Implement CA/PKI engine with two-tier X.509 certificate issuance
Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).
Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry
CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen
Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
for unauthenticated TLS trust bootstrapping
Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
13
Dockerfile
13
Dockerfile
@@ -13,22 +13,23 @@ FROM alpine:3.21
|
||||
|
||||
RUN apk add --no-cache ca-certificates tzdata \
|
||||
&& addgroup -S metacrypt \
|
||||
&& adduser -S -G metacrypt -h /metacrypt -s /sbin/nologin metacrypt
|
||||
&& adduser -S -G metacrypt -h /srv/metacrypt -s /sbin/nologin metacrypt \
|
||||
&& mkdir -p /srv/metacrypt && chown metacrypt:metacrypt /srv/metacrypt
|
||||
|
||||
COPY --from=builder /metacrypt /usr/local/bin/metacrypt
|
||||
COPY web/ /metacrypt/web/
|
||||
COPY web/ /srv/metacrypt/web/
|
||||
|
||||
# /data is the single volume mount point.
|
||||
# /srv/metacrypt is the single volume mount point.
|
||||
# It must contain:
|
||||
# metacrypt.toml — configuration file
|
||||
# certs/ — TLS certificate and key
|
||||
# metacrypt.db — created automatically on first run
|
||||
VOLUME /data
|
||||
WORKDIR /data
|
||||
VOLUME /srv/metacrypt
|
||||
WORKDIR /srv/metacrypt
|
||||
|
||||
EXPOSE 8443
|
||||
|
||||
USER metacrypt
|
||||
|
||||
ENTRYPOINT ["metacrypt"]
|
||||
CMD ["server", "--config", "/data/metacrypt.toml"]
|
||||
CMD ["server", "--config", "/srv/metacrypt/metacrypt.toml"]
|
||||
|
||||
Reference in New Issue
Block a user