Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 22:02:06 -07:00
parent 128f5abc4d
commit a80323e320
29 changed files with 5061 additions and 647 deletions
--- a/internal/engine/ca/ca.go
+++ b/internal/engine/ca/ca.go
@@ -634,6 +634,9 @@ func (e *CAEngine) handleCreateIssuer(ctx context.Context, req *engine.Request)
 	if name == "" {
 		return nil, fmt.Errorf("ca: issuer name is required")
 	}
+	if err := engine.ValidateName(name); err != nil {
+		return nil, fmt.Errorf("ca: %w", err)
+	}

 	e.mu.Lock()
 	defer e.mu.Unlock()
@@ -873,10 +876,13 @@ func (e *CAEngine) handleIssue(ctx context.Context, req *engine.Request) (*engin
 		return nil, fmt.Errorf("%w: %s", ErrUnknownProfile, profileName)
 	}

-	// Apply user overrides.
-	if v, ok := req.Data["ttl"].(string); ok && v != "" {
-		profile.Expiry = v
+	// Validate and apply TTL against issuer MaxTTL.
+	requestedTTL, _ := req.Data["ttl"].(string)
+	ttl, err := resolveTTL(requestedTTL, is.config.MaxTTL)
+	if err != nil {
+		return nil, err
 	}
+	profile.Expiry = ttl.String()
 	if v, ok := req.Data["key_usages"].([]interface{}); ok {
 		profile.KeyUse = toStringSlice(v)
 	}
@@ -1259,10 +1265,6 @@ func (e *CAEngine) handleSignCSR(ctx context.Context, req *engine.Request) (*eng
 		return nil, fmt.Errorf("%w: %s", ErrUnknownProfile, profileName)
 	}

-	if v, ok := req.Data["ttl"].(string); ok && v != "" {
-		profile.Expiry = v
-	}
-
 	e.mu.Lock()
 	defer e.mu.Unlock()

@@ -1275,6 +1277,14 @@ func (e *CAEngine) handleSignCSR(ctx context.Context, req *engine.Request) (*eng
 		return nil, ErrIssuerNotFound
 	}

+	// Validate and apply TTL against issuer MaxTTL.
+	requestedTTL, _ := req.Data["ttl"].(string)
+	ttl, err := resolveTTL(requestedTTL, is.config.MaxTTL)
+	if err != nil {
+		return nil, err
+	}
+	profile.Expiry = ttl.String()
+
 	// Authorization: admins bypass; otherwise check identifiers from the CSR.
 	if !req.CallerInfo.IsAdmin {
 		sans := append(csr.DNSNames, ipStrings(csr.IPAddresses)...)
@@ -1497,6 +1507,25 @@ func zeroizeKey(key crypto.PrivateKey) {
 	}
 }

+// resolveTTL parses and validates a requested TTL against the issuer's MaxTTL.
+func resolveTTL(requested, issuerMaxTTL string) (time.Duration, error) {
+	maxTTL, err := time.ParseDuration(issuerMaxTTL)
+	if err != nil || maxTTL <= 0 {
+		maxTTL = 2160 * time.Hour // 90 days fallback
+	}
+	if requested != "" {
+		ttl, err := time.ParseDuration(requested)
+		if err != nil {
+			return 0, fmt.Errorf("ca: invalid TTL %q: %w", requested, err)
+		}
+		if ttl > maxTTL {
+			return 0, fmt.Errorf("ca: requested TTL %s exceeds issuer maximum %s", ttl, maxTTL)
+		}
+		return ttl, nil
+	}
+	return maxTTL, nil
+}
+
 func toStringSlice(v []interface{}) []string {
 	s := make([]string, 0, len(v))
 	for _, item := range v {
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"regexp"
 	"strings"
 	"sync"

@@ -28,8 +29,21 @@ var (
 	ErrMountExists   = errors.New("engine: mount already exists")
 	ErrMountNotFound = errors.New("engine: mount not found")
 	ErrUnknownType   = errors.New("engine: unknown engine type")
+	ErrInvalidName   = errors.New("engine: invalid name")
 )

+var validName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._-]*$`)
+
+// ValidateName checks that a user-provided name is safe for use in barrier
+// paths. Names must be 1-128 characters, start with an alphanumeric, and
+// contain only alphanumerics, dots, hyphens, and underscores.
+func ValidateName(name string) error {
+	if name == "" || len(name) > 128 || !validName.MatchString(name) {
+		return fmt.Errorf("%w: %q", ErrInvalidName, name)
+	}
+	return nil
+}
+
 // CallerInfo carries authentication context into engines.
 type CallerInfo struct {
 	Username string
@@ -131,6 +145,10 @@ const mountsPrefix = "engine/_mounts/"

 // Mount creates and initializes a new engine mount.
 func (r *Registry) Mount(ctx context.Context, name string, engineType EngineType, config map[string]interface{}) error {
+	if err := ValidateName(name); err != nil {
+		return err
+	}
+
 	r.mu.Lock()
 	defer r.mu.Unlock()

