2015-04-16 00:08:12 +00:00
|
|
|
package transit
|
|
|
|
|
|
|
|
|
|
import (
|
2018-01-08 18:31:38 +00:00
|
|
|
"context"
|
2015-04-16 00:08:12 +00:00
|
|
|
"encoding/base64"
|
2021-05-27 19:05:20 +00:00
|
|
|
"encoding/json"
|
2015-06-18 01:51:05 +00:00
|
|
|
"fmt"
|
2021-11-15 21:53:22 +00:00
|
|
|
"net/http"
|
2020-11-23 19:55:08 +00:00
|
|
|
"reflect"
|
2015-04-16 00:08:12 +00:00
|
|
|
|
2022-01-27 18:06:34 +00:00
|
|
|
"github.com/hashicorp/vault/helper/constants"
|
|
|
|
|
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/errutil"
|
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/keysutil"
|
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2017-02-06 19:56:16 +00:00
|
|
|
"github.com/mitchellh/mapstructure"
|
2015-04-16 00:08:12 +00:00
|
|
|
)
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
// BatchRequestItem represents a request item for batch processing
|
|
|
|
|
type BatchRequestItem struct {
|
|
|
|
|
// Context for key derivation. This is required for derived keys.
|
2017-02-06 19:56:16 +00:00
|
|
|
Context string `json:"context" structs:"context" mapstructure:"context"`
|
|
|
|
|
|
|
|
|
|
// DecodedContext is the base64 decoded version of Context
|
|
|
|
|
DecodedContext []byte
|
2017-02-02 19:24:20 +00:00
|
|
|
|
|
|
|
|
// Plaintext for encryption
|
|
|
|
|
Plaintext string `json:"plaintext" structs:"plaintext" mapstructure:"plaintext"`
|
|
|
|
|
|
|
|
|
|
// Ciphertext for decryption
|
|
|
|
|
Ciphertext string `json:"ciphertext" structs:"ciphertext" mapstructure:"ciphertext"`
|
|
|
|
|
|
|
|
|
|
// Nonce to be used when v1 convergent encryption is used
|
2017-02-06 19:56:16 +00:00
|
|
|
Nonce string `json:"nonce" structs:"nonce" mapstructure:"nonce"`
|
|
|
|
|
|
2017-06-06 20:02:54 +00:00
|
|
|
// The key version to be used for encryption
|
|
|
|
|
KeyVersion int `json:"key_version" structs:"key_version" mapstructure:"key_version"`
|
|
|
|
|
|
2017-02-06 19:56:16 +00:00
|
|
|
// DecodedNonce is the base64 decoded version of Nonce
|
|
|
|
|
DecodedNonce []byte
|
2022-10-24 17:41:02 +00:00
|
|
|
|
|
|
|
|
// Associated Data for AEAD ciphers
|
|
|
|
|
AssociatedData string `json:"associated_data" struct:"associated_data" mapstructure:"associated_data"`
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
|
|
|
|
|
2020-09-22 13:43:07 +00:00
|
|
|
// EncryptBatchResponseItem represents a response item for batch processing
|
|
|
|
|
type EncryptBatchResponseItem struct {
|
2017-02-02 19:24:20 +00:00
|
|
|
// Ciphertext for the plaintext present in the corresponding batch
|
|
|
|
|
// request item
|
|
|
|
|
Ciphertext string `json:"ciphertext,omitempty" structs:"ciphertext" mapstructure:"ciphertext"`
|
|
|
|
|
|
2020-06-01 17:16:01 +00:00
|
|
|
// KeyVersion defines the key version used to encrypt plaintext.
