diff --git a/command/agent.go b/command/agent.go
index cd6daaf00..c85e4362b 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -593,7 +593,7 @@ func (c *AgentCommand) Run(args []string) int {
 c.UI.Warn(fmt.Sprintf("Failed to close persistent cache file after getting retrieval token: %s", err))
 }
-km, err := keymanager.NewPassthroughKeyManager(token)
+km, err := keymanager.NewPassthroughKeyManager(ctx, token)
 if err != nil {
 c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
 return 1
@@ -657,7 +657,7 @@ func (c *AgentCommand) Run(args []string) int {
 }
 }
 } else {
-km, err := keymanager.NewPassthroughKeyManager(nil)
+km, err := keymanager.NewPassthroughKeyManager(ctx, nil)
 if err != nil {
 c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
 return 1
@@ -675,7 +675,7 @@ func (c *AgentCommand) Run(args []string) int {
 cacheLogger.Info("configured persistent storage", "path", config.Cache.Persist.Path)
 // Stash the key material in bolt
-token, err := km.RetrievalToken()
+token, err := km.RetrievalToken(ctx)
 if err != nil {
 c.UI.Error(fmt.Sprintf("Error getting persistent key: %s", err))
 return 1
diff --git a/command/agent/cache/cacheboltdb/bolt.go b/command/agent/cache/cacheboltdb/bolt.go
index c91b47a0d..72cb7f3b8 100644
--- a/command/agent/cache/cacheboltdb/bolt.go
+++ b/command/agent/cache/cacheboltdb/bolt.go
@@ -10,7 +10,7 @@ import (
 "github.com/golang/protobuf/proto"
 "github.com/hashicorp/go-hclog"
-wrapping "github.com/hashicorp/go-kms-wrapping"
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "github.com/hashicorp/go-multierror"
 bolt "go.etcd.io/bbolt"
 )
@@ -228,7 +228,7 @@ func autoIncrementedLeaseKey(tx *bolt.Tx, id string) ([]byte, error) {
 // Set an index (token or lease) in bolt storage
 func (b *BoltStorage) Set(ctx context.Context, id string, plaintext []byte, indexType string) error {
-blob, err := b.wrapper.Encrypt(ctx, plaintext, []byte(b.aad))
+blob, err := b.wrapper.Encrypt(ctx, plaintext, wrapping.WithAad([]byte(b.aad)))
 if err != nil {
 return fmt.Errorf("error encrypting %s index: %w", indexType, err)
 }
@@ -296,12 +296,12 @@ func (b *BoltStorage) Delete(id string, indexType string) error {
 }
 func (b *BoltStorage) decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) {
-var blob wrapping.EncryptedBlobInfo
+var blob wrapping.BlobInfo
 if err := proto.Unmarshal(ciphertext, &blob); err != nil {
 return nil, err
 }
-return b.wrapper.Decrypt(ctx, &blob, []byte(b.aad))
+return b.wrapper.Decrypt(ctx, &blob, wrapping.WithAad([]byte(b.aad)))
 }
 // GetByType returns a list of stored items of the specified type
diff --git a/command/agent/cache/cacheboltdb/bolt_test.go b/command/agent/cache/cacheboltdb/bolt_test.go
index ceb621005..d6f5a742e 100644
--- a/command/agent/cache/cacheboltdb/bolt_test.go
+++ b/command/agent/cache/cacheboltdb/bolt_test.go
@@ -22,7 +22,7 @@ import (
 func getTestKeyManager(t *testing.T) keymanager.KeyManager {
 t.Helper()
-km, err := keymanager.NewPassthroughKeyManager(nil)
+km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
 require.NoError(t, err)
 return km
@@ -286,7 +286,7 @@ func TestBolt_MigrateFromV1ToV2Schema(t *testing.T) {
 // Manually insert some items into the v1 schema.
 err = db.Update(func(tx *bolt.Tx) error {
-blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"), []byte(""))
+blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"))
 if err != nil {
 return fmt.Errorf("error encrypting contents: %w", err)
 }
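Review bot: `decrypt` still returns the `proto.Unmarshal` failure bare (`return nil, err`) while the encrypt side in `Set` wraps its error with the index type, so a corrupt or tampered cache record surfaces without saying which layer rejected it; `return nil, fmt.Errorf("error unmarshaling encrypted index: %w", err)` keeps the two paths consistent. Both `Set` and `decrypt` also now build `wrapping.WithAad([]byte(b.aad))` independently from the string on every call; a small `func (b *BoltStorage) aadOption() wrapping.Option` (or storing the AAD as `[]byte` once on the struct) would keep the two call sites from drifting, which matters because the AAD must match byte-for-byte on both sides for any record to decrypt.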
diff --git a/command/agent/cache/keymanager/manager.go b/command/agent/cache/keymanager/manager.go
index c69598623..ff4d0f2c0 100644
--- a/command/agent/cache/keymanager/manager.go
+++ b/command/agent/cache/keymanager/manager.go
@@ -1,6 +1,10 @@
 package keymanager
-import wrapping "github.com/hashicorp/go-kms-wrapping"
+import (
+"context"
+
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+)
 const (
 KeyID = "root"
@@ -12,5 +16,5 @@ type KeyManager interface {
 // RetrievalToken is the material returned which can be used to source back the
 // encryption key. Depending on the implementation, the token can be the
 // encryption key itself or a token/identifier used to exchange the token.
-RetrievalToken() ([]byte, error)
+RetrievalToken(ctx context.Context) ([]byte, error)
 }
diff --git a/command/agent/cache/keymanager/passthrough.go b/command/agent/cache/keymanager/passthrough.go
index 447dd4150..68a1fc221 100644
--- a/command/agent/cache/keymanager/passthrough.go
+++ b/command/agent/cache/keymanager/passthrough.go
@@ -1,11 +1,12 @@
 package keymanager
 import (
+"context"
 "crypto/rand"
 "fmt"
-wrapping "github.com/hashicorp/go-kms-wrapping"
-"github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+"github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 )
 var _ KeyManager = (*PassthroughKeyManager)(nil)
@@ -17,7 +18,7 @@ type PassthroughKeyManager struct {
 // NewPassthroughKeyManager returns a new instance of the Kube encryption key.
 // If a key is provided, it will be used as the encryption key for the wrapper,
 // otherwise one will be generated.
-func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
+func NewPassthroughKeyManager(ctx context.Context, key []byte) (*PassthroughKeyManager, error) {
 var rootKey []byte = nil
 switch len(key) {
 case 0:
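Review bot: The doc comments on the two changed signatures do not mention the new `ctx` parameter: `KeyManager.RetrievalToken(ctx context.Context)` in manager.go, and `NewPassthroughKeyManager(ctx context.Context, key []byte)` in passthrough.go, whose comment also still describes the result as "a new instance of the Kube encryption key" although the type is a key manager wrapping an AEAD wrapper. Suggested wording for the constructor: `// NewPassthroughKeyManager returns a key manager backed by an in-memory AEAD wrapper. ctx is forwarded to the wrapper's configuration calls. If key is provided it is used as the wrapper's encryption key, otherwise one is generated.` For the interface method, one added line such as `// ctx is passed through to the underlying wrapper and may be used to cancel the retrieval.` would document the contract implementers must honor; the later passthrough.go hunk shows ctx going into `SetConfig` and `KeyBytes`.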
@@ -33,13 +34,13 @@ func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
 return nil, fmt.Errorf("invalid key size, should be 32, got %d", len(key))
 }
-wrapper := aead.NewWrapper(nil)
+wrapper := aead.NewWrapper()
-if _, err := wrapper.SetConfig(map[string]string{"key_id": KeyID}); err != nil {
+if _, err := wrapper.SetConfig(ctx, wrapping.WithConfigMap(map[string]string{"key_id": KeyID})); err != nil {
 return nil, err
 }
-if err := wrapper.SetAESGCMKeyBytes(rootKey); err != nil {
+if err := wrapper.SetAesGcmKeyBytes(rootKey); err != nil {
 return nil, err
 }
@@ -58,10 +59,10 @@ func (w *PassthroughKeyManager) Wrapper() wrapping.Wrapper {
 // RetrievalToken returns the key that was used on the wrapper since this key
 // manager is simply a passthrough and does not provide a mechanism to abstract
 // this key.
-func (w *PassthroughKeyManager) RetrievalToken() ([]byte, error) {
+func (w *PassthroughKeyManager) RetrievalToken(ctx context.Context) ([]byte, error) {
 if w.wrapper == nil {
 return nil, fmt.Errorf("unable to get wrapper for token retrieval")
 }
-return w.wrapper.GetKeyBytes(), nil
+return w.wrapper.KeyBytes(ctx)
 }
diff --git a/command/agent/cache/keymanager/passthrough_test.go b/command/agent/cache/keymanager/passthrough_test.go
index 794f15bc2..084a71a14 100644
--- a/command/agent/cache/keymanager/passthrough_test.go
+++ b/command/agent/cache/keymanager/passthrough_test.go
@@ -2,6 +2,7 @@ package keymanager
 import (
 "bytes"
+"context"
 "testing"
 "github.com/stretchr/testify/require"
@@ -30,9 +31,10 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
 },
 }
+ctx := context.Background()
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
-m, err := NewPassthroughKeyManager(tc.key)
+m, err := NewPassthroughKeyManager(ctx, tc.key)
 if tc.wantErr {
 require.Error(t, err)
 return
@@ -43,7 +45,7 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
 t.Fatalf("expected non-nil wrapper from the key manager")
 }
-token, err := m.RetrievalToken()
+token, err := m.RetrievalToken(ctx)
 if err != nil {
 t.Fatalf("unable to retrieve token: %s", err)
 }
diff --git a/command/agent/cache/lease_cache_test.go b/command/agent/cache/lease_cache_test.go
index 4dbe23392..1501fcfe5 100644
--- a/command/agent/cache/lease_cache_test.go
+++ b/command/agent/cache/lease_cache_test.go
@@ -699,7 +699,7 @@ func TestLeaseCache_Concurrent_Cacheable(t *testing.T) {
 func setupBoltStorage(t *testing.T) (tempCacheDir string, boltStorage *cacheboltdb.BoltStorage) {
 t.Helper()
-km, err := keymanager.NewPassthroughKeyManager(nil)
+km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
 require.NoError(t, err)
 tempCacheDir, err = ioutil.TempDir("", "agent-cache-test")
diff --git a/command/operator_diagnose.go b/command/operator_diagnose.go
index 40136d174..cdabf1390 100644
--- a/command/operator_diagnose.go
+++ b/command/operator_diagnose.go
@@ -13,7 +13,7 @@ import (
 "golang.org/x/term"
-wrapping "github.com/hashicorp/go-kms-wrapping"
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "github.com/docker/docker/pkg/ioutils"
 "github.com/hashicorp/consul/api"
@@ -455,7 +455,7 @@ func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error
 }
 // Ensure that the seal finalizer is called, even if using verify-only
 defer func(seal *vault.Seal) {
-sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType())
+sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType().String())
 finalizeSealContext, finalizeSealSpan := diagnose.StartSpan(ctx, "Finalize "+sealType+" Seal")
 err = (*seal).Finalize(finalizeSealContext)
 if err != nil {
@@ -675,7 +675,7 @@ SEALFAIL:
 if barrierSeal == nil {
 return fmt.Errorf("Diagnose could not create a barrier seal object.")
 }
-if barrierSeal.BarrierType() == wrapping.Shamir {
+if barrierSeal.BarrierType() == wrapping.WrapperTypeShamir {
 diagnose.Skipped(ctx, "Skipping barrier encryption test. Only supported for auto-unseal.")
 return nil
 }
diff --git a/command/server.go b/command/server.go
index 32b48325b..8e6fdf37d 100644
--- a/command/server.go
+++ b/command/server.go
@@ -24,8 +24,8 @@ import (
 systemd "github.com/coreos/go-systemd/daemon"
 "github.com/hashicorp/errwrap"
 "github.com/hashicorp/go-hclog"
-wrapping "github.com/hashicorp/go-kms-wrapping"
-aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 "github.com/hashicorp/go-multierror"
 "github.com/hashicorp/go-secure-stdlib/gatedwriter"
 "github.com/hashicorp/go-secure-stdlib/mlock"
@@ -556,7 +556,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 var wrapper wrapping.Wrapper
 if len(config.Seals) == 0 {
-config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
+config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
 }
 if len(config.Seals) > 1 {
@@ -565,7 +565,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 }
 configSeal := config.Seals[0]
-sealType := wrapping.Shamir
+sealType := wrapping.WrapperTypeShamir.String()
 if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
 sealType = os.Getenv("VAULT_SEAL_TYPE")
 configSeal.Type = sealType
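Review bot: `wrapping.WrapperTypeShamir.String()` is now spelled out at five sites in server.go (the two `runRecoveryMode` hunks here and three more in `setSeal` later in the file) and then converted back to the typed value with `wrapping.WrapperType(configKMS.Type)` in configutil's `configureWrapper`. A single package-level `var shamirSealType = wrapping.WrapperTypeShamir.String()` next to the other seal constants would keep the literal in one place and make the string/typed boundary (config on one side, library type on the other) visible to the next reader. The `VAULT_SEAL_TYPE` override still assigns the raw environment string into the same variable, so the typed default gives no guarantee about what `sealType` holds afterwards; a one-line comment to that effect would save a reader from assuming it does.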
@@ -578,9 +578,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 var seal vault.Seal
 defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
-Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
-Logger: c.logger.Named("shamir"),
-}),
+Wrapper: aeadwrapper.NewShamirWrapper(),
 })
 sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
 wrapper, sealConfigError = configutil.ConfigureWrapper(configSeal, &infoKeys, &info, sealLogger)
@@ -594,9 +592,12 @@ func (c *ServerCommand) runRecoveryMode() int {
 if wrapper == nil {
 seal = defaultSeal
 } else {
-seal = vault.NewAutoSeal(&vaultseal.Access{
+seal, err = vault.NewAutoSeal(&vaultseal.Access{
 Wrapper: wrapper,
 })
+if err != nil {
+c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err))
+}
 }
 barrierSeal = seal
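Review bot: The new error check in the `else` branch reports through `c.UI.Error` but does not return, so when `vault.NewAutoSeal` fails execution falls through to `barrierSeal = seal` with whatever `seal` holds on the error path (by Go convention an unusable or nil value) and recovery mode carries on without a working barrier seal. Add the return inside the check, `if err != nil { c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err)); return 1 }`, which also matches how the same call in `setSeal` later in this file propagates the error instead of swallowing it. The assignment uses `=` on an `err` declared before the hunk, and `runRecoveryMode` continues past it.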
@@ -2350,24 +2351,28 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 var wrapper wrapping.Wrapper
 var barrierWrapper wrapping.Wrapper
 if c.flagDevAutoSeal {
-barrierSeal = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
+var err error
+barrierSeal, err = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
+if err != nil {
+return nil, nil, nil, nil, nil, err
+}
 return barrierSeal, nil, nil, nil, nil, nil
 }
 // Handle the case where no seal is provided
 switch len(config.Seals) {
 case 0:
-config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
+config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
 case 1:
 // If there's only one seal and it's disabled assume they want to
 // migrate to a shamir seal and simply didn't provide it
 if config.Seals[0].Disabled {
-config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
+config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
 }
 }
 var createdSeals []vault.Seal = make([]vault.Seal, len(config.Seals))
 for _, configSeal := range config.Seals {
-sealType := wrapping.Shamir
+sealType := wrapping.WrapperTypeShamir.String()
 if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
 sealType = os.Getenv("VAULT_SEAL_TYPE")
 configSeal.Type = sealType
@@ -2379,9 +2384,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
 c.allLoggers = append(c.allLoggers, sealLogger)
 defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
-Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
-Logger: c.logger.Named("shamir"),
-}),
+Wrapper: aeadwrapper.NewShamirWrapper(),
 })
 var sealInfoKeys []string
 sealInfoMap := map[string]string{}
@@ -2395,9 +2398,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 if wrapper == nil {
 seal = defaultSeal
 } else {
-seal = vault.NewAutoSeal(&vaultseal.Access{
+var err error
+seal, err = vault.NewAutoSeal(&vaultseal.Access{
 Wrapper: wrapper,
 })
+if err != nil {
+return nil, nil, nil, nil, nil, err
+}
 }
 infoPrefix := ""
 if configSeal.Disabled {
diff --git a/command/server/server_seal_transit_acc_test.go b/command/server/server_seal_transit_acc_test.go
index e7d4d00e5..3f13aee93 100644
--- a/command/server/server_seal_transit_acc_test.go
+++ b/command/server/server_seal_transit_acc_test.go
@@ -26,7 +26,7 @@ func TestTransitWrapper_Lifecycle(t *testing.T) {
 "key_name": config.keyName,
 }
-kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
+kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
 if err != nil {
 t.Fatalf("error setting wrapper config: %v", err)
 }
@@ -72,7 +72,7 @@ func TestTransitSeal_TokenRenewal(t *testing.T) {
 "mount_path": config.mountPath,
 "key_name": config.keyName,
 }
-kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
+kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
 if err != nil {
 t.Fatalf("error setting wrapper config: %v", err)
 }
diff --git a/go.mod b/go.mod
index af05c59b3..b237c911d 100644
--- a/go.mod
+++ b/go.mod
@@ -25,13 +25,13 @@ require (
 github.com/SAP/go-hdb v0.14.1
 github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
 github.com/aerospike/aerospike-client-go/v5 v5.6.0
-github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f
+github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5
 github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
 github.com/armon/go-metrics v0.4.0
 github.com/armon/go-radix v1.0.0
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
-github.com/aws/aws-sdk-go v1.43.4
+github.com/aws/aws-sdk-go v1.43.8
 github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
 github.com/cenkalti/backoff/v3 v3.2.2
 github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0
@@ -66,7 +66,15 @@ require (
 github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192
 github.com/hashicorp/go-gcp-common v0.8.0
 github.com/hashicorp/go-hclog v1.2.2
-github.com/hashicorp/go-kms-wrapping v0.7.0
+github.com/hashicorp/go-kms-wrapping v0.7.1
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d
+github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4
+github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1
+github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0
+github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1
+github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0
+github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0
+github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1
 github.com/hashicorp/go-memdb v1.3.3
 github.com/hashicorp/go-msgpack v1.1.5
 github.com/hashicorp/go-multierror v1.1.1
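Review bot: The v1 module `github.com/hashicorp/go-kms-wrapping` is bumped to v0.7.1 and kept as a direct requirement alongside the new `/v2` core and wrapper modules, so two major versions of the seal/KMS library now ship in the binary and both have to be tracked for advisories. If nothing imports v1 after this migration, `go mod tidy` should drop it; if some package still does, a `// TODO: remaining v1 importer: <package>` comment beside that require line tells the next reader why both stay. The v2 core is pinned to a pseudo-version (`v2.0.6-0.20220722192355-a843f53fa48d`, an untagged commit) while every wrapper module is a tagged release, which means the cryptographic core of the seal is built from a pre-release commit; worth a note or follow-up to move to a tagged v2 core once one is published.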
@@ -203,7 +211,7 @@ require (
 cloud.google.com/go/kms v1.4.0 // indirect
 code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect
 github.com/Azure/azure-pipeline-go v0.2.3 // indirect
-github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
+github.com/Azure/azure-sdk-for-go v62.0.0+incompatible // indirect
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
@@ -341,6 +349,7 @@ require (
 github.com/opencontainers/image-spec v1.0.2 // indirect
 github.com/opencontainers/runc v1.0.2 // indirect
 github.com/openlyinc/pointy v1.1.2 // indirect
+github.com/oracle/oci-go-sdk/v60 v60.0.0 // indirect
 github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
 github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
 github.com/pierrec/lz4 v2.6.1+incompatible // indirect
@@ -356,6 +365,7 @@ require (
 github.com/sirupsen/logrus v1.8.1 // indirect
 github.com/snowflakedb/gosnowflake v1.6.3 // indirect
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/stretchr/objx v0.4.0 // indirect
 github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
@@ -387,7 +397,7 @@ require (
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
-gopkg.in/ini.v1 v1.62.0 // indirect
+gopkg.in/ini.v1 v1.66.2 // indirect
 gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
 gopkg.in/resty.v1 v1.12.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index f0a894956..90567faed 100644
--- a/go.sum
+++ b/go.sum
@@ -75,8 +75,8 @@ github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9mo
 github.com/Azure/azure-sdk-for-go v36.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v44.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v58.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v61.4.0+incompatible h1:BF2Pm3aQWIa6q9KmxyF1JYKYXtVw67vtvu2Wd54NGuY=
-github.com/Azure/azure-sdk-for-go v61.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v62.0.0+incompatible h1:8N2k27SYtc12qj5nTsuFMFJPZn5CGmgMWqTy4y9I7Jw=
+github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
 github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
@@ -212,8 +212,9 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
-github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f h1:oRD16bhpKNAanfcDDVU+J0NXqsgHIvGbbe/sy+r6Rs0=
 github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f/go.mod h1:myCDvQSzCW+wB1WAlocEru4wMGJxy+vlxHdhegi1CDQ=
+github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499 h1:P2FUu1/xkj4abuHcqdRQO9ZAYc9hSWG5c5gifsU/Ogc=
+github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5 h1:nWDRPCyCltiTsANwC/n3QZH7Vww33Npq9MKqlwRzI/c=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
@@ -242,8 +243,8 @@ github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo
 github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.43.4 h1:EtsGbtOB+1548T6Nb62XCOofgXtMHwf+WZh5gQc3xTY=
-github.com/aws/aws-sdk-go v1.43.4/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc=
+github.com/aws/aws-sdk-go v1.43.8 h1:8a/M9C4l5CxFNM6IuNx4F1p+ITJEX12VxWxUQo61cbc=
+github.com/aws/aws-sdk-go v1.43.8/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.8.0 h1:HcN6yDnHV9S7D69E7To0aUppJhiJNEzQSNcUxc7r3qo=
 github.com/aws/aws-sdk-go-v2 v1.8.0/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
 github.com/aws/aws-sdk-go-v2/config v1.6.0 h1:rtoCnNObhVm7me+v9sA2aY+NtHNZjjWWC3ifXVci+wE=
@@ -878,10 +879,26 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
 github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-kms-wrapping v0.7.0 h1:UBagVJn4nSNOSjjtpkR370VOEBLnGMXfQcIlE/WL/7o=
-github.com/hashicorp/go-kms-wrapping v0.7.0/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
+github.com/hashicorp/go-kms-wrapping v0.7.1 h1:SPdvddcmGjYkFrMROhRuW3VkOeVsNuEbpmfT7B1qSGM=
+github.com/hashicorp/go-kms-wrapping v0.7.1/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d h1:mOtPXWIp4cWKNt9S55IuYAdyUgNtCfUAEVIjcXDx59E=
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d/go.mod h1:sDQAfwJGv25uGPZA04x87ERglCG6avnRcBT9wYoMII8=
+github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4 h1:ws2CPDuXMKwaBb2z/duBCdnB9pSxlN2nuDZWXcVj6RU=
+github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4/go.mod h1:dDxt3GXi5QONVHYrJi2+EjsJLCUs59FktZQA8ZMnm+U=
+github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1 h1:ydUCtmr8f9F+mHZ1iCsvzqFTXqNVpewX3s9zcYipMKI=
+github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1/go.mod h1:Sl/ffzV57UAyjtSg1h5Km0rN5+dtzZJm1CUztkoCW2c=
+github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0 h1:RnTa2yQXHPP7CocgTAciNXcn5OG4wsqqENlMuUTXl74=
+github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0/go.mod h1:3D5UB9fjot4oUTYGQ5gGmhLJKreyLZeI0XB+NxcLTKs=
+github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1 h1:6joKpqCFveaNMEwC3qna67usws6DjdxqfCuQEHSM0aM=
+github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1/go.mod h1:sDmsWR/W2LqwU217o32RzdHMb/FywGLF72PVIhpZ3hE=
+github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0 h1:UE5bUOSPYqAUK+hV9ngxkQthltjhrYZHEbwqeh7hEq4=
+github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0/go.mod h1:YRtkersQ2N3iHlPDG5B3xBQtBsNZ3bjmlCwnrl26jVE=
+github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0 h1:FnWV2E0NLj+yYdhToUQjU81ayCMgURiL2WbJ0V7u/XY=
+github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0/go.mod h1:17twrc0lM8IpfGqIv69WQvwgDiu3nRwWlk5YfCSQduY=
+github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1 h1:72zlIBTJd2pvYmINqotpvcI4ZXLxhRq2cVPTuqv0xqY=
+github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1/go.mod h1:JytRAxdJViV+unUUWedb7uzEy5pgu7OurbqX0eHEikE=
 github.com/hashicorp/go-memdb v1.3.3 h1:oGfEWrFuxtIUF3W2q/Jzt6G85TrMk9ey6XfYLvVe1Wo=
 github.com/hashicorp/go-memdb v1.3.3/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
@@ -1403,6 +1420,8 @@ github.com/openlyinc/pointy v1.1.2/go.mod h1:w2Sytx+0FVuMKn37xpXIAyBNhFNBIJGR/v2
 github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
 github.com/oracle/oci-go-sdk v13.1.0+incompatible h1:inwbT0b/mMbnTfzYoW2xcU1cCMIlU6Fz973at5phRXM=
 github.com/oracle/oci-go-sdk v13.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
+github.com/oracle/oci-go-sdk/v60 v60.0.0 h1:EJAWjEi4SY5Raha6iUzq4LTQ0uM5YFw/wat/L1ehIEM=
+github.com/oracle/oci-go-sdk/v60 v60.0.0/go.mod h1:krz+2gkSzlSL/L4PvP0Z9pZpag9HYLNtsMd1PmxlA2w=
 github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA=
 github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
 github.com/ory/dockertest/v3 v3.8.0 h1:i5b0cJCd801qw0cVQUOH6dSpI9fT3j5tdWu0jKu90ks=
@@ -1561,6 +1580,8 @@ github.com/snowflakedb/gosnowflake v1.6.3/go.mod h1:6hLajn6yxuJ4xUHZegMekpq9rnQb
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d h1:bVQRCxQvfjNUeRqaY/uT0tFuvuFY0ulgnczuR684Xic=
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:Cw4GTlQccdRGSEf6KiMju767x0NEHE0YIVPJSaXjlsw=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0=
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
@@ -2393,8 +2414,9 @@ gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:a
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
+gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXtQ3VTbI=
 gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
 gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce h1:xcEWjVhvbDy+nHP67nPDDpbYrY+ILlfndk4bRioVHaU=
diff --git a/helper/testhelpers/seal/sealhelper.go b/helper/testhelpers/seal/sealhelper.go
index 7705126f9..4087f6fc0 100644
--- a/helper/testhelpers/seal/sealhelper.go
+++ b/helper/testhelpers/seal/sealhelper.go
@@ -57,7 +57,7 @@ func (tss *TransitSealServer) MakeKey(t testing.T, key string) {
 }
 }
-func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
+func (tss *TransitSealServer) MakeSeal(t testing.T, key string) (vault.Seal, error) {
 client := tss.Cores[0].Client
 wrapperConfig := map[string]string{
 "address": client.Address(),
@@ -66,7 +66,7 @@ func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
 "key_name": key,
 "tls_ca_cert": tss.CACertPEMFile,
 }
-transitSeal, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
+transitSeal, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
 if err != nil {
 t.Fatalf("error setting wrapper config: %v", err)
 }
diff --git a/http/sys_init_test.go b/http/sys_init_test.go
index 38a15f6cc..4953c4244 100644
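Review bot: `MakeSeal` now returns `(vault.Seal, error)`, yet the visible failure path inside it still aborts the test with `t.Fatalf("error setting wrapper config: %v", err)` instead of returning, so callers get a mixed contract in which some failures are fatal and others come back as a value they must check. Either return here as well, `return nil, fmt.Errorf("setting wrapper config: %w", err)`, or keep the old signature and `t.Fatal` on whatever now produces the new error; the rest of `MakeSeal`, where that error presumably originates, is outside the hunk.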
--- a/http/sys_init_test.go
+++ b/http/sys_init_test.go
@@ -151,7 +151,10 @@ func TestSysInit_Put_ValidateParams(t *testing.T) {
 func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
 testSeal := seal.NewTestSeal(nil)
-autoSeal := vault.NewAutoSeal(testSeal)
+autoSeal, err := vault.NewAutoSeal(testSeal)
+if err != nil {
+t.Fatal(err)
+}
 autoSeal.SetType("transit")
 // Create the transit server.
diff --git a/internalshared/configutil/encrypt_decrypt.go b/internalshared/configutil/encrypt_decrypt.go
index 7f0602ef0..1e9f83090 100644
--- a/internalshared/configutil/encrypt_decrypt.go
+++ b/internalshared/configutil/encrypt_decrypt.go
@@ -8,7 +8,7 @@ import (
 "fmt"
 "regexp"
-wrapping "github.com/hashicorp/go-kms-wrapping"
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "google.golang.org/protobuf/proto"
 )
@@ -71,7 +71,7 @@ func EncryptDecrypt(rawStr string, decrypt, strip bool, wrapper wrapping.Wrapper
 if err != nil {
 return "", fmt.Errorf("error decoding encrypted parameter: %w", err)
 }
-inBlob := new(wrapping.EncryptedBlobInfo)
+inBlob := new(wrapping.BlobInfo)
 if err := proto.Unmarshal(inMsg, inBlob); err != nil {
 return "", fmt.Errorf("error unmarshaling encrypted parameter: %w", err)
 }
diff --git a/internalshared/configutil/encrypt_decrypt_test.go b/internalshared/configutil/encrypt_decrypt_test.go
index bc4a7f5fb..b9257bb6c 100644
--- a/internalshared/configutil/encrypt_decrypt_test.go
+++ b/internalshared/configutil/encrypt_decrypt_test.go
@@ -6,7 +6,7 @@ import (
 "encoding/base64"
 "testing"
-wrapping "github.com/hashicorp/go-kms-wrapping"
+wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "google.golang.org/protobuf/proto"
 )
@@ -51,7 +51,7 @@ telemetry {
 if err != nil {
 t.Fatal(err)
 }
-inBlob := new(wrapping.EncryptedBlobInfo)
+inBlob := new(wrapping.BlobInfo)
 if err := proto.Unmarshal(inMsg, inBlob); err != nil {
 t.Fatal(err)
 }
@@ -89,18 +89,24 @@ telemetry {
 type reversingWrapper struct{}
-func (r *reversingWrapper) Type() string { return "reversing" }
-func (r *reversingWrapper) KeyID() string { return "reverser" }
-func (r *reversingWrapper) HMACKeyID() string { return "" }
-func (r *reversingWrapper) Init(_ context.Context) error { return nil }
-func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
-func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ []byte) (*wrapping.EncryptedBlobInfo, error) {
-return &wrapping.EncryptedBlobInfo{
+func (r *reversingWrapper) Type(_ context.Context) (wrapping.WrapperType, error) {
+return "reverser", nil
+}
+func (r *reversingWrapper) KeyId(_ context.Context) (string, error) { return "reverser", nil }
+func (r *reversingWrapper) HMACKeyID() string { return "" }
+func (r *reversingWrapper) Init(_ context.Context) error { return nil }
+func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
+func (r *reversingWrapper) SetConfig(_ context.Context, opts ...wrapping.Option) (*wrapping.WrapperConfig, error) {
+return &wrapping.WrapperConfig{}, nil
+}
+
+func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ ...wrapping.Option) (*wrapping.BlobInfo, error) {
+return &wrapping.BlobInfo{
 Ciphertext: r.reverse(input),
 }, nil
 }
-func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.EncryptedBlobInfo, _ []byte) ([]byte, error) {
+func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.BlobInfo, _ ...wrapping.Option) ([]byte, error) {
 return r.reverse(input.Ciphertext), nil
 }
diff --git a/internalshared/configutil/kms.go b/internalshared/configutil/kms.go
index 9f6d74899..78da77662 100644
--- a/internalshared/configutil/kms.go
+++ b/internalshared/configutil/kms.go
@@ -1,6 +1,7 @@
 package configutil
 import (
+"context"
 "crypto/rand"
 "fmt"
 "io"
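Review bot: The rewritten `Type` method returns `"reverser"` where the old one returned `"reversing"`, so `Type` and `KeyId` now report the same string; that reads as a copy slip rather than an intended change, and `return "reversing", nil` keeps the wrapper type distinct from the key id as before. `HMACKeyID` is carried over with its v1 shape while every other method gained a `ctx` parameter and an error return; if the v2 `wrapping.Wrapper` interface no longer requires it, it is dead code in this test double — confirm against the v2 interface. A `var _ wrapping.Wrapper = (*reversingWrapper)(nil)` assertion beside the type, in the style already used for `KeyManager` in keymanager/passthrough.go, would make any interface mismatch a compile error rather than a runtime surprise.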
@@ -8,14 +9,14 @@ import ( "github.com/hashicorp/errwrap" "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping" - aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead" - "github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms" - "github.com/hashicorp/go-kms-wrapping/wrappers/awskms" - "github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault" - "github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms" - "github.com/hashicorp/go-kms-wrapping/wrappers/ocikms" - "github.com/hashicorp/go-kms-wrapping/wrappers/transit" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" + aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2" + "github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2" + "github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2" + "github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2" + "github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2" + "github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2" + "github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2" "github.com/hashicorp/go-multierror" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/hcl" 
@@ -159,41 +160,37 @@ func ParseKMSes(d string) ([]*KMS, error) { return result.Seals, nil } -func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger) (wrapping.Wrapper, error) { +func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger, opts ...wrapping.Option) (wrapping.Wrapper, error) { var wrapper wrapping.Wrapper var kmsInfo map[string]string var err error - opts := &wrapping.WrapperOptions{ - Logger: logger, - } - - switch configKMS.Type { - case wrapping.Shamir: + switch wrapping.WrapperType(configKMS.Type) { + case wrapping.WrapperTypeShamir: return nil, nil - case wrapping.AEAD: - wrapper, kmsInfo, err = GetAEADKMSFunc(opts, configKMS) + case wrapping.WrapperTypeAead: + wrapper, kmsInfo, err = GetAEADKMSFunc(configKMS, opts...) - case wrapping.AliCloudKMS: - wrapper, kmsInfo, err = GetAliCloudKMSFunc(opts, configKMS) + case wrapping.WrapperTypeAliCloudKms: + wrapper, kmsInfo, err = GetAliCloudKMSFunc(configKMS, opts...) - case wrapping.AWSKMS: - wrapper, kmsInfo, err = GetAWSKMSFunc(opts, configKMS) + case wrapping.WrapperTypeAwsKms: + wrapper, kmsInfo, err = GetAWSKMSFunc(configKMS, opts...) - case wrapping.AzureKeyVault: - wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(opts, configKMS) + case wrapping.WrapperTypeAzureKeyVault: + wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(configKMS, opts...) - case wrapping.GCPCKMS: - wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(opts, configKMS) + case wrapping.WrapperTypeGcpCkms: + wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(configKMS, opts...) - case wrapping.OCIKMS: - wrapper, kmsInfo, err = GetOCIKMSKMSFunc(opts, configKMS) + case wrapping.WrapperTypeOciKms: + wrapper, kmsInfo, err = GetOCIKMSKMSFunc(configKMS, opts...) - case wrapping.Transit: - wrapper, kmsInfo, err = GetTransitKMSFunc(opts, configKMS) + case wrapping.WrapperTypeTransit: + wrapper, kmsInfo, err = GetTransitKMSFunc(configKMS, opts...) 
- case wrapping.PKCS11: + case wrapping.WrapperTypePkcs11: return nil, fmt.Errorf("KMS type 'pkcs11' requires the Vault Enterprise HSM binary") default: @@ -214,9 +211,9 @@ func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]strin return wrapper, nil } -func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := aeadwrapper.NewWrapper(opts) - wrapperInfo, err := wrapper.SetConfig(kms.Config) +func GetAEADKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := aeadwrapper.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), opts...) if err != nil { return nil, nil, err } @@ -226,14 +223,14 @@ func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, if len(kms.Purpose) > 0 { str = fmt.Sprintf("%v %s", kms.Purpose, str) } - info[str] = wrapperInfo["aead_type"] + info[str] = wrapperInfo.Metadata["aead_type"] } return wrapper, info, nil } -func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := alicloudkms.NewWrapper(opts) - wrapperInfo, err := wrapper.SetConfig(kms.Config) +func GetAliCloudKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := alicloudkms.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config)) if err != nil { // If the error is any other than logical.KeyNotFoundError, return the error if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) { 
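Review bot: `logger` is still a parameter of `configureWrapper` but nothing reads it any more: the `WrapperOptions{Logger: logger}` block was removed and the logger is not converted into an option, so the wrappers built here no longer receive the caller's logger. Either forward it as an option the v2 wrappers accept alongside `opts`, or drop the parameter and update the callers outside this hunk so the signature does not promise something it does not do. Until then a comment on the parameter, `// logger: currently unused after the go-kms-wrapping v2 migration`, would at least make the gap visible.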
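Review bot: `GetAEADKMSFunc` calls `wrapper.SetConfig(context.Background(), opts...)` without `kms.Config`, while every other constructor in this file (AliCloud, AWS, Azure, GCP, OCI and Transit in the hunks below) passes `wrapping.WithConfigMap(kms.Config)` and silently discards `opts`. Unless the caller already packs the seal stanza into `opts`, the aead wrapper never sees the configured key or `aead_type`, and the `wrapperInfo.Metadata["aead_type"]` read a few lines later will be empty; conversely the cloud wrappers ignore whatever options `configureWrapper` forwarded, including the logger if one is ever added. One consistent call for all seven constructors would be `wrapperInfo, err := wrapper.SetConfig(context.Background(), append([]wrapping.Option{wrapping.WithConfigMap(kms.Config)}, opts...)...)`.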
@@ -242,18 +239,18 @@ func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapp } info := make(map[string]string) if wrapperInfo != nil { - info["AliCloud KMS Region"] = wrapperInfo["region"] - info["AliCloud KMS KeyID"] = wrapperInfo["kms_key_id"] - if domain, ok := wrapperInfo["domain"]; ok { + info["AliCloud KMS Region"] = wrapperInfo.Metadata["region"] + info["AliCloud KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"] + if domain, ok := wrapperInfo.Metadata["domain"]; ok { info["AliCloud KMS Domain"] = domain } } return wrapper, info, nil } -var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := awskms.NewWrapper(opts) - wrapperInfo, err := wrapper.SetConfig(kms.Config) +var GetAWSKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := awskms.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config)) if err != nil { // If the error is any other than logical.KeyNotFoundError, return the error if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) { 
@@ -262,18 +259,18 @@ var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrap } info := make(map[string]string) if wrapperInfo != nil { - info["AWS KMS Region"] = wrapperInfo["region"] - info["AWS KMS KeyID"] = wrapperInfo["kms_key_id"] - if endpoint, ok := wrapperInfo["endpoint"]; ok { + info["AWS KMS Region"] = wrapperInfo.Metadata["region"] + info["AWS KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"] + if endpoint, ok := wrapperInfo.Metadata["endpoint"]; ok { info["AWS KMS Endpoint"] = endpoint } } return wrapper, info, nil } -func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := azurekeyvault.NewWrapper(opts) - wrapperInfo, err := wrapper.SetConfig(kms.Config) +func GetAzureKeyVaultKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := azurekeyvault.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config)) if err != nil { // If the error is any other than logical.KeyNotFoundError, return the error if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) { 
@@ -282,16 +279,16 @@ func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping. } info := make(map[string]string) if wrapperInfo != nil { - info["Azure Environment"] = wrapperInfo["environment"] - info["Azure Vault Name"] = wrapperInfo["vault_name"] - info["Azure Key Name"] = wrapperInfo["key_name"] + info["Azure Environment"] = wrapperInfo.Metadata["environment"] + info["Azure Vault Name"] = wrapperInfo.Metadata["vault_name"] + info["Azure Key Name"] = wrapperInfo.Metadata["key_name"] } return wrapper, info, nil } -func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := gcpckms.NewWrapper(opts) - wrapperInfo, err := wrapper.SetConfig(kms.Config) +func GetGCPCKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := gcpckms.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config)) if err != nil { // If the error is any other than logical.KeyNotFoundError, return the error if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) { 
@@ -300,33 +297,33 @@ func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrappe } info := make(map[string]string) if wrapperInfo != nil { - info["GCP KMS Project"] = wrapperInfo["project"] - info["GCP KMS Region"] = wrapperInfo["region"] - info["GCP KMS Key Ring"] = wrapperInfo["key_ring"] - info["GCP KMS Crypto Key"] = wrapperInfo["crypto_key"] + info["GCP KMS Project"] = wrapperInfo.Metadata["project"] + info["GCP KMS Region"] = wrapperInfo.Metadata["region"] + info["GCP KMS Key Ring"] = wrapperInfo.Metadata["key_ring"] + info["GCP KMS Crypto Key"] = wrapperInfo.Metadata["crypto_key"] } return wrapper, info, nil } -func GetOCIKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := ocikms.NewWrapper(opts) - wrapperInfo, err := wrapper.SetConfig(kms.Config) +func GetOCIKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := ocikms.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config)) if err != nil { return nil, nil, err } info := make(map[string]string) if wrapperInfo != nil { - info["OCI KMS KeyID"] = wrapperInfo[ocikms.KMSConfigKeyID] - info["OCI KMS Crypto Endpoint"] = wrapperInfo[ocikms.KMSConfigCryptoEndpoint] - info["OCI KMS Management Endpoint"] = wrapperInfo[ocikms.KMSConfigManagementEndpoint] - info["OCI KMS Principal Type"] = wrapperInfo["principal_type"] + info["OCI KMS KeyID"] = wrapperInfo.Metadata[ocikms.KmsConfigKeyId] + info["OCI KMS Crypto Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigCryptoEndpoint] + info["OCI KMS Management Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigManagementEndpoint] + info["OCI KMS Principal Type"] = wrapperInfo.Metadata["principal_type"] } return wrapper, info, nil } -var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) { - wrapper := transit.NewWrapper(opts) - 
wrapperInfo, err := wrapper.SetConfig(kms.Config) +var GetTransitKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) { + wrapper := transit.NewWrapper() + wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config)) if err != nil { // If the error is any other than logical.KeyNotFoundError, return the error if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) { @@ -335,10 +332,10 @@ var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping. } info := make(map[string]string) if wrapperInfo != nil { - info["Transit Address"] = wrapperInfo["address"] - info["Transit Mount Path"] = wrapperInfo["mount_path"] - info["Transit Key Name"] = wrapperInfo["key_name"] - if namespace, ok := wrapperInfo["namespace"]; ok { + info["Transit Address"] = wrapperInfo.Metadata["address"] + info["Transit Mount Path"] = wrapperInfo.Metadata["mount_path"] + info["Transit Key Name"] = wrapperInfo.Metadata["key_name"] + if namespace, ok := wrapperInfo.Metadata["namespace"]; ok { info["Transit Namespace"] = namespace } } diff --git a/physical/raft/raft.go b/physical/raft/raft.go index 411437713..409ff52ee 100644 --- a/physical/raft/raft.go +++ b/physical/raft/raft.go @@ -17,7 +17,7 @@ import ( "github.com/armon/go-metrics" "github.com/golang/protobuf/proto" log "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/go-raftchunking" "github.com/hashicorp/go-secure-stdlib/tlsutil" "github.com/hashicorp/go-uuid" @@ -1801,7 +1801,7 @@ func (s sealer) Open(ctx context.Context, ct []byte) ([]byte, error) { return nil, errors.New("no seal access available") } - var eblob wrapping.EncryptedBlobInfo + var eblob wrapping.BlobInfo err := proto.Unmarshal(ct, &eblob) if err != nil { return nil, err diff --git a/vault/core.go b/vault/core.go index 763ab180d..f96b38315 100644 --- a/vault/core.go 
+++ b/vault/core.go @@ -22,11 +22,13 @@ import ( "sync/atomic" "time" + "github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2" + "github.com/armon/go-metrics" "github.com/hashicorp/errwrap" log "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping" - aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" + aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2" "github.com/hashicorp/go-multierror" "github.com/hashicorp/go-secure-stdlib/mlock" "github.com/hashicorp/go-secure-stdlib/reloadutil" @@ -93,6 +95,8 @@ const ( // forwardToActive to trigger forwarding if a perf standby encounters // an SSC Token that it does not have the WAL state for. ForwardSSCTokenToActive = "new_token" + + WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto") ) var ( @@ -190,7 +194,7 @@ type unlockInformation struct { } type raftInformation struct { - challenge *wrapping.EncryptedBlobInfo + challenge *wrapping.BlobInfo leaderClient *api.Client leaderBarrierConfig *SealConfig nonVoter bool @@ -961,10 +965,11 @@ func CreateCore(conf *CoreConfig) (*Core, error) { } if c.seal == nil { + wrapper := aeadwrapper.NewShamirWrapper() + wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir"))) + c.seal = NewDefaultSeal(&vaultseal.Access{ - Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{ - Logger: c.logger.Named("shamir"), - }), + Wrapper: wrapper, }) } c.seal.SetCore(c) 
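Review bot: `WrapperTypeHsmAutoDeprecated` is a new exported constant with no doc comment, in a const block whose neighbour is documented. A reader has to find `adjustForSealMigration` to learn why "hsm-auto" matters; a comment such as `// WrapperTypeHsmAutoDeprecated is the seal type name written by the deprecated "hsm-auto" seal; adjustForSealMigration skips stored barrier configs of this type because they need an upgrade first.` would save that trip.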
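Review bot: The added `wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))` discards both return values, so a configuration error on the default seal's wrapper is ignored at the point the core is built, and `go vet`/staticcheck will flag the unchecked error. The option also comes from the `awskms` package while the wrapper is `aeadwrapper.NewShamirWrapper()`; v2 wrappers generally interpret only their own option type, so if the aead wrapper does not recognise an awskms option the logger is silently never attached, and `awskms/v2` is imported into core.go (in its own import group) for nothing. Check the error, e.g. `if _, err := wrapper.SetConfig(context.Background(), /* aead-accepted options */); err != nil { return nil, fmt.Errorf("configuring shamir wrapper: %w", err) }`, and use a logger option the aead wrapper actually accepts or drop the call if there is none.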
@@ -1368,10 +1373,10 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error { func (c *Core) unsealWithRaft(combinedKey []byte) error { ctx := context.Background() - if c.seal.BarrierType() == wrapping.Shamir { + if c.seal.BarrierType() == wrapping.WrapperTypeShamir { // If this is a legacy shamir seal this serves no purpose but it // doesn't hurt. - err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey) + err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey) if err != nil { return err } @@ -1540,7 +1545,7 @@ func (c *Core) sealMigrated(ctx context.Context) (bool, error) { return false, err } - if existBarrierSealConfig.Type != c.seal.BarrierType() { + if existBarrierSealConfig.Type != c.seal.BarrierType().String() { return false, nil } if c.seal.RecoveryKeySupported() && existRecoverySealConfig.Type != c.seal.RecoveryType() { @@ -1622,7 +1627,7 @@ func (c *Core) migrateSeal(ctx context.Context) error { } // We have recovery keys; we're going to use them as the new shamir KeK. - err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveryKey) + err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveryKey) if err != nil { return fmt.Errorf("failed to set master key in seal: %w", err) } @@ -2496,7 +2501,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi // In older versions of vault the default seal would not store a type. This // is here to offer backwards compatibility for older seal configs. if barrierConf.Type == "" { - barrierConf.Type = wrapping.Shamir + barrierConf.Type = wrapping.WrapperTypeShamir.String() } var recoveryConf *SealConfig 
@@ -2516,7 +2521,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi // In older versions of vault the default seal would not store a type. This // is here to offer backwards compatibility for older seal configs. if recoveryConf.Type == "" { - recoveryConf.Type = wrapping.Shamir + recoveryConf.Type = wrapping.WrapperTypeShamir.String() } } 
@@ -2551,31 +2556,30 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error { // If we don't have an existing config or if it's the deprecated auto seal // which needs an upgrade, skip out - if existBarrierSealConfig == nil || existBarrierSealConfig.Type == wrapping.HSMAutoDeprecated { + if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() { return nil } if unwrapSeal == nil { // With unwrapSeal==nil, either we're not migrating, or we're migrating // from shamir. + switch { - case existBarrierSealConfig.Type == c.seal.BarrierType(): + case existBarrierSealConfig.Type == c.seal.BarrierType().String(): // We have the same barrier type and the unwrap seal is nil so we're not // migrating from same to same, IOW we assume it's not a migration. return nil - case c.seal.BarrierType() == wrapping.Shamir: + case c.seal.BarrierType() == wrapping.WrapperTypeShamir: // The stored barrier config is not shamir, there is no disabled seal // in config, and either no configured seal (which equates to Shamir) // or an explicitly configured Shamir seal. return fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration", existBarrierSealConfig.Type) - case existBarrierSealConfig.Type == wrapping.Shamir: + case existBarrierSealConfig.Type == wrapping.WrapperTypeShamir.String(): // The configured seal is not Shamir, the stored seal config is Shamir. // This is a migration away from Shamir. unwrapSeal = NewDefaultSeal(&vaultseal.Access{ - Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{ - Logger: c.logger.Named("shamir"), - }), + Wrapper: aeadwrapper.NewShamirWrapper(), }) default: // We know at this point that there is a configured non-Shamir seal, 
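Review bot: `aeadwrapper.NewShamirWrapper()` is now created without the `c.logger.Named("shamir")` logger the removed `WrapperOptions` attached, and the same drop occurs for the `testseal` wrappers in hunk @@ -2739 (unsealKeyToMasterKey) and in rekey.go hunk @@ -396, while `CreateCore` at least attempts to attach a logger via `SetConfig`. If the v2 shamir wrapper logs anything, those messages are now lost on the migration and rekey paths; if it logs nothing, a comment such as `// the v2 shamir wrapper takes no logger; configure via SetConfig if one is needed` would stop the next reader from wondering. The blank line inserted between the comment and `switch {`, and likewise before the `if` in hunk @@ -2587, separates the explanatory comments from the statements they describe and should be removed.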
@@ -2587,7 +2591,8 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error { } else { // If we're not coming from Shamir we expect the previous seal to be // in the config and disabled. - if unwrapSeal.BarrierType() == wrapping.Shamir { + + if unwrapSeal.BarrierType() == wrapping.WrapperTypeShamir { return errors.New("Shamir seals cannot be set disabled (they should simply not be set)") } } @@ -2597,7 +2602,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error { unwrapSeal.SetCore(c) // No stored recovery seal config found, what about the legacy recovery config? - if existBarrierSealConfig.Type != wrapping.Shamir && existRecoverySealConfig == nil { + if existBarrierSealConfig.Type != wrapping.WrapperTypeShamir.String() && existRecoverySealConfig == nil { entry, err := c.physical.Get(ctx, recoverySealConfigPath) if err != nil { return fmt.Errorf("failed to read %q recovery seal configuration: %w", existBarrierSealConfig.Type, err) @@ -2611,7 +2616,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error { c.migrationInfo = &migrationInformation{ seal: unwrapSeal, } - if existBarrierSealConfig.Type != c.seal.BarrierType() { + if existBarrierSealConfig.Type != c.seal.BarrierType().String() { // It's unnecessary to call this when doing an auto->auto // same-seal-type migration, since they'll have the same configs before // and after migration. @@ -2645,7 +2650,7 @@ func (c *Core) migrateSealConfig(ctx context.Context) error { // recovery config to a clone of shamir's barrier config with stored // keys set to 0. bc = &SealConfig{ - Type: c.seal.BarrierType(), + Type: c.seal.BarrierType().String(), SecretShares: 1, SecretThreshold: 1, StoredShares: 1, 
@@ -2684,7 +2689,7 @@ func (c *Core) adjustSealConfigDuringMigration(existBarrierSealConfig, existReco // recovery config to a clone of shamir's barrier config with stored // keys set to 0. newBarrierSealConfig := &SealConfig{ - Type: c.seal.BarrierType(), + Type: c.seal.BarrierType().String(), SecretShares: 1, SecretThreshold: 1, StoredShares: 1, @@ -2739,9 +2744,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey case vaultseal.StoredKeysSupportedShamirRoot: if useTestSeal { testseal := NewDefaultSeal(&vaultseal.Access{ - Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{ - Logger: c.logger.Named("testseal"), - }), + Wrapper: aeadwrapper.NewShamirWrapper(), }) testseal.SetCore(c) cfg, err := seal.BarrierConfig(ctx) @@ -2752,7 +2755,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey seal = testseal } - err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey) + err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey) if err != nil { return nil, fmt.Errorf("failed to setup unseal key: %w", err) } diff --git a/vault/external_tests/raft/raft_test.go b/vault/external_tests/raft/raft_test.go index 8f90ec208..f9f3fabe1 100644 --- a/vault/external_tests/raft/raft_test.go +++ b/vault/external_tests/raft/raft_test.go @@ -549,9 +549,13 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) { t.Parallel() seal, setErr := vaultseal.NewToggleableTestSeal(nil) + autoSeal, err := vault.NewAutoSeal(seal) + if err != nil { + t.Fatal(err) + } cluster := raftCluster(t, &RaftClusterOpts{ NumCores: 1, - Seal: vault.NewAutoSeal(seal), + Seal: autoSeal, }) defer cluster.Cleanup() 
@@ -582,7 +586,7 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) { setErr(errors.New("seal failure")) // Take a snapshot - err := leaderClient.Sys().RaftSnapshot(w) + err = leaderClient.Sys().RaftSnapshot(w) w.Close() if err == nil || err != api.ErrIncompleteSnapshot { t.Fatalf("expected err=%v, got: %v", api.ErrIncompleteSnapshot, err) diff --git a/vault/external_tests/sealmigration/testshared.go b/vault/external_tests/sealmigration/testshared.go index 625983058..e817af789 100644 --- a/vault/external_tests/sealmigration/testshared.go +++ b/vault/external_tests/sealmigration/testshared.go @@ -132,7 +132,11 @@ func ParamTestSealMigrationShamirToTransit_Post14(t *testing.T, logger hclog.Log // Migrate the backend from shamir to transit. opts.SealFunc = func() vault.Seal { - return tss.MakeSeal(t, sealKeyName) + seal, err := tss.MakeSeal(t, sealKeyName) + if err != nil { + t.Fatal(err) + } + return seal } // Restart each follower with the new config, and migrate to Transit. @@ -173,7 +177,11 @@ func ParamTestSealMigration_TransitToTransit(t *testing.T, logger hclog.Logger, // Migrate the backend from transit to transit. opts.UnwrapSealFunc = opts.SealFunc opts.SealFunc = func() vault.Seal { - return tss2.MakeSeal(t, "transit-seal-key-2") + seal, err := tss2.MakeSeal(t, "transit-seal-key-2") + if err != nil { + t.Fatal(err) + } + return seal } leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys) validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit) @@ -279,7 +287,11 @@ func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage SkipInit: true, // N.B. Providing a transit seal puts us in migration mode. SealFunc: func() vault.Seal { - return tss.MakeSeal(t, "transit-seal-key") + seal, err := tss.MakeSeal(t, "transit-seal-key") + if err != nil { + t.Fatal(err) + } + return seal }, } storage.Setup(&conf, &opts) 
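Review bot: The new `SealFunc` closures call `t.Fatal(err)` when `tss.MakeSeal` fails; `t.Fatal` must run on the goroutine executing the test, and if the cluster invokes `SealFunc` from a background goroutine (not visible here) a seal error becomes a runtime panic or a hung test rather than a clean failure. The same pattern appears in hunks @@ -173 and @@ -279 of this file and in hunk @@ -697 below. If `SealFunc` can run off the test goroutine, prefer having `MakeSeal` fail the test itself (it already receives `t`) or surfacing the error through the cluster options; otherwise a comment `// SealFunc runs on the test goroutine, so t.Fatal is safe here` records why this is acceptable.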
@@ -697,7 +709,11 @@ func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.Re BaseListenAddress: fmt.Sprintf("127.0.0.1:%d", basePort), BaseClusterListenPort: baseClusterPort, SealFunc: func() vault.Seal { - return tss.MakeSeal(t, sealKeyName) + seal, err := tss.MakeSeal(t, sealKeyName) + if err != nil { + t.Fatal(err) + } + return seal }, } storage.Setup(&conf, &opts) diff --git a/vault/ha.go b/vault/ha.go index c79d62b26..c2d55bbf1 100644 --- a/vault/ha.go +++ b/vault/ha.go @@ -13,7 +13,7 @@ import ( "github.com/armon/go-metrics" "github.com/hashicorp/errwrap" - aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead" + aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2" "github.com/hashicorp/go-multierror" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/namespace" @@ -869,7 +869,7 @@ func (c *Core) reloadShamirKey(ctx context.Context) error { } shamirKey = keyring.rootKey } - return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(shamirKey) + return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(shamirKey) } func (c *Core) performKeyUpgrades(ctx context.Context) error { diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index f30edf598..d7a5c3cc4 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -1774,7 +1774,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor nextExpiration = k.ExpireAt } - // Mark the KeyID as in use so it doesn't get deleted in the next step + // Mark the KeyId as in use so it doesn't get deleted in the next step usedKeys = append(usedKeys, k.KeyID) } diff --git a/vault/init.go b/vault/init.go index f092da294..e148ef365 100644 --- a/vault/init.go +++ b/vault/init.go 
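Review bot: The comment change in identity_store_oidc.go looks like collateral from the `KeyID`→`KeyId` rename in go-kms-wrapping v2: the field appended on the next line is still `k.KeyID`, which belongs to the OIDC key struct and has nothing to do with the wrapping API, so the comment now names an identifier that does not exist here. Revert it to `// Mark the KeyID as in use so it doesn't get deleted in the next step`.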
@@ -9,11 +9,11 @@ import ( "net/url" "sync/atomic" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/vault/physical/raft" "github.com/hashicorp/vault/vault/seal" - aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead" + aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/pgpkeys" "github.com/hashicorp/vault/shamir" @@ -276,7 +276,8 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes var sealKey []byte var sealKeyShares [][]byte - if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.Shamir { + + if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.WrapperTypeShamir { sealKey, sealKeyShares, err = c.generateShares(barrierConfig) if err != nil { c.logger.Error("error generating shares", "error", err) @@ -324,7 +325,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes switch c.seal.StoredKeysSupported() { case seal.StoredKeysSupportedShamirRoot: keysToStore := [][]byte{barrierKey} - if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(sealKey); err != nil { + if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(sealKey); err != nil { c.logger.Error("failed to set seal key", "error", err) return nil, fmt.Errorf("failed to set seal key: %w", err) } @@ -439,7 +440,7 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error { c.unsealWithStoredKeysLock.Lock() defer c.unsealWithStoredKeysLock.Unlock() - if c.seal.BarrierType() == wrapping.Shamir { + if c.seal.BarrierType() == wrapping.WrapperTypeShamir { return nil } diff --git a/vault/init_test.go b/vault/init_test.go index 99a9fc57c..079693cff 100644 --- a/vault/init_test.go +++ b/vault/init_test.go 
@@ -6,7 +6,7 @@ import ( "testing" log "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/vault/sdk/helper/logging" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/physical/inmem" @@ -89,7 +89,7 @@ func testCore_Init_Common(t *testing.T, c *Core, conf *CoreConfig, barrierConf, t.Fatalf("err: %v", err) } - if c.seal.BarrierType() == wrapping.Shamir && len(res.SecretShares) != barrierConf.SecretShares { + if c.seal.BarrierType() == wrapping.WrapperTypeShamir && len(res.SecretShares) != barrierConf.SecretShares { t.Fatalf("Bad: got\n%#v\nexpected conf matching\n%#v\n", *res, *barrierConf) } if recoveryConf != nil { diff --git a/vault/logical_system.go b/vault/logical_system.go index f0b0d3ef8..3771e536b 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -4181,7 +4181,7 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error if sealConfig == nil { return &SealStatusResponse{ - Type: core.SealAccess().BarrierType(), + Type: core.SealAccess().BarrierType().String(), Initialized: initialized, Sealed: true, RecoverySeal: core.SealAccess().RecoveryKeySupported(), diff --git a/vault/logical_system_raft.go b/vault/logical_system_raft.go index 3516828cb..62145663f 100644 --- a/vault/logical_system_raft.go +++ b/vault/logical_system_raft.go @@ -10,7 +10,7 @@ import ( "time" "github.com/golang/protobuf/proto" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/helper/namespace" 
@@ -572,7 +572,7 @@ func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool) framework.Ope case err == nil: case strings.Contains(err.Error(), "failed to open the sealed hashes"): switch b.Core.seal.BarrierType() { - case wrapping.Shamir: + case wrapping.WrapperTypeShamir: return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different set of unseal keys; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest default: return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different autoseal key; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest diff --git a/vault/raft.go b/vault/raft.go index 46cf87398..15bc01312 100644 --- a/vault/raft.go +++ b/vault/raft.go @@ -17,7 +17,7 @@ import ( "github.com/hashicorp/go-discover" discoverk8s "github.com/hashicorp/go-discover/provider/k8s" "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/go-secure-stdlib/tlsutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/api" @@ -660,7 +660,7 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co // The snapshot contained a root key or keyring we couldn't // recover switch c.seal.BarrierType() { - case wrapping.Shamir: + case wrapping.WrapperTypeShamir: // If we are a shamir seal we can't do anything. Just // seal all nodes. @@ -804,7 +804,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati return nil, err } - if sealConfig.Type != c.seal.BarrierType() { + if sealConfig.Type != c.seal.BarrierType().String() { return nil, fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierType()) } 
@@ -817,7 +817,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err) } - eBlob := &wrapping.EncryptedBlobInfo{} + eBlob := &wrapping.BlobInfo{} if err := proto.Unmarshal(challengeRaw, eBlob); err != nil { return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err) } @@ -913,7 +913,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo // If we're using Shamir and using raft for both physical and HA, we // need to block until the node is unsealed, unless retry is set to // false. - if c.seal.BarrierType() == wrapping.Shamir && !c.isRaftHAOnly() { + if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !c.isRaftHAOnly() { c.raftInfo.Store(raftInfo) if err := c.seal.SetBarrierConfig(ctx, raftInfo.leaderBarrierConfig); err != nil { return err @@ -936,7 +936,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo return fmt.Errorf("failed to send answer to raft leader node: %w", err) } - if c.seal.BarrierType() == wrapping.Shamir && !isRaftHAOnly { + if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !isRaftHAOnly { // Reset the state c.raftInfo.Store((*raftInformation)(nil)) diff --git a/vault/rekey.go b/vault/rekey.go index 9ee4c4663..742543a55 100644 --- a/vault/rekey.go +++ b/vault/rekey.go @@ -9,8 +9,8 @@ import ( "fmt" "net/http" - wrapping "github.com/hashicorp/go-kms-wrapping" - aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" + aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/pgpkeys" "github.com/hashicorp/vault/sdk/helper/consts" 
@@ -169,7 +169,7 @@ func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedErr // BarrierRekeyInit is used to initialize the rekey settings for the barrier key func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError { switch c.seal.BarrierType() { - case wrapping.Shamir: + case wrapping.WrapperTypeShamir: // As of Vault 1.3 all seals use StoredShares==1. The one exception is // legacy shamir seals, which we can read but not write (by design). // So if someone does a rekey, regardless of their intention, we're going @@ -396,15 +396,13 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) c.logger.Error("rekey recovery key verification failed", "error", err) return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("recovery key verification failed: %w", err).Error()) } - case c.seal.BarrierType() == wrapping.Shamir: + case c.seal.BarrierType() == wrapping.WrapperTypeShamir: if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot { testseal := NewDefaultSeal(&seal.Access{ - Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{ - Logger: c.logger.Named("testseal"), - }), + Wrapper: aeadwrapper.NewShamirWrapper(), }) testseal.SetCore(c) - err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveredKey) + err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveredKey) if err != nil { return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to setup unseal key: %w", err).Error()) } 
@@ -532,7 +530,7 @@ func (c *Core) performBarrierRekey(ctx context.Context, newSealKey []byte) logic } if c.seal.StoredKeysSupported() != seal.StoredKeysSupportedGeneric { - err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(newSealKey) + err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(newSealKey) if err != nil { return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to update barrier seal key: %w", err).Error()) } diff --git a/vault/rekey_test.go b/vault/rekey_test.go index 4e84e7f83..5224db532 100644 --- a/vault/rekey_test.go +++ b/vault/rekey_test.go @@ -154,7 +154,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str if recovery { expType = c.seal.RecoveryType() } else { - expType = c.seal.BarrierType() + expType = c.seal.BarrierType().String() } newConf := &SealConfig{ diff --git a/vault/seal.go b/vault/seal.go index ae9f07144..1fdfcacef 100644 --- a/vault/seal.go +++ b/vault/seal.go @@ -13,7 +13,7 @@ import ( "github.com/hashicorp/vault/sdk/physical" "github.com/golang/protobuf/proto" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/vault/vault/seal" "github.com/keybase/go-crypto/openpgp" "github.com/keybase/go-crypto/openpgp/packet" @@ -59,7 +59,7 @@ type Seal interface { SealWrapable() bool SetStoredKeys(context.Context, [][]byte) error GetStoredKeys(context.Context) ([][]byte, error) - BarrierType() string + BarrierType() wrapping.WrapperType BarrierConfig(context.Context) (*SealConfig, error) SetBarrierConfig(context.Context, *SealConfig) error SetCachedBarrierConfig(*SealConfig) 
@@ -119,8 +119,8 @@ func (d *defaultSeal) Finalize(ctx context.Context) error { return nil } -func (d *defaultSeal) BarrierType() string { - return wrapping.Shamir +func (d *defaultSeal) BarrierType() wrapping.WrapperType { + return wrapping.WrapperTypeShamir } func (d *defaultSeal) StoredKeysSupported() seal.StoredKeysSupport { @@ -193,8 +193,8 @@ func (d *defaultSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) { switch conf.Type { // This case should not be valid for other types as only this is the default case "": - conf.Type = d.BarrierType() - case d.BarrierType(): + conf.Type = d.BarrierType().String() + case d.BarrierType().String(): default: d.core.logger.Error("barrier seal type does not match expected type", "barrier_seal_type", conf.Type, "loaded_seal_type", d.BarrierType()) return nil, fmt.Errorf("barrier seal type of %q does not match expected type of %q", conf.Type, d.BarrierType()) @@ -222,7 +222,7 @@ func (d *defaultSeal) SetBarrierConfig(ctx context.Context, config *SealConfig) return nil } - config.Type = d.BarrierType() + config.Type = d.BarrierType().String() // If we are doing a raft unseal we do not want to persist the barrier config // because storage isn't setup yet. @@ -477,7 +477,7 @@ func readStoredKeys(ctx context.Context, storage physical.Backend, encryptor *se return nil, nil } - blobInfo := &wrapping.EncryptedBlobInfo{} + blobInfo := &wrapping.BlobInfo{} if err := proto.Unmarshal(pe.Value, blobInfo); err != nil { return nil, fmt.Errorf("failed to proto decode stored keys: %w", err) } diff --git a/vault/seal/envelope.go b/vault/seal/envelope.go index 6558fc54c..b3165e9f7 100644 --- a/vault/seal/envelope.go +++ b/vault/seal/envelope.go @@ -5,11 +5,11 @@ import ( "time" metrics "github.com/armon/go-metrics" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" ) type Envelope struct { - envelope *wrapping.Envelope + envelope *wrapping.EnvelopeInfo once sync.Once } 
@@ -18,19 +18,19 @@ func NewEnvelope() *Envelope {
 }
 func (e *Envelope) init() {
- e.envelope = new(wrapping.Envelope)
+ e.envelope = new(wrapping.EnvelopeInfo)
 }
 func (e *Envelope) Encrypt(plaintext, aad []byte) (*wrapping.EnvelopeInfo, error) {
 defer metrics.MeasureSince([]string{"seal", "envelope", "encrypt"}, time.Now())
 e.once.Do(e.init)
- return e.envelope.Encrypt(plaintext, aad)
+ return wrapping.EnvelopeEncrypt(plaintext, wrapping.WithAad(aad))
 }
 func (e *Envelope) Decrypt(data *wrapping.EnvelopeInfo, aad []byte) ([]byte, error) {
 defer metrics.MeasureSince([]string{"seal", "envelope", "decrypt"}, time.Now())
 e.once.Do(e.init)
- return e.envelope.Decrypt(data, aad)
+ return wrapping.EnvelopeDecrypt(data, wrapping.WithAad(aad))
 }
diff --git a/vault/seal/seal.go b/vault/seal/seal.go
index 009e775b9..913bc8227 100644
--- a/vault/seal/seal.go
+++ b/vault/seal/seal.go
@@ -5,7 +5,7 @@ import (
 "time"
 metrics "github.com/armon/go-metrics"
- wrapping "github.com/hashicorp/go-kms-wrapping"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 type StoredKeysSupport int
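Review bot: After this hunk `e.once.Do(e.init)` in both `Encrypt` and `Decrypt` still allocates `e.envelope`, but neither method reads it any more — both now delegate to the package-level `wrapping.EnvelopeEncrypt` / `wrapping.EnvelopeDecrypt`. The `envelope` field, `init` and the `once` guard look dead after this change; either remove them (and the two `e.once.Do(e.init)` calls) or add a comment on the struct explaining why the state is kept. The `Envelope` struct and `NewEnvelope` are in the previous hunk of this file, outside this one.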
@@ -35,54 +35,74 @@ func (s StoredKeysSupport) String() string {
 // specific to encrypting and decrypting data, or in this case keys.
 type Access struct {
 wrapping.Wrapper
- OverriddenType string
+ WrapperType wrapping.WrapperType
 }
-func (a *Access) SetType(t string) {
- a.OverriddenType = t
-}
-
-func (a *Access) Type() string {
- if a.OverriddenType != "" {
- return a.OverriddenType
+func (a *Access) Init(ctx context.Context) error {
+ if initWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
+ return initWrapper.Init(ctx)
 }
- return a.Wrapper.Type()
+ return nil
+}
+
+func (a *Access) SetType(t wrapping.WrapperType) {
+ a.WrapperType = t
+}
+
+func (a *Access) Type(ctx context.Context) (wrapping.WrapperType, error) {
+ if a != nil && a.WrapperType != "" {
+ return a.WrapperType, nil
+ }
+ return a.Wrapper.Type(ctx)
 }
 // Encrypt uses the underlying seal to encrypt the plaintext and returns it.
-func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.EncryptedBlobInfo, err error) {
+func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.BlobInfo, err error) {
+ wTyp, err := a.Wrapper.Type(ctx)
+ if err != nil {
+ return nil, err
+ }
+
 defer func(now time.Time) {
 metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
- metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "encrypt", "time"}, now)
+ metrics.MeasureSince([]string{"seal", wTyp.String(), "encrypt", "time"}, now)
 if err != nil {
 metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
- metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt", "error"}, 1)
+ metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt", "error"}, 1)
 }
 }(time.Now())
 metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
- metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt"}, 1)
+ metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt"}, 1)
- return a.Wrapper.Encrypt(ctx, plaintext, aad)
+ return a.Wrapper.Encrypt(ctx, plaintext, wrapping.WithAad(aad))
 }
 // Decrypt uses the underlying seal to decrypt the cryptotext and returns it.
 // Note that it is possible depending on the wrapper used that both pt and err
 // are populated.
-func (a *Access) Decrypt(ctx context.Context, data *wrapping.EncryptedBlobInfo, aad []byte) (pt []byte, err error) {
+func (a *Access) Decrypt(ctx context.Context, data *wrapping.BlobInfo, aad []byte) (pt []byte, err error) {
+ wTyp, err := a.Wrapper.Type(ctx)
 defer func(now time.Time) {
 metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
- metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "decrypt", "time"}, now)
+ metrics.MeasureSince([]string{"seal", wTyp.String(), "decrypt", "time"}, now)
 if err != nil {
 metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
- metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt", "error"}, 1)
+ metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt", "error"}, 1)
 }
 }(time.Now())
 metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
- metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt"}, 1)
+ metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt"}, 1)
- return a.Wrapper.Decrypt(ctx, data, aad)
+ return a.Wrapper.Decrypt(ctx, data, wrapping.WithAad(aad))
+}
+
+func (a *Access) Finalize(ctx context.Context) error {
+ if finalizeWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
+ return finalizeWrapper.Finalize(ctx)
+ }
+ return nil
 }
diff --git a/vault/seal/seal_testing.go b/vault/seal/seal_testing.go
index 3f05fea0a..fc33e4d9a 100644
--- a/vault/seal/seal_testing.go
+++ b/vault/seal/seal_testing.go
@@ -5,14 +5,14 @@ import (
 "sync"
 "github.com/hashicorp/go-hclog"
- wrapping "github.com/hashicorp/go-kms-wrapping"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 type TestSealOpts struct {
 Logger hclog.Logger
 StoredKeys StoredKeysSupport
 Secret []byte
- Name string
+ Name wrapping.WrapperType
 }
 func NewTestSeal(opts *TestSealOpts) *Access {
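Review bot: In `Access.Decrypt` the error from `wTyp, err := a.Wrapper.Type(ctx)` is assigned to the named result `err` but never checked, so a failing `Type` call is silently overwritten by the later `a.Wrapper.Decrypt` result and the metric labels are emitted with a zero `wTyp`; `Encrypt` in the same hunk does check it. Add `if err != nil { return nil, err }` directly after that line so the two methods behave the same. Separately, `Access.Type` guards `a != nil` only on the cached-type branch and then dereferences `a.Wrapper` on a nil receiver, so the nil check is partial; either drop it or return an error for a nil `Access`.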
@@ -21,8 +21,8 @@ func NewTestSeal(opts *TestSealOpts) *Access {
 }
 return &Access{
- Wrapper: wrapping.NewTestWrapper(opts.Secret),
- OverriddenType: opts.Name,
+ Wrapper: wrapping.NewTestWrapper(opts.Secret),
+ WrapperType: opts.Name,
 }
 }
@@ -33,8 +33,8 @@ func NewToggleableTestSeal(opts *TestSealOpts) (*Access, func(error)) {
 w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
 return &Access{
- Wrapper: w,
- OverriddenType: opts.Name,
+ Wrapper: w,
+ WrapperType: opts.Name,
 }, w.SetError
 }
@@ -44,22 +44,22 @@ type ToggleableWrapper struct {
 l sync.RWMutex
 }
-func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, bytes2 []byte) (*wrapping.EncryptedBlobInfo, error) {
+func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, opts ...wrapping.Option) (*wrapping.BlobInfo, error) {
 t.l.RLock()
 defer t.l.RUnlock()
 if t.error != nil {
 return nil, t.error
 }
- return t.Wrapper.Encrypt(ctx, bytes, bytes2)
+ return t.Wrapper.Encrypt(ctx, bytes, opts...)
 }
-func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.EncryptedBlobInfo, bytes []byte) ([]byte, error) {
+func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {
 t.l.RLock()
 defer t.l.RUnlock()
 if t.error != nil {
 return nil, t.error
 }
- return t.Wrapper.Decrypt(ctx, info, bytes)
+ return t.Wrapper.Decrypt(ctx, info, opts...)
 }
 func (t *ToggleableWrapper) SetError(err error) {
diff --git a/vault/seal_access.go b/vault/seal_access.go
index 050702320..cd7b8e417 100644
--- a/vault/seal_access.go
+++ b/vault/seal_access.go
@@ -3,6 +3,8 @@ package vault
 import (
 "context"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+
 "github.com/hashicorp/vault/vault/seal"
 )
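Review bot: The rewritten `Decrypt` keeps a value receiver (`func (t ToggleableWrapper) Decrypt(...)`) while `Encrypt` and `SetError` use `*ToggleableWrapper`; since the struct carries `l sync.RWMutex`, every `Decrypt` call copies the mutex and `t.l.RLock()` locks the copy, so it does not actually exclude a concurrent `SetError` (which presumably takes the write lock outside this hunk), and `go vet`'s copylocks check flags the signature. Change it to `func (t *ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {`. This is test-support code, so the practical effect is racy toggle tests rather than production behaviour.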
@@ -21,7 +23,7 @@ func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport {
 return s.seal.StoredKeysSupported()
 }
-func (s *SealAccess) BarrierType() string {
+func (s *SealAccess) BarrierType() wrapping.WrapperType {
 return s.seal.BarrierType()
 }
diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go
index 12bcc1a9d..59afd3596 100644
--- a/vault/seal_autoseal.go
+++ b/vault/seal_autoseal.go
@@ -13,7 +13,7 @@ import (
 proto "github.com/golang/protobuf/proto"
 log "github.com/hashicorp/go-hclog"
- wrapping "github.com/hashicorp/go-kms-wrapping"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "github.com/hashicorp/vault/sdk/physical"
 "github.com/hashicorp/vault/vault/seal"
 )
@@ -21,7 +21,7 @@ import (
 // barrierTypeUpgradeCheck checks for backwards compat on barrier type, not
 // applicable in the OSS side
 var (
- barrierTypeUpgradeCheck = func(_ string, _ *SealConfig) {}
+ barrierTypeUpgradeCheck = func(_ wrapping.WrapperType, _ *SealConfig) {}
 autoSealUnavailableDuration = []string{"seal", "unreachable", "time"}
 // vars for unit testings
 sealHealthTestIntervalNominal = 10 * time.Minute
@@ -47,13 +47,19 @@ type autoSeal struct {
 // Ensure we are implementing the Seal interface
 var _ Seal = (*autoSeal)(nil)
-func NewAutoSeal(lowLevel *seal.Access) *autoSeal {
+func NewAutoSeal(lowLevel *seal.Access) (*autoSeal, error) {
 ret := &autoSeal{
 Access: lowLevel,
 }
 ret.barrierConfig.Store((*SealConfig)(nil))
 ret.recoveryConfig.Store((*SealConfig)(nil))
- return ret
+
+ var err error
+ ret.WrapperType, err = ret.Type(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return ret, nil
 }
 func (d *autoSeal) SealWrapable() bool {
@@ -87,8 +93,8 @@ func (d *autoSeal) Finalize(ctx context.Context) error {
 return d.Access.Finalize(ctx)
 }
-func (d *autoSeal) BarrierType() string {
- return d.Type()
+func (d *autoSeal) BarrierType() wrapping.WrapperType {
+ return d.WrapperType
 }
 func (d *autoSeal) StoredKeysSupported() seal.StoredKeysSupport {
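Review bot: `NewAutoSeal` resolves the wrapper type with `ret.Type(context.Background())`, so if a wrapper's v2 `Type(ctx)` does any remote work (the context parameter suggests some may) the caller has no way to cancel or bound it, and a hung KMS call would block seal construction indefinitely. Consider `func NewAutoSeal(ctx context.Context, lowLevel *seal.Access) (*autoSeal, error)` and passing the context through, mirroring what this same commit does for `NewPassthroughKeyManager`. Also worth a one-line comment on the new `ret.WrapperType` assignment: `BarrierType` now returns this cached value rather than re-querying the wrapper, so the type is fixed at construction time.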
@@ -120,12 +126,16 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error { return fmt.Errorf("no stored keys found") } - blobInfo := &wrapping.EncryptedBlobInfo{} + blobInfo := &wrapping.BlobInfo{} if err := proto.Unmarshal(pe.Value, blobInfo); err != nil { return fmt.Errorf("failed to proto decode stored keys: %w", err) } - if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() { + keyId, err := d.Access.KeyId(ctx) + if err != nil { + return err + } + if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId { d.logger.Info("upgrading stored keys") pt, err := d.Decrypt(ctx, blobInfo, nil) @@ -147,11 +157,11 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error { } // UpgradeKeys re-encrypts and saves the stored keys and the recovery key -// with the current key if the current KeyID is different from the KeyID +// with the current key if the current KeyId is different from the KeyId // the stored keys and the recovery key are encrypted with. The provided // Context must be non-nil. func (d *autoSeal) UpgradeKeys(ctx context.Context) error { - // Many of the seals update their keys to the latest KeyID when Encrypt + // Many of the seals update their keys to the latest KeyId when Encrypt // is called. if _, err := d.Encrypt(ctx, []byte("a"), nil); err != nil { return err @@ -206,7 +216,7 @@ func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) { barrierTypeUpgradeCheck(d.BarrierType(), conf) - if conf.Type != d.BarrierType() { + if conf.Type != d.BarrierType().String() { d.logger.Error("barrier seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.BarrierType()) return nil, fmt.Errorf("barrier seal type of %q does not match loaded type of %q", conf.Type, d.BarrierType()) } 
@@ -225,7 +235,7 @@ func (d *autoSeal) SetBarrierConfig(ctx context.Context, conf *SealConfig) error return nil } - conf.Type = d.BarrierType() + conf.Type = d.BarrierType().String() // Encode the seal configuration buf, err := json.Marshal(conf) @@ -436,7 +446,7 @@ func (d *autoSeal) getRecoveryKeyInternal(ctx context.Context) ([]byte, error) { return nil, fmt.Errorf("no recovery key found") } - blobInfo := &wrapping.EncryptedBlobInfo{} + blobInfo := &wrapping.BlobInfo{} if err := proto.Unmarshal(pe.Value, blobInfo); err != nil { return nil, fmt.Errorf("failed to proto decode stored keys: %w", err) } @@ -458,12 +468,17 @@ func (d *autoSeal) upgradeRecoveryKey(ctx context.Context) error { return fmt.Errorf("no recovery key found") } - blobInfo := &wrapping.EncryptedBlobInfo{} + blobInfo := &wrapping.BlobInfo{} if err := proto.Unmarshal(pe.Value, blobInfo); err != nil { return fmt.Errorf("failed to proto decode recovery key: %w", err) } - if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() { + keyId, err := d.Access.KeyId(ctx) + if err != nil { + return err + } + + if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId { d.logger.Info("upgrading recovery key") pt, err := d.Decrypt(ctx, blobInfo, nil) diff --git a/vault/seal_autoseal_test.go b/vault/seal_autoseal_test.go index 96901fa8a..6635bfc82 100644 --- a/vault/seal_autoseal_test.go +++ b/vault/seal_autoseal_test.go @@ -13,7 +13,7 @@ import ( "github.com/hashicorp/vault/helper/metricsutil" proto "github.com/golang/protobuf/proto" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/vault/sdk/physical" "github.com/hashicorp/vault/vault/seal" ) 
@@ -71,13 +71,17 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) { var encKeys []string changeKey := func(key string) { encKeys = append(encKeys, key) - testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyID(key) + testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyId(key) } // Set initial encryption key. changeKey("kaz") - autoSeal := NewAutoSeal(testSeal) + autoSeal, err := NewAutoSeal(testSeal) + if err != nil { + t.Fatal(err) + } + autoSeal.SetCore(core) pBackend := newTestBackend(t) core.physical = pBackend @@ -130,14 +134,14 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) { // in encKeys. Iterate over each phyEntry and verify it was // encrypted with its corresponding key in encKeys. for i, phyEntry := range phyEntries { - blobInfo := &wrapping.EncryptedBlobInfo{} + blobInfo := &wrapping.BlobInfo{} if err := proto.Unmarshal(phyEntry.Value, blobInfo); err != nil { t.Errorf("phyKey = %s: failed to proto decode stored keys: %s", phyKey, err) } if blobInfo.KeyInfo == nil { t.Errorf("phyKey = %s: KeyInfo missing: %+v", phyKey, blobInfo) } - if want, got := encKeys[i], blobInfo.KeyInfo.KeyID; want != got { + if want, got := encKeys[i], blobInfo.KeyInfo.KeyId; want != got { t.Errorf("phyKey = %s: Incorrect encryption key: want %s, got %s", phyKey, want, got) } } @@ -185,7 +189,11 @@ func TestAutoSeal_HealthCheck(t *testing.T) { }) sealHealthTestIntervalNominal = 10 * time.Millisecond sealHealthTestIntervalUnhealthy = 10 * time.Millisecond - autoSeal := NewAutoSeal(testSealAccess) + autoSeal, err := NewAutoSeal(testSealAccess) + if err != nil { + t.Fatal(err) + } + autoSeal.SetCore(core) core.seal = autoSeal autoSeal.StartHealthCheck() diff --git a/vault/seal_testing_util.go b/vault/seal_testing_util.go index 193ec62dd..f4dcc02fb 100644 --- a/vault/seal_testing_util.go +++ b/vault/seal_testing_util.go 
@@ -2,8 +2,7 @@ package vault
 import (
 "github.com/hashicorp/go-hclog"
- wrapping "github.com/hashicorp/go-kms-wrapping"
- aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+ aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 "github.com/hashicorp/vault/sdk/helper/logging"
 "github.com/hashicorp/vault/vault/seal"
 testing "github.com/mitchellh/go-testing-interface"
@@ -21,9 +20,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 switch opts.StoredKeys {
 case seal.StoredKeysSupportedShamirRoot:
 newSeal := NewDefaultSeal(&seal.Access{
- Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
- Logger: opts.Logger,
- }),
+ Wrapper: aeadwrapper.NewShamirWrapper(),
 })
 // Need StoredShares set or this will look like a legacy shamir seal.
 newSeal.SetCachedBarrierConfig(&SealConfig{
@@ -34,9 +31,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 return newSeal
 case seal.StoredKeysNotSupported:
 newSeal := NewDefaultSeal(&seal.Access{
- Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
- Logger: opts.Logger,
- }),
+ Wrapper: aeadwrapper.NewShamirWrapper(),
 })
 newSeal.SetCachedBarrierConfig(&SealConfig{
 StoredShares: 0,
@@ -45,6 +40,10 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 })
 return newSeal
 default:
- return NewAutoSeal(seal.NewTestSeal(opts))
+ seal, err := NewAutoSeal(seal.NewTestSeal(opts))
+ if err != nil {
+ t.Fatal(err)
+ }
+ return seal
 }
 }
diff --git a/vault/sealunwrapper.go b/vault/sealunwrapper.go
index c90ad9993..eb22fb3ef 100644
--- a/vault/sealunwrapper.go
+++ b/vault/sealunwrapper.go
@@ -9,7 +9,7 @@ import (
 proto "github.com/golang/protobuf/proto"
 log "github.com/hashicorp/go-hclog"
- wrapping "github.com/hashicorp/go-kms-wrapping"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 "github.com/hashicorp/vault/sdk/helper/locksutil"
 "github.com/hashicorp/vault/sdk/physical"
 )
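Review bot: In the `default` case of `NewTestSeal`, `seal, err := NewAutoSeal(seal.NewTestSeal(opts))` declares a local named `seal` that shadows the imported `seal` package for the remainder of the case block; it compiles only because the right-hand side is evaluated before the new binding takes effect, and any later reference to the package there would silently become a method lookup on the local. Rename the local, e.g. `s, err := NewAutoSeal(seal.NewTestSeal(opts))` and `return s`. The two `NewShamirWrapper()` hunks above drop `opts.Logger` without a replacement, which looks intentional with the v2 API but is worth a note in the commit message since `TestSealOpts.Logger` is now unused on this path.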
@@ -72,7 +72,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e } var performUnwrap bool - se := &wrapping.EncryptedBlobInfo{} + se := &wrapping.BlobInfo{} // If the value ends in our canary value, try to decode the bytes. eLen := len(entry.Value) if eLen > 0 && entry.Value[eLen-1] == 's' { @@ -109,7 +109,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e } performUnwrap = false - se = &wrapping.EncryptedBlobInfo{} + se = &wrapping.BlobInfo{} // If the value ends in our canary value, try to decode the bytes. eLen = len(entry.Value) if eLen > 0 && entry.Value[eLen-1] == 's' { diff --git a/vault/sealunwrapper_test.go b/vault/sealunwrapper_test.go index bd29e4f0b..339b9ec5b 100644 --- a/vault/sealunwrapper_test.go +++ b/vault/sealunwrapper_test.go @@ -10,7 +10,7 @@ import ( proto "github.com/golang/protobuf/proto" log "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/vault/sdk/physical" "github.com/hashicorp/vault/sdk/physical/inmem" ) @@ -57,7 +57,7 @@ func performTestSealUnwrapper(t *testing.T, phys physical.Backend, logger log.Lo // Save the original for comparison later origBytes := make([]byte, len(entry.Value)) copy(origBytes, entry.Value) - se := &wrapping.EncryptedBlobInfo{ + se := &wrapping.BlobInfo{ Ciphertext: entry.Value, } seb, err := proto.Marshal(se)