mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
26f397afc01e9221b5388385e00fc309dc7d4925
metacrypt/web/templates/pki.html
Kyle Isom 64d921827e Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22) 
Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs
stored in a new barrier_keys table, rather than encrypting all barrier
entries directly. A v2 ciphertext format (0x02) embeds the key ID so the
barrier can resolve which DEK to use on decryption. v1 ciphertext remains
supported for backward compatibility.

Key changes:
- crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs
- barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys)
- seal: RotateMEK re-wraps DEKs without re-encrypting data
- engine: Mount auto-creates per-engine DEK
- REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate
- proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate
- db: migration v2 adds barrier_keys table

Also includes: security audit report, CSRF protection, engine design specs
(sshca, transit, user), path-bound AAD migration tool, policy engine
enhancements, and ARCHITECTURE.md updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 18:27:44 -07:00

270 lines
12 KiB
HTML
Raw Blame History

{{define "title"}} - PKI: {{.MountName}}{{end}}
{{define "content"}}
<div class="page-header">
<h2>PKI: {{.MountName}}</h2>
<div class="page-meta">
<a href="/dashboard">&larr; Dashboard</a>
</div>
</div>
{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
<div class="card">
<div class="card-title">Root CA</div>
{{if .HasRoot}}
<table class="kv-table">
<tbody>
<tr><th>Common Name</th><td>{{.RootCN}}</td></tr>
<tr><th>Organization</th><td>{{.RootOrg}}</td></tr>
<tr><th>Valid From</th><td>{{.RootNotBefore}}</td></tr>
<tr>
<th>Valid Until</th>
<td>
{{.RootNotAfter}}
{{if .RootExpired}}&ensp;<span class="badge badge-danger">Expired</span>{{end}}
</td>
</tr>
</tbody>
</table>
<p style="margin-top: 1rem; margin-bottom: 0;">
<a href="/v1/pki/{{.MountName}}/ca" download="root-ca.pem">Download Root CA (PEM)</a>
</p>
{{else}}
<p>No root CA configured.</p>
{{end}}
</div>
{{if .IsAdmin}}
{{if or (not .HasRoot) .RootExpired}}
<div class="card">
<div class="card-title">Import Root CA</div>
<p>{{if .RootExpired}}The current root CA has expired. Import a new one to continue issuing certificates.{{else}}No root CA is present. Import one to get started.{{end}}</p>
<form method="post" action="/pki/import-root" enctype="multipart/form-data">
{{csrfField}}
<div class="form-row">
<div class="form-group">
<label for="cert_file">Certificate PEM file</label>
<input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
</div>
<div class="form-group">
<label for="key_file">Private Key PEM file</label>
<input type="file" id="key_file" name="key_file" accept=".pem,.key">
</div>
</div>
<details>
<summary>Or paste PEM directly</summary>
<div class="form-group">
<label for="cert_pem">Certificate PEM</label>
<textarea id="cert_pem" name="cert_pem" rows="6" class="pem-input" placeholder="-----BEGIN CERTIFICATE-----"></textarea>
</div>
<div class="form-group">
<label for="key_pem">Private Key PEM</label>
<textarea id="key_pem" name="key_pem" rows="6" class="pem-input" placeholder="-----BEGIN PRIVATE KEY-----"></textarea>
</div>
</details>
<div class="form-actions">
<button type="submit">Import Root CA</button>
</div>
</form>
</div>
{{end}}
{{end}}
<div class="card">
<div class="card-title">Issuers</div>
{{if .Issuers}}
<div class="table-wrapper">
<table>
<thead>
<tr>
<th>Name</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
{{range .Issuers}}
<tr>
<td><a href="/pki/issuer/{{.}}">{{.}}</a></td>
<td><a href="/pki/{{.}}" download="{{.}}.pem">Download Cert (PEM)</a></td>
</tr>
{{end}}
</tbody>
</table>
</div>
{{else}}
<p>No issuers configured.</p>
{{end}}
</div>
{{if and .HasRoot .Issuers}}
<div class="card">
<div class="card-title">Issue Certificate</div>
<form method="post" action="/pki/issue">
{{csrfField}}
<div class="form-row">
<div class="form-group">
<label for="issue_cn">Common Name</label>
<input type="text" id="issue_cn" name="common_name" placeholder="example.com" required>
</div>
<div class="form-group">
<label for="issue_issuer">Issuer</label>
<select id="issue_issuer" name="issuer" required>
<option value="">— select issuer —</option>
{{range .Issuers}}<option value="{{.}}">{{.}}</option>{{end}}
</select>
</div>
</div>
<div class="form-row">
<div class="form-group">
<label for="issue_profile">Profile</label>
<select id="issue_profile" name="profile">
<option value="server">server (default)</option>
<option value="client">client</option>
<option value="peer">peer</option>
</select>
</div>
<div class="form-group">
<label for="issue_ttl">TTL <small style="text-transform:none;letter-spacing:0;">(optional)</small></label>
<input type="text" id="issue_ttl" name="ttl" placeholder="2160h">
</div>
</div>
<details>
<summary>Subject Alternative Names</summary>
<div class="form-row">
<div class="form-group">