|
|
|
|
|
KeyVersion int `json:"key_version,omitempty" structs:"key_version" mapstructure:"key_version"`
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
// Error, if set represents a failure encountered while encrypting a
|
|
|
|
|
// corresponding batch request item
|
|
|
|
|
Error string `json:"error,omitempty" structs:"error" mapstructure:"error"`
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-24 17:41:02 +00:00
|
|
|
type AssocDataFactory struct {
|
|
|
|
|
Encoded string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a AssocDataFactory) GetAssociatedData() ([]byte, error) {
|
|
|
|
|
return base64.StdEncoding.DecodeString(a.Encoded)
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
func (b *backend) pathEncrypt() *framework.Path {
|
2015-04-16 00:08:12 +00:00
|
|
|
return &framework.Path{
|
2015-08-21 07:56:13 +00:00
|
|
|
Pattern: "encrypt/" + framework.GenericNameRegex("name"),
|
2015-04-16 00:08:12 +00:00
|
|
|
Fields: map[string]*framework.FieldSchema{
|
2020-06-10 17:31:46 +00:00
|
|
|
"name": {
|
2015-04-16 00:08:12 +00:00
|
|
|
Type: framework.TypeString,
|
2022-08-26 16:25:02 +00:00
|
|
|
Description: "Name of the key",
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
|
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
"plaintext": {
|
2015-04-16 00:08:12 +00:00
|
|
|
Type: framework.TypeString,
|
2017-02-02 19:24:20 +00:00
|
|
|
Description: "Base64 encoded plaintext value to be encrypted",
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
2015-07-05 21:12:07 +00:00
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
"context": {
|
2015-07-05 21:12:07 +00:00
|
|
|
Type: framework.TypeString,
|
2017-02-02 19:24:20 +00:00
|
|
|
Description: "Base64 encoded context for key derivation. Required if key derivation is enabled",
|
2015-07-05 21:12:07 +00:00
|
|
|
},
|
2016-08-05 21:52:44 +00:00
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
"nonce": {
|
2017-02-02 19:24:20 +00:00
|
|
|
Type: framework.TypeString,
|
|
|
|
|
Description: `
|
|
|
|
|
Base64 encoded nonce value. Must be provided if convergent encryption is
|
|
|
|
|
enabled for this key and the key was generated with Vault 0.6.1. Not required
|
|
|
|
|
for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long
|
|
|
|
|
and the user must ensure that for any given context (and thus, any given
|
|
|
|
|
encryption key) this nonce value is **never reused**.
|
|
|
|
|
`,
|
2016-08-05 21:52:44 +00:00
|
|
|
},
|
2016-09-21 14:29:42 +00:00
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
"type": {
|
2016-09-21 14:29:42 +00:00
|
|
|
Type: framework.TypeString,
|
|
|
|
|
Default: "aes256-gcm96",
|
2017-02-02 19:24:20 +00:00
|
|
|
Description: `
|
|
|
|
|
This parameter is required when encryption key is expected to be created.
|
|
|
|
|
When performing an upsert operation, the type of key to create. Currently,
|
2019-10-03 20:11:43 +00:00
|
|
|
"aes128-gcm96" (symmetric) and "aes256-gcm96" (symmetric) are the only types supported. Defaults to "aes256-gcm96".`,
|
2016-09-21 14:29:42 +00:00
|
|
|
},
|
|
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
"convergent_encryption": {
|
2016-09-21 14:29:42 +00:00
|
|
|
Type: framework.TypeBool,
|
2017-02-02 19:24:20 +00:00
|
|
|
Description: `
|
|
|
|
|
This parameter will only be used when a key is expected to be created. Whether
|
|
|
|
|
to support convergent encryption. This is only supported when using a key with
|
|
|
|
|
key derivation enabled and will require all requests to carry both a context
|
|
|
|
|
and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly
|
|
|
|
|
generated nonce. As a result, when the same context and nonce are supplied, the
|
|
|
|
|
same ciphertext is generated. It is *very important* when using this mode that
|
|
|
|
|
you ensure that all nonces are unique for a given context. Failing to do so
|
|
|
|
|
will severely impact the ciphertext's security.`,
|
|
|
|
|
},
|
2017-06-06 20:02:54 +00:00
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
"key_version": {
|
2017-06-06 20:02:54 +00:00
|
|
|
Type: framework.TypeInt,
|
|
|
|
|
Description: `The version of the key to use for encryption.
