open-vault/vault/seal/shamir/shamir.go

package shamir

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"

	log "github.com/hashicorp/go-hclog"
	"github.com/hashicorp/go-uuid"
	"github.com/hashicorp/vault/sdk/physical"
	"github.com/hashicorp/vault/vault/seal"
)

// ShamirSeal implements the seal.Access interface for Shamir unseal
type ShamirSeal struct {
	logger log.Logger
	aead   cipher.AEAD
}

// Ensure that we are implementing AutoSealAccess
var _ seal.Access = (*ShamirSeal)(nil)

// NewSeal creates a new ShamirSeal with the provided logger
func NewSeal(logger log.Logger) *ShamirSeal {
	seal := &ShamirSeal{
		logger: logger,
	}
	return seal
}

// SetConfig sets the fields on the ShamirSeal object based on
// values from the config parameter.
func (s *ShamirSeal) SetConfig(config map[string]string) (map[string]string, error) {
	// Map that holds non-sensitive configuration info
	sealInfo := make(map[string]string)

	if config == nil || config["key"] == "" {
		return sealInfo, nil
	}

	keyB64 := config["key"]
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return sealInfo, err
	}

	aesCipher, err := aes.NewCipher(key)
	if err != nil {
		return sealInfo, err
	}

	aead, err := cipher.NewGCM(aesCipher)
	if err != nil {
		return sealInfo, err
	}

	s.aead = aead

	return sealInfo, nil
}

// Init is called during core.Initialize. No-op at the moment.
func (s *ShamirSeal) Init(_ context.Context) error {
	return nil
}

// Finalize is called during shutdown. This is a no-op since
// ShamirSeal doesn't require any cleanup.
func (s *ShamirSeal) Finalize(_ context.Context) error {
	return nil
}

// SealType returns the seal type for this particular seal implementation.
func (s *ShamirSeal) SealType() string {
	return seal.Shamir
}

// KeyID returns the last known key id.
func (s *ShamirSeal) KeyID() string {
	return ""
}

// Encrypt is used to encrypt the plaintext using the aead held by the seal.
func (s *ShamirSeal) Encrypt(_ context.Context, plaintext []byte) (*physical.EncryptedBlobInfo, error) {
	if plaintext == nil {
		return nil, fmt.Errorf("given plaintext for encryption is nil")
	}

	if s.aead == nil {
		return nil, errors.New("aead is not configured in the seal")
	}

	iv, err := uuid.GenerateRandomBytes(12)
	if err != nil {
		return nil, err
	}

	ciphertext := s.aead.Seal(nil, iv, plaintext, nil)

	return &physical.EncryptedBlobInfo{
		Ciphertext: append(iv, ciphertext...),
	}, nil
}

func (s *ShamirSeal) Decrypt(_ context.Context, in *physical.EncryptedBlobInfo) ([]byte, error) {
	if in == nil {
		return nil, fmt.Errorf("given plaintext for encryption is nil")
	}

	if s.aead == nil {
		return nil, errors.New("aead is not configured in the seal")
	}

	iv, ciphertext := in.Ciphertext[:12], in.Ciphertext[12:]

	plaintext, err := s.aead.Open(nil, iv, ciphertext, nil)
	if err != nil {
		return nil, err
	}

	return plaintext, nil
}
Raft Storage Backend (#6888) * Work on raft backend * Add logstore locally * Add encryptor and unsealable interfaces * Add clustering support to raft * Remove client and handler * Bootstrap raft on init * Cleanup raft logic a bit * More raft work * Work on TLS config * More work on bootstrapping * Fix build * More work on bootstrapping * More bootstrapping work * fix build * Remove consul dep * Fix build * merged oss/master into raft-storage * Work on bootstrapping * Get bootstrapping to work * Clean up FMS and node-id * Update local node ID logic * Cleanup node-id change * Work on snapshotting * Raft: Add remove peer API (#906) * Add remove peer API * Add some comments * Fix existing snapshotting (#909) * Raft get peers API (#912) * Read raft configuration * address review feedback * Use the Leadership Transfer API to step-down the active node (#918) * Raft join and unseal using Shamir keys (#917) * Raft join using shamir * Store AEAD instead of master key * Split the raft join process to answer the challenge after a successful unseal * get the follower to standby state * Make unseal work * minor changes * Some input checks * reuse the shamir seal access instead of new default seal access * refactor joinRaftSendAnswer function * Synchronously send answer in auto-unseal case * Address review feedback * Raft snapshots (#910) * Fix existing snapshotting * implement the noop snapshotting * Add comments and switch log libraries * add some snapshot tests * add snapshot test file * add TODO * More work on raft snapshotting * progress on the ConfigStore strategy * Don't use two buckets * Update the snapshot store logic to hide the file logic * Add more backend tests * Cleanup code a bit * [WIP] Raft recovery (#938) * Add recovery functionality * remove fmt.Printfs * Fix a few fsm bugs * Add max size value for raft backend (#942) * Add max size value for raft backend * Include physical.ErrValueTooLarge in the message * Raft snapshot Take/Restore API (#926) * Inital work on raft snapshot APIs * Always redirect snapshot install/download requests * More work on the snapshot APIs * Cleanup code a bit * On restore handle special cases * Use the seal to encrypt the sha sum file * Add sealer mechanism and fix some bugs * Call restore while state lock is held * Send restore cb trigger through raft log * Make error messages nicer * Add test helpers * Add snapshot test * Add shamir unseal test * Add more raft snapshot API tests * Fix locking * Change working to initalize * Add underlying raw object to test cluster core * Move leaderUUID to core * Add raft TLS rotation logic (#950) * Add TLS rotation logic * Cleanup logic a bit * Add/Remove from follower state on add/remove peer * add comments * Update more comments * Update request_forwarding_service.proto * Make sure we populate all nodes in the followerstate obj * Update times * Apply review feedback * Add more raft config setting (#947) * Add performance config setting * Add more config options and fix tests * Test Raft Recovery (#944) * Test raft recovery * Leave out a node during recovery * remove unused struct * Update physical/raft/snapshot_test.go * Update physical/raft/snapshot_test.go * fix vendoring * Switch to new raft interface * Remove unused files * Switch a gogo -> proto instance * Remove unneeded vault dep in go.sum * Update helper/testhelpers/testhelpers.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * Update vault/cluster/cluster.go * track active key within the keyring itself (#6915) * track active key within the keyring itself * lookup and store using the active key ID * update docstring * minor refactor * Small text fixes (#6912) * Update physical/raft/raft.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * review feedback * Move raft logical system into separate file * Update help text a bit * Enforce cluster addr is set and use it for raft bootstrapping * Fix tests * fix http test panic * Pull in latest raft-snapshot library * Add comment 2019-06-20 19:14:58 +00:00			`package shamir`

