open-vault/builtin/logical/transit/path_keys.go

package transit

import (
	"crypto/rand"
	"encoding/json"
	"fmt"

	"github.com/hashicorp/vault/helper/kdf"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

const (
	// kdfMode is the only KDF mode currently supported
	kdfMode = "hmac-sha256-counter"
)

// Policy is the struct used to store metadata
type Policy struct {
	Name       string `json:"name"`
	Key        []byte `json:"key"`
	CipherMode string `json:"cipher"`

	// Derived keys MUST provide a context and the
	// master underlying key is never used.
	Derived bool   `json:"derived"`
	KDFMode string `json:"kdf_mode"`
}

func (p *Policy) Serialize() ([]byte, error) {
	return json.Marshal(p)
}

// DeriveKey is used to derive the encryption key that should
// be used depending on the policy. If derivation is disabled the
// raw key is used and no context is required, otherwise the KDF
// mode is used with the context to derive the proper key.
func (p *Policy) DeriveKey(context []byte) ([]byte, error) {
	// Fast-path non-derived keys
	if !p.Derived {
		return p.Key, nil
	}

	// Ensure a context is provided
	if len(context) == 0 {
		return nil, fmt.Errorf("missing 'context' for key deriviation. The key was created using a derived key, which means additional, per-request information must be included in order to encrypt or decrypt information.")
	}

	switch p.KDFMode {
	case kdfMode:
		prf := kdf.HMACSHA256PRF
		prfLen := kdf.HMACSHA256PRFLen
		return kdf.CounterMode(prf, prfLen, p.Key, context, 256)
	default:
		return nil, fmt.Errorf("unsupported key derivation mode")
	}
}

func DeserializePolicy(buf []byte) (*Policy, error) {
	p := new(Policy)
	if err := json.Unmarshal(buf, p); err != nil {
		return nil, err
	}
	return p, nil
}

func getPolicy(req *logical.Request, name string) (*Policy, error) {
	// Check if the policy already exists
	raw, err := req.Storage.Get("policy/" + name)
	if err != nil {
		return nil, err
	}
	if raw == nil {
		return nil, nil
	}

	// Decode the policy
	p, err := DeserializePolicy(raw.Value)
	if err != nil {
		return nil, err
	}
	return p, nil
}

// generatePolicy is used to create a new named policy with
// a randomly generated key
func generatePolicy(storage logical.Storage, name string, derived bool) (*Policy, error) {
	// Create the policy object
	p := &Policy{
		Name:       name,
		CipherMode: "aes-gcm",
		Derived:    derived,
	}
	if derived {
		p.KDFMode = kdfMode
	}

	// Generate a 256bit key
	p.Key = make([]byte, 32)
	_, err := rand.Read(p.Key)
	if err != nil {
		return nil, err
	}

	// Encode the policy
	buf, err := p.Serialize()
	if err != nil {
		return nil, err
	}

	// Write the policy into storage
	err = storage.Put(&logical.StorageEntry{
		Key:   "policy/" + name,
		Value: buf,
	})
	if err != nil {
		return nil, err
	}

	// Return the policy
	return p, nil
}

func pathKeys() *framework.Path {
	return &framework.Path{
		Pattern: `keys/(?P<name>\w+)`,
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the key",
			},

			"derived": &framework.FieldSchema{
				Type:        framework.TypeBool,
				Description: "Enables key derivation mode. This allows for per-transaction unique keys",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.WriteOperation:  pathPolicyWrite,
			logical.DeleteOperation: pathPolicyDelete,
			logical.ReadOperation:   pathPolicyRead,
		},

		HelpSynopsis:    pathPolicyHelpSyn,
		HelpDescription: pathPolicyHelpDesc,
	}
}

func pathPolicyWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	derived := d.Get("derived").(bool)

	// Check if the policy already exists
	existing, err := getPolicy(req, name)
	if err != nil {
		return nil, err
	}
	if existing != nil {
		return nil, nil
	}

	// Generate the policy
	_, err = generatePolicy(req.Storage, name, derived)
	return nil, err
}

func pathPolicyRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	p, err := getPolicy(req, name)
	if err != nil {
		return nil, err
	}
	if p == nil {
		return nil, nil
	}

	// Return the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"name":        p.Name,
			"cipher_mode": p.CipherMode,
			"derived":     p.Derived,
		},
	}
	if p.Derived {
		resp.Data["kdf_mode"] = p.KDFMode
	}
	return resp, nil
}

func pathPolicyDelete(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	err := req.Storage.Delete("policy/" + name)
	if err != nil {
		return nil, err
	}
	return nil, nil
}

const pathPolicyHelpSyn = `Managed named encrption keys`

const pathPolicyHelpDesc = `
This path is used to manage the named keys that are available.
Doing a write with no value against a new named key will create
it using a randomly generated key.
`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
			`"crypto/rand"`
			`"encoding/json"`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`"fmt"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`"github.com/hashicorp/vault/helper/kdf"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`const (`
			`// kdfMode is the only KDF mode currently supported`
			`kdfMode = "hmac-sha256-counter"`
			`)`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`// Policy is the struct used to store metadata`
			`type Policy struct {`
			Name string `json:"name"`
			Key []byte `json:"key"`
			CipherMode string `json:"cipher"`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00
			`// Derived keys MUST provide a context and the`
			`// master underlying key is never used.`
			Derived bool `json:"derived"`
			KDFMode string `json:"kdf_mode"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

