mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: mc:v1.1.0
Branches Tags
mc:master
mc:v1.3.1 mc:v1.3.0 mc:v1.1.0 mc:v1.0.0
..
compare: mc:v1.3.1
Branches Tags
mc:master
mc:v1.3.1 mc:v1.3.0 mc:v1.1.0 mc:v1.0.0

5 Commits
v1.1.0 ... v1.3.1

Author SHA1 Message Date
Kyle Isom
ae4cc8b420 Fix web UI download links for CA certs, SSH CA pubkey, and KRL 
Templates linked to /v1/ API server routes which don't exist on the
web server (separate binary). Add web server handlers that fetch data
via gRPC and serve the downloads directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-28 19:02:15 -07:00
Kyle Isom
131d3e778a Use mcdsl/terminal for all password prompts 
Replace direct golang.org/x/term calls with mcdsl/terminal across init,
unseal, migrate-aad, and migrate-barrier commands. Seal password prompts
use ReadPasswordBytes to preserve zeroization capability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-28 11:40:19 -07:00
Kyle Isom
b8dc39fd12 Standardize Makefile docker/push targets for MCR 
Add MCR and VERSION variables. Tag images with full MCR registry URL
and version. Add push target. Pass --build-arg VERSION for both images.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-27 14:32:09 -07:00
Kyle Isom
26f397afc0 Regenerate proto files for mc/ module path 
Raw descriptor bytes in .pb.go files were corrupted by the sed-based
module path rename (string length changed, breaking protobuf binary
encoding). Regenerated with protoc to fix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-27 02:54:26 -07:00
Kyle Isom
28d6f9fa1f Fix ListIssuers auth: move from public to auth-required methods 
ListIssuers was miscategorized as a public gRPC method, but the CA
engine handler requires CallerInfo with user role. When called without
auth (public path), the interceptor skipped token validation, so
CallerInfo was nil and the handler returned ErrUnauthorized — which
the web UI silently swallowed, showing "No issuers configured."

Security: gRPC interceptor map correction (ListIssuers requires auth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-27 02:24:11 -07:00
50 changed files with 147 additions and 96 deletions
Expand all files Collapse all files

14
Makefile
View File

@@ -1,6 +1,8 @@
.PHONY: build test vet lint proto-lint clean docker all devserver metacrypt metacrypt-web proto binaries
.PHONY: build test vet lint proto-lint clean docker push all devserver metacrypt metacrypt-web proto binaries
LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(shell git describe --tags --always --dirty 2>/dev/null || echo dev)"
MCR := mcr.svc.mcp.metacircular.net:8443
VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(VERSION)"
binaries: metacrypt metacrypt-web
@@ -38,8 +40,12 @@ clean:
rm -f metacrypt metacrypt-web
docker:
docker build -t metacrypt -f Dockerfile.api .
docker build -t metacrypt-web -f Dockerfile.web .
docker build --build-arg VERSION=$(VERSION) -t $(MCR)/metacrypt:$(VERSION) -f Dockerfile.api .
docker build --build-arg VERSION=$(VERSION) -t $(MCR)/metacrypt-web:$(VERSION) -f Dockerfile.web .
push: docker
docker push $(MCR)/metacrypt:$(VERSION)
docker push $(MCR)/metacrypt-web:$(VERSION)
docker-compose:
docker compose -f deploy/docker/docker-compose.yml up --build

11
cmd/metacrypt/init.go
View File

@@ -5,11 +5,10 @@ import (
"fmt"
"log/slog"
"os"
"syscall"
"github.com/spf13/cobra"
"golang.org/x/term"
"git.wntrmute.dev/mc/mcdsl/terminal"
"git.wntrmute.dev/mc/metacrypt/internal/barrier"
"git.wntrmute.dev/mc/metacrypt/internal/config"
"git.wntrmute.dev/mc/metacrypt/internal/crypto"
@@ -59,16 +58,12 @@ func runInit(cmd *cobra.Command, args []string) error {
return fmt.Errorf("already initialized")
}
fmt.Print("Enter seal password: ")
pw1, err := term.ReadPassword(int(syscall.Stdin))
fmt.Println()
pw1, err := terminal.ReadPasswordBytes("Enter seal password: ")
if err != nil {
return fmt.Errorf("reading password: %w", err)
}
fmt.Print("Confirm seal password: ")
pw2, err := term.ReadPassword(int(syscall.Stdin))
fmt.Println()
pw2, err := terminal.ReadPasswordBytes("Confirm seal password: ")
if err != nil {
return fmt.Errorf("reading password: %w", err)
}