			`import (`
			`"context"`
			`"crypto/aes"`
			`"crypto/cipher"`
			`"encoding/base64"`
			`"errors"`
			`"fmt"`

			`log "github.com/hashicorp/go-hclog"`
			`"github.com/hashicorp/go-uuid"`
			`"github.com/hashicorp/vault/sdk/physical"`
			`"github.com/hashicorp/vault/vault/seal"`
			`)`

			`// ShamirSeal implements the seal.Access interface for Shamir unseal`
			`type ShamirSeal struct {`
			`logger log.Logger`
			`aead cipher.AEAD`
			`}`

			`// Ensure that we are implementing AutoSealAccess`
			`var _ seal.Access = (*ShamirSeal)(nil)`

			`// NewSeal creates a new ShamirSeal with the provided logger`
			`func NewSeal(logger log.Logger) *ShamirSeal {`
			`seal := &ShamirSeal{`
			`logger: logger,`
			`}`
			`return seal`
			`}`

			`// SetConfig sets the fields on the ShamirSeal object based on`
			`// values from the config parameter.`
			`func (s *ShamirSeal) SetConfig(config map[string]string) (map[string]string, error) {`
			`// Map that holds non-sensitive configuration info`
			`sealInfo := make(map[string]string)`

			`if config == nil \|\| config["key"] == "" {`
			`return sealInfo, nil`
			`}`

			`keyB64 := config["key"]`
			`key, err := base64.StdEncoding.DecodeString(keyB64)`
			`if err != nil {`
			`return sealInfo, err`
			`}`

			`aesCipher, err := aes.NewCipher(key)`
			`if err != nil {`
			`return sealInfo, err`
			`}`

			`aead, err := cipher.NewGCM(aesCipher)`
			`if err != nil {`
			`return sealInfo, err`
			`}`

			`s.aead = aead`

			`return sealInfo, nil`
			`}`

			`// Init is called during core.Initialize. No-op at the moment.`
			`func (s *ShamirSeal) Init(_ context.Context) error {`
			`return nil`
			`}`

			`// Finalize is called during shutdown. This is a no-op since`
			`// ShamirSeal doesn't require any cleanup.`
			`func (s *ShamirSeal) Finalize(_ context.Context) error {`
			`return nil`
			`}`

			`// SealType returns the seal type for this particular seal implementation.`
			`func (s *ShamirSeal) SealType() string {`
			`return seal.Shamir`
			`}`

			`// KeyID returns the last known key id.`
			`func (s *ShamirSeal) KeyID() string {`
			`return ""`
			`}`

			`// Encrypt is used to encrypt the plaintext using the aead held by the seal.`
			`func (s ShamirSeal) Encrypt(_ context.Context, plaintext []byte) (physical.EncryptedBlobInfo, error) {`
			`if plaintext == nil {`
			`return nil, fmt.Errorf("given plaintext for encryption is nil")`
			`}`

			`if s.aead == nil {`
			`return nil, errors.New("aead is not configured in the seal")`
			`}`

			`iv, err := uuid.GenerateRandomBytes(12)`
			`if err != nil {`
			`return nil, err`
			`}`

			`ciphertext := s.aead.Seal(nil, iv, plaintext, nil)`

			`return &physical.EncryptedBlobInfo{`
			`Ciphertext: append(iv, ciphertext...),`
			`}, nil`
			`}`

			`func (s ShamirSeal) Decrypt(_ context.Context, in physical.EncryptedBlobInfo) ([]byte, error) {`
			`if in == nil {`
			`return nil, fmt.Errorf("given plaintext for encryption is nil")`
			`}`

			`if s.aead == nil {`
			`return nil, errors.New("aead is not configured in the seal")`
			`}`

			`iv, ciphertext := in.Ciphertext[:12], in.Ciphertext[12:]`

			`plaintext, err := s.aead.Open(nil, iv, ciphertext, nil)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return plaintext, nil`
			`}`