Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -45,11 +45,13 @@
|
||||
{{if not .Cert.Revoked}}
|
||||
<form method="POST" action="/pki/cert/{{.Cert.Serial}}/revoke"
|
||||
onsubmit="return confirm('Revoke certificate {{.Cert.Serial}}? This cannot be undone.');">
|
||||
{{csrfField}}
|
||||
<button type="submit" class="btn btn-danger">Revoke Certificate</button>
|
||||
</form>
|
||||
{{end}}
|
||||
<form method="POST" action="/pki/cert/{{.Cert.Serial}}/delete"
|
||||
onsubmit="return confirm('Permanently delete certificate record {{.Cert.Serial}}? This cannot be undone.');">
|
||||
{{csrfField}}
|
||||
<button type="submit" class="btn btn-danger">Delete Record</button>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
@@ -48,6 +48,7 @@
|
||||
<details>
|
||||
<summary>Mount a CA engine</summary>
|
||||
<form method="post" action="/dashboard/mount-ca" enctype="multipart/form-data">
|
||||
{{csrfField}}
|
||||
<div class="form-row">
|
||||
<div class="form-group">
|
||||
<label for="mount_name">Mount Name</label>
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
<p>Set the seal password for this instance. This password will be required to unseal the service after each restart.</p>
|
||||
{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
|
||||
<form method="POST" action="/init">
|
||||
{{csrfField}}
|
||||
<div class="form-group">
|
||||
<label for="password">Seal Password</label>
|
||||
<input type="password" id="password" name="password" required autofocus autocomplete="new-password">
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
<p>Authenticate with your MCIAS credentials.</p>
|
||||
{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
|
||||
<form method="POST" action="/login">
|
||||
{{csrfField}}
|
||||
<div class="form-group">
|
||||
<label for="username">Username</label>
|
||||
<input type="text" id="username" name="username" required autofocus autocomplete="username">
|
||||
|
||||
@@ -40,6 +40,7 @@
|
||||
<div class="card-title">Import Root CA</div>
|
||||
<p>{{if .RootExpired}}The current root CA has expired. Import a new one to continue issuing certificates.{{else}}No root CA is present. Import one to get started.{{end}}</p>
|
||||
<form method="post" action="/pki/import-root" enctype="multipart/form-data">
|
||||
{{csrfField}}
|
||||
<div class="form-row">
|
||||
<div class="form-group">
|
||||
<label for="cert_file">Certificate PEM file</label>
|
||||
@@ -99,6 +100,7 @@
|
||||
<div class="card">
|
||||
<div class="card-title">Issue Certificate</div>
|
||||
<form method="post" action="/pki/issue">
|
||||
{{csrfField}}
|
||||
<div class="form-row">
|
||||
<div class="form-group">
|
||||
<label for="issue_cn">Common Name</label>
|
||||
@@ -191,6 +193,7 @@
|
||||
</div>
|
||||
{{else}}
|
||||
<form method="post" action="/pki/sign-csr">
|
||||
{{csrfField}}
|
||||
<div class="form-row">
|
||||
<div class="form-group">
|
||||
<label for="sign_issuer">Issuer</label>
|
||||
@@ -228,6 +231,7 @@
|
||||
<div class="card-title">Create Issuer</div>
|
||||
{{if .IssuerError}}<div class="error">{{.IssuerError}}</div>{{end}}
|
||||
<form method="post" action="/pki/create-issuer">
|
||||
{{csrfField}}
|
||||
<div class="form-row">
|
||||
<div class="form-group">
|
||||
<label for="issuer_name">Issuer Name</label>
|
||||
|
||||
@@ -38,6 +38,7 @@
|
||||
<td>{{if .Actions}}{{range $i, $a := .Actions}}{{if $i}}, {{end}}{{$a}}{{end}}{{else}}<em>any</em>{{end}}</td>
|
||||
<td>
|
||||
<form method="post" action="/policy/delete" style="display:inline">
|
||||
{{csrfField}}
|
||||
<input type="hidden" name="id" value="{{.ID}}">
|
||||
<button type="submit" class="btn-danger btn-sm" onclick="return confirm('Delete rule {{.ID}}?')">Delete</button>
|
||||
</form>
|
||||
@@ -57,6 +58,7 @@
|
||||
<details>
|
||||
<summary>Add a new policy rule</summary>
|
||||
<form method="post" action="/policy">
|
||||
{{csrfField}}
|
||||
<div class="form-row">
|
||||
<div class="form-group">
|
||||
<label for="rule_id">Rule ID <span class="required">*</span></label>
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
<p>The service is sealed. Enter the seal password to restore access.</p>
|
||||
{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
|
||||
<form method="POST" action="/unseal">
|
||||
{{csrfField}}
|
||||
<div class="form-group">
|
||||
<label for="password">Seal Password</label>
|
||||
<input type="password" id="password" name="password" required autofocus autocomplete="current-password">
|
||||
|
||||
Reference in New Issue
Block a user