8
cmd/metacrypt/migrate_aad.go
View File

@@ -4,12 +4,10 @@ import (
"context"
"database/sql"
"fmt"
"os"
"syscall"
"github.com/spf13/cobra"
"golang.org/x/term"
"git.wntrmute.dev/mc/mcdsl/terminal"
"git.wntrmute.dev/mc/metacrypt/internal/config"
"git.wntrmute.dev/mc/metacrypt/internal/crypto"
"git.wntrmute.dev/mc/metacrypt/internal/db"
@@ -52,9 +50,7 @@ func runMigrateAAD(cmd *cobra.Command, args []string) error {
defer func() { _ = database.Close() }()
// Read unseal password.
fmt.Fprint(os.Stderr, "Unseal password: ")
passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
fmt.Fprintln(os.Stderr)
passwordBytes, err := terminal.ReadPasswordBytes("Unseal password: ")
if err != nil {
return fmt.Errorf("read password: %w", err)
}

8
cmd/metacrypt/migrate_barrier.go
View File

@@ -4,12 +4,10 @@ import (
"context"
"database/sql"
"fmt"
"os"
"syscall"
"github.com/spf13/cobra"
"golang.org/x/term"
"git.wntrmute.dev/mc/mcdsl/terminal"
"git.wntrmute.dev/mc/metacrypt/internal/barrier"
"git.wntrmute.dev/mc/metacrypt/internal/config"
"git.wntrmute.dev/mc/metacrypt/internal/crypto"
@@ -62,9 +60,7 @@ func runMigrateBarrier(cmd *cobra.Command, args []string) error {
}
// Read unseal password.
fmt.Fprint(os.Stderr, "Unseal password: ")
passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
fmt.Fprintln(os.Stderr)
passwordBytes, err := terminal.ReadPasswordBytes("Unseal password: ")
if err != nil {
return fmt.Errorf("read password: %w", err)
}

10
cmd/metacrypt/unseal.go
View File

@@ -11,10 +11,10 @@ import (
"os"
"github.com/spf13/cobra"
"golang.org/x/term"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"git.wntrmute.dev/mc/mcdsl/terminal"
metacryptv1 "git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1"
)
@@ -43,17 +43,15 @@ func runUnseal(cmd *cobra.Command, args []string) error {
return fmt.Errorf("one of --grpc-addr or --addr is required")
}
fmt.Print("Unseal password: ")
passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec
fmt.Println()
password, err := terminal.ReadPassword("Unseal password: ")
if err != nil {
return fmt.Errorf("read password: %w", err)
}
if unsealGRPCAddr != "" {
return unsealViaGRPC(unsealGRPCAddr, unsealCACert, string(passwordBytes))
return unsealViaGRPC(unsealGRPCAddr, unsealCACert, password)
}
return unsealViaREST(unsealAddr, unsealCACert, string(passwordBytes))
return unsealViaREST(unsealAddr, unsealCACert, password)
}
func buildTLSConfig(caCertPath string) (*tls.Config, error) {

4
gen/metacrypt/v1/acme.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/acme.proto
package metacryptv1
@@ -600,7 +600,7 @@ const file_proto_metacrypt_v1_acme_proto_rawDesc = "" +
"\tSetConfig\x12\x1e.metacrypt.v1.SetConfigRequest\x1a\x1f.metacrypt.v1.SetConfigResponse\x12U\n" +
"\fListAccounts\x12!.metacrypt.v1.ListAccountsRequest\x1a\".metacrypt.v1.ListAccountsResponse\x12O\n" +
"\n" +
"ListOrders\x12\x1f.metacrypt.v1.ListOrdersRequest\x1a .metacrypt.v1.ListOrdersResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"ListOrders\x12\x1f.metacrypt.v1.ListOrdersRequest\x1a .metacrypt.v1.ListOrdersResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_acme_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/acme_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/acme.proto
package metacryptv1