--- a/internal/engine/sshca/sshca.go
+++ b/internal/engine/sshca/sshca.go
@@ -547,6 +547,9 @@ func (e *SSHCAEngine) handleCreateProfile(ctx context.Context, req *engine.Reque
 	if name == "" {
 		return nil, fmt.Errorf("sshca: name is required")
 	}
+	if err := engine.ValidateName(name); err != nil {
+		return nil, fmt.Errorf("sshca: %w", err)
+	}

 	// Check if profile already exists.
 	_, err := e.barrier.Get(ctx, e.mountPath+"profiles/"+name+".json")
--- a/internal/engine/transit/transit.go
+++ b/internal/engine/transit/transit.go
@@ -382,6 +382,9 @@ func (e *TransitEngine) handleCreateKey(ctx context.Context, req *engine.Request
 	if name == "" {
 		return nil, fmt.Errorf("transit: name is required")
 	}
+	if err := engine.ValidateName(name); err != nil {
+		return nil, fmt.Errorf("transit: %w", err)
+	}
 	if keyType == "" {
 		keyType = "aes256-gcm"
 	}
--- a/internal/engine/user/user.go
+++ b/internal/engine/user/user.go
@@ -47,9 +47,10 @@ var (

 // userState holds in-memory state for a loaded user.
 type userState struct {
-	privKey *ecdh.PrivateKey
-	pubKey  *ecdh.PublicKey
-	config  *UserKeyConfig
+	privKey   *ecdh.PrivateKey
+	privBytes []byte // raw private key bytes, retained for zeroization
+	pubKey    *ecdh.PublicKey
+	config    *UserKeyConfig
 }

 // UserEngine implements the user-to-user encryption engine.
@@ -68,6 +69,16 @@ func NewUserEngine() engine.Engine {
 	}
 }

+// mountName extracts the mount name from the full mount path.
+// mountPath is "engine/user/{name}/".
+func (e *UserEngine) mountName() string {
+	parts := strings.Split(strings.TrimSuffix(e.mountPath, "/"), "/")
+	if len(parts) >= 3 {
+		return parts[2]
+	}
+	return e.mountPath
+}
+
 func (e *UserEngine) Type() engine.EngineType {
 	return engine.EngineTypeUser
 }
@@ -154,12 +165,13 @@ func (e *UserEngine) Seal() error {
 	e.mu.Lock()
 	defer e.mu.Unlock()

-	// Zeroize all private keys.
+	// Zeroize all private key material.
 	for _, u := range e.users {
-		if u.privKey != nil {
-			raw := u.privKey.Bytes()
-			crypto.Zeroize(raw)
+		if u.privBytes != nil {
+			crypto.Zeroize(u.privBytes)
+			u.privBytes = nil
 		}
+		u.privKey = nil
 	}
 	e.users = nil
 	e.config = nil
@@ -249,6 +261,9 @@ func (e *UserEngine) handleProvision(ctx context.Context, req *engine.Request) (
 	if username == "" {
 		return nil, fmt.Errorf("user: username is required")
 	}
+	if err := engine.ValidateName(username); err != nil {
+		return nil, fmt.Errorf("user: %w", err)
+	}

 	e.mu.Lock()
 	defer e.mu.Unlock()
@@ -349,13 +364,18 @@ func (e *UserEngine) handleEncrypt(ctx context.Context, req *engine.Request) (*e
 	if len(recipientNames) > maxRecipients {
 		return nil, ErrTooMany
 	}
+	for _, r := range recipientNames {
+		if err := engine.ValidateName(r); err != nil {
+			return nil, fmt.Errorf("user: invalid recipient: %w", err)
+		}
+	}

 	sender := req.CallerInfo.Username

 	// Policy check for each recipient.
 	if req.CheckPolicy != nil {
 		for _, r := range recipientNames {
-			resource := fmt.Sprintf("user/%s/recipient/%s", e.mountPath, r)
+			resource := fmt.Sprintf("user/%s/recipient/%s", e.mountName(), r)
 			effect, matched := req.CheckPolicy(resource, "write")
 			if matched && effect == "deny" {
 				return nil, fmt.Errorf("user: forbidden: policy denies encryption to recipient %s", r)
@@ -715,8 +735,9 @@ func (e *UserEngine) createUser(ctx context.Context, username string, autoProvis
 	}

 	u := &userState{
-		privKey: priv,
-		pubKey:  priv.PublicKey(),
+		privKey:   priv,
+		privBytes: priv.Bytes(), // retain copy for zeroization on Seal
+		pubKey:    priv.PublicKey(),
 		config: &UserKeyConfig{
 			Algorithm:       e.config.KeyAlgorithm,
 			CreatedAt:       time.Now().UTC(),
@@ -789,9 +810,10 @@ func (e *UserEngine) loadUser(ctx context.Context, username string) error {
 	}

 	e.users[username] = &userState{
-		privKey: priv,
-		pubKey:  priv.PublicKey(),
-		config:  &cfg,
+		privKey:   priv,
+		privBytes: privBytes, // retained for zeroization on Seal
+		pubKey:    priv.PublicKey(),
+		config:    &cfg,
 	}
 	return nil
 }