mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
26f397afc01e9221b5388385e00fc309dc7d4925
metacrypt/web/templates/transit_key_detail.html
Kyle Isom a80323e320 Add web UI for SSH CA, Transit, and User engines; full security audit and remediation 
Web UI: Added browser-based management for all three remaining engines
(SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files,
7 HTML templates, dashboard mount forms, and conditional navigation links.
Fixed REST API routes to match design specs (SSH CA cert singular paths,
Transit PATCH for update-key-config).

Security audit: Conducted full-system audit covering crypto core, all
engine implementations, API servers, policy engine, auth, deployment,
and documentation. Identified 42 new findings (#39-#80) across all
severity levels.

Remediation of all 8 High findings:
- #68: Replaced 14 JSON-injection-vulnerable error responses with safe
  json.Encoder via writeJSONError helper
- #48: Added two-layer path traversal defense (barrier validatePath
  rejects ".." segments; engine ValidateName enforces safe name pattern)
- #39: Extended RLock through entire crypto operations in barrier
  Get/Put/Delete/List to eliminate TOCTOU race with Seal
- #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite
  transaction to prevent irrecoverable data loss on crash during MEK
  rotation
- #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling
  on handleIssue and handleSignCSR
- #61: Store raw ECDH private key bytes in userState for effective
  zeroization on Seal
- #62: Fixed user engine policy resource path from mountPath to
  mountName() so policy rules match correctly
- #69: Added newPolicyChecker helper and passed service-level policy
  evaluation to all 25 typed REST handler engine.Request structs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 22:02:06 -07:00

104 lines
3.5 KiB
HTML
Raw Blame History

{{define "title"}} - Key: {{.Key.Name}}{{end}}
{{define "content"}}
<div class="page-header">
<h2>Key: {{.Key.Name}}</h2>
<div class="page-meta">
<a href="/transit">&larr; Transit</a>
</div>
</div>
<div class="card">
<div class="card-title">Key Details</div>
<table class="kv-table">
<tbody>
<tr><th>Name</th><td>{{.Key.Name}}</td></tr>
<tr><th>Type</th><td><code>{{.Key.Type}}</code></td></tr>
<tr><th>Current Version</th><td>{{.Key.CurrentVersion}}</td></tr>
<tr><th>Min Decryption Version</th><td>{{.Key.MinDecryptionVersion}}</td></tr>
<tr><th>Allow Deletion</th><td>{{if .Key.AllowDeletion}}yes{{else}}no{{end}}</td></tr>
</tbody>
</table>
</div>
<div class="card">
<div class="card-title">Key Versions</div>
{{if .Key.Versions}}
<div class="table-wrapper">
<table>
<thead>
<tr>
<th>Version</th>
</tr>
</thead>
<tbody>
{{range .Key.Versions}}
<tr>
<td>{{.}}</td>
</tr>
{{end}}
</tbody>
</table>
</div>
{{else}}
<p>No version information available.</p>
{{end}}
</div>
{{if .PublicKey}}
<div class="card">
<div class="card-title">Public Key</div>
<textarea rows="4" class="pem-input" readonly>{{.PublicKey}}</textarea>
</div>
{{end}}
{{if .IsAdmin}}
<div class="card">
<div class="card-title">Admin Actions</div>
<form method="post" action="/transit/key/{{.Key.Name}}/rotate" style="display:inline;">
{{csrfField}}
<button type="submit" onclick="return confirm('Rotate key {{.Key.Name}}?')">Rotate Key</button>
</form>
<details style="margin-top: 1rem;">
<summary>Update Config</summary>
<form method="post" action="/transit/key/{{.Key.Name}}/config">
{{csrfField}}
<div class="form-row">
<div class="form-group">
<label for="cfg_min_decrypt">Min Decryption Version</label>
<input type="number" id="cfg_min_decrypt" name="min_decryption_version" value="{{.Key.MinDecryptionVersion}}" min="0">
</div>
<div class="form-group">
<label>&nbsp;</label>
<label class="checkbox-label"><input type="checkbox" name="allow_deletion"{{if .Key.AllowDeletion}} checked{{end}}> Allow Deletion</label>
</div>
</div>
<div class="form-actions">
<button type="submit">Update Config</button>
</div>
</form>
</details>
<details style="margin-top: 1rem;">
<summary>Trim Old Versions</summary>
<form method="post" action="/transit/key/{{.Key.Name}}/trim">
{{csrfField}}
<p>Trims key versions below the current min_decryption_version.</p>
<div class="form-actions">
<button type="submit" class="btn-danger" onclick="return confirm('Trim old versions of key {{.Key.Name}}? This cannot be undone.')">Trim Versions</button>
</div>
</form>
</details>
{{if .Key.AllowDeletion}}
<div style="margin-top: 1rem;">
<form method="post" action="/transit/key/{{.Key.Name}}/delete">
{{csrfField}}
<button type="submit" class="btn-danger" onclick="return confirm('Permanently delete key {{.Key.Name}}? This cannot be undone.')">Delete Key</button>
</form>
</div>
{{end}}
</div>
{{end}}
{{end}}
Reference in New Issue View Git Blame Copy Permalink