Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

gen/metacrypt/v2/pki.pb.go

@@ -301,6 +301,102 @@ func (x *GetIssuerCertResponse) GetCertPem() []byte {
 	return nil
 }
 
+type GetCRLRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Mount         string                 `protobuf:"bytes,1,opt,name=mount,proto3" json:"mount,omitempty"`
+	Issuer        string                 `protobuf:"bytes,2,opt,name=issuer,proto3" json:"issuer,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetCRLRequest) Reset() {
+	*x = GetCRLRequest{}
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetCRLRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetCRLRequest) ProtoMessage() {}
+
+func (x *GetCRLRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetCRLRequest.ProtoReflect.Descriptor instead.
+func (*GetCRLRequest) Descriptor() ([]byte, []int) {
+	return file_proto_metacrypt_v2_pki_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *GetCRLRequest) GetMount() string {
+	if x != nil {
+		return x.Mount
+	}
+	return ""
+}
+
+func (x *GetCRLRequest) GetIssuer() string {
+	if x != nil {
+		return x.Issuer
+	}
+	return ""
+}
+
+type GetCRLResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	CrlDer        []byte                 `protobuf:"bytes,1,opt,name=crl_der,json=crlDer,proto3" json:"crl_der,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetCRLResponse) Reset() {
+	*x = GetCRLResponse{}
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetCRLResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetCRLResponse) ProtoMessage() {}
+
+func (x *GetCRLResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetCRLResponse.ProtoReflect.Descriptor instead.
+func (*GetCRLResponse) Descriptor() ([]byte, []int) {
+	return file_proto_metacrypt_v2_pki_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *GetCRLResponse) GetCrlDer() []byte {
+	if x != nil {
+		return x.CrlDer
+	}
+	return nil
+}
+
 var File_proto_metacrypt_v2_pki_proto protoreflect.FileDescriptor
 
 const file_proto_metacrypt_v2_pki_proto_rawDesc = "" +
@@ -319,12 +415,18 @@ const file_proto_metacrypt_v2_pki_proto_rawDesc = "" +
 	"\x05mount\x18\x01 \x01(\tR\x05mount\x12\x16\n" +
 	"\x06issuer\x18\x02 \x01(\tR\x06issuer\"2\n" +
 	"\x15GetIssuerCertResponse\x12\x19\n" +
-	"\bcert_pem\x18\x01 \x01(\fR\acertPem2\x85\x02\n" +
+	"\bcert_pem\x18\x01 \x01(\fR\acertPem\"=\n" +
+	"\rGetCRLRequest\x12\x14\n" +
+	"\x05mount\x18\x01 \x01(\tR\x05mount\x12\x16\n" +
+	"\x06issuer\x18\x02 \x01(\tR\x06issuer\")\n" +
+	"\x0eGetCRLResponse\x12\x17\n" +
+	"\acrl_der\x18\x01 \x01(\fR\x06crlDer2\xca\x02\n" +
 	"\n" +
 	"PKIService\x12R\n" +
 	"\vGetRootCert\x12 .metacrypt.v2.GetRootCertRequest\x1a!.metacrypt.v2.GetRootCertResponse\x12I\n" +
 	"\bGetChain\x12\x1d.metacrypt.v2.GetChainRequest\x1a\x1e.metacrypt.v2.GetChainResponse\x12X\n" +
-	"\rGetIssuerCert\x12\".metacrypt.v2.GetIssuerCertRequest\x1a#.metacrypt.v2.GetIssuerCertResponseB>Z<git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\rGetIssuerCert\x12\".metacrypt.v2.GetIssuerCertRequest\x1a#.metacrypt.v2.GetIssuerCertResponse\x12C\n" +
+	"\x06GetCRL\x12\x1b.metacrypt.v2.GetCRLRequest\x1a\x1c.metacrypt.v2.GetCRLResponseB>Z<git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 
 var (
 	file_proto_metacrypt_v2_pki_proto_rawDescOnce sync.Once
@@ -338,7 +440,7 @@ func file_proto_metacrypt_v2_pki_proto_rawDescGZIP() []byte {
 	return file_proto_metacrypt_v2_pki_proto_rawDescData
 }
 
