2015-04-16 00:08:12 +00:00
|
|
|
package transit
|
|
|
|
|
|
|
|
import (
|
2016-09-21 14:29:42 +00:00
|
|
|
"crypto/elliptic"
|
2017-11-03 14:45:53 +00:00
|
|
|
"crypto/x509"
|
2017-06-05 19:00:39 +00:00
|
|
|
"encoding/base64"
|
2017-11-03 14:45:53 +00:00
|
|
|
"encoding/pem"
|
2015-07-05 21:19:24 +00:00
|
|
|
"fmt"
|
2015-09-17 22:49:50 +00:00
|
|
|
"strconv"
|
2017-06-05 19:00:39 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"golang.org/x/crypto/ed25519"
|
2015-04-16 00:08:12 +00:00
|
|
|
|
2017-07-05 15:25:10 +00:00
|
|
|
"github.com/fatih/structs"
|
2016-10-26 23:52:31 +00:00
|
|
|
"github.com/hashicorp/vault/helper/keysutil"
|
2015-04-16 00:08:12 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
)
|
|
|
|
|
2016-10-18 14:13:01 +00:00
|
|
|
func (b *backend) pathListKeys() *framework.Path {
|
|
|
|
return &framework.Path{
|
|
|
|
Pattern: "keys/?$",
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
|
|
logical.ListOperation: b.pathKeysList,
|
|
|
|
},
|
|
|
|
|
|
|
|
HelpSynopsis: pathPolicyHelpSyn,
|
|
|
|
HelpDescription: pathPolicyHelpDesc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
func (b *backend) pathKeys() *framework.Path {
|
2015-04-16 00:08:12 +00:00
|
|
|
return &framework.Path{
|
2015-08-21 07:56:13 +00:00
|
|
|
Pattern: "keys/" + framework.GenericNameRegex("name"),
|
2015-04-16 00:08:12 +00:00
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
"name": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
2015-04-27 20:52:47 +00:00
|
|
|
Description: "Name of the key",
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
2015-07-05 21:11:02 +00:00
|
|
|
|
2016-09-21 14:29:42 +00:00
|
|
|
"type": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Default: "aes256-gcm96",
|
2017-11-03 14:45:53 +00:00
|
|
|
Description: `
|
|
|
|
The type of key to create. Currently, "aes256-gcm96" (symmetric), "ecdsa-p256"
|
|
|
|
(asymmetric), 'ed25519' (asymmetric), 'rsa-2048' (asymmetric), 'rsa-4096'
|
|
|
|
(asymmetric) are supported. Defaults to "aes256-gcm96".
|
|
|
|
`,
|
2016-09-21 14:29:42 +00:00
|
|
|
},
|
|
|
|
|
2015-07-05 21:11:02 +00:00
|
|
|
"derived": &framework.FieldSchema{
|
2016-08-05 21:52:44 +00:00
|
|
|
Type: framework.TypeBool,
|
|
|
|
Description: `Enables key derivation mode. This
|
2016-09-21 14:29:42 +00:00
|
|
|
allows for per-transaction unique
|
|
|
|
keys for encryption operations.`,
|
2015-07-05 21:11:02 +00:00
|
|
|
},
|
2016-06-20 17:17:48 +00:00
|
|
|
|
|
|
|
"convergent_encryption": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeBool,
|
2016-08-05 21:52:44 +00:00
|
|
|
Description: `Whether to support convergent encryption.
|
2016-06-20 17:17:48 +00:00
|
|
|
This is only supported when using a key with
|
|
|
|
key derivation enabled and will require all
|
2016-08-05 21:52:44 +00:00
|
|
|
requests to carry both a context and 96-bit
|
2016-08-07 19:53:40 +00:00
|
|
|
(12-byte) nonce. The given nonce will be used
|
|
|
|
in place of a randomly generated nonce. As a
|
|
|
|
result, when the same context and nonce are
|
|
|
|
supplied, the same ciphertext is generated. It
|
|
|
|
is *very important* when using this mode that
|
|
|
|
you ensure that all nonces are unique for a
|
|
|
|
given context. Failing to do so will severely
|
|
|
|
impact the ciphertext's security.`,
|
2016-06-20 17:17:48 +00:00
|
|
|
},
|
2017-01-23 16:04:43 +00:00
|
|
|
|
|
|
|
"exportable": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeBool,
|
|
|
|
Description: `Enables keys to be exportable.
|
|
|
|
This allows for all the valid keys
|
|
|
|
in the key ring to be exported.`,
|
|
|
|
},
|
2017-06-05 19:00:39 +00:00
|
|
|
|
|
|
|
"context": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: `Base64 encoded context for key derivation.
