2015-05-23 00:04:40 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"fmt"
|
2015-05-23 02:31:11 +00:00
|
|
|
"time"
|
2016-07-06 16:25:40 +00:00
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/helper/jsonutil"
|
2015-05-23 00:04:40 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Keyring is used to manage multiple encryption keys used by
|
|
|
|
|
// the barrier. New keys can be installed and each has a sequential term.
|
|
|
|
|
// The term used to encrypt a key is prefixed to the key written out.
|
|
|
|
|
// All data is encrypted with the latest key, but storing the old keys
|
|
|
|
|
// allows for decryption of keys written previously. Along with the encryption
|
|
|
|
|
// keys, the keyring also tracks the master key. This is necessary so that
|
|
|
|
|
// when a new key is added to the keyring, we can encrypt with the master key
|
|
|
|
|
// and write out the new keyring.
|
|
|
|
|
type Keyring struct {
|
|
|
|
|
masterKey []byte
|
|
|
|
|
keys map[uint32]*Key
|
|
|
|
|
activeTerm uint32
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// EncodedKeyring is used for serialization of the keyring
|
|
|
|
|
type EncodedKeyring struct {
|
|
|
|
|
MasterKey []byte
|
|
|
|
|
Keys []*Key
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Key represents a single term, along with the key used.
|
|
|
|
|
type Key struct {
|
2015-05-23 02:31:11 +00:00
|
|
|
Term uint32
|
2015-05-27 22:23:31 +00:00
|
|
|
Version int
|
2015-05-23 02:31:11 +00:00
|
|
|
Value []byte
|
|
|
|
|
InstallTime time.Time
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
|
2015-05-28 22:49:52 +00:00
|
|
|
// Serialize is used to create a byte encoded key
|
|
|
|
|
func (k *Key) Serialize() ([]byte, error) {
|
2015-10-15 18:51:30 +00:00
|
|
|
return json.Marshal(k)
|
2015-05-28 22:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// DeserializeKey is used to deserialize and return a new key
|
|
|
|
|
func DeserializeKey(buf []byte) (*Key, error) {
|
|
|
|
|
k := new(Key)
|
2016-07-06 16:25:40 +00:00
|
|
|
if err := jsonutil.DecodeJSON(buf, k); err != nil {
|
2015-05-28 22:49:52 +00:00
|
|
|
return nil, fmt.Errorf("deserialization failed: %v", err)
|
|
|
|
|
}
|
|
|
|
|
return k, nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-23 00:04:40 +00:00
|
|
|
// NewKeyring creates a new keyring
|
|
|
|
|
func NewKeyring() *Keyring {
|
|
|
|
|
k := &Keyring{
|
|
|
|
|
keys: make(map[uint32]*Key),
|
|
|
|
|
activeTerm: 0,
|
|
|
|
|
}
|
|
|
|
|
return k
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-27 23:58:55 +00:00
|
|
|
// Clone returns a new copy of the keyring
|
|
|
|
|
func (k *Keyring) Clone() *Keyring {
|
|
|
|
|
clone := &Keyring{
|
|
|
|
|
masterKey: k.masterKey,
|
|
|
|
|
keys: make(map[uint32]*Key, len(k.keys)),
|
|
|
|
|
activeTerm: k.activeTerm,
|
|
|
|
|
}
|
|
|
|
|
for idx, key := range k.keys {
|
|
|
|
|
clone.keys[idx] = key
|
|
|
|
|
}
|
|
|
|
|
return clone
|
|
|
|
|
}
|
2015-05-23 00:04:40 +00:00
|
|
|
|
2015-05-27 23:58:55 +00:00
|
|
|
// AddKey adds a new key to the keyring
|
|
|
|
|
func (k *Keyring) AddKey(key *Key) (*Keyring, error) {
|
2015-10-15 18:51:30 +00:00
|
|
|
// Ensure there is no conflict
|
2015-05-23 02:31:11 +00:00
|
|
|
if exist, ok := k.keys[key.Term]; ok {
|
|
|
|
|
if !bytes.Equal(key.Value, exist.Value) {
|
2015-05-27 23:58:55 +00:00
|
|
|
return nil, fmt.Errorf("Conflicting key for term %d already installed", key.Term)
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
2015-05-27 23:58:55 +00:00
|
|
|
return k, nil
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
|
2015-05-27 19:12:16 +00:00
|
|
|
// Add a time if none
|
|
|
|
|
if key.InstallTime.IsZero() {
|
|
|
|
|
key.InstallTime = time.Now()
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-27 23:58:55 +00:00
|
|
|
// Make a new keyring
|
|
|
|
|
clone := k.Clone()
|
|
|
|
|
|
2015-05-23 00:04:40 +00:00
|
|
|
// Install the new key
|
2015-05-27 23:58:55 +00:00
|
|
|
clone.keys[key.Term] = key
|
2015-05-23 00:04:40 +00:00
|
|
|
|
|
|
|
|
// Update the active term if newer
|
