keysmith

Cryptographic key lifecycle as a service — zero-downtime rotation, envelope encryption, and a hardened minimal JOSE layer.

Gostdlib cryptoJOSEAES-GCM demo: deploy pending

What it is

KeySmith owns signing keys for the whole platform. Every other Meridian service either asks it to sign (idp) or verifies locally against its JWKS (everyone else). It ships as a daemon (cmd/keysmithd), a Go client with a stale-tolerant JWKS cache, and — the part other projects import directly — a zero-dependency jose package.

The architectural challenge

Key rotation breaks systems in one specific way: a verifier receives a token signed by a key it hasn’t learned yet, or a still-valid token outlives its key’s publication. KeySmith eliminates both windows with a four-state machine — pending → active → retiring → retired — where a key is published before it ever signs and stays published until every token it signed has expired.

The two timing invariants that make this airtight are validated at service construction, not documented and hoped for:

An unsafe configuration fails to boot. See ADR 0003 — rotation state machine.

Key design decisions

Security highlights

From the threat model: the JWKS endpoint is public and carries no secrets; signer and admin tokens are separate classes compared in constant time; exp/iat are server-set with a TTL cap so a stolen signer token cannot mint long-lived tokens; /v1/verify returns coarse reasons only so verification errors can’t become a forgery oracle; private-JWK serialization does not exist in the codebase (tested). Accepted residual risks — LocalKEK in process memory, single-writer file store, no HSM — are documented rather than hidden.

Verified by

Code worth reading