) RotateKey(ctx context.Context, req *pb.RotateKeyRequest) (*pb.RotateKeyResponse, error) {
|
||||
if req.KeyId == "" {
|
||||
return nil, status.Error(codes.InvalidArgument, "key_id is required")
|
||||
}
|
||||
|
||||
if err := bs.s.sealMgr.Barrier().RotateKey(ctx, req.KeyId); err != nil {
|
||||
if errors.Is(err, barrier.ErrKeyNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "key not found")
|
||||
}
|
||||
bs.s.logger.Error("grpc: rotate key", "key_id", req.KeyId, "error", err)
|
||||
return nil, status.Error(codes.Internal, "rotation failed")
|
||||
}
|
||||
|
||||
bs.s.logger.Info("audit: DEK rotated", "key_id", req.KeyId)
|
||||
return &pb.RotateKeyResponse{Ok: true}, nil
|
||||
}
|
||||
|
||||
func (bs *barrierServer) Migrate(ctx context.Context, _ *pb.MigrateBarrierRequest) (*pb.MigrateBarrierResponse, error) {
|
||||
migrated, err := bs.s.sealMgr.Barrier().MigrateToV2(ctx)
|
||||
if err != nil {
|
||||
bs.s.logger.Error("grpc: barrier migration", "error", err)
|
||||
return nil, status.Error(codes.Internal, "migration failed")
|
||||
}
|
||||
|
||||
bs.s.logger.Info("audit: barrier migrated to v2", "entries_migrated", migrated)
|
||||
return &pb.MigrateBarrierResponse{Migrated: int32(migrated)}, nil
|
||||
}
|
||||
@@ -60,7 +60,7 @@ func (s *GRPCServer) Start() error {
|
||||
}
|
||||
tlsCfg := &tls.Config{
|
||||
Certificates: []tls.Certificate{tlsCert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MinVersion: tls.VersionTLS13,
|
||||
}
|
||||
creds := credentials.NewTLS(tlsCfg)
|
||||
|
||||
@@ -81,6 +81,7 @@ func (s *GRPCServer) Start() error {
|
||||
pb.RegisterPKIServiceServer(s.srv, &pkiServer{s: s})
|
||||
pb.RegisterCAServiceServer(s.srv, &caServer{s: s})
|
||||
pb.RegisterPolicyServiceServer(s.srv, &policyServer{s: s})
|
||||
pb.RegisterBarrierServiceServer(s.srv, &barrierServer{s: s})
|
||||
pb.RegisterACMEServiceServer(s.srv, &acmeServer{s: s})
|
||||
|
||||
lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr)
|
||||
@@ -136,7 +137,11 @@ func sealRequiredMethods() map[string]bool {
|
||||
"/metacrypt.v2.ACMEService/CreateEAB": true,
|
||||
"/metacrypt.v2.ACMEService/SetConfig": true,
|
||||
"/metacrypt.v2.ACMEService/ListAccounts": true,
|
||||
"/metacrypt.v2.ACMEService/ListOrders": true,
|
||||
"/metacrypt.v2.ACMEService/ListOrders": true,
|
||||
"/metacrypt.v2.BarrierService/ListKeys": true,
|
||||
"/metacrypt.v2.BarrierService/RotateMEK": true,
|
||||
"/metacrypt.v2.BarrierService/RotateKey": true,
|
||||
"/metacrypt.v2.BarrierService/Migrate": true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -166,7 +171,11 @@ func authRequiredMethods() map[string]bool {
|
||||
"/metacrypt.v2.ACMEService/CreateEAB": true,
|
||||
"/metacrypt.v2.ACMEService/SetConfig": true,
|
||||
"/metacrypt.v2.ACMEService/ListAccounts": true,
|
||||
"/metacrypt.v2.ACMEService/ListOrders": true,
|
||||
"/metacrypt.v2.ACMEService/ListOrders": true,
|
||||
"/metacrypt.v2.BarrierService/ListKeys": true,
|
||||
"/metacrypt.v2.BarrierService/RotateMEK": true,
|
||||
"/metacrypt.v2.BarrierService/RotateKey": true,
|
||||
"/metacrypt.v2.BarrierService/Migrate": true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -182,9 +191,15 @@ func adminRequiredMethods() map[string]bool {
|
||||
"/metacrypt.v2.CAService/RevokeCert": true,
|
||||
"/metacrypt.v2.CAService/DeleteCert": true,
|
||||
"/metacrypt.v2.PolicyService/CreatePolicy": true,
|
||||
"/metacrypt.v2.PolicyService/DeletePolicy": true,
|
||||
"/metacrypt.v2.PolicyService/ListPolicies": true,
|
||||
"/metacrypt.v2.PolicyService/GetPolicy": true,
|
||||
"/metacrypt.v2.PolicyService/DeletePolicy": true,
|
||||
"/metacrypt.v2.ACMEService/SetConfig": true,
|
||||
"/metacrypt.v2.ACMEService/ListAccounts": true,
|
||||
"/metacrypt.v2.ACMEService/ListOrders": true,
|
||||
"/metacrypt.v2.ACMEService/ListOrders": true,
|
||||
"/metacrypt.v2.BarrierService/ListKeys": true,
|
||||
"/metacrypt.v2.BarrierService/RotateMEK": true,
|
||||
"/metacrypt.v2.BarrierService/RotateKey": true,
|
||||
"/metacrypt.v2.BarrierService/Migrate": true,
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user