|
|
|
|
|
Must be 0 (for latest) or a value greater than or equal
|
|
|
|
|
to the min_encryption_version configured on the key.`,
|
|
|
|
|
},
|
2022-10-24 17:41:02 +00:00
|
|
|
|
2022-09-13 17:51:09 +00:00
|
|
|
"partial_failure_response_code": {
|
|
|
|
|
Type: framework.TypeInt,
|
|
|
|
|
Description: `
|
|
|
|
|
Ordinarily, if a batch item fails to encrypt due to a bad input, but other batch items succeed,
|
|
|
|
|
the HTTP response code is 400 (Bad Request). Some applications may want to treat partial failures differently.
|
|
|
|
|
Providing the parameter returns the given response code integer instead of a 400 in this case. If all values fail
|
|
|
|
|
HTTP 400 is still returned.`,
|
|
|
|
|
},
|
2022-10-24 17:41:02 +00:00
|
|
|
|
|
|
|
|
"associated_data": {
|
|
|
|
|
Type: framework.TypeString,
|
|
|
|
|
Description: `
|
|
|
|
|
When using an AEAD cipher mode, such as AES-GCM, this parameter allows
|
|
|
|
|
passing associated data (AD/AAD) into the encryption function; this data
|
|
|
|
|
must be passed on subsequent decryption requests but can be transited in
|
|
|
|
|
plaintext. On successful decryption, both the ciphertext and the associated
|
|
|
|
|
data are attested not to have been tampered with.
|
|
|
|
|
`,
|
|
|
|
|
},
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2016-02-02 14:58:12 +00:00
|
|
|
logical.CreateOperation: b.pathEncryptWrite,
|
2016-01-27 21:24:11 +00:00
|
|
|
logical.UpdateOperation: b.pathEncryptWrite,
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
2015-04-27 19:47:09 +00:00
|
|
|
|
2016-02-02 14:58:12 +00:00
|
|
|
ExistenceCheck: b.pathEncryptExistenceCheck,
|
|
|
|
|
|
2015-04-27 19:47:09 +00:00
|
|
|
HelpSynopsis: pathEncryptHelpSyn,
|
|
|
|
|
HelpDescription: pathEncryptHelpDesc,
|
2015-04-16 00:08:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-22 21:00:25 +00:00
|
|
|
func decodeEncryptBatchRequestItems(src interface{}, dst *[]BatchRequestItem) error {
|
|
|
|
|
return decodeBatchRequestItems(src, true, false, dst)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func decodeDecryptBatchRequestItems(src interface{}, dst *[]BatchRequestItem) error {
|
|
|
|
|
return decodeBatchRequestItems(src, false, true, dst)
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-10 17:31:46 +00:00
|
|
|
// decodeBatchRequestItems is a fast path alternative to mapstructure.Decode to decode []BatchRequestItem.
|
|
|
|
|
// It aims to behave as closely possible to the original mapstructure.Decode and will return the same errors.
|
2022-02-22 21:00:25 +00:00
|
|
|
// Note, however, that an error will also be returned if one of the required fields is missing.
|
2020-06-10 17:31:46 +00:00
|
|
|
// https://github.com/hashicorp/vault/pull/8775/files#r437709722
|
2022-02-22 21:00:25 +00:00
|
|
|
func decodeBatchRequestItems(src interface{}, requirePlaintext bool, requireCiphertext bool, dst *[]BatchRequestItem) error {
|
2020-06-10 17:31:46 +00:00
|
|
|
if src == nil || dst == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
items, ok := src.([]interface{})
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("source data must be an array or slice, got %T", src)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Early return should happen before allocating the array if the batch is empty.
|
|
|
|
|
// However to comply with mapstructure output it's needed to allocate an empty array.
|
|
|
|
|
sitems := len(items)
|
|
|
|
|
*dst = make([]BatchRequestItem, sitems)
|
|
|
|
|
if sitems == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// To comply with mapstructure output the same error type is needed.
