open-vault/builtin/logical/transit/path_decrypt.go

package transit

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"strings"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathDecrypt() *framework.Path {
	return &framework.Path{
		Pattern: `decrypt/(?P<name>\w+)`,
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the policy",
			},

			"ciphertext": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Ciphertext value to decrypt",
			},

			"context": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Context for key derivation. Required for derived keys.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.WriteOperation: pathDecryptWrite,
		},

		HelpSynopsis:    pathDecryptHelpSyn,
		HelpDescription: pathDecryptHelpDesc,
	}
}

func pathDecryptWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	value := d.Get("ciphertext").(string)
	if len(value) == 0 {
		return logical.ErrorResponse("missing ciphertext to decrypt"), logical.ErrInvalidRequest
	}
	context := d.Get("context").(string)

	// Get the policy
	p, err := getPolicy(req, name)
	if err != nil {
		return nil, err
	}

	// Error if invalid policy
	if p == nil {
		return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest
	}

	// Derive the key that should be used
	key, err := p.DeriveKey([]byte(context))
	if err != nil {
		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
	}

	// Guard against a potentially invalid cipher-mode
	switch p.CipherMode {
	case "aes-gcm":
	default:
		return logical.ErrorResponse("unsupported cipher mode"), logical.ErrInvalidRequest
	}

	// Verify the prefix
	if !strings.HasPrefix(value, "vault:v0:") {
		return logical.ErrorResponse("invalid ciphertext"), logical.ErrInvalidRequest
	}

	// Decode the base64
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, "vault:v0:"))
	if err != nil {
		return logical.ErrorResponse("invalid ciphertext"), logical.ErrInvalidRequest
	}

	// Setup the cipher
	aesCipher, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}

	// Setup the GCM AEAD
	gcm, err := cipher.NewGCM(aesCipher)
	if err != nil {
		return nil, err
	}

	// Extract the nonce and ciphertext
	nonce := decoded[:gcm.NonceSize()]
	ciphertext := decoded[gcm.NonceSize():]

	// Verify and Decrypt
	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return logical.ErrorResponse("invalid ciphertext"), logical.ErrInvalidRequest
	}

	// Generate the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"plaintext": base64.StdEncoding.EncodeToString(plain),
		},
	}
	return resp, nil
}

const pathDecryptHelpSyn = `Decrypt a ciphertext value using a named key`

const pathDecryptHelpDesc = `
This path uses the named key from the request path to decrypt a user
provided ciphertext. The plaintext is returned base64 encoded.
`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
			`"crypto/aes"`
			`"crypto/cipher"`
			`"encoding/base64"`
			`"strings"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`func pathDecrypt() *framework.Path {`
			`return &framework.Path{`
			Pattern: `decrypt/(?P<name>\w+)`,
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the policy",`
			`},`

			`"ciphertext": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Ciphertext value to decrypt",`
			`},`
secret/transit: check for context for derived keys 2015-07-05 21:12:07 +00:00
			`"context": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Context for key derivation. Required for derived keys.",`
			`},`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.WriteOperation: pathDecryptWrite,`
			`},`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			`HelpSynopsis: pathDecryptHelpSyn,`
			`HelpDescription: pathDecryptHelpDesc,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
			`}`

			`func pathDecryptWrite(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := d.Get("name").(string)`
			`value := d.Get("ciphertext").(string)`
			`if len(value) == 0 {`
			`return logical.ErrorResponse("missing ciphertext to decrypt"), logical.ErrInvalidRequest`
			`}`
secret/transit: check for context for derived keys 2015-07-05 21:12:07 +00:00			`context := d.Get("context").(string)`
Adding transit logical backend 2015-04-16 00:08:12 +00:00
			`// Get the policy`
			`p, err := getPolicy(req, name)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Error if invalid policy`
			`if p == nil {`
			`return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest`
			`}`

secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`// Derive the key that should be used`
			`key, err := p.DeriveKey([]byte(context))`
			`if err != nil {`
			`return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest`
secret/transit: check for context for derived keys 2015-07-05 21:12:07 +00:00			`}`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`// Guard against a potentially invalid cipher-mode`
			`switch p.CipherMode {`
			`case "aes-gcm":`
			`default:`
			`return logical.ErrorResponse("unsupported cipher mode"), logical.ErrInvalidRequest`
			`}`

			`// Verify the prefix`
			`if !strings.HasPrefix(value, "vault:v0:") {`
			`return logical.ErrorResponse("invalid ciphertext"), logical.ErrInvalidRequest`
			`}`

			`// Decode the base64`
			`decoded, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, "vault:v0:"))`
			`if err != nil {`
			`return logical.ErrorResponse("invalid ciphertext"), logical.ErrInvalidRequest`
			`}`

			`// Setup the cipher`
secret/transit: support key derivation in encrypt/decrypt 2015-07-05 21:19:24 +00:00			`aesCipher, err := aes.NewCipher(key)`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`// Setup the GCM AEAD`
			`gcm, err := cipher.NewGCM(aesCipher)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Extract the nonce and ciphertext`
			`nonce := decoded[:gcm.NonceSize()]`
			`ciphertext := decoded[gcm.NonceSize():]`

			`// Verify and Decrypt`
			`plain, err := gcm.Open(nil, nonce, ciphertext, nil)`
			`if err != nil {`
			`return logical.ErrorResponse("invalid ciphertext"), logical.ErrInvalidRequest`
			`}`

			`// Generate the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
			`"plaintext": base64.StdEncoding.EncodeToString(plain),`
			`},`
			`}`
			`return resp, nil`
			`}`
secret/transit: Adding more help. Fixes #41 2015-04-27 19:47:09 +00:00
			const pathDecryptHelpSyn = `Decrypt a ciphertext value using a named key`

			const pathDecryptHelpDesc = `
			`This path uses the named key from the request path to decrypt a user`
			`provided ciphertext. The plaintext is returned base64 encoded.`
			`