Add user-to-user encryption engine with ECDH key exchange and AES-256-GCM

Implements the complete user engine for multi-recipient envelope encryption: - ECDH key agreement (X25519, P-256, P-384) with HKDF-derived wrapping keys - Per-message random DEK wrapped individually for each recipient - 9 operations: register, provision, get-public-key, list-users, encrypt, decrypt, re-encrypt, rotate-key, delete-user - Auto-provisioning of sender and recipients on encrypt - Role-based authorization (admin-only provision/delete, user-only decrypt) - gRPC UserService with proto definitions and REST API routes - 16 comprehensive tests covering lifecycle, crypto roundtrips, multi-recipient, key rotation, auth enforcement, and algorithm variants Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 19:44:11 -07:00
parent ac4577f778
commit be3b9d7fe0
10 changed files with 4004 additions and 1 deletions
--- a/internal/grpcserver/server.go
+++ b/internal/grpcserver/server.go
@@ -81,6 +81,7 @@ func (s *GRPCServer) Start() error {
 	pb.RegisterPKIServiceServer(s.srv, &pkiServer{s: s})
 	pb.RegisterCAServiceServer(s.srv, &caServer{s: s})
 	pb.RegisterPolicyServiceServer(s.srv, &policyServer{s: s})
+	pb.RegisterUserServiceServer(s.srv, &userServer{s: s})
 	pb.RegisterACMEServiceServer(s.srv, &acmeServer{s: s})

 	lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr)
@@ -133,6 +134,15 @@ func sealRequiredMethods() map[string]bool {
 		"/metacrypt.v2.PolicyService/ListPolicies": true,
 		"/metacrypt.v2.PolicyService/GetPolicy":    true,
 		"/metacrypt.v2.PolicyService/DeletePolicy": true,
+		"/metacrypt.v2.UserService/Register":       true,
+		"/metacrypt.v2.UserService/Provision":      true,
+		"/metacrypt.v2.UserService/GetPublicKey":   true,
+		"/metacrypt.v2.UserService/ListUsers":      true,
+		"/metacrypt.v2.UserService/Encrypt":        true,
+		"/metacrypt.v2.UserService/Decrypt":        true,
+		"/metacrypt.v2.UserService/ReEncrypt":      true,
+		"/metacrypt.v2.UserService/RotateKey":      true,
+		"/metacrypt.v2.UserService/DeleteUser":     true,
 		"/metacrypt.v2.ACMEService/CreateEAB":      true,
 		"/metacrypt.v2.ACMEService/SetConfig":      true,
 		"/metacrypt.v2.ACMEService/ListAccounts":   true,
@@ -163,6 +173,15 @@ func authRequiredMethods() map[string]bool {
 		"/metacrypt.v2.PolicyService/ListPolicies": true,
 		"/metacrypt.v2.PolicyService/GetPolicy":    true,
 		"/metacrypt.v2.PolicyService/DeletePolicy": true,
+		"/metacrypt.v2.UserService/Register":       true,
+		"/metacrypt.v2.UserService/Provision":      true,
+		"/metacrypt.v2.UserService/GetPublicKey":   true,
+		"/metacrypt.v2.UserService/ListUsers":      true,
+		"/metacrypt.v2.UserService/Encrypt":        true,
+		"/metacrypt.v2.UserService/Decrypt":        true,
+		"/metacrypt.v2.UserService/ReEncrypt":      true,
+		"/metacrypt.v2.UserService/RotateKey":      true,
+		"/metacrypt.v2.UserService/DeleteUser":     true,
 		"/metacrypt.v2.ACMEService/CreateEAB":      true,
 		"/metacrypt.v2.ACMEService/SetConfig":      true,
 		"/metacrypt.v2.ACMEService/ListAccounts":   true,
@@ -183,6 +202,8 @@ func adminRequiredMethods() map[string]bool {
 		"/metacrypt.v2.CAService/DeleteCert":       true,
 		"/metacrypt.v2.PolicyService/CreatePolicy": true,
 		"/metacrypt.v2.PolicyService/DeletePolicy": true,
+		"/metacrypt.v2.UserService/Provision":      true,
+		"/metacrypt.v2.UserService/DeleteUser":     true,
 		"/metacrypt.v2.ACMEService/SetConfig":      true,
 		"/metacrypt.v2.ACMEService/ListAccounts":   true,
 		"/metacrypt.v2.ACMEService/ListOrders":     true,