2015-05-27 23:58:55 +00:00
|
|
|
if key.Term > clone.activeTerm {
|
|
|
|
|
clone.activeTerm = key.Term
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
2015-05-27 23:58:55 +00:00
|
|
|
return clone, nil
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
|
2015-06-02 14:04:05 +00:00
|
|
|
// RemoveKey removes a key from the keyring
|
2015-05-27 23:58:55 +00:00
|
|
|
func (k *Keyring) RemoveKey(term uint32) (*Keyring, error) {
|
2015-05-23 00:04:40 +00:00
|
|
|
// Ensure this is not the active key
|
|
|
|
|
if term == k.activeTerm {
|
2015-05-27 23:58:55 +00:00
|
|
|
return nil, fmt.Errorf("Cannot remove active key")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if this term does not exist
|
|
|
|
|
if _, ok := k.keys[term]; !ok {
|
|
|
|
|
return k, nil
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Delete the key
|
2015-05-27 23:58:55 +00:00
|
|
|
clone := k.Clone()
|
|
|
|
|
delete(clone.keys, term)
|
|
|
|
|
return clone, nil
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ActiveTerm returns the currently active term
|
|
|
|
|
func (k *Keyring) ActiveTerm() uint32 {
|
|
|
|
|
return k.activeTerm
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ActiveKey returns the active encryption key, or nil
|
|
|
|
|
func (k *Keyring) ActiveKey() *Key {
|
|
|
|
|
return k.keys[k.activeTerm]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TermKey returns the key for the given term, or nil
|
|
|
|
|
func (k *Keyring) TermKey(term uint32) *Key {
|
|
|
|
|
return k.keys[term]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// SetMasterKey is used to update the master key
|
2015-05-27 23:58:55 +00:00
|
|
|
func (k *Keyring) SetMasterKey(val []byte) *Keyring {
|
2015-05-28 18:38:59 +00:00
|
|
|
valCopy := make([]byte, len(val))
|
|
|
|
|
copy(valCopy, val)
|
2015-05-27 23:58:55 +00:00
|
|
|
clone := k.Clone()
|
2015-05-28 18:38:59 +00:00
|
|
|
clone.masterKey = valCopy
|
2015-05-27 23:58:55 +00:00
|
|
|
return clone
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MasterKey returns the master key
|
|
|
|
|
func (k *Keyring) MasterKey() []byte {
|
|
|
|
|
return k.masterKey
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Serialize is used to create a byte encoded keyring
|
|
|
|
|
func (k *Keyring) Serialize() ([]byte, error) {
|
|
|
|
|
// Create the encoded entry
|
|
|
|
|
enc := EncodedKeyring{
|
|
|
|
|
MasterKey: k.masterKey,
|
|
|
|
|
}
|
|
|
|
|
for _, key := range k.keys {
|
|
|
|
|
enc.Keys = append(enc.Keys, key)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// JSON encode the keyring
|
|
|
|
|
buf, err := json.Marshal(enc)
|
|
|
|
|
return buf, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// DeserializeKeyring is used to deserialize and return a new keyring
|
|
|
|
|
func DeserializeKeyring(buf []byte) (*Keyring, error) {
|
|
|
|
|
// Deserialize the keyring
|
|
|
|
|
var enc EncodedKeyring
|
2016-07-06 16:25:40 +00:00
|
|
|
if err := jsonutil.DecodeJSON(buf, &enc); err != nil {
|
2015-05-23 00:04:40 +00:00
|
|
|
return nil, fmt.Errorf("deserialization failed: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create a new keyring
|
|
|
|
|
k := NewKeyring()
|
2015-05-27 23:58:55 +00:00
|
|
|
k.masterKey = enc.MasterKey
|
2015-05-23 00:04:40 +00:00
|
|
|
for _, key := range enc.Keys {
|
2015-05-27 23:58:55 +00:00
|
|
|
k.keys[key.Term] = key
|
|
|
|
|
if key.Term > k.activeTerm {
|
|
|
|
|
k.activeTerm = key.Term
|
2015-05-23 00:04:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return k, nil
|
|
|
|
|
}
|
2016-05-27 20:47:40 +00:00
|
|
|
|
|
|
|
|
// N.B.:
|
|
|
|
|
// Since Go 1.5 these are not reliable; see the documentation around the memzero
|
|
|
|
|
// function. These are best-effort.
|
|
|
|
|
func (k *Keyring) Zeroize(keysToo bool) {
|
|
|
|
|
if k == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if k.masterKey != nil {
|
|
|
|
|
memzero(k.masterKey)
|
|
|
|
|
}
|
|
|
|
|
if !keysToo || k.keys == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
for _, key := range k.keys {
|
|
|
|
|
memzero(key.Value)
|
|
|
|
|
}
|
|
|
|
|
}
|
