Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -634,6 +634,9 @@ func (e *CAEngine) handleCreateIssuer(ctx context.Context, req *engine.Request)
|
||||
if name == "" {
|
||||
return nil, fmt.Errorf("ca: issuer name is required")
|
||||
}
|
||||
if err := engine.ValidateName(name); err != nil {
|
||||
return nil, fmt.Errorf("ca: %w", err)
|
||||
}
|
||||
|
||||
e.mu.Lock()
|
||||
defer e.mu.Unlock()
|
||||
@@ -873,10 +876,13 @@ func (e *CAEngine) handleIssue(ctx context.Context, req *engine.Request) (*engin
|
||||
return nil, fmt.Errorf("%w: %s", ErrUnknownProfile, profileName)
|
||||
}
|
||||
|
||||
// Apply user overrides.
|
||||
if v, ok := req.Data["ttl"].(string); ok && v != "" {
|
||||
profile.Expiry = v
|
||||
// Validate and apply TTL against issuer MaxTTL.
|
||||
requestedTTL, _ := req.Data["ttl"].(string)
|
||||
ttl, err := resolveTTL(requestedTTL, is.config.MaxTTL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
profile.Expiry = ttl.String()
|
||||
if v, ok := req.Data["key_usages"].([]interface{}); ok {
|
||||
profile.KeyUse = toStringSlice(v)
|
||||
}
|
||||
@@ -1259,10 +1265,6 @@ func (e *CAEngine) handleSignCSR(ctx context.Context, req *engine.Request) (*eng
|
||||
return nil, fmt.Errorf("%w: %s", ErrUnknownProfile, profileName)
|
||||
}
|
||||
|
||||
if v, ok := req.Data["ttl"].(string); ok && v != "" {
|
||||
profile.Expiry = v
|
||||
}
|
||||
|
||||
e.mu.Lock()
|
||||
defer e.mu.Unlock()
|
||||
|
||||
@@ -1275,6 +1277,14 @@ func (e *CAEngine) handleSignCSR(ctx context.Context, req *engine.Request) (*eng
|
||||
return nil, ErrIssuerNotFound
|
||||
}
|
||||
|
||||
// Validate and apply TTL against issuer MaxTTL.
|
||||
requestedTTL, _ := req.Data["ttl"].(string)
|
||||
ttl, err := resolveTTL(requestedTTL, is.config.MaxTTL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
profile.Expiry = ttl.String()
|
||||
|
||||
// Authorization: admins bypass; otherwise check identifiers from the CSR.
|
||||
if !req.CallerInfo.IsAdmin {
|
||||
sans := append(csr.DNSNames, ipStrings(csr.IPAddresses)...)
|
||||
@@ -1497,6 +1507,25 @@ func zeroizeKey(key crypto.PrivateKey) {
|
||||
}
|
||||
}
|
||||
|
||||
// resolveTTL parses and validates a requested TTL against the issuer's MaxTTL.
|
||||
func resolveTTL(requested, issuerMaxTTL string) (time.Duration, error) {
|
||||
maxTTL, err := time.ParseDuration(issuerMaxTTL)
|
||||
if err != nil || maxTTL <= 0 {
|
||||
maxTTL = 2160 * time.Hour // 90 days fallback
|
||||
}
|
||||
if requested != "" {
|
||||
ttl, err := time.ParseDuration(requested)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("ca: invalid TTL %q: %w", requested, err)
|
||||
}
|
||||
if ttl > maxTTL {
|
||||
return 0, fmt.Errorf("ca: requested TTL %s exceeds issuer maximum %s", ttl, maxTTL)
|
||||
}
|
||||
return ttl, nil
|
||||
}
|
||||
return maxTTL, nil
|
||||
}
|
||||
|
||||
func toStringSlice(v []interface{}) []string {
|
||||
s := make([]string, 0, len(v))
|
||||
for _, item := range v {
|
||||
|
||||
Reference in New Issue
Block a user