Kyle Isom
8f77050a84
Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).
Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry
CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen
Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
for unauthenticated TLS trust bootstrapping
Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
39 lines
1.3 KiB
TOML
39 lines
1.3 KiB
TOML
# Metacrypt production configuration
|
|
# Copy to /srv/metacrypt/metacrypt.toml and adjust for your environment.
|
|
|
|
[server]
|
|
# Address to listen on. Use "0.0.0.0:8443" to listen on all interfaces.
|
|
listen_addr = ":8443"
|
|
|
|
# TLS certificate and key. Metacrypt always terminates TLS.
|
|
tls_cert = "/srv/metacrypt/certs/server.crt"
|
|
tls_key = "/srv/metacrypt/certs/server.key"
|
|
|
|
[database]
|
|
# SQLite database path. Created automatically on first run.
|
|
# The directory must be writable by the metacrypt user.
|
|
path = "/srv/metacrypt/metacrypt.db"
|
|
|
|
[mcias]
|
|
# MCIAS server URL for authentication.
|
|
server_url = "https://mcias.metacircular.net:8443"
|
|
|
|
# CA certificate for verifying the MCIAS server's TLS certificate.
|
|
# Omit if MCIAS uses a publicly trusted certificate.
|
|
# ca_cert = "/srv/metacrypt/certs/mcias-ca.crt"
|
|
|
|
[seal]
|
|
# Argon2id parameters for key derivation.
|
|
# These are applied during initialization and stored alongside the encrypted
|
|
# master key. Changing them here after init has no effect.
|
|
#
|
|
# Defaults are tuned for server hardware (3 iterations, 128 MiB, 4 threads).
|
|
# Increase argon2_memory on machines with more RAM for stronger protection.
|
|
# argon2_time = 3
|
|
# argon2_memory = 131072 # KiB (128 MiB)
|
|
# argon2_threads = 4
|
|
|
|
[log]
|
|
# Log level: debug, info, warn, error
|
|
level = "info"
|