mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5dcb63165f60df53fd6d003edb359631436f8a6
metacrypt/web/templates/cert_detail.html
Kyle Isom 64d921827e Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22) 
Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs
stored in a new barrier_keys table, rather than encrypting all barrier
entries directly. A v2 ciphertext format (0x02) embeds the key ID so the
barrier can resolve which DEK to use on decryption. v1 ciphertext remains
supported for backward compatibility.

Key changes:
- crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs
- barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys)
- seal: RotateMEK re-wraps DEKs without re-encrypting data
- engine: Mount auto-creates per-engine DEK
- REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate
- proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate
- db: migration v2 adds barrier_keys table

Also includes: security audit report, CSRF protection, engine design specs
(sshca, transit, user), path-bound AAD migration tool, policy engine
enhancements, and ARCHITECTURE.md updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 18:27:44 -07:00

61 lines
2.4 KiB
HTML
Raw Blame History

{{define "title"}} - Certificate: {{.Cert.Serial}}{{end}}
{{define "content"}}
<div class="page-header">
<h2>Certificate: {{.Cert.CommonName}}{{if .Cert.Revoked}} <span style="color:#c0392b;">[REVOKED]</span>{{end}}</h2>
<div class="page-meta">
<a href="/pki/issuer/{{.Cert.Issuer}}">&larr; Issuer: {{.Cert.Issuer}}</a>
&ensp;&middot;&ensp;
<a href="/pki/cert/{{.Cert.Serial}}/download">Download Certificate (PEM)</a>
</div>
</div>
<div class="card">
<div class="card-title">Certificate Details</div>
<table class="kv-table">
<tbody>
<tr><th>Serial</th><td><code>{{.Cert.Serial}}</code></td></tr>
<tr><th>Common Name</th><td>{{.Cert.CommonName}}</td></tr>
<tr><th>Issuer</th><td>{{.Cert.Issuer}}</td></tr>
<tr><th>Profile</th><td>{{.Cert.Profile}}</td></tr>
{{if .Cert.SANs}}
<tr><th>SANs</th><td>{{range $i, $san := .Cert.SANs}}{{if $i}}, {{end}}{{$san}}{{end}}</td></tr>
{{end}}
<tr><th>Issued By</th><td>{{.Cert.IssuedBy}}</td></tr>
<tr><th>Issued At</th><td>{{.Cert.IssuedAt}}</td></tr>
<tr><th>Expires At</th><td>{{.Cert.ExpiresAt}}</td></tr>
{{if .Cert.Revoked}}
<tr><th>Revoked At</th><td>{{.Cert.RevokedAt}}</td></tr>
<tr><th>Revoked By</th><td>{{.Cert.RevokedBy}}</td></tr>
{{end}}
</tbody>
</table>
</div>
<div class="card">
<div class="card-title">Certificate PEM</div>
<div class="form-group">
<textarea rows="12" class="pem-input" readonly>{{.Cert.CertPEM}}</textarea>
</div>
</div>
{{if .IsAdmin}}
<div class="card">
<div class="card-title">Admin Actions</div>
<div style="display:flex;gap:1rem;flex-wrap:wrap;">
{{if not .Cert.Revoked}}
<form method="POST" action="/pki/cert/{{.Cert.Serial}}/revoke"
onsubmit="return confirm('Revoke certificate {{.Cert.Serial}}? This cannot be undone.');">
{{csrfField}}
<button type="submit" class="btn btn-danger">Revoke Certificate</button>
</form>
{{end}}
<form method="POST" action="/pki/cert/{{.Cert.Serial}}/delete"
onsubmit="return confirm('Permanently delete certificate record {{.Cert.Serial}}? This cannot be undone.');">
{{csrfField}}
<button type="submit" class="btn btn-danger">Delete Record</button>
</form>
</div>
</div>
{{end}}
{{end}}
Reference in New Issue View Git Blame Copy Permalink