<label for="issue_dns">DNS Names <small style="text-transform:none;letter-spacing:0;">(one per line)</small></label>
<textarea id="issue_dns" name="dns_names" rows="3" placeholder="example.com&#10;www.example.com"></textarea>
</div>
<div class="form-group">
<label for="issue_ips">IP Addresses <small style="text-transform:none;letter-spacing:0;">(one per line)</small></label>
<textarea id="issue_ips" name="ip_addresses" rows="3" placeholder="10.0.0.1"></textarea>
</div>
</div>
</details>
<details open>
<summary>Key Usages</summary>
<div class="form-row">
<div class="form-group">
<label>Key Usages</label>
<div class="checkbox-group">
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="digital signature"> Digital Signature</label>
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="key encipherment"> Key Encipherment</label>
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="content commitment"> Content Commitment</label>
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="data encipherment"> Data Encipherment</label>
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="key agreement"> Key Agreement</label>
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="cert sign"> Cert Sign</label>
<label class="checkbox-label"><input type="checkbox" name="key_usages" value="crl sign"> CRL Sign</label>
</div>
</div>
<div class="form-group">
<label>Extended Key Usages</label>
<div class="checkbox-group">
<label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="server auth"> Server Auth</label>
<label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="client auth"> Client Auth</label>
<label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="code signing"> Code Signing</label>
<label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="email protection"> Email Protection</label>
<label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="time stamping"> Time Stamping</label>
<label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="ocsp signing"> OCSP Signing</label>
</div>
</div>
</div>
</details>
<div class="form-actions">
<button type="submit">Issue Certificate</button>
</div>
</form>
</div>
{{end}}
{{if and .HasRoot .Issuers}}
<div class="card">
<div class="card-title">Sign CSR</div>
{{if .SignedCert}}
<div class="success">
<p>CSR signed successfully. Serial: <code>{{.SignedCert.Serial}}</code> &mdash; Expires: {{.SignedCert.ExpiresAt}}</p>
<div class="form-group">
<label>Certificate PEM</label>
<textarea rows="8" class="pem-input" readonly>{{.SignedCert.CertPEM}}</textarea>
</div>
<div class="form-group">
<label>Chain PEM</label>
<textarea rows="8" class="pem-input" readonly>{{.SignedCert.ChainPEM}}</textarea>
</div>
</div>
{{else}}
<form method="post" action="/pki/sign-csr">
{{csrfField}}
<div class="form-row">
<div class="form-group">
<label for="sign_issuer">Issuer</label>
<select id="sign_issuer" name="issuer" required>
<option value="">— select issuer —</option>
{{range .Issuers}}<option value="{{.}}">{{.}}</option>{{end}}
</select>
</div>
<div class="form-group">
<label for="sign_profile">Profile (key usage defaults)</label>
<select id="sign_profile" name="profile">
<option value="server">server (default)</option>
<option value="client">client</option>
<option value="peer">peer</option>
</select>
</div>
<div class="form-group">
<label for="sign_ttl">TTL (optional)</label>
<input type="text" id="sign_ttl" name="ttl" placeholder="2160h">
</div>
</div>
<div class="form-group">
<label for="sign_csr_pem">CSR (PEM)</label>
<textarea id="sign_csr_pem" name="csr_pem" rows="8" class="pem-input" placeholder="-----BEGIN CERTIFICATE REQUEST-----" required></textarea>
</div>
<button type="submit">Sign CSR</button>
</form>
{{end}}
</div>
{{end}}
{{if .IsAdmin}}
{{if .HasRoot}}
<div class="card">
<div class="card-title">Create Issuer</div>
{{if .IssuerError}}<div class="error">{{.IssuerError}}</div>{{end}}
<form method="post" action="/pki/create-issuer">
{{csrfField}}
<div class="form-row">
<div class="form-group">
<label for="issuer_name">Issuer Name</label>
<input type="text" id="issuer_name" name="name" placeholder="default" required>
</div>
<div class="form-group">
<label for="issuer_expiry">Expiry</label>
<input type="text" id="issuer_expiry" name="expiry" placeholder="26280h (3 years)">
</div>
</div>
<details>
<summary>Advanced options</summary>
<div class="form-row">
<div class="form-group">
<label for="issuer_key_alg">Key Algorithm</label>
<input type="text" id="issuer_key_alg" name="key_algorithm" placeholder="ecdsa (default)">
</div>
<div class="form-group">
<label for="issuer_key_size">Key Size</label>
<input type="text" id="issuer_key_size" name="key_size" placeholder="521 (default)">
</div>
</div>
<div class="form-group">
<label for="issuer_max_ttl">Max Leaf TTL</label>
<input type="text" id="issuer_max_ttl" name="max_ttl" placeholder="2160h (90 days)">
</div>
</details>
<div class="form-actions">
<button type="submit">Create Issuer</button>
</div>
</form>
</div>
{{end}}
{{end}}
{{end}}
Reference in New Issue View Git Blame Copy Permalink