4
gen/metacrypt/v1/auth.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/auth.proto
package metacryptv1
@@ -324,7 +324,7 @@ const file_proto_metacrypt_v1_auth_proto_rawDesc = "" +
"\vAuthService\x12@\n" +
"\x05Login\x12\x1a.metacrypt.v1.LoginRequest\x1a\x1b.metacrypt.v1.LoginResponse\x12C\n" +
"\x06Logout\x12\x1b.metacrypt.v1.LogoutRequest\x1a\x1c.metacrypt.v1.LogoutResponse\x12L\n" +
"\tTokenInfo\x12\x1e.metacrypt.v1.TokenInfoRequest\x1a\x1f.metacrypt.v1.TokenInfoResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\tTokenInfo\x12\x1e.metacrypt.v1.TokenInfoRequest\x1a\x1f.metacrypt.v1.TokenInfoResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_auth_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/auth_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/auth.proto
package metacryptv1

4
gen/metacrypt/v1/barrier.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/barrier.proto
package metacryptv1
@@ -455,7 +455,7 @@ const file_proto_metacrypt_v1_barrier_proto_rawDesc = "" +
"\bListKeys\x12\x1d.metacrypt.v1.ListKeysRequest\x1a\x1e.metacrypt.v1.ListKeysResponse\x12L\n" +
"\tRotateMEK\x12\x1e.metacrypt.v1.RotateMEKRequest\x1a\x1f.metacrypt.v1.RotateMEKResponse\x12L\n" +
"\tRotateKey\x12\x1e.metacrypt.v1.RotateKeyRequest\x1a\x1f.metacrypt.v1.RotateKeyResponse\x12T\n" +
"\aMigrate\x12#.metacrypt.v1.MigrateBarrierRequest\x1a$.metacrypt.v1.MigrateBarrierResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\aMigrate\x12#.metacrypt.v1.MigrateBarrierRequest\x1a$.metacrypt.v1.MigrateBarrierResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_barrier_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/barrier_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/barrier.proto
package metacryptv1

4
gen/metacrypt/v1/common.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/common.proto
package metacryptv1
@@ -24,7 +24,7 @@ var File_proto_metacrypt_v1_common_proto protoreflect.FileDescriptor
const file_proto_metacrypt_v1_common_proto_rawDesc = "" +
"\n" +
"\x1fproto/metacrypt/v1/common.proto\x12\fmetacrypt.v1B>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\x1fproto/metacrypt/v1/common.proto\x12\fmetacrypt.v1B<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var file_proto_metacrypt_v1_common_proto_goTypes = []any{}
var file_proto_metacrypt_v1_common_proto_depIdxs = []int32{

4
gen/metacrypt/v1/engine.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/engine.proto
package metacryptv1
@@ -483,7 +483,7 @@ const file_proto_metacrypt_v1_engine_proto_rawDesc = "" +
"\aUnmount\x12\x1c.metacrypt.v1.UnmountRequest\x1a\x1d.metacrypt.v1.UnmountResponse\x12O\n" +
"\n" +
"ListMounts\x12\x1f.metacrypt.v1.ListMountsRequest\x1a .metacrypt.v1.ListMountsResponse\x12F\n" +
"\aExecute\x12\x1c.metacrypt.v1.ExecuteRequest\x1a\x1d.metacrypt.v1.ExecuteResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\aExecute\x12\x1c.metacrypt.v1.ExecuteRequest\x1a\x1d.metacrypt.v1.ExecuteResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_engine_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/engine_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/engine.proto
package metacryptv1

4
gen/metacrypt/v1/pki.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/pki.proto
package metacryptv1
@@ -324,7 +324,7 @@ const file_proto_metacrypt_v1_pki_proto_rawDesc = "" +
"PKIService\x12R\n" +
"\vGetRootCert\x12 .metacrypt.v1.GetRootCertRequest\x1a!.metacrypt.v1.GetRootCertResponse\x12I\n" +
"\bGetChain\x12\x1d.metacrypt.v1.GetChainRequest\x1a\x1e.metacrypt.v1.GetChainResponse\x12X\n" +
"\rGetIssuerCert\x12\".metacrypt.v1.GetIssuerCertRequest\x1a#.metacrypt.v1.GetIssuerCertResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\rGetIssuerCert\x12\".metacrypt.v1.GetIssuerCertRequest\x1a#.metacrypt.v1.GetIssuerCertResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_pki_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/pki_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/pki.proto
package metacryptv1