|
|
|
|
When reading a key with key derivation enabled,
|
|
|
|
if the key type supports public keys, this will
|
|
|
|
return the public key for the given context.`,
|
|
|
|
},
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2016-01-27 21:24:11 +00:00
|
|
|
logical.UpdateOperation: b.pathPolicyWrite,
|
|
|
|
logical.DeleteOperation: b.pathPolicyDelete,
|
|
|
|
logical.ReadOperation: b.pathPolicyRead,
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
2015-04-27 19:47:09 +00:00
|
|
|
|
|
|
|
HelpSynopsis: pathPolicyHelpSyn,
|
|
|
|
HelpDescription: pathPolicyHelpDesc,
|
2015-04-16 00:08:12 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-10-18 14:13:01 +00:00
|
|
|
func (b *backend) pathKeysList(
|
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
entries, err := req.Storage.List("policy/")
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return logical.ListResponse(entries), nil
|
|
|
|
}
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
func (b *backend) pathPolicyWrite(
|
2015-04-16 00:08:12 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
name := d.Get("name").(string)
|
2015-07-05 21:11:02 +00:00
|
|
|
derived := d.Get("derived").(bool)
|
2016-06-20 17:17:48 +00:00
|
|
|
convergent := d.Get("convergent_encryption").(bool)
|
2016-09-21 14:29:42 +00:00
|
|
|
keyType := d.Get("type").(string)
|
2017-01-23 16:04:43 +00:00
|
|
|
exportable := d.Get("exportable").(bool)
|
2016-06-20 17:17:48 +00:00
|
|
|
|
|
|
|
if !derived && convergent {
|
|
|
|
return logical.ErrorResponse("convergent encryption requires derivation to be enabled"), nil
|
|
|
|
}
|
2015-04-16 00:08:12 +00:00
|
|
|
|
2016-10-26 23:52:31 +00:00
|
|
|
polReq := keysutil.PolicyRequest{
|
|
|
|
Storage: req.Storage,
|
|
|
|
Name: name,
|
|
|
|
Derived: derived,
|
|
|
|
Convergent: convergent,
|
2017-01-23 16:04:43 +00:00
|
|
|
Exportable: exportable,
|
2016-09-21 14:29:42 +00:00
|
|
|
}
|
|
|
|
switch keyType {
|
|
|
|
case "aes256-gcm96":
|
2016-10-26 23:52:31 +00:00
|
|
|
polReq.KeyType = keysutil.KeyType_AES256_GCM96
|
2016-09-21 14:29:42 +00:00
|
|
|
case "ecdsa-p256":
|
2016-10-26 23:52:31 +00:00
|
|
|
polReq.KeyType = keysutil.KeyType_ECDSA_P256
|
2017-06-05 19:00:39 +00:00
|
|
|
case "ed25519":
|
|
|
|
polReq.KeyType = keysutil.KeyType_ED25519
|
2017-11-03 14:45:53 +00:00
|
|
|
case "rsa-2048":
|
|
|
|
polReq.KeyType = keysutil.KeyType_RSA2048
|
|
|
|
case "rsa-4096":
|
|
|
|
polReq.KeyType = keysutil.KeyType_RSA4096
|
2016-09-21 14:29:42 +00:00
|
|
|
default:
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("unknown key type %v", keyType)), logical.ErrInvalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
p, lock, upserted, err := b.lm.GetPolicyUpsert(polReq)
|
2016-05-03 03:46:39 +00:00
|
|
|
if lock != nil {
|
|
|
|
defer lock.RUnlock()
|
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if p == nil {
|
|
|
|
return nil, fmt.Errorf("error generating key: returned policy was nil")
|
|
|
|
}
|
|
|
|
|
|
|
|
resp := &logical.Response{}
|
|
|
|
if !upserted {
|
|
|
|
resp.AddWarning(fmt.Sprintf("key %s already existed", name))
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, nil
|
2015-04-16 00:08:12 +00:00
|
|
|
}
|
|
|
|
|
2017-06-05 19:00:39 +00:00
|
|
|
// Built-in helper type for returning asymmetric keys
|
|
|
|
type asymKey struct {
|
2017-07-05 15:25:10 +00:00
|
|
|
Name string `json:"name" structs:"name" mapstructure:"name"`
