Allow encrypting empty ciphertext values. (#1881)

Replaces #1874
This commit is contained in:
Jeff Mitchell 2016-09-13 12:00:04 -04:00 committed by GitHub
parent cb6bf54f8d
commit 197c7eae5f
3 changed files with 49 additions and 9 deletions

View file

@ -31,6 +31,8 @@ func TestBackend_basic(t *testing.T) {
testAccStepReadPolicy(t, "test", false, false),
testAccStepEncrypt(t, "test", testPlaintext, decryptData),
testAccStepDecrypt(t, "test", testPlaintext, decryptData),
testAccStepEncrypt(t, "test", "", decryptData),
testAccStepDecrypt(t, "test", "", decryptData),
testAccStepDeleteNotDisabledPolicy(t, "test"),
testAccStepEnableDeletion(t, "test"),
testAccStepDeletePolicy(t, "test"),
@ -781,6 +783,48 @@ func testConvergentEncryptionCommon(t *testing.T, ver int) {
if ciphertext3 == ciphertext5 {
t.Fatalf("expected different ciphertexts")
}
// Finally, check operations on empty values
// First, check without setting a plaintext at all
req.Data = map[string]interface{}{
"nonce": "b25ldHdvdGhyZWVl", // "onetwothreee"
"context": "pWZ6t/im3AORd0lVYE0zBdKpX6Bl3/SvFtoVTPWbdkzjG788XmMAnOlxandSdd7S",
}
resp, err = b.HandleRequest(req)
if resp == nil {
t.Fatal("expected non-nil response")
}
if !resp.IsError() {
t.Fatalf("expected error response, got: %#v", *resp)
}
// Now set plaintext to empty
req.Data = map[string]interface{}{
"plaintext": "",
"nonce": "b25ldHdvdGhyZWVl", // "onetwothreee"
"context": "pWZ6t/im3AORd0lVYE0zBdKpX6Bl3/SvFtoVTPWbdkzjG788XmMAnOlxandSdd7S",
}
resp, err = b.HandleRequest(req)
if resp == nil {
t.Fatal("expected non-nil response")
}
if resp.IsError() {
t.Fatalf("got error response: %#v", *resp)
}
ciphertext7 := resp.Data["ciphertext"].(string)
resp, err = b.HandleRequest(req)
if resp == nil {
t.Fatal("expected non-nil response")
}
if resp.IsError() {
t.Fatalf("got error response: %#v", *resp)
}
ciphertext8 := resp.Data["ciphertext"].(string)
if ciphertext7 != ciphertext8 {
t.Fatalf("expected the same ciphertext but got %s and %s", ciphertext7, ciphertext8)
}
}
func TestPolicyFuzzing(t *testing.T) {

View file

@ -2,7 +2,6 @@ package transit
import (
"encoding/base64"
"fmt"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
@ -97,10 +96,6 @@ func (b *backend) pathDecryptWrite(
}
}
if plaintext == "" {
return nil, fmt.Errorf("empty plaintext returned")
}
// Generate the response
resp := &logical.Response{
Data: map[string]interface{}{

View file

@ -63,16 +63,17 @@ func (b *backend) pathEncryptExistenceCheck(
func (b *backend) pathEncryptWrite(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
value := d.Get("plaintext").(string)
if len(value) == 0 {
valueRaw, ok := d.GetOk("plaintext")
if !ok {
return logical.ErrorResponse("missing plaintext to encrypt"), logical.ErrInvalidRequest
}
var err error
value := valueRaw.(string)
// Decode the context if any
contextRaw := d.Get("context").(string)
var context []byte
var err error
if len(contextRaw) != 0 {
context, err = base64.StdEncoding.DecodeString(contextRaw)
if err != nil {