|
|
|
|
|
var errs mapstructure.Error
|
|
|
|
|
|
|
|
|
|
for i, iitem := range items {
|
|
|
|
|
item, ok := iitem.(map[string]interface{})
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("[%d] expected a map, got '%T'", i, iitem)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if v, has := item["context"]; has {
|
2020-11-23 19:55:08 +00:00
|
|
|
if !reflect.ValueOf(v).IsValid() {
|
|
|
|
|
} else if casted, ok := v.(string); ok {
|
2020-06-10 17:31:46 +00:00
|
|
|
(*dst)[i].Context = casted
|
|
|
|
|
} else {
|
2021-02-18 20:40:18 +00:00
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].context' expected type 'string', got unconvertible type '%T'", i, item["context"]))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if v, has := item["ciphertext"]; has {
|
2020-11-23 19:55:08 +00:00
|
|
|
if !reflect.ValueOf(v).IsValid() {
|
|
|
|
|
} else if casted, ok := v.(string); ok {
|
2020-06-10 17:31:46 +00:00
|
|
|
(*dst)[i].Ciphertext = casted
|
|
|
|
|
} else {
|
2021-02-18 20:40:18 +00:00
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].ciphertext' expected type 'string', got unconvertible type '%T'", i, item["ciphertext"]))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
2022-02-22 21:00:25 +00:00
|
|
|
} else if requireCiphertext {
|
|
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].ciphertext' missing ciphertext to decrypt", i))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if v, has := item["plaintext"]; has {
|
|
|
|
|
if casted, ok := v.(string); ok {
|
|
|
|
|
(*dst)[i].Plaintext = casted
|
|
|
|
|
} else {
|
2021-02-18 20:40:18 +00:00
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].plaintext' expected type 'string', got unconvertible type '%T'", i, item["plaintext"]))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
2022-02-22 21:00:25 +00:00
|
|
|
} else if requirePlaintext {
|
|
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].plaintext' missing plaintext to encrypt", i))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if v, has := item["nonce"]; has {
|
2020-11-23 19:55:08 +00:00
|
|
|
if !reflect.ValueOf(v).IsValid() {
|
|
|
|
|
} else if casted, ok := v.(string); ok {
|
2020-06-10 17:31:46 +00:00
|
|
|
(*dst)[i].Nonce = casted
|
|
|
|
|
} else {
|
2021-02-18 20:40:18 +00:00
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].nonce' expected type 'string', got unconvertible type '%T'", i, item["nonce"]))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if v, has := item["key_version"]; has {
|
2020-11-23 19:55:08 +00:00
|
|
|
if !reflect.ValueOf(v).IsValid() {
|
|
|
|
|
} else if casted, ok := v.(int); ok {
|
2020-06-10 17:31:46 +00:00
|
|
|
(*dst)[i].KeyVersion = casted
|
2021-05-27 19:05:20 +00:00
|
|
|
} else if js, ok := v.(json.Number); ok {
|
|
|
|
|
// https://github.com/hashicorp/vault/issues/10232
|
|
|
|
|
// Because API server parses json request with UseNumber=true, logical.Request.Data can include json.Number for a number field.