			`func (p *Policy) Serialize() ([]byte, error) {`
			`return json.Marshal(p)`
			`}`

secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`// DeriveKey is used to derive the encryption key that should`
			`// be used depending on the policy. If derivation is disabled the`
			`// raw key is used and no context is required, otherwise the KDF`
			`// mode is used with the context to derive the proper key.`
			`func (p *Policy) DeriveKey(context []byte) ([]byte, error) {`
			`// Fast-path non-derived keys`
			`if !p.Derived {`
			`return p.Key, nil`
			`}`

			`// Ensure a context is provided`
			`if len(context) == 0 {`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`return nil, fmt.Errorf("missing 'context' for key deriviation. The key was created using a derived key, which means additional, per-request information must be included in order to encrypt or decrypt information.")`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`}`

			`switch p.KDFMode {`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`case kdfMode:`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`prf := kdf.HMACSHA256PRF`
			`prfLen := kdf.HMACSHA256PRFLen`
			`return kdf.CounterMode(prf, prfLen, p.Key, context, 256)`
			`default:`
			`return nil, fmt.Errorf("unsupported key derivation mode")`
			`}`
			`}`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`func DeserializePolicy(buf []byte) (*Policy, error) {`
			`p := new(Policy)`
			`if err := json.Unmarshal(buf, p); err != nil {`
			`return nil, err`
			`}`
			`return p, nil`
			`}`

			`func getPolicy(req logical.Request, name string) (Policy, error) {`
			`// Check if the policy already exists`
			`raw, err := req.Storage.Get("policy/" + name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if raw == nil {`
			`return nil, nil`
			`}`

			`// Decode the policy`
			`p, err := DeserializePolicy(raw.Value)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return p, nil`
			`}`

secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`// generatePolicy is used to create a new named policy with`
			`// a randomly generated key`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`func generatePolicy(storage logical.Storage, name string, derived bool) (*Policy, error) {`
secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`// Create the policy object`
			`p := &Policy{`
			`Name: name,`
			`CipherMode: "aes-gcm",`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`Derived: derived,`
			`}`
			`if derived {`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`p.KDFMode = kdfMode`
secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`}`

			`// Generate a 256bit key`
			`p.Key = make([]byte, 32)`
			`_, err := rand.Read(p.Key)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Encode the policy`
			`buf, err := p.Serialize()`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Write the policy into storage`
			`err = storage.Put(&logical.StorageEntry{`
			`Key: "policy/" + name,`
			`Value: buf,`
			`})`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Return the policy`
			`return p, nil`
			`}`

secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			`func pathKeys() *framework.Path {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return &framework.Path{`
secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			Pattern: `keys/(?P<name>\w+)`,
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
secret/transit: rename policy to keys 2015-04-27 20:52:47 +00:00			`Description: "Name of the key",`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00
			`"derived": &framework.FieldSchema{`
			`Type: framework.TypeBool,`
			`Description: "Enables key derivation mode. This allows for per-transaction unique keys",`
			`},`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.WriteOperation: pathPolicyWrite,`
			`logical.DeleteOperation: pathPolicyDelete,`
			`logical.ReadOperation: pathPolicyRead,`
			`},`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			`HelpSynopsis: pathPolicyHelpSyn,`
			`HelpDescription: pathPolicyHelpDesc,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
			`}`

			`func pathPolicyWrite(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`derived := d.Get("derived").(bool)`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`// Check if the policy already exists`
			`existing, err := getPolicy(req, name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if existing != nil {`
			`return nil, nil`
			`}`

secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`// Generate the policy`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`_, err = generatePolicy(req.Storage, name, derived)`
secret/transit: allow policies to be upserted 2015-06-18 01:51:05 +00:00			`return nil, err`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

			`func pathPolicyRead(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
			`p, err := getPolicy(req, name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if p == nil {`
			`return nil, nil`
			`}`

			`// Return the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
			`"name": p.Name,`
			`"cipher_mode": p.CipherMode,`
secret/transit: support derived keys 2015-07-05 21:11:02 +00:00			`"derived": p.Derived,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`
			`}`
secret/transit: address PR feedback 2015-07-06 01:58:31 +00:00			`if p.Derived {`
			`resp.Data["kdf_mode"] = p.KDFMode`
			`}`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`return resp, nil`
			`}`

			`func pathPolicyDelete(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`

			`err := req.Storage.Delete("policy/" + name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return nil, nil`
			`}`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			const pathPolicyHelpSyn = `Managed named encrption keys`

			const pathPolicyHelpDesc = `
			`This path is used to manage the named keys that are available.`
			`Doing a write with no value against a new named key will create`
			`it using a randomly generated key.`
			`