4
gen/metacrypt/v1/policy.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/policy.proto
package metacryptv1
@@ -481,7 +481,7 @@ const file_proto_metacrypt_v1_policy_proto_rawDesc = "" +
"\fCreatePolicy\x12!.metacrypt.v1.CreatePolicyRequest\x1a\".metacrypt.v1.CreatePolicyResponse\x12U\n" +
"\fListPolicies\x12!.metacrypt.v1.ListPoliciesRequest\x1a\".metacrypt.v1.ListPoliciesResponse\x12L\n" +
"\tGetPolicy\x12\x1e.metacrypt.v1.GetPolicyRequest\x1a\x1f.metacrypt.v1.GetPolicyResponse\x12U\n" +
"\fDeletePolicy\x12!.metacrypt.v1.DeletePolicyRequest\x1a\".metacrypt.v1.DeletePolicyResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\fDeletePolicy\x12!.metacrypt.v1.DeletePolicyRequest\x1a\".metacrypt.v1.DeletePolicyResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_policy_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/policy_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/policy.proto
package metacryptv1

4
gen/metacrypt/v1/system.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v1/system.proto
package metacryptv1
@@ -380,7 +380,7 @@ const file_proto_metacrypt_v1_system_proto_rawDesc = "" +
"\x06Status\x12\x1b.metacrypt.v1.StatusRequest\x1a\x1c.metacrypt.v1.StatusResponse\x12=\n" +
"\x04Init\x12\x19.metacrypt.v1.InitRequest\x1a\x1a.metacrypt.v1.InitResponse\x12C\n" +
"\x06Unseal\x12\x1b.metacrypt.v1.UnsealRequest\x1a\x1c.metacrypt.v1.UnsealResponse\x12=\n" +
"\x04Seal\x12\x19.metacrypt.v1.SealRequest\x1a\x1a.metacrypt.v1.SealResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
"\x04Seal\x12\x19.metacrypt.v1.SealRequest\x1a\x1a.metacrypt.v1.SealResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
var (
file_proto_metacrypt_v1_system_proto_rawDescOnce sync.Once

2
gen/metacrypt/v1/system_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v1/system.proto
package metacryptv1

4
gen/metacrypt/v2/acme.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/acme.proto
package metacryptv2
@@ -592,7 +592,7 @@ const file_proto_metacrypt_v2_acme_proto_rawDesc = "" +
"\tSetConfig\x12\x1e.metacrypt.v2.SetConfigRequest\x1a\x1f.metacrypt.v2.SetConfigResponse\x12U\n" +
"\fListAccounts\x12!.metacrypt.v2.ListAccountsRequest\x1a\".metacrypt.v2.ListAccountsResponse\x12O\n" +
"\n" +
"ListOrders\x12\x1f.metacrypt.v2.ListOrdersRequest\x1a .metacrypt.v2.ListOrdersResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"ListOrders\x12\x1f.metacrypt.v2.ListOrdersRequest\x1a .metacrypt.v2.ListOrdersResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_acme_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/acme_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/acme.proto
package metacryptv2

4
gen/metacrypt/v2/auth.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/auth.proto
package metacryptv2
@@ -325,7 +325,7 @@ const file_proto_metacrypt_v2_auth_proto_rawDesc = "" +
"\vAuthService\x12@\n" +
"\x05Login\x12\x1a.metacrypt.v2.LoginRequest\x1a\x1b.metacrypt.v2.LoginResponse\x12C\n" +
"\x06Logout\x12\x1b.metacrypt.v2.LogoutRequest\x1a\x1c.metacrypt.v2.LogoutResponse\x12L\n" +
"\tTokenInfo\x12\x1e.metacrypt.v2.TokenInfoRequest\x1a\x1f.metacrypt.v2.TokenInfoResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\tTokenInfo\x12\x1e.metacrypt.v2.TokenInfoRequest\x1a\x1f.metacrypt.v2.TokenInfoResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_auth_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/auth_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/auth.proto
package metacryptv2

4
gen/metacrypt/v2/barrier.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/barrier.proto
package metacryptv2
@@ -455,7 +455,7 @@ const file_proto_metacrypt_v2_barrier_proto_rawDesc = "" +
"\bListKeys\x12\x1d.metacrypt.v2.ListKeysRequest\x1a\x1e.metacrypt.v2.ListKeysResponse\x12L\n" +
"\tRotateMEK\x12\x1e.metacrypt.v2.RotateMEKRequest\x1a\x1f.metacrypt.v2.RotateMEKResponse\x12L\n" +
"\tRotateKey\x12\x1e.metacrypt.v2.RotateKeyRequest\x1a\x1f.metacrypt.v2.RotateKeyResponse\x12T\n" +
"\aMigrate\x12#.metacrypt.v2.MigrateBarrierRequest\x1a$.metacrypt.v2.MigrateBarrierResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\aMigrate\x12#.metacrypt.v2.MigrateBarrierRequest\x1a$.metacrypt.v2.MigrateBarrierResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_barrier_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/barrier_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/barrier.proto
package metacryptv2