|
|
|
|
PublicKey string `json:"public_key" structs:"public_key" mapstructure:"public_key"`
|
|
|
|
CreationTime time.Time `json:"creation_time" structs:"creation_time" mapstructure:"creation_time"`
|
2017-06-05 19:00:39 +00:00
|
|
|
}
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
func (b *backend) pathPolicyRead(
|
2015-04-16 00:08:12 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
name := d.Get("name").(string)
|
2015-09-14 20:28:46 +00:00
|
|
|
|
2016-05-03 03:46:39 +00:00
|
|
|
p, lock, err := b.lm.GetPolicyShared(req.Storage, name)
|
|
|
|
if lock != nil {
|
|
|
|
defer lock.RUnlock()
|
|
|
|
}
|
2015-04-16 00:08:12 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
if p == nil {
|
2015-04-16 00:08:12 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Return the response
|
|
|
|
resp := &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
2016-04-26 15:39:19 +00:00
|
|
|
"name": p.Name,
|
2016-09-21 14:29:42 +00:00
|
|
|
"type": p.Type.String(),
|
2016-04-26 15:39:19 +00:00
|
|
|
"derived": p.Derived,
|
|
|
|
"deletion_allowed": p.DeletionAllowed,
|
|
|
|
"min_decryption_version": p.MinDecryptionVersion,
|
2017-06-08 18:07:18 +00:00
|
|
|
"min_encryption_version": p.MinEncryptionVersion,
|
2016-04-26 15:39:19 +00:00
|
|
|
"latest_version": p.LatestVersion,
|
2017-01-23 16:04:43 +00:00
|
|
|
"exportable": p.Exportable,
|
2017-01-11 16:05:06 +00:00
|
|
|
"supports_encryption": p.Type.EncryptionSupported(),
|
|
|
|
"supports_decryption": p.Type.DecryptionSupported(),
|
|
|
|
"supports_signing": p.Type.SigningSupported(),
|
|
|
|
"supports_derivation": p.Type.DerivationSupported(),
|
2015-04-16 00:08:12 +00:00
|
|
|
},
|
|
|
|
}
|
2016-09-21 14:29:42 +00:00
|
|
|
|
2016-04-26 15:39:19 +00:00
|
|
|
if p.Derived {
|
2016-08-30 20:29:09 +00:00
|
|
|
switch p.KDF {
|
2016-10-26 23:52:31 +00:00
|
|
|
case keysutil.Kdf_hmac_sha256_counter:
|
2016-08-30 20:29:09 +00:00
|
|
|
resp.Data["kdf"] = "hmac-sha256-counter"
|
|
|
|
resp.Data["kdf_mode"] = "hmac-sha256-counter"
|
2016-10-26 23:52:31 +00:00
|
|
|
case keysutil.Kdf_hkdf_sha256:
|
2016-08-30 20:29:09 +00:00
|
|
|
resp.Data["kdf"] = "hkdf_sha256"
|
|
|
|
}
|
2016-06-20 17:17:48 +00:00
|
|
|
resp.Data["convergent_encryption"] = p.ConvergentEncryption
|
2016-08-26 18:11:03 +00:00
|
|
|
if p.ConvergentEncryption {
|
|
|
|
resp.Data["convergent_encryption_version"] = p.ConvergentVersion
|
|
|
|
}
|
2015-07-06 01:58:31 +00:00
|
|
|
}
|
2015-09-17 22:49:50 +00:00
|
|
|
|
2017-06-05 19:00:39 +00:00
|
|
|
contextRaw := d.Get("context").(string)
|
|
|
|
var context []byte
|
|
|
|
if len(contextRaw) != 0 {
|
|
|
|
context, err = base64.StdEncoding.DecodeString(contextRaw)
|
|
|
|
if err != nil {
|
|
|
|
return logical.ErrorResponse("failed to base64-decode context"), logical.ErrInvalidRequest
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-09-21 14:29:42 +00:00
|
|
|
switch p.Type {
|
2016-10-26 23:52:31 +00:00
|
|
|
case keysutil.KeyType_AES256_GCM96:
|
2016-09-21 14:29:42 +00:00
|
|
|
retKeys := map[string]int64{}
|
|
|
|
for k, v := range p.Keys {
|
2017-12-06 23:24:00 +00:00
|
|
|
retKeys[k] = v.DeprecatedCreationTime
|
2016-09-21 14:29:42 +00:00
|
|
|
}
|
|
|
|
resp.Data["keys"] = retKeys
|
|
|
|
|
2017-11-03 14:45:53 +00:00
|
|
|
case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ED25519, keysutil.KeyType_RSA2048, keysutil.KeyType_RSA4096:
