metacrypt

mc/metacrypt

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Isom	bbe382dc10	Migrate module path from kyle/ to mc/ org All import paths updated to git.wntrmute.dev/mc/. Bumps mcdsl to v1.2.0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 02:05:59 -07:00
Kyle Isom	64d921827e	Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6 , #22 ) Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-16 18:27:44 -07:00
Kyle Isom	167db48eb4	Add ACME (RFC 8555) server and Go client library Implements full ACME protocol support in Metacrypt: - internal/acme: core types, JWS verification (ES256/384/512 + RS256), nonce store, per-mount handler, all RFC 8555 protocol endpoints, HTTP-01 and DNS-01 challenge validation, EAB management - internal/server/acme.go: management REST routes (EAB create, config, list accounts/orders) + ACME protocol route dispatch - proto/metacrypt/v1/acme.proto: ACMEService (CreateEAB, SetConfig, ListAccounts, ListOrders) — protocol endpoints are HTTP-only per RFC - clients/go: new Go module with MCIAS-auth bootstrap, ACME account registration, certificate issuance/renewal, HTTP-01 and DNS-01 challenge providers - .claude/launch.json: dev server configuration EAB is required for all account creation; MCIAS-authenticated users obtain a single-use KID + HMAC-SHA256 key via POST /v1/acme/{mount}/eab.	2026-03-15 08:09:12 -07:00

Author

SHA1

Message

Date

Kyle Isom

bbe382dc10

Migrate module path from kyle/ to mc/ org

All import paths updated to git.wntrmute.dev/mc/. Bumps mcdsl to v1.2.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-27 02:05:59 -07:00

Kyle Isom

64d921827e

Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6 , #22 )

Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs
stored in a new barrier_keys table, rather than encrypting all barrier
entries directly. A v2 ciphertext format (0x02) embeds the key ID so the
barrier can resolve which DEK to use on decryption. v1 ciphertext remains
supported for backward compatibility.

Key changes:
- crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs
- barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys)
- seal: RotateMEK re-wraps DEKs without re-encrypting data
- engine: Mount auto-creates per-engine DEK
- REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate
- proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate
- db: migration v2 adds barrier_keys table

Also includes: security audit report, CSRF protection, engine design specs
(sshca, transit, user), path-bound AAD migration tool, policy engine
enhancements, and ARCHITECTURE.md updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-16 18:27:44 -07:00

Kyle Isom

167db48eb4

Add ACME (RFC 8555) server and Go client library

Implements full ACME protocol support in Metacrypt:

- internal/acme: core types, JWS verification (ES256/384/512 + RS256),
  nonce store, per-mount handler, all RFC 8555 protocol endpoints,
  HTTP-01 and DNS-01 challenge validation, EAB management
- internal/server/acme.go: management REST routes (EAB create, config,
  list accounts/orders) + ACME protocol route dispatch
- proto/metacrypt/v1/acme.proto: ACMEService (CreateEAB, SetConfig,
  ListAccounts, ListOrders) — protocol endpoints are HTTP-only per RFC
- clients/go: new Go module with MCIAS-auth bootstrap, ACME account
  registration, certificate issuance/renewal, HTTP-01 and DNS-01
  challenge providers
- .claude/launch.json: dev server configuration

EAB is required for all account creation; MCIAS-authenticated users
obtain a single-use KID + HMAC-SHA256 key via POST /v1/acme/{mount}/eab.

2026-03-15 08:09:12 -07:00

3 Commits