4
gen/metacrypt/v2/ca.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/ca.proto
package metacryptv2
@@ -2075,7 +2075,7 @@ const file_proto_metacrypt_v2_ca_proto_rawDesc = "" +
"\n" +
"RevokeCert\x12\x1f.metacrypt.v2.RevokeCertRequest\x1a .metacrypt.v2.RevokeCertResponse\x12O\n" +
"\n" +
"DeleteCert\x12\x1f.metacrypt.v2.DeleteCertRequest\x1a .metacrypt.v2.DeleteCertResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"DeleteCert\x12\x1f.metacrypt.v2.DeleteCertRequest\x1a .metacrypt.v2.DeleteCertResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_ca_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/ca_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/ca.proto
package metacryptv2

4
gen/metacrypt/v2/common.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/common.proto
package metacryptv2
@@ -24,7 +24,7 @@ var File_proto_metacrypt_v2_common_proto protoreflect.FileDescriptor
const file_proto_metacrypt_v2_common_proto_rawDesc = "" +
"\n" +
"\x1fproto/metacrypt/v2/common.proto\x12\fmetacrypt.v2B>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\x1fproto/metacrypt/v2/common.proto\x12\fmetacrypt.v2B<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var file_proto_metacrypt_v2_common_proto_goTypes = []any{}
var file_proto_metacrypt_v2_common_proto_depIdxs = []int32{

4
gen/metacrypt/v2/engine.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/engine.proto
package metacryptv2
@@ -366,7 +366,7 @@ const file_proto_metacrypt_v2_engine_proto_rawDesc = "" +
"\x05Mount\x12\x1a.metacrypt.v2.MountRequest\x1a\x1b.metacrypt.v2.MountResponse\x12F\n" +
"\aUnmount\x12\x1c.metacrypt.v2.UnmountRequest\x1a\x1d.metacrypt.v2.UnmountResponse\x12O\n" +
"\n" +
"ListMounts\x12\x1f.metacrypt.v2.ListMountsRequest\x1a .metacrypt.v2.ListMountsResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"ListMounts\x12\x1f.metacrypt.v2.ListMountsRequest\x1a .metacrypt.v2.ListMountsResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_engine_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/engine_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/engine.proto
package metacryptv2

4
gen/metacrypt/v2/pki.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/pki.proto
package metacryptv2
@@ -426,7 +426,7 @@ const file_proto_metacrypt_v2_pki_proto_rawDesc = "" +
"\vGetRootCert\x12 .metacrypt.v2.GetRootCertRequest\x1a!.metacrypt.v2.GetRootCertResponse\x12I\n" +
"\bGetChain\x12\x1d.metacrypt.v2.GetChainRequest\x1a\x1e.metacrypt.v2.GetChainResponse\x12X\n" +
"\rGetIssuerCert\x12\".metacrypt.v2.GetIssuerCertRequest\x1a#.metacrypt.v2.GetIssuerCertResponse\x12C\n" +
"\x06GetCRL\x12\x1b.metacrypt.v2.GetCRLRequest\x1a\x1c.metacrypt.v2.GetCRLResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\x06GetCRL\x12\x1b.metacrypt.v2.GetCRLRequest\x1a\x1c.metacrypt.v2.GetCRLResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_pki_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/pki_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/pki.proto
package metacryptv2

4
gen/metacrypt/v2/policy.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/policy.proto
package metacryptv2
@@ -481,7 +481,7 @@ const file_proto_metacrypt_v2_policy_proto_rawDesc = "" +
"\fCreatePolicy\x12!.metacrypt.v2.CreatePolicyRequest\x1a\".metacrypt.v2.CreatePolicyResponse\x12U\n" +
"\fListPolicies\x12!.metacrypt.v2.ListPoliciesRequest\x1a\".metacrypt.v2.ListPoliciesResponse\x12L\n" +
"\tGetPolicy\x12\x1e.metacrypt.v2.GetPolicyRequest\x1a\x1f.metacrypt.v2.GetPolicyResponse\x12U\n" +
"\fDeletePolicy\x12!.metacrypt.v2.DeletePolicyRequest\x1a\".metacrypt.v2.DeletePolicyResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\fDeletePolicy\x12!.metacrypt.v2.DeletePolicyRequest\x1a\".metacrypt.v2.DeletePolicyResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_policy_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/policy_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/policy.proto
package metacryptv2