|
2017-07-05 15:25:10 +00:00
|
|
|
retKeys := map[string]map[string]interface{}{}
|
2016-09-21 14:29:42 +00:00
|
|
|
for k, v := range p.Keys {
|
2017-06-05 19:00:39 +00:00
|
|
|
key := asymKey{
|
|
|
|
PublicKey: v.FormattedPublicKey,
|
|
|
|
CreationTime: v.CreationTime,
|
|
|
|
}
|
|
|
|
if key.CreationTime.IsZero() {
|
|
|
|
key.CreationTime = time.Unix(v.DeprecatedCreationTime, 0)
|
2016-09-21 14:29:42 +00:00
|
|
|
}
|
2017-06-05 19:00:39 +00:00
|
|
|
|
|
|
|
switch p.Type {
|
|
|
|
case keysutil.KeyType_ECDSA_P256:
|
|
|
|
key.Name = elliptic.P256().Params().Name
|
|
|
|
case keysutil.KeyType_ED25519:
|
|
|
|
if p.Derived {
|
|
|
|
if len(context) == 0 {
|
|
|
|
key.PublicKey = ""
|
|
|
|
} else {
|
2017-12-06 23:24:00 +00:00
|
|
|
ver, err := strconv.Atoi(k)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("invalid version %q: %v", k, err)
|
|
|
|
}
|
|
|
|
derived, err := p.DeriveKey(context, ver)
|
2017-06-05 19:00:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to derive key to return public component")
|
|
|
|
}
|
|
|
|
pubKey := ed25519.PrivateKey(derived).Public().(ed25519.PublicKey)
|
|
|
|
key.PublicKey = base64.StdEncoding.EncodeToString(pubKey)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
key.Name = "ed25519"
|
2017-11-03 14:45:53 +00:00
|
|
|
case keysutil.KeyType_RSA2048, keysutil.KeyType_RSA4096:
|
|
|
|
key.Name = "rsa-2048"
|
|
|
|
if p.Type == keysutil.KeyType_RSA4096 {
|
|
|
|
key.Name = "rsa-4096"
|
|
|
|
}
|
|
|
|
|
|
|
|
// Encode the RSA public key in PEM format to return over the
|
|
|
|
// API
|
|
|
|
derBytes, err := x509.MarshalPKIXPublicKey(v.RSAKey.Public())
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("error marshaling RSA public key: %v", err)
|
|
|
|
}
|
|
|
|
pemBlock := &pem.Block{
|
|
|
|
Type: "PUBLIC KEY",
|
|
|
|
Bytes: derBytes,
|
|
|
|
}
|
|
|
|
pemBytes := pem.EncodeToMemory(pemBlock)
|
|
|
|
if pemBytes == nil || len(pemBytes) == 0 {
|
|
|
|
return nil, fmt.Errorf("failed to PEM-encode RSA public key")
|
|
|
|
}
|
|
|
|
key.PublicKey = string(pemBytes)
|
2017-06-05 19:00:39 +00:00
|
|
|
}
|
|
|
|
|
2017-12-06 23:24:00 +00:00
|
|
|
retKeys[k] = structs.New(key).Map()
|
2016-09-21 14:29:42 +00:00
|
|
|
}
|
|
|
|
resp.Data["keys"] = retKeys
|
2015-09-17 22:49:50 +00:00
|
|
|
}
|
|
|
|
|
2015-04-16 00:08:12 +00:00
|
|
|
return resp, nil
|
|
|
|
}
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
func (b *backend) pathPolicyDelete(
|
2015-04-16 00:08:12 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
name := d.Get("name").(string)
|
|
|
|
|
2016-05-03 03:46:39 +00:00
|
|
|
// Delete does its own locking
|
|
|
|
err := b.lm.DeletePolicy(req.Storage, name)
|
2016-01-27 17:02:32 +00:00
|
|
|
if err != nil {
|
2016-01-27 21:24:11 +00:00
|
|
|
return logical.ErrorResponse(fmt.Sprintf("error deleting policy %s: %s", name, err)), err
|
2016-01-27 17:02:32 +00:00
|
|
|
}
|
|
|
|
|
2015-04-16 00:08:12 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2015-04-27 19:47:09 +00:00
|
|
|
|
2015-09-14 20:28:46 +00:00
|
|
|
const pathPolicyHelpSyn = `Managed named encryption keys`
|
2015-04-27 19:47:09 +00:00
|
|
|
|
|
|
|
const pathPolicyHelpDesc = `
|
|
|
|
This path is used to manage the named keys that are available.
|
|
|
|
Doing a write with no value against a new named key will create
|
|
|
|
it using a randomly generated key.
|
|
|
|
`
|