|
|
|
|
|
if casted, err := js.Int64(); err == nil {
|
|
|
|
|
(*dst)[i].KeyVersion = int(casted)
|
|
|
|
|
} else {
|
|
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf(`error decoding %T into [%d].key_version: strconv.ParseInt: parsing "%s": invalid syntax`, v, i, v))
|
|
|
|
|
}
|
2020-06-10 17:31:46 +00:00
|
|
|
} else {
|
2021-02-18 20:40:18 +00:00
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].key_version' expected type 'int', got unconvertible type '%T'", i, item["key_version"]))
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
|
|
|
|
}
|
2022-10-24 17:41:02 +00:00
|
|
|
|
|
|
|
|
if v, has := item["associated_data"]; has {
|
|
|
|
|
if !reflect.ValueOf(v).IsValid() {
|
|
|
|
|
} else if casted, ok := v.(string); ok {
|
|
|
|
|
(*dst)[i].AssociatedData = casted
|
|
|
|
|
} else {
|
|
|
|
|
errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].associated_data' expected type 'string', got unconvertible type '%T'", i, item["associated_data"]))
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-06-10 17:31:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(errs.Errors) > 0 {
|
|
|
|
|
return &errs
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathEncryptExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
|
2016-02-02 14:58:12 +00:00
|
|
|
name := d.Get("name").(string)
|
2021-09-13 21:44:56 +00:00
|
|
|
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
|
2018-06-12 16:24:12 +00:00
|
|
|
Storage: req.Storage,
|
|
|
|
|
Name: name,
|
2019-10-17 17:33:00 +00:00
|
|
|
}, b.GetRandomReader())
|
2016-02-02 14:58:12 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
2018-06-12 16:24:12 +00:00
|
|
|
if p != nil && b.System().CachingDisabled() {
|
|
|
|
|
p.Unlock()
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-26 15:39:19 +00:00
|
|
|
return p != nil, nil
|
2016-02-02 14:58:12 +00:00
|
|
|
}
|
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2015-04-16 00:08:12 +00:00
|
|
|
name := d.Get("name").(string)
|
2016-09-13 16:00:04 +00:00
|
|
|
var err error
|
2017-02-06 19:56:16 +00:00
|
|
|
batchInputRaw := d.Raw["batch_input"]
|
2017-02-02 19:24:20 +00:00
|
|
|
var batchInputItems []BatchRequestItem
|
2017-02-06 19:56:16 +00:00
|
|
|
if batchInputRaw != nil {
|
2022-02-22 21:00:25 +00:00
|
|
|
err = decodeEncryptBatchRequestItems(batchInputRaw, &batchInputItems)
|
2015-07-05 21:37:51 +00:00
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("failed to parse batch input: %w", err)
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(batchInputItems) == 0 {
|
|
|
|
|
return logical.ErrorResponse("missing batch input to process"), logical.ErrInvalidRequest
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2022-03-18 20:10:38 +00:00
|
|
|
valueRaw, ok, err := d.GetOkErr("plaintext")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
2022-02-22 21:00:25 +00:00
|
|
|
if !ok {
|
2022-03-18 20:10:38 +00:00
|
|
|
return logical.ErrorResponse("missing plaintext to encrypt"), logical.ErrInvalidRequest
|
2022-02-22 21:00:25 +00:00
|
|
|
}
|
2017-02-02 19:24:20 +00:00
|
|
|
|
|
|
|
|
batchInputItems = make([]BatchRequestItem, 1)
|
|
|
|
|
batchInputItems[0] = BatchRequestItem{
|
2022-10-24 17:41:02 +00:00
|
|
|
Plaintext: valueRaw.(string),
|
|
|
|
|
Context: d.Get("context").(string),
|
|
|
|
|
Nonce: d.Get("nonce").(string),
|
|
|
|
|
KeyVersion: d.Get("key_version").(int),
|
|
|
|
|
AssociatedData: d.Get("associated_data").(string),
|
2015-07-05 21:37:51 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-22 13:43:07 +00:00
|
|
|
batchResponseItems := make([]EncryptBatchResponseItem, len(batchInputItems))
|
2017-02-02 19:24:20 +00:00
|
|
|
contextSet := len(batchInputItems[0].Context) != 0
|
|
|
|
|
|
2021-11-15 21:53:22 +00:00
|
|
|
userErrorInBatch := false
|
|
|
|
|
internalErrorInBatch := false
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
// Before processing the batch request items, get the policy. If the
|
|
|
|
|
// policy is supposed to be upserted, then determine if 'derived' is to
|
|
|
|
|
// be set or not, based on the presence of 'context' field in all the
|
|
|
|
|
// input items.
