Implement CA/PKI engine with two-tier X.509 certificate issuance

Add the first concrete engine implementation: a CA (PKI) engine that generates a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"), and signs leaf certificates using configurable profiles (server, client, peer). Engine framework updates: - Add CallerInfo struct for auth context in engine requests - Add config parameter to Engine.Initialize for mount-time configuration - Export Mount.Engine field; add GetEngine/GetMount on Registry CA engine (internal/engine/ca/): - Two-tier PKI: root CA → issuers → leaf certificates - 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers, issue, get-cert, list-certs, renew - Certificate profiles with user-overridable TTL, key usages, and key algorithm - Private keys never stored in barrier; zeroized from memory on seal - Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen Server routes: - Wire up engine mount/request handlers (replace Phase 1 stubs) - Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name}) for unauthenticated TLS trust bootstrapping Also includes: ARCHITECTURE.md, deploy config updates, operational tooling. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 21:57:52 -07:00
parent 4ddd32b117
commit 8f77050a84
26 changed files with 2980 additions and 129 deletions
--- a/internal/engine/ca/profiles.go
+++ b/internal/engine/ca/profiles.go
@@ -0,0 +1,41 @@
+package ca
+
+import "git.wntrmute.dev/kyle/goutils/certlib/certgen"
+
+// Default certificate profiles.
+var defaultProfiles = map[string]certgen.Profile{
+	"server": {
+		KeyUse:       []string{"digital signature", "key encipherment"},
+		ExtKeyUsages: []string{"server auth"},
+		Expiry:       "2160h", // 90 days
+	},
+	"client": {
+		KeyUse:       []string{"digital signature"},
+		ExtKeyUsages: []string{"client auth"},
+		Expiry:       "2160h", // 90 days
+	},
+	"peer": {
+		KeyUse:       []string{"digital signature", "key encipherment"},
+		ExtKeyUsages: []string{"server auth", "client auth"},
+		Expiry:       "2160h", // 90 days
+	},
+}
+
+// GetProfile returns a copy of the named default profile.
+func GetProfile(name string) (certgen.Profile, bool) {
+	p, ok := defaultProfiles[name]
+	if !ok {
+		return certgen.Profile{}, false
+	}
+	// Return a copy so callers can modify.
+	cp := certgen.Profile{
+		IsCA:         p.IsCA,
+		PathLen:      p.PathLen,
+		Expiry:       p.Expiry,
+		KeyUse:       make([]string, len(p.KeyUse)),
+		ExtKeyUsages: make([]string, len(p.ExtKeyUsages)),
+	}
+	copy(cp.KeyUse, p.KeyUse)
+	copy(cp.ExtKeyUsages, p.ExtKeyUsages)
+	return cp, true
+}