Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -284,28 +284,40 @@ func (m *Manager) RotateMEK(ctx context.Context, password []byte) error {
|
||||
return fmt.Errorf("seal: generate new mek: %w", err)
|
||||
}
|
||||
|
||||
// Re-wrap all DEKs with new MEK.
|
||||
if err := m.barrier.ReWrapKeys(ctx, newMEK); err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: re-wrap keys: %w", err)
|
||||
}
|
||||
|
||||
// Encrypt new MEK with KWK.
|
||||
// Encrypt new MEK with KWK before starting the transaction.
|
||||
newEncMEK, err := crypto.Encrypt(kwk, newMEK, nil)
|
||||
if err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: encrypt new mek: %w", err)
|
||||
}
|
||||
|
||||
// Update seal_config.
|
||||
_, err = m.db.ExecContext(ctx,
|
||||
// Re-wrap DEKs and update seal_config in a single atomic transaction.
|
||||
tx, err := m.db.BeginTx(ctx, nil)
|
||||
if err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: begin tx: %w", err)
|
||||
}
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
|
||||
if err := m.barrier.ReWrapKeysTx(ctx, tx, newMEK); err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: re-wrap keys: %w", err)
|
||||
}
|
||||
|
||||
_, err = tx.ExecContext(ctx,
|
||||
"UPDATE seal_config SET encrypted_mek = ? WHERE id = 1", newEncMEK)
|
||||
if err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: update seal config: %w", err)
|
||||
}
|
||||
|
||||
// Swap in-memory MEK.
|
||||
if err := tx.Commit(); err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: commit mek rotation: %w", err)
|
||||
}
|
||||
|
||||
// Only after commit: swap in-memory state.
|
||||
m.barrier.SwapMEK(newMEK)
|
||||
crypto.Zeroize(m.mek)
|
||||
m.mek = newMEK
|
||||
m.logger.Info("MEK rotated successfully")
|
||||
|
||||
Reference in New Issue
Block a user