4
gen/metacrypt/v2/sshca.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/sshca.proto
package metacryptv2
@@ -1919,7 +1919,7 @@ const file_proto_metacrypt_v2_sshca_proto_rawDesc = "" +
"RevokeCert\x12\".metacrypt.v2.SSHRevokeCertRequest\x1a#.metacrypt.v2.SSHRevokeCertResponse\x12U\n" +
"\n" +
"DeleteCert\x12\".metacrypt.v2.SSHDeleteCertRequest\x1a#.metacrypt.v2.SSHDeleteCertResponse\x12I\n" +
"\x06GetKRL\x12\x1e.metacrypt.v2.SSHGetKRLRequest\x1a\x1f.metacrypt.v2.SSHGetKRLResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\x06GetKRL\x12\x1e.metacrypt.v2.SSHGetKRLRequest\x1a\x1f.metacrypt.v2.SSHGetKRLResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_sshca_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/sshca_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/sshca.proto
package metacryptv2

4
gen/metacrypt/v2/system.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/system.proto
package metacryptv2
@@ -380,7 +380,7 @@ const file_proto_metacrypt_v2_system_proto_rawDesc = "" +
"\x06Status\x12\x1b.metacrypt.v2.StatusRequest\x1a\x1c.metacrypt.v2.StatusResponse\x12=\n" +
"\x04Init\x12\x19.metacrypt.v2.InitRequest\x1a\x1a.metacrypt.v2.InitResponse\x12C\n" +
"\x06Unseal\x12\x1b.metacrypt.v2.UnsealRequest\x1a\x1c.metacrypt.v2.UnsealResponse\x12=\n" +
"\x04Seal\x12\x19.metacrypt.v2.SealRequest\x1a\x1a.metacrypt.v2.SealResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\x04Seal\x12\x19.metacrypt.v2.SealRequest\x1a\x1a.metacrypt.v2.SealResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_system_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/system_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/system.proto
package metacryptv2

4
gen/metacrypt/v2/transit.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/transit.proto
package metacryptv2
@@ -2075,7 +2075,7 @@ const file_proto_metacrypt_v2_transit_proto_rawDesc = "" +
"\x04Sign\x12 .metacrypt.v2.TransitSignRequest\x1a!.metacrypt.v2.TransitSignResponse\x12Q\n" +
"\x06Verify\x12\".metacrypt.v2.TransitVerifyRequest\x1a#.metacrypt.v2.TransitVerifyResponse\x12K\n" +
"\x04Hmac\x12 .metacrypt.v2.TransitHmacRequest\x1a!.metacrypt.v2.TransitHmacResponse\x12c\n" +
"\fGetPublicKey\x12(.metacrypt.v2.GetTransitPublicKeyRequest\x1a).metacrypt.v2.GetTransitPublicKeyResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"\fGetPublicKey\x12(.metacrypt.v2.GetTransitPublicKeyRequest\x1a).metacrypt.v2.GetTransitPublicKeyResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_transit_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/transit_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/transit.proto
package metacryptv2

4
gen/metacrypt/v2/user.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.36.11
// protoc v3.20.3
// protoc v6.32.1
// source: proto/metacrypt/v2/user.proto
package metacryptv2
@@ -1023,7 +1023,7 @@ const file_proto_metacrypt_v2_user_proto_rawDesc = "" +
"\tReEncrypt\x12\".metacrypt.v2.UserReEncryptRequest\x1a#.metacrypt.v2.UserReEncryptResponse\x12T\n" +
"\tRotateKey\x12\".metacrypt.v2.UserRotateKeyRequest\x1a#.metacrypt.v2.UserRotateKeyResponse\x12W\n" +
"\n" +
"DeleteUser\x12#.metacrypt.v2.UserDeleteUserRequest\x1a$.metacrypt.v2.UserDeleteUserResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
"DeleteUser\x12#.metacrypt.v2.UserDeleteUserRequest\x1a$.metacrypt.v2.UserDeleteUserResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
var (
file_proto_metacrypt_v2_user_proto_rawDescOnce sync.Once