|
|
|
|
|
for i, item := range batchInputItems {
|
|
|
|
|
if (len(item.Context) == 0 && contextSet) || (len(item.Context) != 0 && !contextSet) {
|
|
|
|
|
return logical.ErrorResponse("context should be set either in all the request blocks or in none"), logical.ErrInvalidRequest
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err := base64.StdEncoding.DecodeString(item.Plaintext)
|
2016-08-05 21:52:44 +00:00
|
|
|
if err != nil {
|
2021-11-15 21:53:22 +00:00
|
|
|
userErrorInBatch = true
|
2017-10-20 15:21:45 +00:00
|
|
|
batchResponseItems[i].Error = err.Error()
|
2017-02-02 19:24:20 +00:00
|
|
|
continue
|
2016-08-05 21:52:44 +00:00
|
|
|
}
|
2017-02-06 19:56:16 +00:00
|
|
|
|
|
|
|
|
// Decode the context
|
|
|
|
|
if len(item.Context) != 0 {
|
|
|
|
|
batchInputItems[i].DecodedContext, err = base64.StdEncoding.DecodeString(item.Context)
|
|
|
|
|
if err != nil {
|
2021-11-15 21:53:22 +00:00
|
|
|
userErrorInBatch = true
|
2017-02-06 19:56:16 +00:00
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Decode the nonce
|
|
|
|
|
if len(item.Nonce) != 0 {
|
|
|
|
|
batchInputItems[i].DecodedNonce, err = base64.StdEncoding.DecodeString(item.Nonce)
|
|
|
|
|
if err != nil {
|
2021-11-15 21:53:22 +00:00
|
|
|
userErrorInBatch = true
|
2017-02-06 19:56:16 +00:00
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-08-05 21:52:44 +00:00
|
|
|
}
|
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
// Get the policy
|
2016-10-26 23:52:31 +00:00
|
|
|
var p *keysutil.Policy
|
2016-04-26 15:39:19 +00:00
|
|
|
var upserted bool
|
2018-06-12 16:24:12 +00:00
|
|
|
var polReq keysutil.PolicyRequest
|
2020-06-01 17:16:01 +00:00
|
|
|
|
2016-04-26 15:39:19 +00:00
|
|
|
if req.Operation == logical.CreateOperation {
|
2016-09-21 14:29:42 +00:00
|
|
|
convergent := d.Get("convergent_encryption").(bool)
|
2017-02-02 19:24:20 +00:00
|
|
|
if convergent && !contextSet {
|
2016-09-21 14:29:42 +00:00
|
|
|
return logical.ErrorResponse("convergent encryption requires derivation to be enabled, so context is required"), nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-12 16:24:12 +00:00
|
|
|
polReq = keysutil.PolicyRequest{
|
|
|
|
|
Upsert: true,
|
2016-10-26 23:52:31 +00:00
|
|
|
Storage: req.Storage,
|
|
|
|
|
Name: name,
|
2017-02-02 19:24:20 +00:00
|
|
|
Derived: contextSet,
|
2016-10-26 23:52:31 +00:00
|
|
|
Convergent: convergent,
|
2016-09-21 14:29:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
keyType := d.Get("type").(string)
|
|
|
|
|
switch keyType {
|
2019-10-03 20:11:43 +00:00
|
|
|
case "aes128-gcm96":
|
|
|
|
|
polReq.KeyType = keysutil.KeyType_AES128_GCM96
|
2016-09-21 14:29:42 +00:00
|
|
|
case "aes256-gcm96":
|
2016-10-26 23:52:31 +00:00
|
|
|
polReq.KeyType = keysutil.KeyType_AES256_GCM96
|
2018-02-14 16:59:46 +00:00
|
|
|
case "chacha20-poly1305":
|
|
|
|
|
polReq.KeyType = keysutil.KeyType_ChaCha20_Poly1305
|
2019-10-03 16:32:43 +00:00
|
|
|
case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521":
|
2016-09-21 14:29:42 +00:00
|
|
|
return logical.ErrorResponse(fmt.Sprintf("key type %v not supported for this operation", keyType)), logical.ErrInvalidRequest
|
|
|
|
|
default:
|
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("unknown key type %v", keyType)), logical.ErrInvalidRequest
|
|
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
} else {
|
2018-06-12 16:24:12 +00:00
|
|
|
polReq = keysutil.PolicyRequest{
|
|
|
|
|
Storage: req.Storage,
|
|
|
|
|
Name: name,
|
|
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
}
|
2020-06-01 17:16:01 +00:00
|
|
|
|
2021-09-13 21:44:56 +00:00
|
|
|
p, upserted, err = b.GetPolicy(ctx, polReq, b.GetRandomReader())
|
2016-01-27 21:24:11 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
if p == nil {
|
2017-05-12 18:14:00 +00:00
|
|
|
return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
|
2015-04-16 00:08:12 +00:00
|
|
|
}
|
2018-06-12 16:24:12 +00:00
|
|
|
if !b.System().CachingDisabled() {
|
|
|
|
|
p.Lock(false)
|
|
|
|
|
}
|
2015-04-16 00:08:12 +00:00
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
// Process batch request items. If encryption of any request
|
|
|
|
|
// item fails, respectively mark the error in the response
|
|
|
|
|
// collection and continue to process other items.
