Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -47,9 +47,10 @@ var (
|
||||
|
||||
// userState holds in-memory state for a loaded user.
|
||||
type userState struct {
|
||||
privKey *ecdh.PrivateKey
|
||||
pubKey *ecdh.PublicKey
|
||||
config *UserKeyConfig
|
||||
privKey *ecdh.PrivateKey
|
||||
privBytes []byte // raw private key bytes, retained for zeroization
|
||||
pubKey *ecdh.PublicKey
|
||||
config *UserKeyConfig
|
||||
}
|
||||
|
||||
// UserEngine implements the user-to-user encryption engine.
|
||||
@@ -68,6 +69,16 @@ func NewUserEngine() engine.Engine {
|
||||
}
|
||||
}
|
||||
|
||||
// mountName extracts the mount name from the full mount path.
|
||||
// mountPath is "engine/user/{name}/".
|
||||
func (e *UserEngine) mountName() string {
|
||||
parts := strings.Split(strings.TrimSuffix(e.mountPath, "/"), "/")
|
||||
if len(parts) >= 3 {
|
||||
return parts[2]
|
||||
}
|
||||
return e.mountPath
|
||||
}
|
||||
|
||||
func (e *UserEngine) Type() engine.EngineType {
|
||||
return engine.EngineTypeUser
|
||||
}
|
||||
@@ -154,12 +165,13 @@ func (e *UserEngine) Seal() error {
|
||||
e.mu.Lock()
|
||||
defer e.mu.Unlock()
|
||||
|
||||
// Zeroize all private keys.
|
||||
// Zeroize all private key material.
|
||||
for _, u := range e.users {
|
||||
if u.privKey != nil {
|
||||
raw := u.privKey.Bytes()
|
||||
crypto.Zeroize(raw)
|
||||
if u.privBytes != nil {
|
||||
crypto.Zeroize(u.privBytes)
|
||||
u.privBytes = nil
|
||||
}
|
||||
u.privKey = nil
|
||||
}
|
||||
e.users = nil
|
||||
e.config = nil
|
||||
@@ -249,6 +261,9 @@ func (e *UserEngine) handleProvision(ctx context.Context, req *engine.Request) (
|
||||
if username == "" {
|
||||
return nil, fmt.Errorf("user: username is required")
|
||||
}
|
||||
if err := engine.ValidateName(username); err != nil {
|
||||
return nil, fmt.Errorf("user: %w", err)
|
||||
}
|
||||
|
||||
e.mu.Lock()
|
||||
defer e.mu.Unlock()
|
||||
@@ -349,13 +364,18 @@ func (e *UserEngine) handleEncrypt(ctx context.Context, req *engine.Request) (*e
|
||||
if len(recipientNames) > maxRecipients {
|
||||
return nil, ErrTooMany
|
||||
}
|
||||
for _, r := range recipientNames {
|
||||
if err := engine.ValidateName(r); err != nil {
|
||||
return nil, fmt.Errorf("user: invalid recipient: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
sender := req.CallerInfo.Username
|
||||
|
||||
// Policy check for each recipient.
|
||||
if req.CheckPolicy != nil {
|
||||
for _, r := range recipientNames {
|
||||
resource := fmt.Sprintf("user/%s/recipient/%s", e.mountPath, r)
|
||||
resource := fmt.Sprintf("user/%s/recipient/%s", e.mountName(), r)
|
||||
effect, matched := req.CheckPolicy(resource, "write")
|
||||
if matched && effect == "deny" {
|
||||
return nil, fmt.Errorf("user: forbidden: policy denies encryption to recipient %s", r)
|
||||
@@ -715,8 +735,9 @@ func (e *UserEngine) createUser(ctx context.Context, username string, autoProvis
|
||||
}
|
||||
|
||||
u := &userState{
|
||||
privKey: priv,
|
||||
pubKey: priv.PublicKey(),
|
||||
privKey: priv,
|
||||
privBytes: priv.Bytes(), // retain copy for zeroization on Seal
|
||||
pubKey: priv.PublicKey(),
|
||||
config: &UserKeyConfig{
|
||||
Algorithm: e.config.KeyAlgorithm,
|
||||
CreatedAt: time.Now().UTC(),
|
||||
@@ -789,9 +810,10 @@ func (e *UserEngine) loadUser(ctx context.Context, username string) error {
|
||||
}
|
||||
|
||||
e.users[username] = &userState{
|
||||
privKey: priv,
|
||||
pubKey: priv.PublicKey(),
|
||||
config: &cfg,
|
||||
privKey: priv,
|
||||
privBytes: privBytes, // retained for zeroization on Seal
|
||||
pubKey: priv.PublicKey(),
|
||||
config: &cfg,
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user