2
gen/metacrypt/v2/user_grpc.pb.go
View File

@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.6.1
// - protoc v3.20.3
// - protoc v6.32.1
// source: proto/metacrypt/v2/user.proto
package metacryptv2

4
go.mod
View File

@@ -4,12 +4,11 @@ go 1.25.7
require (
git.wntrmute.dev/kyle/goutils v1.21.0
git.wntrmute.dev/mc/mcdsl v1.2.0
git.wntrmute.dev/mc/mcdsl v1.4.0
github.com/go-chi/chi/v5 v5.2.5
github.com/spf13/cobra v1.10.2
github.com/spf13/viper v1.21.0
golang.org/x/crypto v0.49.0
golang.org/x/term v0.41.0
google.golang.org/grpc v1.79.3
google.golang.org/protobuf v1.36.11
)
@@ -33,6 +32,7 @@ require (
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/net v0.51.0 // indirect
golang.org/x/sys v0.42.0 // indirect
golang.org/x/term v0.41.0 // indirect
golang.org/x/text v0.35.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
modernc.org/libc v1.70.0 // indirect

4
go.sum
View File

@@ -1,7 +1,7 @@
git.wntrmute.dev/kyle/goutils v1.21.0 h1:ZR7ovV400hsF09zc8tkdHs6vyen8TDJ7flong/dnFXM=
git.wntrmute.dev/kyle/goutils v1.21.0/go.mod h1:JQ8NL5lHSEYl719UMf20p4G1ei70RVGma0hjjNXCR2c=
git.wntrmute.dev/mc/mcdsl v1.2.0 h1:41hep7/PNZJfN0SN/nM+rQpyF1GSZcvNNjyVG81DI7U=
git.wntrmute.dev/mc/mcdsl v1.2.0/go.mod h1:lXYrAt74ZUix6rx9oVN8d2zH1YJoyp4uxPVKQ+SSxuM=
git.wntrmute.dev/mc/mcdsl v1.4.0 h1:PsEIyskcjBduwHSRwNB/U/uSeU/cv3C8MVr0SRjBRLg=
git.wntrmute.dev/mc/mcdsl v1.4.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=

2
internal/grpcserver/server.go
View File

@@ -160,7 +160,6 @@ func publicMethods() map[string]bool {
// CA read-only — public certificates and chains.
"/metacrypt.v2.CAService/GetRoot": true,
"/metacrypt.v2.CAService/GetIssuer": true,
"/metacrypt.v2.CAService/ListIssuers": true,
"/metacrypt.v2.CAService/GetChain": true,
// SSH CA — public key and key revocation list.
"/metacrypt.v2.SSHCAService/GetCAPublicKey": true,
@@ -175,6 +174,7 @@ func authRequiredMethods() map[string]bool {
"/metacrypt.v2.AuthService/Logout": true,
"/metacrypt.v2.AuthService/TokenInfo": true,
"/metacrypt.v2.EngineService/ListMounts": true,
"/metacrypt.v2.CAService/ListIssuers": true,
"/metacrypt.v2.CAService/IssueCert": true,
"/metacrypt.v2.CAService/GetCert": true,
"/metacrypt.v2.CAService/ListCerts": true,