|
2021-12-08 19:37:25 +00:00
|
|
|
warnAboutNonceUsage := false
|
2022-09-13 17:51:09 +00:00
|
|
|
successesInBatch := false
|
2017-02-02 19:24:20 +00:00
|
|
|
for i, item := range batchInputItems {
|
|
|
|
|
if batchResponseItems[i].Error != "" {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) {
|
|
|
|
|
warnAboutNonceUsage = true
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-24 17:41:02 +00:00
|
|
|
var factory interface{}
|
|
|
|
|
if item.AssociatedData != "" {
|
|
|
|
|
if !p.Type.AssociatedDataSupported() {
|
|
|
|
|
batchResponseItems[i].Error = fmt.Sprintf("'[%d].associated_data' provided for non-AEAD cipher suite %v", i, p.Type.String())
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
factory = AssocDataFactory{item.AssociatedData}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ciphertext, err := p.EncryptWithFactory(item.KeyVersion, item.DecodedContext, item.DecodedNonce, item.Plaintext, factory)
|
2017-02-02 19:24:20 +00:00
|
|
|
if err != nil {
|
|
|
|
|
switch err.(type) {
|
2021-11-15 21:53:22 +00:00
|
|
|
case errutil.InternalError:
|
|
|
|
|
internalErrorInBatch = true
|
2017-02-02 19:24:20 +00:00
|
|
|
default:
|
2021-11-15 21:53:22 +00:00
|
|
|
userErrorInBatch = true
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
2021-11-15 21:53:22 +00:00
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
|
continue
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ciphertext == "" {
|
2021-11-15 21:53:22 +00:00
|
|
|
userErrorInBatch = true
|
|
|
|
|
batchResponseItems[i].Error = fmt.Sprintf("empty ciphertext returned for input item %d", i)
|
|
|
|
|
continue
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
2015-04-16 00:08:12 +00:00
|
|
|
|
2022-09-13 17:51:09 +00:00
|
|
|
successesInBatch = true
|
2020-06-01 17:16:01 +00:00
|
|
|
keyVersion := item.KeyVersion
|
|
|
|
|
if keyVersion == 0 {
|
|
|
|
|
keyVersion = p.LatestVersion
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
batchResponseItems[i].Ciphertext = ciphertext
|
2020-06-01 17:16:01 +00:00
|
|
|
batchResponseItems[i].KeyVersion = keyVersion
|
2015-04-16 00:08:12 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
resp := &logical.Response{}
|
2017-02-06 19:56:16 +00:00
|
|
|
if batchInputRaw != nil {
|
2017-02-02 19:24:20 +00:00
|
|
|
resp.Data = map[string]interface{}{
|
2017-02-06 19:56:16 +00:00
|
|
|
"batch_results": batchResponseItems,
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if batchResponseItems[0].Error != "" {
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2021-11-15 21:53:22 +00:00
|
|
|
|
|
|
|
|
if internalErrorInBatch {
|
|
|
|
|
return nil, errutil.InternalError{Err: batchResponseItems[0].Error}
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
return logical.ErrorResponse(batchResponseItems[0].Error), logical.ErrInvalidRequest
|
|
|
|
|
}
|
2020-06-01 17:16:01 +00:00
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
resp.Data = map[string]interface{}{
|
2020-06-01 17:16:01 +00:00
|
|
|
"ciphertext": batchResponseItems[0].Ciphertext,
|
|
|
|
|
"key_version": batchResponseItems[0].KeyVersion,
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
2015-04-16 00:08:12 +00:00
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
if constants.IsFIPS() && warnAboutNonceUsage {
|
|
|
|
|
resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-26 15:39:19 +00:00
|
|
|
if req.Operation == logical.CreateOperation && !upserted {
|
|
|
|
|
resp.AddWarning("Attempted creation of the key during the encrypt operation, but it was created beforehand")
|
|
|
|
|
}
|
2018-06-12 16:24:12 +00:00
|
|
|
|
|
|
|
|
p.Unlock()
|
2021-11-15 21:53:22 +00:00
|
|
|
|
2022-09-13 17:51:09 +00:00
|
|
|
return batchRequestResponse(d, resp, req, successesInBatch, userErrorInBatch, internalErrorInBatch)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Depending on the errors in the batch, different status codes should be returned. User errors
|
|
|
|
|
// will return a 400 and precede internal errors which return a 500. The reasoning behind this is
|
|
|
|
|
// that user errors are non-retryable without making changes to the request, and should be surfaced
|
|
|
|
|
// to the user first.