-var file_proto_metacrypt_v2_pki_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
+var file_proto_metacrypt_v2_pki_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
 var file_proto_metacrypt_v2_pki_proto_goTypes = []any{
 	(*GetRootCertRequest)(nil),    // 0: metacrypt.v2.GetRootCertRequest
 	(*GetRootCertResponse)(nil),   // 1: metacrypt.v2.GetRootCertResponse
@@ -346,16 +448,20 @@ var file_proto_metacrypt_v2_pki_proto_goTypes = []any{
 	(*GetChainResponse)(nil),      // 3: metacrypt.v2.GetChainResponse
 	(*GetIssuerCertRequest)(nil),  // 4: metacrypt.v2.GetIssuerCertRequest
 	(*GetIssuerCertResponse)(nil), // 5: metacrypt.v2.GetIssuerCertResponse
+	(*GetCRLRequest)(nil),         // 6: metacrypt.v2.GetCRLRequest
+	(*GetCRLResponse)(nil),        // 7: metacrypt.v2.GetCRLResponse
 }
 var file_proto_metacrypt_v2_pki_proto_depIdxs = []int32{
 	0, // 0: metacrypt.v2.PKIService.GetRootCert:input_type -> metacrypt.v2.GetRootCertRequest
 	2, // 1: metacrypt.v2.PKIService.GetChain:input_type -> metacrypt.v2.GetChainRequest
 	4, // 2: metacrypt.v2.PKIService.GetIssuerCert:input_type -> metacrypt.v2.GetIssuerCertRequest
-	1, // 3: metacrypt.v2.PKIService.GetRootCert:output_type -> metacrypt.v2.GetRootCertResponse
-	3, // 4: metacrypt.v2.PKIService.GetChain:output_type -> metacrypt.v2.GetChainResponse
-	5, // 5: metacrypt.v2.PKIService.GetIssuerCert:output_type -> metacrypt.v2.GetIssuerCertResponse
-	3, // [3:6] is the sub-list for method output_type
-	0, // [0:3] is the sub-list for method input_type
+	6, // 3: metacrypt.v2.PKIService.GetCRL:input_type -> metacrypt.v2.GetCRLRequest
+	1, // 4: metacrypt.v2.PKIService.GetRootCert:output_type -> metacrypt.v2.GetRootCertResponse
+	3, // 5: metacrypt.v2.PKIService.GetChain:output_type -> metacrypt.v2.GetChainResponse
+	5, // 6: metacrypt.v2.PKIService.GetIssuerCert:output_type -> metacrypt.v2.GetIssuerCertResponse
+	7, // 7: metacrypt.v2.PKIService.GetCRL:output_type -> metacrypt.v2.GetCRLResponse
+	4, // [4:8] is the sub-list for method output_type
+	0, // [0:4] is the sub-list for method input_type
 	0, // [0:0] is the sub-list for extension type_name
 	0, // [0:0] is the sub-list for extension extendee
 	0, // [0:0] is the sub-list for field type_name
@@ -372,7 +478,7 @@ func file_proto_metacrypt_v2_pki_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_metacrypt_v2_pki_proto_rawDesc), len(file_proto_metacrypt_v2_pki_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   6,
+			NumMessages:   8,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

gen/metacrypt/v2/pki_grpc.pb.go

@@ -22,6 +22,7 @@ const (
 	PKIService_GetRootCert_FullMethodName   = "/metacrypt.v2.PKIService/GetRootCert"
 	PKIService_GetChain_FullMethodName      = "/metacrypt.v2.PKIService/GetChain"
 	PKIService_GetIssuerCert_FullMethodName = "/metacrypt.v2.PKIService/GetIssuerCert"
+	PKIService_GetCRL_FullMethodName        = "/metacrypt.v2.PKIService/GetCRL"
 )
 
 // PKIServiceClient is the client API for PKIService service.
@@ -34,6 +35,7 @@ type PKIServiceClient interface {
 	GetRootCert(ctx context.Context, in *GetRootCertRequest, opts ...grpc.CallOption) (*GetRootCertResponse, error)
 	GetChain(ctx context.Context, in *GetChainRequest, opts ...grpc.CallOption) (*GetChainResponse, error)
 	GetIssuerCert(ctx context.Context, in *GetIssuerCertRequest, opts ...grpc.CallOption) (*GetIssuerCertResponse, error)
+	GetCRL(ctx context.Context, in *GetCRLRequest, opts ...grpc.CallOption) (*GetCRLResponse, error)
 }
 
 type pKIServiceClient struct {
@@ -74,6 +76,16 @@ func (c *pKIServiceClient) GetIssuerCert(ctx context.Context, in *GetIssuerCertR
 	return out, nil
 }
 
+func (c *pKIServiceClient) GetCRL(ctx context.Context, in *GetCRLRequest, opts ...grpc.CallOption) (*GetCRLResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(GetCRLResponse)
+	err := c.cc.Invoke(ctx, PKIService_GetCRL_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // PKIServiceServer is the server API for PKIService service.
 // All implementations must embed UnimplementedPKIServiceServer
 // for forward compatibility.
@@ -84,6 +96,7 @@ type PKIServiceServer interface {
 	GetRootCert(context.Context, *GetRootCertRequest) (*GetRootCertResponse, error)
 	GetChain(context.Context, *GetChainRequest) (*GetChainResponse, error)
 	GetIssuerCert(context.Context, *GetIssuerCertRequest) (*GetIssuerCertResponse, error)
+	GetCRL(context.Context, *GetCRLRequest) (*GetCRLResponse, error)
 	mustEmbedUnimplementedPKIServiceServer()
 }
 
@@ -103,6 +116,9 @@ func (UnimplementedPKIServiceServer) GetChain(context.Context, *GetChainRequest)
 func (UnimplementedPKIServiceServer) GetIssuerCert(context.Context, *GetIssuerCertRequest) (*GetIssuerCertResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetIssuerCert not implemented")
 }
+func (UnimplementedPKIServiceServer) GetCRL(context.Context, *GetCRLRequest) (*GetCRLResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetCRL not implemented")
+}
 func (UnimplementedPKIServiceServer) mustEmbedUnimplementedPKIServiceServer() {}
 func (UnimplementedPKIServiceServer) testEmbeddedByValue()                    {}
 
@@ -178,6 +194,24 @@ func _PKIService_GetIssuerCert_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
+func _PKIService_GetCRL_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetCRLRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(PKIServiceServer).GetCRL(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: PKIService_GetCRL_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(PKIServiceServer).GetCRL(ctx, req.(*GetCRLRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // PKIService_ServiceDesc is the grpc.ServiceDesc for PKIService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -197,6 +231,10 @@ var PKIService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetIssuerCert",
 			Handler:    _PKIService_GetIssuerCert_Handler,
 		},
+		{
+			MethodName: "GetCRL",
+			Handler:    _PKIService_GetCRL_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "proto/metacrypt/v2/pki.proto",