22
internal/webserver/routes.go
View File

@@ -50,6 +50,8 @@ func (ws *WebServer) registerRoutes(r chi.Router) {
r.Route("/sshca", func(r chi.Router) {
r.Get("/", ws.requireAuth(ws.handleSSHCA))
r.Get("/ca", ws.requireAuth(ws.handleSSHCADownload))
r.Get("/krl", ws.requireAuth(ws.handleSSHCAKRLDownload))
r.Post("/sign-user", ws.requireAuth(ws.handleSSHCASignUser))
r.Post("/sign-host", ws.requireAuth(ws.handleSSHCASignHost))
r.Get("/cert/{serial}", ws.requireAuth(ws.handleSSHCACertDetail))
@@ -91,6 +93,7 @@ func (ws *WebServer) registerRoutes(r chi.Router) {
r.Route("/pki", func(r chi.Router) {
r.Get("/", ws.requireAuth(ws.handlePKI))
r.Get("/ca", ws.requireAuth(ws.handlePKIRootCA))
r.Post("/import-root", ws.requireAuth(ws.handleImportRoot))
r.Post("/create-issuer", ws.requireAuth(ws.handleCreateIssuer))
r.Post("/issue", ws.requireAuth(ws.handleIssueCert))
@@ -475,6 +478,25 @@ func (ws *WebServer) handleCreateIssuer(w http.ResponseWriter, r *http.Request)
http.Redirect(w, r, "/pki", http.StatusFound)
}
func (ws *WebServer) handlePKIRootCA(w http.ResponseWriter, r *http.Request) {
token := extractCookie(r)
mountName, err := ws.findCAMount(r, token)
if err != nil {
http.Error(w, "no CA engine mounted", http.StatusNotFound)
return
}
certPEM, err := ws.vault.GetRootCert(r.Context(), mountName)
if err != nil || len(certPEM) == 0 {
http.Error(w, "root CA not found", http.StatusNotFound)
return
}
w.Header().Set("Content-Type", "application/x-pem-file")
w.Header().Set("Content-Disposition", "attachment; filename=root-ca.pem")
_, _ = w.Write(certPEM) //nolint:gosec
}
func (ws *WebServer) handlePKIIssuer(w http.ResponseWriter, r *http.Request) {
token := extractCookie(r)
mountName, err := ws.findCAMount(r, token)

38
internal/webserver/sshca.go
View File

@@ -40,6 +40,44 @@ func (ws *WebServer) handleSSHCA(w http.ResponseWriter, r *http.Request) {
ws.renderTemplate(w, "sshca.html", data)
}
func (ws *WebServer) handleSSHCADownload(w http.ResponseWriter, r *http.Request) {
token := extractCookie(r)
mountName, err := ws.findSSHCAMount(r, token)
if err != nil {
http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
return
}
pubkey, err := ws.vault.GetSSHCAPublicKey(r.Context(), mountName)
if err != nil || pubkey == nil {
http.Error(w, "CA public key not found", http.StatusNotFound)
return
}
w.Header().Set("Content-Type", "text/plain")
w.Header().Set("Content-Disposition", "attachment; filename=ca.pub")
_, _ = w.Write([]byte(pubkey.PublicKey)) //nolint:gosec
}
func (ws *WebServer) handleSSHCAKRLDownload(w http.ResponseWriter, r *http.Request) {
token := extractCookie(r)
mountName, err := ws.findSSHCAMount(r, token)
if err != nil {
http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
return
}
krl, err := ws.vault.GetSSHCAKRL(r.Context(), mountName)
if err != nil {
http.Error(w, "KRL not found", http.StatusNotFound)
return
}
w.Header().Set("Content-Type", "application/octet-stream")
w.Header().Set("Content-Disposition", "attachment; filename=krl.bin")
_, _ = w.Write(krl) //nolint:gosec
}
func (ws *WebServer) handleSSHCASignUser(w http.ResponseWriter, r *http.Request) {
info := tokenInfoFromContext(r.Context())
token := extractCookie(r)

2
web/templates/pki.html
View File

@@ -27,7 +27,7 @@
</tbody>
</table>
<p style="margin-top: 1rem; margin-bottom: 0;">
<a href="/v1/pki/{{.MountName}}/ca" download="root-ca.pem">Download Root CA (PEM)</a>
<a href="/pki/ca" download="root-ca.pem">Download Root CA (PEM)</a>
</p>
{{else}}
<p>No root CA configured.</p>

4
web/templates/sshca.html
View File

@@ -14,7 +14,7 @@
{{if .CAPublicKey}}
<textarea rows="3" class="pem-input" readonly>{{.CAPublicKey}}</textarea>
<p style="margin-top: 0.5rem; margin-bottom: 0;">
<a href="/v1/sshca/{{.MountName}}/ca" download="ca.pub">Download CA Public Key</a>
<a href="/sshca/ca" download="ca.pub">Download CA Public Key</a>
</p>
{{else}}
<p>CA public key not available.</p>
@@ -210,7 +210,7 @@
{{if .IsAdmin}}
<div class="card">
<div class="card-title">Key Revocation List</div>
<p><a href="/v1/sshca/{{.MountName}}/krl" download="krl.bin">Download KRL</a></p>
<p><a href="/sshca/krl" download="krl.bin">Download KRL</a></p>
</div>
{{end}}
{{end}}