|
|
|
|
|
func batchRequestResponse(d *framework.FieldData, resp *logical.Response, req *logical.Request, successesInBatch, userErrorInBatch, internalErrorInBatch bool) (*logical.Response, error) {
|
2021-11-15 21:53:22 +00:00
|
|
|
switch {
|
|
|
|
|
case userErrorInBatch:
|
2022-09-13 17:51:09 +00:00
|
|
|
code := http.StatusBadRequest
|
|
|
|
|
if successesInBatch {
|
|
|
|
|
if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok {
|
|
|
|
|
code = codeRaw.(int)
|
|
|
|
|
if code < 1 || code > 599 {
|
|
|
|
|
resp.AddWarning("invalid HTTP response code override from partial_failure_response_code, reverting to HTTP 400")
|
|
|
|
|
code = http.StatusBadRequest
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return logical.RespondWithStatusCode(resp, req, code)
|
2021-11-15 21:53:22 +00:00
|
|
|
case internalErrorInBatch:
|
|
|
|
|
return logical.RespondWithStatusCode(resp, req, http.StatusInternalServerError)
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-16 00:08:12 +00:00
|
|
|
return resp, nil
|
|
|
|
|
}
|
2015-04-27 19:47:09 +00:00
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
// shouldWarnAboutNonceUsage attempts to determine if we will use a provided nonce or not. Ideally this
|
|
|
|
|
// would be information returned through p.Encrypt but that would require an SDK api change and this is
|
|
|
|
|
// transit specific
|
|
|
|
|
func shouldWarnAboutNonceUsage(p *keysutil.Policy, userSuppliedNonce []byte) bool {
|
|
|
|
|
if len(userSuppliedNonce) == 0 {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var supportedKeyType bool
|
|
|
|
|
switch p.Type {
|
|
|
|
|
case keysutil.KeyType_AES128_GCM96, keysutil.KeyType_AES256_GCM96, keysutil.KeyType_ChaCha20_Poly1305:
|
|
|
|
|
supportedKeyType = true
|
|
|
|
|
default:
|
|
|
|
|
supportedKeyType = false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if supportedKeyType && p.ConvergentEncryption && p.ConvergentVersion == 1 {
|
|
|
|
|
// We only use the user supplied nonce for v1 convergent encryption keys
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if supportedKeyType && !p.ConvergentEncryption {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
const pathEncryptHelpSyn = `Encrypt a plaintext value or a batch of plaintext
|
|
|
|
|
blocks using a named key`
|
2015-04-27 19:47:09 +00:00
|
|
|
|
|
|
|
|
const pathEncryptHelpDesc = `
|
2017-02-02 19:24:20 +00:00
|
|
|
This path uses the named key from the request path to encrypt a user provided
|
|
|
|
|
plaintext or a batch of plaintext blocks. The plaintext must be base64 encoded.
|
2015-04-27 19:47:09 +00:00
|
|
|
`
|
