2015-09-14 20:28:46 +00:00
|
|
|
package transit
|
|
|
|
|
|
|
|
import (
|
2018-01-08 18:31:38 +00:00
|
|
|
"context"
|
2015-09-14 20:28:46 +00:00
|
|
|
"encoding/base64"
|
|
|
|
"fmt"
|
2022-01-27 18:06:34 +00:00
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
"github.com/hashicorp/vault/helper/constants"
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/errutil"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/keysutil"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2017-02-06 19:56:16 +00:00
|
|
|
"github.com/mitchellh/mapstructure"
|
2015-09-14 20:28:46 +00:00
|
|
|
)
|
|
|
|
|
2016-01-27 21:24:11 +00:00
|
|
|
func (b *backend) pathRewrap() *framework.Path {
|
2015-09-14 20:28:46 +00:00
|
|
|
return &framework.Path{
|
|
|
|
Pattern: "rewrap/" + framework.GenericNameRegex("name"),
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
2021-04-08 16:43:39 +00:00
|
|
|
"name": {
|
2015-09-14 20:28:46 +00:00
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "Name of the key",
|
|
|
|
},
|
|
|
|
|
2021-04-08 16:43:39 +00:00
|
|
|
"ciphertext": {
|
2015-09-14 20:28:46 +00:00
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "Ciphertext value to rewrap",
|
|
|
|
},
|
|
|
|
|
2021-04-08 16:43:39 +00:00
|
|
|
"context": {
|
2015-09-14 20:28:46 +00:00
|
|
|
Type: framework.TypeString,
|
2017-02-02 19:24:20 +00:00
|
|
|
Description: "Base64 encoded context for key derivation. Required for derived keys.",
|
2015-09-14 20:28:46 +00:00
|
|
|
},
|
2016-08-05 21:52:44 +00:00
|
|
|
|
2021-04-08 16:43:39 +00:00
|
|
|
"nonce": {
|
2016-08-05 21:52:44 +00:00
|
|
|
Type: framework.TypeString,
|
2016-08-07 19:53:40 +00:00
|
|
|
Description: "Nonce for when convergent encryption is used",
|
2016-08-05 21:52:44 +00:00
|
|
|
},
|
2017-06-06 20:02:54 +00:00
|
|
|
|
2021-04-08 16:43:39 +00:00
|
|
|
"key_version": {
|
2017-06-06 20:02:54 +00:00
|
|
|
Type: framework.TypeInt,
|
|
|
|
Description: `The version of the key to use for encryption.
|
|
|
|
Must be 0 (for latest) or a value greater than or equal
|
|
|
|
to the min_encryption_version configured on the key.`,
|
|
|
|
},
|
2015-09-14 20:28:46 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2016-01-27 21:24:11 +00:00
|
|
|
logical.UpdateOperation: b.pathRewrapWrite,
|
2015-09-14 20:28:46 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
HelpSynopsis: pathRewrapHelpSyn,
|
|
|
|
HelpDescription: pathRewrapHelpDesc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2017-02-06 19:56:16 +00:00
|
|
|
batchInputRaw := d.Raw["batch_input"]
|
2017-02-02 19:24:20 +00:00
|
|
|
var batchInputItems []BatchRequestItem
|
|
|
|
var err error
|
2017-02-06 19:56:16 +00:00
|
|
|
if batchInputRaw != nil {
|
|
|
|
err = mapstructure.Decode(batchInputRaw, &batchInputItems)
|
2017-02-02 19:24:20 +00:00
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("failed to parse batch input: %w", err)
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
2015-09-14 20:28:46 +00:00
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
if len(batchInputItems) == 0 {
|
|
|
|
return logical.ErrorResponse("missing batch input to process"), logical.ErrInvalidRequest
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
ciphertext := d.Get("ciphertext").(string)
|
|
|
|
if len(ciphertext) == 0 {
|
|
|
|
return logical.ErrorResponse("missing ciphertext to decrypt"), logical.ErrInvalidRequest
|
|
|
|
}
|
2016-08-05 21:52:44 +00:00
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
batchInputItems = make([]BatchRequestItem, 1)
|
|
|
|
batchInputItems[0] = BatchRequestItem{
|
|
|
|
Ciphertext: ciphertext,
|
2017-02-06 19:56:16 +00:00
|
|
|
Context: d.Get("context").(string),
|
|
|
|
Nonce: d.Get("nonce").(string),
|
2017-06-06 20:02:54 +00:00
|
|
|
KeyVersion: d.Get("key_version").(int),
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-09-22 13:43:07 +00:00
|
|
|
batchResponseItems := make([]EncryptBatchResponseItem, len(batchInputItems))
|
2017-02-02 19:24:20 +00:00
|
|
|
contextSet := len(batchInputItems[0].Context) != 0
|
|
|
|
|
|
|
|
for i, item := range batchInputItems {
|
|
|
|
if (len(item.Context) == 0 && contextSet) || (len(item.Context) != 0 && !contextSet) {
|
|
|
|
return logical.ErrorResponse("context should be set either in all the request blocks or in none"), logical.ErrInvalidRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
if item.Ciphertext == "" {
|
|
|
|
batchResponseItems[i].Error = "missing ciphertext to decrypt"
|
|
|
|
continue
|
2016-08-05 21:52:44 +00:00
|
|
|
}
|
2017-02-06 19:56:16 +00:00
|
|
|
|
|
|
|
// Decode the context
|
|
|
|
if len(item.Context) != 0 {
|
|
|
|
