Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 22:02:06 -07:00
parent 128f5abc4d
commit a80323e320
29 changed files with 5061 additions and 647 deletions
--- a/internal/barrier/barrier.go
+++ b/internal/barrier/barrier.go
@@ -16,8 +16,19 @@ var (
 	ErrSealed      = errors.New("barrier: sealed")
 	ErrNotFound    = errors.New("barrier: entry not found")
 	ErrKeyNotFound = errors.New("barrier: key not found")
+	ErrInvalidPath = errors.New("barrier: invalid path")
 )

+// validatePath rejects paths containing ".." segments to prevent path traversal.
+func validatePath(p string) error {
+	for _, seg := range strings.Split(p, "/") {
+		if seg == ".." {
+			return fmt.Errorf("%w: %q", ErrInvalidPath, p)
+		}
+	}
+	return nil
+}
+
 // Barrier is the encrypted storage barrier interface.
 type Barrier interface {
 	// Unseal opens the barrier with the given master encryption key.
@@ -137,11 +148,12 @@ func resolveKeyID(path string) string {
 }

 func (b *AESGCMBarrier) Get(ctx context.Context, path string) ([]byte, error) {
+	if err := validatePath(path); err != nil {
+		return nil, err
+	}
 	b.mu.RLock()
-	mek := b.mek
-	keys := b.keys
-	b.mu.RUnlock()
-	if mek == nil {
+	defer b.mu.RUnlock()
+	if b.mek == nil {
 		return nil, ErrSealed
 	}

@@ -161,7 +173,7 @@ func (b *AESGCMBarrier) Get(ctx context.Context, path string) ([]byte, error) {
 		if err != nil {
 			return nil, fmt.Errorf("barrier: extract key ID %q: %w", path, err)
 		}
-		dek, ok := keys[keyID]
+		dek, ok := b.keys[keyID]
 		if !ok {
 			return nil, fmt.Errorf("barrier: %w: %q for path %q", ErrKeyNotFound, keyID, path)
 		}
@@ -173,7 +185,7 @@ func (b *AESGCMBarrier) Get(ctx context.Context, path string) ([]byte, error) {
 	}

 	// v1 ciphertext — use MEK directly (backward compat).
-	pt, err := crypto.Decrypt(mek, encrypted, []byte(path))
+	pt, err := crypto.Decrypt(b.mek, encrypted, []byte(path))
 	if err != nil {
 		return nil, fmt.Errorf("barrier: decrypt %q: %w", path, err)
 	}
@@ -181,11 +193,12 @@ func (b *AESGCMBarrier) Get(ctx context.Context, path string) ([]byte, error) {
 }

 func (b *AESGCMBarrier) Put(ctx context.Context, path string, value []byte) error {
+	if err := validatePath(path); err != nil {
+		return err
+	}
 	b.mu.RLock()
-	mek := b.mek
-	keys := b.keys
-	b.mu.RUnlock()
-	if mek == nil {
+	defer b.mu.RUnlock()
+	if b.mek == nil {
 		return ErrSealed
 	}

@@ -194,12 +207,12 @@ func (b *AESGCMBarrier) Put(ctx context.Context, path string, value []byte) erro
 	var encrypted []byte
 	var err error

-	if dek, ok := keys[keyID]; ok {
+	if dek, ok := b.keys[keyID]; ok {
 		// Use v2 format with the appropriate DEK.
 		encrypted, err = crypto.EncryptV2(dek, keyID, value, []byte(path))
 	} else {
 		// No DEK registered for this key ID — fall back to MEK with v1 format.
-		encrypted, err = crypto.Encrypt(mek, value, []byte(path))
+		encrypted, err = crypto.Encrypt(b.mek, value, []byte(path))
 	}
 	if err != nil {
 		return fmt.Errorf("barrier: encrypt %q: %w", path, err)
@@ -216,10 +229,12 @@ func (b *AESGCMBarrier) Put(ctx context.Context, path string, value []byte) erro
 }

 func (b *AESGCMBarrier) Delete(ctx context.Context, path string) error {
+	if err := validatePath(path); err != nil {
+		return err
+	}
 	b.mu.RLock()
-	mek := b.mek
-	b.mu.RUnlock()
-	if mek == nil {
+	defer b.mu.RUnlock()
+	if b.mek == nil {
 		return ErrSealed
 	}

@@ -232,10 +247,12 @@ func (b *AESGCMBarrier) Delete(ctx context.Context, path string) error {
 }

 func (b *AESGCMBarrier) List(ctx context.Context, prefix string) ([]string, error) {
+	if err := validatePath(prefix); err != nil {
+		return nil, err
+	}
 	b.mu.RLock()
-	mek := b.mek
-	b.mu.RUnlock()
-	if mek == nil {
+	defer b.mu.RUnlock()
+	if b.mek == nil {
 		return nil, ErrSealed
 	}

@@ -605,7 +622,8 @@ func (b *AESGCMBarrier) createKeyLockedTx(ctx context.Context, tx *sql.Tx, keyID
 }

 // ReWrapKeys re-encrypts all DEKs with a new MEK. Called during MEK rotation.
-// The new MEK is already set in b.mek by the caller.
+// This method manages its own transaction. For atomic MEK rotation where
+// the seal_config update must be in the same transaction, use ReWrapKeysTx.
 func (b *AESGCMBarrier) ReWrapKeys(ctx context.Context, newMEK []byte) error {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -620,6 +638,30 @@ func (b *AESGCMBarrier) ReWrapKeys(ctx context.Context, newMEK []byte) error {
 	}
 	defer func() { _ = tx.Rollback() }()

+	if err := b.reWrapKeysLocked(ctx, tx, newMEK); err != nil {
+		return err
+	}
+
+	if err := tx.Commit(); err != nil {
+		return fmt.Errorf("barrier: commit re-wrap: %w", err)
+	}
+
+	b.swapMEKLocked(newMEK)
+	return nil
+}
+
+// ReWrapKeysTx re-encrypts all DEKs with a new MEK within the given
+// transaction. The caller is responsible for committing the transaction
+// and then calling SwapMEK to update the in-memory state.
+// The barrier mutex must be held by the caller.
+func (b *AESGCMBarrier) ReWrapKeysTx(ctx context.Context, tx *sql.Tx, newMEK []byte) error {
+	if b.mek == nil {
+		return ErrSealed
+	}
+	return b.reWrapKeysLocked(ctx, tx, newMEK)
+}
+
+func (b *AESGCMBarrier) reWrapKeysLocked(ctx context.Context, tx *sql.Tx, newMEK []byte) error {
 	for keyID, dek := range b.keys {
 		encDEK, err := crypto.Encrypt(newMEK, dek, []byte(keyID))
 		if err != nil {
@@ -632,15 +674,19 @@ func (b *AESGCMBarrier) ReWrapKeys(ctx context.Context, newMEK []byte) error {
 			return fmt.Errorf("barrier: update key %q: %w", keyID, err)
 		}
 	}
+	return nil
+}

-	if err := tx.Commit(); err != nil {
-		return fmt.Errorf("barrier: commit re-wrap: %w", err)
-	}
+// SwapMEK updates the in-memory MEK after a committed transaction.
+func (b *AESGCMBarrier) SwapMEK(newMEK []byte) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.swapMEKLocked(newMEK)
+}

-	// Update the MEK in memory.
+func (b *AESGCMBarrier) swapMEKLocked(newMEK []byte) {
 	crypto.Zeroize(b.mek)
 	k := make([]byte, len(newMEK))
 	copy(k, newMEK)
 	b.mek = k
-	return nil
 }