batchInputItems[i].DecodedContext, err = base64.StdEncoding.DecodeString(item.Context)
|
|
|
|
if err != nil {
|
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decode the nonce
|
|
|
|
if len(item.Nonce) != 0 {
|
|
|
|
batchInputItems[i].DecodedNonce, err = base64.StdEncoding.DecodeString(item.Nonce)
|
|
|
|
if err != nil {
|
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
2016-08-05 21:52:44 +00:00
|
|
|
}
|
|
|
|
|
2015-09-14 20:28:46 +00:00
|
|
|
// Get the policy
|
2021-09-13 21:44:56 +00:00
|
|
|
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
|
2018-06-12 16:24:12 +00:00
|
|
|
Storage: req.Storage,
|
|
|
|
Name: d.Get("name").(string),
|
2019-10-17 17:33:00 +00:00
|
|
|
}, b.GetRandomReader())
|
2015-09-14 20:28:46 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-04-26 15:39:19 +00:00
|
|
|
if p == nil {
|
2017-05-12 18:14:00 +00:00
|
|
|
return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
2018-06-12 16:24:12 +00:00
|
|
|
if !b.System().CachingDisabled() {
|
|
|
|
p.Lock(false)
|
|
|
|
}
|
2015-09-14 20:28:46 +00:00
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
warnAboutNonceUsage := false
|
2017-02-02 19:24:20 +00:00
|
|
|
for i, item := range batchInputItems {
|
|
|
|
if batchResponseItems[i].Error != "" {
|
|
|
|
continue
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
|
|
|
|
2017-02-06 19:56:16 +00:00
|
|
|
plaintext, err := p.Decrypt(item.DecodedContext, item.DecodedNonce, item.Ciphertext)
|
2017-02-02 19:24:20 +00:00
|
|
|
if err != nil {
|
|
|
|
switch err.(type) {
|
|
|
|
case errutil.UserError:
|
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
continue
|
|
|
|
default:
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2017-02-02 19:24:20 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
2015-09-14 20:28:46 +00:00
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) {
|
|
|
|
warnAboutNonceUsage = true
|
|
|
|
}
|
|
|
|
|
2017-06-06 20:02:54 +00:00
|
|
|
ciphertext, err := p.Encrypt(item.KeyVersion, item.DecodedContext, item.DecodedNonce, plaintext)
|
2017-02-02 19:24:20 +00:00
|
|
|
if err != nil {
|
|
|
|
switch err.(type) {
|
|
|
|
case errutil.UserError:
|
|
|
|
batchResponseItems[i].Error = err.Error()
|
|
|
|
continue
|
|
|
|
case errutil.InternalError:
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2017-02-02 19:24:20 +00:00
|
|
|
return nil, err
|
|
|
|
default:
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2017-02-02 19:24:20 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
if ciphertext == "" {
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2017-02-02 19:24:20 +00:00
|
|
|
return nil, fmt.Errorf("empty ciphertext returned for input item %d", i)
|
|
|
|
}
|
|
|
|
|
2020-06-01 17:16:01 +00:00
|
|
|
keyVersion := item.KeyVersion
|
|
|
|
if keyVersion == 0 {
|
|
|
|
keyVersion = p.LatestVersion
|
|
|
|
}
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
batchResponseItems[i].Ciphertext = ciphertext
|
2020-06-01 17:16:01 +00:00
|
|
|
batchResponseItems[i].KeyVersion = keyVersion
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
|
|
|
|
2017-02-02 19:24:20 +00:00
|
|
|
resp := &logical.Response{}
|
2017-02-06 19:56:16 +00:00
|
|
|
if batchInputRaw != nil {
|
2017-02-02 19:24:20 +00:00
|
|
|
resp.Data = map[string]interface{}{
|
2017-02-06 19:56:16 +00:00
|
|
|
"batch_results": batchResponseItems,
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if batchResponseItems[0].Error != "" {
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2017-02-02 19:24:20 +00:00
|
|
|
return logical.ErrorResponse(batchResponseItems[0].Error), logical.ErrInvalidRequest
|
|
|
|
}
|
|
|
|
resp.Data = map[string]interface{}{
|
2020-06-01 17:16:01 +00:00
|
|
|
"ciphertext": batchResponseItems[0].Ciphertext,
|
|
|
|
"key_version": batchResponseItems[0].KeyVersion,
|
2017-02-02 19:24:20 +00:00
|
|
|
}
|
2015-09-14 20:28:46 +00:00
|
|
|
}
|
2017-02-02 19:24:20 +00:00
|
|
|
|
2021-12-08 19:37:25 +00:00
|
|
|
if constants.IsFIPS() && warnAboutNonceUsage {
|
|
|
|
resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
|
|
|
|
}
|
|
|
|
|
2018-06-12 16:24:12 +00:00
|
|
|
p.Unlock()
|
2015-09-14 20:28:46 +00:00
|
|
|
return resp, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
const pathRewrapHelpSyn = `Rewrap ciphertext`
|
|
|
|
|
|
|
|
const pathRewrapHelpDesc = `
|
2017-02-02 19:24:20 +00:00
|
|
|
After key rotation, this function can be used to rewrap the given ciphertext or
|
|
|
|
a batch of given ciphertext blocks with the latest version of the named key.
|
|
|
|
If the given ciphertext is already using the latest version of the key, this
|
|
|
|
function is a no-op.
|
2015-09-14 20:28:46 +00:00
|
|
|
`
|