OSS portion of wrapper-v2 (#16811)

* OSS portion of wrapper-v2

* Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter

* Rename the OveriddenType to WrapperType and use it for the barrier type prefetch

* Fix unit test
This commit is contained in:
Scott Miller 2022-08-23 15:37:16 -04:00 committed by GitHub
parent 231f422822
commit 3bd38fd5dc
GPG key ID: 4AEE18F83AFDEB23
40 changed files with 406 additions and 288 deletions


@ -593,7 +593,7 @@ func (c *AgentCommand) Run(args []string) int {
c.UI.Warn(fmt.Sprintf("Failed to close persistent cache file after getting retrieval token: %s", err))
}
km, err := keymanager.NewPassthroughKeyManager(token)
km, err := keymanager.NewPassthroughKeyManager(ctx, token)
if err != nil {
c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
return 1
@ -657,7 +657,7 @@ func (c *AgentCommand) Run(args []string) int {
}
}
} else {
km, err := keymanager.NewPassthroughKeyManager(nil)
km, err := keymanager.NewPassthroughKeyManager(ctx, nil)
if err != nil {
c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
return 1
@ -675,7 +675,7 @@ func (c *AgentCommand) Run(args []string) int {
cacheLogger.Info("configured persistent storage", "path", config.Cache.Persist.Path)
// Stash the key material in bolt
token, err := km.RetrievalToken()
token, err := km.RetrievalToken(ctx)
if err != nil {
c.UI.Error(fmt.Sprintf("Error getting persistent key: %s", err))
return 1


@ -10,7 +10,7 @@ import (
"github.com/golang/protobuf/proto"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-multierror"
bolt "go.etcd.io/bbolt"
)
@ -228,7 +228,7 @@ func autoIncrementedLeaseKey(tx *bolt.Tx, id string) ([]byte, error) {
// Set an index (token or lease) in bolt storage
func (b *BoltStorage) Set(ctx context.Context, id string, plaintext []byte, indexType string) error {
blob, err := b.wrapper.Encrypt(ctx, plaintext, []byte(b.aad))
blob, err := b.wrapper.Encrypt(ctx, plaintext, wrapping.WithAad([]byte(b.aad)))
if err != nil {
return fmt.Errorf("error encrypting %s index: %w", indexType, err)
}
@ -296,12 +296,12 @@ func (b *BoltStorage) Delete(id string, indexType string) error {
}
func (b *BoltStorage) decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) {
var blob wrapping.EncryptedBlobInfo
var blob wrapping.BlobInfo
if err := proto.Unmarshal(ciphertext, &blob); err != nil {
return nil, err
}
return b.wrapper.Decrypt(ctx, &blob, []byte(b.aad))
return b.wrapper.Decrypt(ctx, &blob, wrapping.WithAad([]byte(b.aad)))
}
// GetByType returns a list of stored items of the specified type


@ -22,7 +22,7 @@ import (
func getTestKeyManager(t *testing.T) keymanager.KeyManager {
t.Helper()
km, err := keymanager.NewPassthroughKeyManager(nil)
km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
require.NoError(t, err)
return km
@ -286,7 +286,7 @@ func TestBolt_MigrateFromV1ToV2Schema(t *testing.T) {
// Manually insert some items into the v1 schema.
err = db.Update(func(tx *bolt.Tx) error {
blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"), []byte(""))
blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"))
if err != nil {
return fmt.Errorf("error encrypting contents: %w", err)
}


@ -1,6 +1,10 @@
package keymanager
import wrapping "github.com/hashicorp/go-kms-wrapping"
import (
"context"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
)
const (
KeyID = "root"
@ -12,5 +16,5 @@ type KeyManager interface {
// RetrievalToken is the material returned which can be used to source back the
// encryption key. Depending on the implementation, the token can be the
// encryption key itself or a token/identifier used to exchange the token.
RetrievalToken() ([]byte, error)
RetrievalToken(ctx context.Context) ([]byte, error)
}
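Review bot: The doc comment on RetrievalToken (the three comment lines above the changed signature) is unchanged although the method now takes a ctx, so implementers and callers are not told what the context governs. A closing sentence such as `// ctx is passed through to the underlying wrapper and bounds any key lookup it performs.` would make the contract explicit. If some implementations ignore ctx (the passthrough one appears to forward it to KeyBytes), the comment should also say cancellation is best-effort.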


@ -1,11 +1,12 @@
package keymanager
import (
"context"
"crypto/rand"
"fmt"
wrapping "github.com/hashicorp/go-kms-wrapping"
"github.com/hashicorp/go-kms-wrapping/wrappers/aead"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
)
var _ KeyManager = (*PassthroughKeyManager)(nil)
@ -17,7 +18,7 @@ type PassthroughKeyManager struct {
// NewPassthroughKeyManager returns a new instance of the Kube encryption key.
// If a key is provided, it will be used as the encryption key for the wrapper,
// otherwise one will be generated.
func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
func NewPassthroughKeyManager(ctx context.Context, key []byte) (*PassthroughKeyManager, error) {
var rootKey []byte = nil
switch len(key) {
case 0:
@ -33,13 +34,13 @@ func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
return nil, fmt.Errorf("invalid key size, should be 32, got %d", len(key))
}
wrapper := aead.NewWrapper(nil)
wrapper := aead.NewWrapper()
if _, err := wrapper.SetConfig(map[string]string{"key_id": KeyID}); err != nil {
if _, err := wrapper.SetConfig(ctx, wrapping.WithConfigMap(map[string]string{"key_id": KeyID})); err != nil {
return nil, err
}
if err := wrapper.SetAESGCMKeyBytes(rootKey); err != nil {
if err := wrapper.SetAesGcmKeyBytes(rootKey); err != nil {
return nil, err
}
@ -58,10 +59,10 @@ func (w *PassthroughKeyManager) Wrapper() wrapping.Wrapper {
// RetrievalToken returns the key that was used on the wrapper since this key
// manager is simply a passthrough and does not provide a mechanism to abstract
// this key.
func (w *PassthroughKeyManager) RetrievalToken() ([]byte, error) {
func (w *PassthroughKeyManager) RetrievalToken(ctx context.Context) ([]byte, error) {
if w.wrapper == nil {
return nil, fmt.Errorf("unable to get wrapper for token retrieval")
}
return w.wrapper.GetKeyBytes(), nil
return w.wrapper.KeyBytes(ctx)
}
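Review bot: The doc comment on NewPassthroughKeyManager still says it "returns a new instance of the Kube encryption key" and does not mention the new ctx parameter; within the visible hunk ctx is only handed to wrapper.SetConfig, so a line such as `// ctx is used only while configuring the underlying AEAD wrapper; it is not retained.` would stop callers assuming the manager is context-bound. The body of NewPassthroughKeyManager continues between the hunks, so confirm ctx is not used elsewhere before stating that. RetrievalToken now returns whatever KeyBytes(ctx) yields, so its comment could add that a wrapper error is surfaced to the caller instead of the bare key.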


@ -2,6 +2,7 @@ package keymanager
import (
"bytes"
"context"
"testing"
"github.com/stretchr/testify/require"
@ -30,9 +31,10 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
},
}
ctx := context.Background()
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
m, err := NewPassthroughKeyManager(tc.key)
m, err := NewPassthroughKeyManager(ctx, tc.key)
if tc.wantErr {
require.Error(t, err)
return
@ -43,7 +45,7 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
t.Fatalf("expected non-nil wrapper from the key manager")
}
token, err := m.RetrievalToken()
token, err := m.RetrievalToken(ctx)
if err != nil {
t.Fatalf("unable to retrieve token: %s", err)
}


@ -699,7 +699,7 @@ func TestLeaseCache_Concurrent_Cacheable(t *testing.T) {
func setupBoltStorage(t *testing.T) (tempCacheDir string, boltStorage *cacheboltdb.BoltStorage) {
t.Helper()
km, err := keymanager.NewPassthroughKeyManager(nil)
km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
require.NoError(t, err)
tempCacheDir, err = ioutil.TempDir("", "agent-cache-test")


@ -13,7 +13,7 @@ import (
"golang.org/x/term"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/docker/docker/pkg/ioutils"
"github.com/hashicorp/consul/api"
@ -455,7 +455,7 @@ func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error
}
// Ensure that the seal finalizer is called, even if using verify-only
defer func(seal *vault.Seal) {
sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType())
sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType().String())
finalizeSealContext, finalizeSealSpan := diagnose.StartSpan(ctx, "Finalize "+sealType+" Seal")
err = (*seal).Finalize(finalizeSealContext)
if err != nil {
@ -675,7 +675,7 @@ SEALFAIL:
if barrierSeal == nil {
return fmt.Errorf("Diagnose could not create a barrier seal object.")
}
if barrierSeal.BarrierType() == wrapping.Shamir {
if barrierSeal.BarrierType() == wrapping.WrapperTypeShamir {
diagnose.Skipped(ctx, "Skipping barrier encryption test. Only supported for auto-unseal.")
return nil
}


@ -24,8 +24,8 @@ import (
systemd "github.com/coreos/go-systemd/daemon"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/gatedwriter"
"github.com/hashicorp/go-secure-stdlib/mlock"
@ -556,7 +556,7 @@ func (c *ServerCommand) runRecoveryMode() int {
var wrapper wrapping.Wrapper
if len(config.Seals) == 0 {
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
}
if len(config.Seals) > 1 {
@ -565,7 +565,7 @@ func (c *ServerCommand) runRecoveryMode() int {
}
configSeal := config.Seals[0]
sealType := wrapping.Shamir
sealType := wrapping.WrapperTypeShamir.String()
if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
sealType = os.Getenv("VAULT_SEAL_TYPE")
configSeal.Type = sealType
@ -578,9 +578,7 @@ func (c *ServerCommand) runRecoveryMode() int {
var seal vault.Seal
defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: c.logger.Named("shamir"),
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
wrapper, sealConfigError = configutil.ConfigureWrapper(configSeal, &infoKeys, &info, sealLogger)
@ -594,9 +592,12 @@ func (c *ServerCommand) runRecoveryMode() int {
if wrapper == nil {
seal = defaultSeal
} else {
seal = vault.NewAutoSeal(&vaultseal.Access{
seal, err = vault.NewAutoSeal(&vaultseal.Access{
Wrapper: wrapper,
})
if err != nil {
c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err))
}
}
barrierSeal = seal
@ -2350,24 +2351,28 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
var wrapper wrapping.Wrapper
var barrierWrapper wrapping.Wrapper
if c.flagDevAutoSeal {
barrierSeal = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
var err error
barrierSeal, err = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
if err != nil {
return nil, nil, nil, nil, nil, err
}
return barrierSeal, nil, nil, nil, nil, nil
}
// Handle the case where no seal is provided
switch len(config.Seals) {
case 0:
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
case 1:
// If there's only one seal and it's disabled assume they want to
// migrate to a shamir seal and simply didn't provide it
if config.Seals[0].Disabled {
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
}
}
var createdSeals []vault.Seal = make([]vault.Seal, len(config.Seals))
for _, configSeal := range config.Seals {
sealType := wrapping.Shamir
sealType := wrapping.WrapperTypeShamir.String()
if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
sealType = os.Getenv("VAULT_SEAL_TYPE")
configSeal.Type = sealType
@ -2379,9 +2384,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
c.allLoggers = append(c.allLoggers, sealLogger)
defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: c.logger.Named("shamir"),
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
var sealInfoKeys []string
sealInfoMap := map[string]string{}
@ -2395,9 +2398,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
if wrapper == nil {
seal = defaultSeal
} else {
seal = vault.NewAutoSeal(&vaultseal.Access{
var err error
seal, err = vault.NewAutoSeal(&vaultseal.Access{
Wrapper: wrapper,
})
if err != nil {
return nil, nil, nil, nil, nil, err
}
}
infoPrefix := ""
if configSeal.Disabled {
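Review bot: In runRecoveryMode the new error branch after vault.NewAutoSeal (the `if err != nil` in the @ -594 hunk) only reports the failure and falls through, so a nil or partially built seal is assigned to barrierSeal on the very next line; add `return 1` after `c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err))`, mirroring the `return nil, nil, nil, nil, nil, err` path the same commit adds in setSeal. Because that assignment uses `=`, err must already be declared earlier in runRecoveryMode, outside the hunk, so check it is the intended variable and not a stale one. Separately, both `aeadwrapper.NewShamirWrapper()` calls drop the `c.logger.Named("shamir")` logger the v1 constructor received; if the v2 wrapper accepts a logger option, consider passing it so shamir seal logs keep their name. runRecoveryMode and setSeal both begin and end outside the hunks shown.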


@ -26,7 +26,7 @@ func TestTransitWrapper_Lifecycle(t *testing.T) {
"key_name": config.keyName,
}
kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
if err != nil {
t.Fatalf("error setting wrapper config: %v", err)
}
@ -72,7 +72,7 @@ func TestTransitSeal_TokenRenewal(t *testing.T) {
"mount_path": config.mountPath,
"key_name": config.keyName,
}
kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
if err != nil {
t.Fatalf("error setting wrapper config: %v", err)
}

20
go.mod

@ -25,13 +25,13 @@ require (
github.com/SAP/go-hdb v0.14.1
github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
github.com/aerospike/aerospike-client-go/v5 v5.6.0
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499
github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5
github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
github.com/armon/go-metrics v0.4.0
github.com/armon/go-radix v1.0.0
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
github.com/aws/aws-sdk-go v1.43.4
github.com/aws/aws-sdk-go v1.43.8
github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
github.com/cenkalti/backoff/v3 v3.2.2
github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0
@ -66,7 +66,15 @@ require (
github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192
github.com/hashicorp/go-gcp-common v0.8.0
github.com/hashicorp/go-hclog v1.2.2
github.com/hashicorp/go-kms-wrapping v0.7.0
github.com/hashicorp/go-kms-wrapping v0.7.1
github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d
github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4
github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1
github.com/hashicorp/go-memdb v1.3.3
github.com/hashicorp/go-msgpack v1.1.5
github.com/hashicorp/go-multierror v1.1.1
@ -203,7 +211,7 @@ require (
cloud.google.com/go/kms v1.4.0 // indirect
code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect
github.com/Azure/azure-pipeline-go v0.2.3 // indirect
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
@ -341,6 +349,7 @@ require (
github.com/opencontainers/image-spec v1.0.2 // indirect
github.com/opencontainers/runc v1.0.2 // indirect
github.com/openlyinc/pointy v1.1.2 // indirect
github.com/oracle/oci-go-sdk/v60 v60.0.0 // indirect
github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
@ -356,6 +365,7 @@ require (
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/snowflakedb/gosnowflake v1.6.3 // indirect
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stretchr/objx v0.4.0 // indirect
github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
@ -387,7 +397,7 @@ require (
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.62.0 // indirect
gopkg.in/ini.v1 v1.66.2 // indirect
gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
gopkg.in/resty.v1 v1.12.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect

38
go.sum

@ -75,8 +75,8 @@ github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9mo
github.com/Azure/azure-sdk-for-go v36.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v44.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v58.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible h1:BF2Pm3aQWIa6q9KmxyF1JYKYXtVw67vtvu2Wd54NGuY=
github.com/Azure/azure-sdk-for-go v61.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible h1:8N2k27SYtc12qj5nTsuFMFJPZn5CGmgMWqTy4y9I7Jw=
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
@ -212,8 +212,9 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f h1:oRD16bhpKNAanfcDDVU+J0NXqsgHIvGbbe/sy+r6Rs0=
github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f/go.mod h1:myCDvQSzCW+wB1WAlocEru4wMGJxy+vlxHdhegi1CDQ=
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499 h1:P2FUu1/xkj4abuHcqdRQO9ZAYc9hSWG5c5gifsU/Ogc=
github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU=
github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5 h1:nWDRPCyCltiTsANwC/n3QZH7Vww33Npq9MKqlwRzI/c=
github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
@ -242,8 +243,8 @@ github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo
github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
github.com/aws/aws-sdk-go v1.43.4 h1:EtsGbtOB+1548T6Nb62XCOofgXtMHwf+WZh5gQc3xTY=
github.com/aws/aws-sdk-go v1.43.4/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc=
github.com/aws/aws-sdk-go v1.43.8 h1:8a/M9C4l5CxFNM6IuNx4F1p+ITJEX12VxWxUQo61cbc=
github.com/aws/aws-sdk-go v1.43.8/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go-v2 v1.8.0 h1:HcN6yDnHV9S7D69E7To0aUppJhiJNEzQSNcUxc7r3qo=
github.com/aws/aws-sdk-go-v2 v1.8.0/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
github.com/aws/aws-sdk-go-v2/config v1.6.0 h1:rtoCnNObhVm7me+v9sA2aY+NtHNZjjWWC3ifXVci+wE=
@ -878,10 +879,26 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
github.com/hashicorp/go-kms-wrapping v0.7.0 h1:UBagVJn4nSNOSjjtpkR370VOEBLnGMXfQcIlE/WL/7o=
github.com/hashicorp/go-kms-wrapping v0.7.0/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
github.com/hashicorp/go-kms-wrapping v0.7.1 h1:SPdvddcmGjYkFrMROhRuW3VkOeVsNuEbpmfT7B1qSGM=
github.com/hashicorp/go-kms-wrapping v0.7.1/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs=
github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d h1:mOtPXWIp4cWKNt9S55IuYAdyUgNtCfUAEVIjcXDx59E=
github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d/go.mod h1:sDQAfwJGv25uGPZA04x87ERglCG6avnRcBT9wYoMII8=
github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4 h1:ws2CPDuXMKwaBb2z/duBCdnB9pSxlN2nuDZWXcVj6RU=
github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4/go.mod h1:dDxt3GXi5QONVHYrJi2+EjsJLCUs59FktZQA8ZMnm+U=
github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1 h1:ydUCtmr8f9F+mHZ1iCsvzqFTXqNVpewX3s9zcYipMKI=
github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1/go.mod h1:Sl/ffzV57UAyjtSg1h5Km0rN5+dtzZJm1CUztkoCW2c=
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0 h1:RnTa2yQXHPP7CocgTAciNXcn5OG4wsqqENlMuUTXl74=
github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0/go.mod h1:3D5UB9fjot4oUTYGQ5gGmhLJKreyLZeI0XB+NxcLTKs=
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1 h1:6joKpqCFveaNMEwC3qna67usws6DjdxqfCuQEHSM0aM=
github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1/go.mod h1:sDmsWR/W2LqwU217o32RzdHMb/FywGLF72PVIhpZ3hE=
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0 h1:UE5bUOSPYqAUK+hV9ngxkQthltjhrYZHEbwqeh7hEq4=
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0/go.mod h1:YRtkersQ2N3iHlPDG5B3xBQtBsNZ3bjmlCwnrl26jVE=
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0 h1:FnWV2E0NLj+yYdhToUQjU81ayCMgURiL2WbJ0V7u/XY=
github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0/go.mod h1:17twrc0lM8IpfGqIv69WQvwgDiu3nRwWlk5YfCSQduY=
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1 h1:72zlIBTJd2pvYmINqotpvcI4ZXLxhRq2cVPTuqv0xqY=
github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1/go.mod h1:JytRAxdJViV+unUUWedb7uzEy5pgu7OurbqX0eHEikE=
github.com/hashicorp/go-memdb v1.3.3 h1:oGfEWrFuxtIUF3W2q/Jzt6G85TrMk9ey6XfYLvVe1Wo=
github.com/hashicorp/go-memdb v1.3.3/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg=
github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
@ -1403,6 +1420,8 @@ github.com/openlyinc/pointy v1.1.2/go.mod h1:w2Sytx+0FVuMKn37xpXIAyBNhFNBIJGR/v2
github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
github.com/oracle/oci-go-sdk v13.1.0+incompatible h1:inwbT0b/mMbnTfzYoW2xcU1cCMIlU6Fz973at5phRXM=
github.com/oracle/oci-go-sdk v13.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
github.com/oracle/oci-go-sdk/v60 v60.0.0 h1:EJAWjEi4SY5Raha6iUzq4LTQ0uM5YFw/wat/L1ehIEM=
github.com/oracle/oci-go-sdk/v60 v60.0.0/go.mod h1:krz+2gkSzlSL/L4PvP0Z9pZpag9HYLNtsMd1PmxlA2w=
github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA=
github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
github.com/ory/dockertest/v3 v3.8.0 h1:i5b0cJCd801qw0cVQUOH6dSpI9fT3j5tdWu0jKu90ks=
@ -1561,6 +1580,8 @@ github.com/snowflakedb/gosnowflake v1.6.3/go.mod h1:6hLajn6yxuJ4xUHZegMekpq9rnQb
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d h1:bVQRCxQvfjNUeRqaY/uT0tFuvuFY0ulgnczuR684Xic=
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:Cw4GTlQccdRGSEf6KiMju767x0NEHE0YIVPJSaXjlsw=
github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0=
github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
@ -2393,8 +2414,9 @@ gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:a
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXtQ3VTbI=
gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce h1:xcEWjVhvbDy+nHP67nPDDpbYrY+ILlfndk4bRioVHaU=


@ -57,7 +57,7 @@ func (tss *TransitSealServer) MakeKey(t testing.T, key string) {
}
}
func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
func (tss *TransitSealServer) MakeSeal(t testing.T, key string) (vault.Seal, error) {
client := tss.Cores[0].Client
wrapperConfig := map[string]string{
"address": client.Address(),
@ -66,7 +66,7 @@ func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
"key_name": key,
"tls_ca_cert": tss.CACertPEMFile,
}
transitSeal, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
transitSeal, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
if err != nil {
t.Fatalf("error setting wrapper config: %v", err)
}
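Review bot: MakeSeal's signature now returns `(vault.Seal, error)`, but the GetTransitKMSFunc failure just below the signature still calls `t.Fatalf` rather than returning; if the added error return is meant to let callers handle failures, `return nil, fmt.Errorf("setting wrapper config: %w", err)` would be consistent, otherwise the error return is unused on this path. The rest of MakeSeal's body, where the new error value is presumably produced, lies outside the hunk.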


@ -151,7 +151,10 @@ func TestSysInit_Put_ValidateParams(t *testing.T) {
func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
testSeal := seal.NewTestSeal(nil)
autoSeal := vault.NewAutoSeal(testSeal)
autoSeal, err := vault.NewAutoSeal(testSeal)
if err != nil {
t.Fatal(err)
}
autoSeal.SetType("transit")
// Create the transit server.


@ -8,7 +8,7 @@ import (
"fmt"
"regexp"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"google.golang.org/protobuf/proto"
)
@ -71,7 +71,7 @@ func EncryptDecrypt(rawStr string, decrypt, strip bool, wrapper wrapping.Wrapper
if err != nil {
return "", fmt.Errorf("error decoding encrypted parameter: %w", err)
}
inBlob := new(wrapping.EncryptedBlobInfo)
inBlob := new(wrapping.BlobInfo)
if err := proto.Unmarshal(inMsg, inBlob); err != nil {
return "", fmt.Errorf("error unmarshaling encrypted parameter: %w", err)
}


@ -6,7 +6,7 @@ import (
"encoding/base64"
"testing"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"google.golang.org/protobuf/proto"
)
@ -51,7 +51,7 @@ telemetry {
if err != nil {
t.Fatal(err)
}
inBlob := new(wrapping.EncryptedBlobInfo)
inBlob := new(wrapping.BlobInfo)
if err := proto.Unmarshal(inMsg, inBlob); err != nil {
t.Fatal(err)
}
@ -89,18 +89,24 @@ telemetry {
type reversingWrapper struct{}
func (r *reversingWrapper) Type() string { return "reversing" }
func (r *reversingWrapper) KeyID() string { return "reverser" }
func (r *reversingWrapper) HMACKeyID() string { return "" }
func (r *reversingWrapper) Init(_ context.Context) error { return nil }
func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ []byte) (*wrapping.EncryptedBlobInfo, error) {
return &wrapping.EncryptedBlobInfo{
func (r *reversingWrapper) Type(_ context.Context) (wrapping.WrapperType, error) {
return "reverser", nil
}
func (r *reversingWrapper) KeyId(_ context.Context) (string, error) { return "reverser", nil }
func (r *reversingWrapper) HMACKeyID() string { return "" }
func (r *reversingWrapper) Init(_ context.Context) error { return nil }
func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
func (r *reversingWrapper) SetConfig(_ context.Context, opts ...wrapping.Option) (*wrapping.WrapperConfig, error) {
return &wrapping.WrapperConfig{}, nil
}
func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ ...wrapping.Option) (*wrapping.BlobInfo, error) {
return &wrapping.BlobInfo{
Ciphertext: r.reverse(input),
}, nil
}
func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.EncryptedBlobInfo, _ []byte) ([]byte, error) {
func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.BlobInfo, _ ...wrapping.Option) ([]byte, error) {
return r.reverse(input.Ciphertext), nil
}
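Review bot: The new `Type` method returns `"reverser"`, whereas the removed v1 version returned `"reversing"` and reserved `"reverser"` for the key id; this looks like a copy-paste slip, so `return "reversing", nil` keeps the wrapper type distinct from the KeyId value. Since the method set of reversingWrapper changed, a compile-time check `var _ wrapping.Wrapper = (*reversingWrapper)(nil)` beside the struct would catch a missing or mis-typed method (HMACKeyID, for instance, kept its v1 shape, which may or may not still be required by the v2 interface) before the test runs.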


@ -1,6 +1,7 @@
package configutil
import (
"context"
"crypto/rand"
"fmt"
"io"
@ -8,14 +9,14 @@ import (
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
"github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms"
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms"
"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault"
"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms"
"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms"
"github.com/hashicorp/go-kms-wrapping/wrappers/transit"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2"
"github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/hcl"
@ -159,41 +160,37 @@ func ParseKMSes(d string) ([]*KMS, error) {
return result.Seals, nil
}
func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger) (wrapping.Wrapper, error) {
func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger, opts ...wrapping.Option) (wrapping.Wrapper, error) {
var wrapper wrapping.Wrapper
var kmsInfo map[string]string
var err error
opts := &wrapping.WrapperOptions{
Logger: logger,
}
switch configKMS.Type {
case wrapping.Shamir:
switch wrapping.WrapperType(configKMS.Type) {
case wrapping.WrapperTypeShamir:
return nil, nil
case wrapping.AEAD:
wrapper, kmsInfo, err = GetAEADKMSFunc(opts, configKMS)
case wrapping.WrapperTypeAead:
wrapper, kmsInfo, err = GetAEADKMSFunc(configKMS, opts...)
case wrapping.AliCloudKMS:
wrapper, kmsInfo, err = GetAliCloudKMSFunc(opts, configKMS)
case wrapping.WrapperTypeAliCloudKms:
wrapper, kmsInfo, err = GetAliCloudKMSFunc(configKMS, opts...)
case wrapping.AWSKMS:
wrapper, kmsInfo, err = GetAWSKMSFunc(opts, configKMS)
case wrapping.WrapperTypeAwsKms:
wrapper, kmsInfo, err = GetAWSKMSFunc(configKMS, opts...)
case wrapping.AzureKeyVault:
wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(opts, configKMS)
case wrapping.WrapperTypeAzureKeyVault:
wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(configKMS, opts...)
case wrapping.GCPCKMS:
wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(opts, configKMS)
case wrapping.WrapperTypeGcpCkms:
wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(configKMS, opts...)
case wrapping.OCIKMS:
wrapper, kmsInfo, err = GetOCIKMSKMSFunc(opts, configKMS)
case wrapping.WrapperTypeOciKms:
wrapper, kmsInfo, err = GetOCIKMSKMSFunc(configKMS, opts...)
case wrapping.Transit:
wrapper, kmsInfo, err = GetTransitKMSFunc(opts, configKMS)
case wrapping.WrapperTypeTransit:
wrapper, kmsInfo, err = GetTransitKMSFunc(configKMS, opts...)
case wrapping.PKCS11:
case wrapping.WrapperTypePkcs11:
return nil, fmt.Errorf("KMS type 'pkcs11' requires the Vault Enterprise HSM binary")
default:
@ -214,9 +211,9 @@ func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]strin
return wrapper, nil
}
func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := aeadwrapper.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
func GetAEADKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := aeadwrapper.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), opts...)
if err != nil {
return nil, nil, err
}
@ -226,14 +223,14 @@ func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper,
if len(kms.Purpose) > 0 {
str = fmt.Sprintf("%v %s", kms.Purpose, str)
}
info[str] = wrapperInfo["aead_type"]
info[str] = wrapperInfo.Metadata["aead_type"]
}
return wrapper, info, nil
}
func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := alicloudkms.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
func GetAliCloudKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := alicloudkms.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@ -242,18 +239,18 @@ func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapp
}
info := make(map[string]string)
if wrapperInfo != nil {
info["AliCloud KMS Region"] = wrapperInfo["region"]
info["AliCloud KMS KeyID"] = wrapperInfo["kms_key_id"]
if domain, ok := wrapperInfo["domain"]; ok {
info["AliCloud KMS Region"] = wrapperInfo.Metadata["region"]
info["AliCloud KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
if domain, ok := wrapperInfo.Metadata["domain"]; ok {
info["AliCloud KMS Domain"] = domain
}
}
return wrapper, info, nil
}
var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := awskms.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
var GetAWSKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := awskms.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@ -262,18 +259,18 @@ var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrap
}
info := make(map[string]string)
if wrapperInfo != nil {
info["AWS KMS Region"] = wrapperInfo["region"]
info["AWS KMS KeyID"] = wrapperInfo["kms_key_id"]
if endpoint, ok := wrapperInfo["endpoint"]; ok {
info["AWS KMS Region"] = wrapperInfo.Metadata["region"]
info["AWS KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
if endpoint, ok := wrapperInfo.Metadata["endpoint"]; ok {
info["AWS KMS Endpoint"] = endpoint
}
}
return wrapper, info, nil
}
func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := azurekeyvault.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
func GetAzureKeyVaultKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := azurekeyvault.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@ -282,16 +279,16 @@ func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.
}
info := make(map[string]string)
if wrapperInfo != nil {
info["Azure Environment"] = wrapperInfo["environment"]
info["Azure Vault Name"] = wrapperInfo["vault_name"]
info["Azure Key Name"] = wrapperInfo["key_name"]
info["Azure Environment"] = wrapperInfo.Metadata["environment"]
info["Azure Vault Name"] = wrapperInfo.Metadata["vault_name"]
info["Azure Key Name"] = wrapperInfo.Metadata["key_name"]
}
return wrapper, info, nil
}
func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := gcpckms.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
func GetGCPCKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := gcpckms.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@ -300,33 +297,33 @@ func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrappe
}
info := make(map[string]string)
if wrapperInfo != nil {
info["GCP KMS Project"] = wrapperInfo["project"]
info["GCP KMS Region"] = wrapperInfo["region"]
info["GCP KMS Key Ring"] = wrapperInfo["key_ring"]
info["GCP KMS Crypto Key"] = wrapperInfo["crypto_key"]
info["GCP KMS Project"] = wrapperInfo.Metadata["project"]
info["GCP KMS Region"] = wrapperInfo.Metadata["region"]
info["GCP KMS Key Ring"] = wrapperInfo.Metadata["key_ring"]
info["GCP KMS Crypto Key"] = wrapperInfo.Metadata["crypto_key"]
}
return wrapper, info, nil
}
func GetOCIKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := ocikms.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
func GetOCIKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := ocikms.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
if err != nil {
return nil, nil, err
}
info := make(map[string]string)
if wrapperInfo != nil {
info["OCI KMS KeyID"] = wrapperInfo[ocikms.KMSConfigKeyID]
info["OCI KMS Crypto Endpoint"] = wrapperInfo[ocikms.KMSConfigCryptoEndpoint]
info["OCI KMS Management Endpoint"] = wrapperInfo[ocikms.KMSConfigManagementEndpoint]
info["OCI KMS Principal Type"] = wrapperInfo["principal_type"]
info["OCI KMS KeyID"] = wrapperInfo.Metadata[ocikms.KmsConfigKeyId]
info["OCI KMS Crypto Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigCryptoEndpoint]
info["OCI KMS Management Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigManagementEndpoint]
info["OCI KMS Principal Type"] = wrapperInfo.Metadata["principal_type"]
}
return wrapper, info, nil
}
var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
wrapper := transit.NewWrapper(opts)
wrapperInfo, err := wrapper.SetConfig(kms.Config)
var GetTransitKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
wrapper := transit.NewWrapper()
wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@ -335,10 +332,10 @@ var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.
}
info := make(map[string]string)
if wrapperInfo != nil {
info["Transit Address"] = wrapperInfo["address"]
info["Transit Mount Path"] = wrapperInfo["mount_path"]
info["Transit Key Name"] = wrapperInfo["key_name"]
if namespace, ok := wrapperInfo["namespace"]; ok {
info["Transit Address"] = wrapperInfo.Metadata["address"]
info["Transit Mount Path"] = wrapperInfo.Metadata["mount_path"]
info["Transit Key Name"] = wrapperInfo.Metadata["key_name"]
if namespace, ok := wrapperInfo.Metadata["namespace"]; ok {
info["Transit Namespace"] = namespace
}
}


@ -17,7 +17,7 @@ import (
"github.com/armon/go-metrics"
"github.com/golang/protobuf/proto"
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-raftchunking"
"github.com/hashicorp/go-secure-stdlib/tlsutil"
"github.com/hashicorp/go-uuid"
@ -1801,7 +1801,7 @@ func (s sealer) Open(ctx context.Context, ct []byte) ([]byte, error) {
return nil, errors.New("no seal access available")
}
var eblob wrapping.EncryptedBlobInfo
var eblob wrapping.BlobInfo
err := proto.Unmarshal(ct, &eblob)
if err != nil {
return nil, err


@ -22,11 +22,13 @@ import (
"sync/atomic"
"time"
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
"github.com/armon/go-metrics"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/mlock"
"github.com/hashicorp/go-secure-stdlib/reloadutil"
@ -93,6 +95,8 @@ const (
// forwardToActive to trigger forwarding if a perf standby encounters
// an SSC Token that it does not have the WAL state for.
ForwardSSCTokenToActive = "new_token"
WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto")
)
var (
@ -190,7 +194,7 @@ type unlockInformation struct {
}
type raftInformation struct {
challenge *wrapping.EncryptedBlobInfo
challenge *wrapping.BlobInfo
leaderClient *api.Client
leaderBarrierConfig *SealConfig
nonVoter bool
@ -961,10 +965,11 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
}
if c.seal == nil {
wrapper := aeadwrapper.NewShamirWrapper()
wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))
c.seal = NewDefaultSeal(&vaultseal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: c.logger.Named("shamir"),
}),
Wrapper: wrapper,
})
}
c.seal.SetCore(c)
@ -1368,10 +1373,10 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error {
func (c *Core) unsealWithRaft(combinedKey []byte) error {
ctx := context.Background()
if c.seal.BarrierType() == wrapping.Shamir {
if c.seal.BarrierType() == wrapping.WrapperTypeShamir {
// If this is a legacy shamir seal this serves no purpose but it
// doesn't hurt.
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey)
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey)
if err != nil {
return err
}
@ -1540,7 +1545,7 @@ func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
return false, err
}
if existBarrierSealConfig.Type != c.seal.BarrierType() {
if existBarrierSealConfig.Type != c.seal.BarrierType().String() {
return false, nil
}
if c.seal.RecoveryKeySupported() && existRecoverySealConfig.Type != c.seal.RecoveryType() {
@ -1622,7 +1627,7 @@ func (c *Core) migrateSeal(ctx context.Context) error {
}
// We have recovery keys; we're going to use them as the new shamir KeK.
err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveryKey)
err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveryKey)
if err != nil {
return fmt.Errorf("failed to set master key in seal: %w", err)
}
@ -2496,7 +2501,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi
// In older versions of vault the default seal would not store a type. This
// is here to offer backwards compatibility for older seal configs.
if barrierConf.Type == "" {
barrierConf.Type = wrapping.Shamir
barrierConf.Type = wrapping.WrapperTypeShamir.String()
}
var recoveryConf *SealConfig
@ -2516,7 +2521,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi
// In older versions of vault the default seal would not store a type. This
// is here to offer backwards compatibility for older seal configs.
if recoveryConf.Type == "" {
recoveryConf.Type = wrapping.Shamir
recoveryConf.Type = wrapping.WrapperTypeShamir.String()
}
}
@ -2551,31 +2556,30 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
// If we don't have an existing config or if it's the deprecated auto seal
// which needs an upgrade, skip out
if existBarrierSealConfig == nil || existBarrierSealConfig.Type == wrapping.HSMAutoDeprecated {
if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() {
return nil
}
if unwrapSeal == nil {
// With unwrapSeal==nil, either we're not migrating, or we're migrating
// from shamir.
switch {
case existBarrierSealConfig.Type == c.seal.BarrierType():
case existBarrierSealConfig.Type == c.seal.BarrierType().String():
// We have the same barrier type and the unwrap seal is nil so we're not
// migrating from same to same, IOW we assume it's not a migration.
return nil
case c.seal.BarrierType() == wrapping.Shamir:
case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
// The stored barrier config is not shamir, there is no disabled seal
// in config, and either no configured seal (which equates to Shamir)
// or an explicitly configured Shamir seal.
return fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
existBarrierSealConfig.Type)
case existBarrierSealConfig.Type == wrapping.Shamir:
case existBarrierSealConfig.Type == wrapping.WrapperTypeShamir.String():
// The configured seal is not Shamir, the stored seal config is Shamir.
// This is a migration away from Shamir.
unwrapSeal = NewDefaultSeal(&vaultseal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: c.logger.Named("shamir"),
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
default:
// We know at this point that there is a configured non-Shamir seal,
@ -2587,7 +2591,8 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
} else {
// If we're not coming from Shamir we expect the previous seal to be
// in the config and disabled.
if unwrapSeal.BarrierType() == wrapping.Shamir {
if unwrapSeal.BarrierType() == wrapping.WrapperTypeShamir {
return errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
}
}
@ -2597,7 +2602,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
unwrapSeal.SetCore(c)
// No stored recovery seal config found, what about the legacy recovery config?
if existBarrierSealConfig.Type != wrapping.Shamir && existRecoverySealConfig == nil {
if existBarrierSealConfig.Type != wrapping.WrapperTypeShamir.String() && existRecoverySealConfig == nil {
entry, err := c.physical.Get(ctx, recoverySealConfigPath)
if err != nil {
return fmt.Errorf("failed to read %q recovery seal configuration: %w", existBarrierSealConfig.Type, err)
@ -2611,7 +2616,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
c.migrationInfo = &migrationInformation{
seal: unwrapSeal,
}
if existBarrierSealConfig.Type != c.seal.BarrierType() {
if existBarrierSealConfig.Type != c.seal.BarrierType().String() {
// It's unnecessary to call this when doing an auto->auto
// same-seal-type migration, since they'll have the same configs before
// and after migration.
@ -2645,7 +2650,7 @@ func (c *Core) migrateSealConfig(ctx context.Context) error {
// recovery config to a clone of shamir's barrier config with stored
// keys set to 0.
bc = &SealConfig{
Type: c.seal.BarrierType(),
Type: c.seal.BarrierType().String(),
SecretShares: 1,
SecretThreshold: 1,
StoredShares: 1,
@ -2684,7 +2689,7 @@ func (c *Core) adjustSealConfigDuringMigration(existBarrierSealConfig, existReco
// recovery config to a clone of shamir's barrier config with stored
// keys set to 0.
newBarrierSealConfig := &SealConfig{
Type: c.seal.BarrierType(),
Type: c.seal.BarrierType().String(),
SecretShares: 1,
SecretThreshold: 1,
StoredShares: 1,
@ -2739,9 +2744,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey
case vaultseal.StoredKeysSupportedShamirRoot:
if useTestSeal {
testseal := NewDefaultSeal(&vaultseal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: c.logger.Named("testseal"),
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
testseal.SetCore(c)
cfg, err := seal.BarrierConfig(ctx)
@ -2752,7 +2755,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey
seal = testseal
}
err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey)
err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey)
if err != nil {
return nil, fmt.Errorf("failed to setup unseal key: %w", err)
}
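Review bot: The error returned by `wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))` in CreateCore is discarded, so a failure to configure the default shamir wrapper goes unnoticed until the seal is first used; write it as `if _, err := wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir"))); err != nil { return nil, fmt.Errorf("configuring default shamir seal: %w", err) }`. Taking the logger option from the `awskms` package for an aead/shamir wrapper also reads as accidental — if the v2 aead wrapper package exposes its own logger option, that would be the clearer import to add. The other `NewShamirWrapper()` call sites in this file (adjustForSealMigration and unsealKeyToMasterKey) and the one in rekey.go no longer attach the "shamir"/"testseal" named loggers the v1 code passed, so seal logging is now inconsistent across the three constructors. The new `WrapperTypeHsmAutoDeprecated` constant should carry a doc comment, e.g. `// WrapperTypeHsmAutoDeprecated is the seal type recorded by the deprecated auto seal; configs carrying it are skipped by adjustForSealMigration until upgraded.`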


@ -549,9 +549,13 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
t.Parallel()
seal, setErr := vaultseal.NewToggleableTestSeal(nil)
autoSeal, err := vault.NewAutoSeal(seal)
if err != nil {
t.Fatal(err)
}
cluster := raftCluster(t, &RaftClusterOpts{
NumCores: 1,
Seal: vault.NewAutoSeal(seal),
Seal: autoSeal,
})
defer cluster.Cleanup()
@ -582,7 +586,7 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
setErr(errors.New("seal failure"))
// Take a snapshot
err := leaderClient.Sys().RaftSnapshot(w)
err = leaderClient.Sys().RaftSnapshot(w)
w.Close()
if err == nil || err != api.ErrIncompleteSnapshot {
t.Fatalf("expected err=%v, got: %v", api.ErrIncompleteSnapshot, err)


@ -132,7 +132,11 @@ func ParamTestSealMigrationShamirToTransit_Post14(t *testing.T, logger hclog.Log
// Migrate the backend from shamir to transit.
opts.SealFunc = func() vault.Seal {
return tss.MakeSeal(t, sealKeyName)
seal, err := tss.MakeSeal(t, sealKeyName)
if err != nil {
t.Fatal(err)
}
return seal
}
// Restart each follower with the new config, and migrate to Transit.
@ -173,7 +177,11 @@ func ParamTestSealMigration_TransitToTransit(t *testing.T, logger hclog.Logger,
// Migrate the backend from transit to transit.
opts.UnwrapSealFunc = opts.SealFunc
opts.SealFunc = func() vault.Seal {
return tss2.MakeSeal(t, "transit-seal-key-2")
seal, err := tss2.MakeSeal(t, "transit-seal-key-2")
if err != nil {
t.Fatal(err)
}
return seal
}
leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
@ -279,7 +287,11 @@ func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage
SkipInit: true,
// N.B. Providing a transit seal puts us in migration mode.
SealFunc: func() vault.Seal {
return tss.MakeSeal(t, "transit-seal-key")
seal, err := tss.MakeSeal(t, "transit-seal-key")
if err != nil {
t.Fatal(err)
}
return seal
},
}
storage.Setup(&conf, &opts)
@ -697,7 +709,11 @@ func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.Re
BaseListenAddress: fmt.Sprintf("127.0.0.1:%d", basePort),
BaseClusterListenPort: baseClusterPort,
SealFunc: func() vault.Seal {
return tss.MakeSeal(t, sealKeyName)
seal, err := tss.MakeSeal(t, sealKeyName)
if err != nil {
t.Fatal(err)
}
return seal
},
}
storage.Setup(&conf, &opts)
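Review bot: The four new SealFunc closures each call `t.Fatal(err)` when `MakeSeal` fails; `t.Fatal` (FailNow) is only valid on the goroutine running the test, so if the cluster harness invokes SealFunc from another goroutine this becomes a runtime misuse rather than a clean failure — worth confirming where SealFunc is called, or surfacing the error to the test goroutine instead. The same five-line block is pasted into ParamTestSealMigrationShamirToTransit_Post14, ParamTestSealMigration_TransitToTransit, migrateFromShamirToTransit_Pre14 and InitializeTransit; a small helper taking `t` and the transit seal server that calls `t.Helper()` before `MakeSeal` would remove the duplication and keep the failure location pointed at the caller. All four enclosing functions start outside their hunks.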


@ -13,7 +13,7 @@ import (
"github.com/armon/go-metrics"
"github.com/hashicorp/errwrap"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/namespace"
@ -869,7 +869,7 @@ func (c *Core) reloadShamirKey(ctx context.Context) error {
}
shamirKey = keyring.rootKey
}
return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(shamirKey)
return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(shamirKey)
}
func (c *Core) performKeyUpgrades(ctx context.Context) error {


@ -1774,7 +1774,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
nextExpiration = k.ExpireAt
}
// Mark the KeyID as in use so it doesn't get deleted in the next step
// Mark the KeyId as in use so it doesn't get deleted in the next step
usedKeys = append(usedKeys, k.KeyID)
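Review bot: The reworded comment now says `KeyId` while the identifier it describes on the next line is still `k.KeyID`, so the comment and code disagree; this looks like a stray hit from the v2 rename sweep rather than an intended change. Keep the original wording, `// Mark the KeyID as in use so it doesn't get deleted in the next step`. The enclosing loop in expireOIDCPublicKeys starts outside the hunk.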
}


@ -9,11 +9,11 @@ import (
"net/url"
"sync/atomic"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/physical/raft"
"github.com/hashicorp/vault/vault/seal"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/helper/pgpkeys"
"github.com/hashicorp/vault/shamir"
@ -276,7 +276,8 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
var sealKey []byte
var sealKeyShares [][]byte
if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.Shamir {
if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.WrapperTypeShamir {
sealKey, sealKeyShares, err = c.generateShares(barrierConfig)
if err != nil {
c.logger.Error("error generating shares", "error", err)
@ -324,7 +325,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
switch c.seal.StoredKeysSupported() {
case seal.StoredKeysSupportedShamirRoot:
keysToStore := [][]byte{barrierKey}
if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(sealKey); err != nil {
if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(sealKey); err != nil {
c.logger.Error("failed to set seal key", "error", err)
return nil, fmt.Errorf("failed to set seal key: %w", err)
}
@ -439,7 +440,7 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error {
c.unsealWithStoredKeysLock.Lock()
defer c.unsealWithStoredKeysLock.Unlock()
if c.seal.BarrierType() == wrapping.Shamir {
if c.seal.BarrierType() == wrapping.WrapperTypeShamir {
return nil
}


@ -6,7 +6,7 @@ import (
"testing"
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/sdk/helper/logging"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/physical/inmem"
@ -89,7 +89,7 @@ func testCore_Init_Common(t *testing.T, c *Core, conf *CoreConfig, barrierConf,
t.Fatalf("err: %v", err)
}
if c.seal.BarrierType() == wrapping.Shamir && len(res.SecretShares) != barrierConf.SecretShares {
if c.seal.BarrierType() == wrapping.WrapperTypeShamir && len(res.SecretShares) != barrierConf.SecretShares {
t.Fatalf("Bad: got\n%#v\nexpected conf matching\n%#v\n", *res, *barrierConf)
}
if recoveryConf != nil {


@ -4181,7 +4181,7 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
if sealConfig == nil {
return &SealStatusResponse{
Type: core.SealAccess().BarrierType(),
Type: core.SealAccess().BarrierType().String(),
Initialized: initialized,
Sealed: true,
RecoverySeal: core.SealAccess().RecoveryKeySupported(),


@ -10,7 +10,7 @@ import (
"time"
"github.com/golang/protobuf/proto"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/constants"
"github.com/hashicorp/vault/helper/namespace"
@ -572,7 +572,7 @@ func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool) framework.Ope
case err == nil:
case strings.Contains(err.Error(), "failed to open the sealed hashes"):
switch b.Core.seal.BarrierType() {
case wrapping.Shamir:
case wrapping.WrapperTypeShamir:
return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different set of unseal keys; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest
default:
return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different autoseal key; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest


@ -17,7 +17,7 @@ import (
"github.com/hashicorp/go-discover"
discoverk8s "github.com/hashicorp/go-discover/provider/k8s"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-secure-stdlib/tlsutil"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/api"
@ -660,7 +660,7 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
// The snapshot contained a root key or keyring we couldn't
// recover
switch c.seal.BarrierType() {
case wrapping.Shamir:
case wrapping.WrapperTypeShamir:
// If we are a shamir seal we can't do anything. Just
// seal all nodes.
@ -804,7 +804,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
return nil, err
}
if sealConfig.Type != c.seal.BarrierType() {
if sealConfig.Type != c.seal.BarrierType().String() {
return nil, fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierType())
}
@ -817,7 +817,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
}
eBlob := &wrapping.EncryptedBlobInfo{}
eBlob := &wrapping.BlobInfo{}
if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
}
@ -913,7 +913,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
// If we're using Shamir and using raft for both physical and HA, we
// need to block until the node is unsealed, unless retry is set to
// false.
if c.seal.BarrierType() == wrapping.Shamir && !c.isRaftHAOnly() {
if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !c.isRaftHAOnly() {
c.raftInfo.Store(raftInfo)
if err := c.seal.SetBarrierConfig(ctx, raftInfo.leaderBarrierConfig); err != nil {
return err
@ -936,7 +936,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
return fmt.Errorf("failed to send answer to raft leader node: %w", err)
}
if c.seal.BarrierType() == wrapping.Shamir && !isRaftHAOnly {
if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !isRaftHAOnly {
// Reset the state
c.raftInfo.Store((*raftInformation)(nil))


@ -9,8 +9,8 @@ import (
"fmt"
"net/http"
wrapping "github.com/hashicorp/go-kms-wrapping"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/pgpkeys"
"github.com/hashicorp/vault/sdk/helper/consts"
@ -169,7 +169,7 @@ func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedErr
// BarrierRekeyInit is used to initialize the rekey settings for the barrier key
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
switch c.seal.BarrierType() {
case wrapping.Shamir:
case wrapping.WrapperTypeShamir:
// As of Vault 1.3 all seals use StoredShares==1. The one exception is
// legacy shamir seals, which we can read but not write (by design).
// So if someone does a rekey, regardless of their intention, we're going
@ -396,15 +396,13 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
c.logger.Error("rekey recovery key verification failed", "error", err)
return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("recovery key verification failed: %w", err).Error())
}
case c.seal.BarrierType() == wrapping.Shamir:
case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot {
testseal := NewDefaultSeal(&seal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: c.logger.Named("testseal"),
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
testseal.SetCore(c)
err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveredKey)
err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveredKey)
if err != nil {
return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to setup unseal key: %w", err).Error())
}
@ -532,7 +530,7 @@ func (c *Core) performBarrierRekey(ctx context.Context, newSealKey []byte) logic
}
if c.seal.StoredKeysSupported() != seal.StoredKeysSupportedGeneric {
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(newSealKey)
err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(newSealKey)
if err != nil {
return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to update barrier seal key: %w", err).Error())
}


@ -154,7 +154,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str
if recovery {
expType = c.seal.RecoveryType()
} else {
expType = c.seal.BarrierType()
expType = c.seal.BarrierType().String()
}
newConf := &SealConfig{


@ -13,7 +13,7 @@ import (
"github.com/hashicorp/vault/sdk/physical"
"github.com/golang/protobuf/proto"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/vault/seal"
"github.com/keybase/go-crypto/openpgp"
"github.com/keybase/go-crypto/openpgp/packet"
@ -59,7 +59,7 @@ type Seal interface {
SealWrapable() bool
SetStoredKeys(context.Context, [][]byte) error
GetStoredKeys(context.Context) ([][]byte, error)
BarrierType() string
BarrierType() wrapping.WrapperType
BarrierConfig(context.Context) (*SealConfig, error)
SetBarrierConfig(context.Context, *SealConfig) error
SetCachedBarrierConfig(*SealConfig)
@ -119,8 +119,8 @@ func (d *defaultSeal) Finalize(ctx context.Context) error {
return nil
}
func (d *defaultSeal) BarrierType() string {
return wrapping.Shamir
func (d *defaultSeal) BarrierType() wrapping.WrapperType {
return wrapping.WrapperTypeShamir
}
func (d *defaultSeal) StoredKeysSupported() seal.StoredKeysSupport {
@ -193,8 +193,8 @@ func (d *defaultSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
switch conf.Type {
// This case should not be valid for other types as only this is the default
case "":
conf.Type = d.BarrierType()
case d.BarrierType():
conf.Type = d.BarrierType().String()
case d.BarrierType().String():
default:
d.core.logger.Error("barrier seal type does not match expected type", "barrier_seal_type", conf.Type, "loaded_seal_type", d.BarrierType())
return nil, fmt.Errorf("barrier seal type of %q does not match expected type of %q", conf.Type, d.BarrierType())
@ -222,7 +222,7 @@ func (d *defaultSeal) SetBarrierConfig(ctx context.Context, config *SealConfig)
return nil
}
config.Type = d.BarrierType()
config.Type = d.BarrierType().String()
// If we are doing a raft unseal we do not want to persist the barrier config
// because storage isn't setup yet.
@ -477,7 +477,7 @@ func readStoredKeys(ctx context.Context, storage physical.Backend, encryptor *se
return nil, nil
}
blobInfo := &wrapping.EncryptedBlobInfo{}
blobInfo := &wrapping.BlobInfo{}
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
}


@ -5,11 +5,11 @@ import (
"time"
metrics "github.com/armon/go-metrics"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
)
type Envelope struct {
envelope *wrapping.Envelope
envelope *wrapping.EnvelopeInfo
once sync.Once
}
@ -18,19 +18,19 @@ func NewEnvelope() *Envelope {
}
func (e *Envelope) init() {
e.envelope = new(wrapping.Envelope)
e.envelope = new(wrapping.EnvelopeInfo)
}
func (e *Envelope) Encrypt(plaintext, aad []byte) (*wrapping.EnvelopeInfo, error) {
defer metrics.MeasureSince([]string{"seal", "envelope", "encrypt"}, time.Now())
e.once.Do(e.init)
return e.envelope.Encrypt(plaintext, aad)
return wrapping.EnvelopeEncrypt(plaintext, wrapping.WithAad(aad))
}
func (e *Envelope) Decrypt(data *wrapping.EnvelopeInfo, aad []byte) ([]byte, error) {
defer metrics.MeasureSince([]string{"seal", "envelope", "decrypt"}, time.Now())
e.once.Do(e.init)
return e.envelope.Decrypt(data, aad)
return wrapping.EnvelopeDecrypt(data, wrapping.WithAad(aad))
}
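Review bot: `Encrypt` and `Decrypt` no longer use `e.envelope` at all — they now call the package-level `wrapping.EnvelopeEncrypt` / `wrapping.EnvelopeDecrypt` — so the `e.once.Do(e.init)` calls and the `envelope *wrapping.EnvelopeInfo` field have become dead state that is allocated on first use and never read. Either remove the field, `init` and the `once` calls, or add a comment on the struct explaining why the instance is still kept, e.g. `// envelope is retained only for API compatibility; v2 envelope operations are package functions and do not use it.` As written, a reader will assume the `once.Do` establishes state that the encrypt/decrypt path depends on.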


@ -5,7 +5,7 @@ import (
"time"
metrics "github.com/armon/go-metrics"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
)
type StoredKeysSupport int
@ -35,54 +35,74 @@ func (s StoredKeysSupport) String() string {
// specific to encrypting and decrypting data, or in this case keys.
type Access struct {
wrapping.Wrapper
OverriddenType string
WrapperType wrapping.WrapperType
}
func (a *Access) SetType(t string) {
a.OverriddenType = t
}
func (a *Access) Type() string {
if a.OverriddenType != "" {
return a.OverriddenType
func (a *Access) Init(ctx context.Context) error {
if initWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
return initWrapper.Init(ctx)
}
return a.Wrapper.Type()
return nil
}
func (a *Access) SetType(t wrapping.WrapperType) {
a.WrapperType = t
}
func (a *Access) Type(ctx context.Context) (wrapping.WrapperType, error) {
if a != nil && a.WrapperType != "" {
return a.WrapperType, nil
}
return a.Wrapper.Type(ctx)
}
// Encrypt uses the underlying seal to encrypt the plaintext and returns it.
func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.EncryptedBlobInfo, err error) {
func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.BlobInfo, err error) {
wTyp, err := a.Wrapper.Type(ctx)
if err != nil {
return nil, err
}
defer func(now time.Time) {
metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "encrypt", "time"}, now)
metrics.MeasureSince([]string{"seal", wTyp.String(), "encrypt", "time"}, now)
if err != nil {
metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt", "error"}, 1)
metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt", "error"}, 1)
}
}(time.Now())
metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt"}, 1)
metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt"}, 1)
return a.Wrapper.Encrypt(ctx, plaintext, aad)
return a.Wrapper.Encrypt(ctx, plaintext, wrapping.WithAad(aad))
}
// Decrypt uses the underlying seal to decrypt the cryptotext and returns it.
// Note that it is possible depending on the wrapper used that both pt and err
// are populated.
func (a *Access) Decrypt(ctx context.Context, data *wrapping.EncryptedBlobInfo, aad []byte) (pt []byte, err error) {
func (a *Access) Decrypt(ctx context.Context, data *wrapping.BlobInfo, aad []byte) (pt []byte, err error) {
wTyp, err := a.Wrapper.Type(ctx)
defer func(now time.Time) {
metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "decrypt", "time"}, now)
metrics.MeasureSince([]string{"seal", wTyp.String(), "decrypt", "time"}, now)
if err != nil {
metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt", "error"}, 1)
metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt", "error"}, 1)
}
}(time.Now())
metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt"}, 1)
metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt"}, 1)
return a.Wrapper.Decrypt(ctx, data, aad)
return a.Wrapper.Decrypt(ctx, data, wrapping.WithAad(aad))
}
func (a *Access) Finalize(ctx context.Context) error {
if finalizeWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
return finalizeWrapper.Finalize(ctx)
}
return nil
}
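Review bot: In `Decrypt`, the error from `wTyp, err := a.Wrapper.Type(ctx)` at the top of the body is never checked, unlike `Encrypt`, which returns it immediately; because `err` is the named result it is silently overwritten by the later `a.Wrapper.Decrypt` call, and the metrics are emitted with an empty type label. Add the same guard as `Encrypt` directly after that line, `if err != nil { return nil, err }`, or, if a type lookup failure must not block decryption, say so in a comment and use an explicit fallback label. Separately, `Type` checks `a != nil` but then dereferences `a.Wrapper` on the fallback path, so a nil receiver still panics there. The new exported `Init`, `SetType`, `Type` and `Finalize` methods also lack doc comments, e.g. `// Init calls the wrapper's InitFinalizer.Init when the wrapper implements that interface; otherwise it is a no-op.`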


@ -5,14 +5,14 @@ import (
"sync"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
)
type TestSealOpts struct {
Logger hclog.Logger
StoredKeys StoredKeysSupport
Secret []byte
Name string
Name wrapping.WrapperType
}
func NewTestSeal(opts *TestSealOpts) *Access {
@ -21,8 +21,8 @@ func NewTestSeal(opts *TestSealOpts) *Access {
}
return &Access{
Wrapper: wrapping.NewTestWrapper(opts.Secret),
OverriddenType: opts.Name,
Wrapper: wrapping.NewTestWrapper(opts.Secret),
WrapperType: opts.Name,
}
}
@ -33,8 +33,8 @@ func NewToggleableTestSeal(opts *TestSealOpts) (*Access, func(error)) {
w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
return &Access{
Wrapper: w,
OverriddenType: opts.Name,
Wrapper: w,
WrapperType: opts.Name,
}, w.SetError
}
@ -44,22 +44,22 @@ type ToggleableWrapper struct {
l sync.RWMutex
}
func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, bytes2 []byte) (*wrapping.EncryptedBlobInfo, error) {
func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, opts ...wrapping.Option) (*wrapping.BlobInfo, error) {
t.l.RLock()
defer t.l.RUnlock()
if t.error != nil {
return nil, t.error
}
return t.Wrapper.Encrypt(ctx, bytes, bytes2)
return t.Wrapper.Encrypt(ctx, bytes, opts...)
}
func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.EncryptedBlobInfo, bytes []byte) ([]byte, error) {
func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {
t.l.RLock()
defer t.l.RUnlock()
if t.error != nil {
return nil, t.error
}
return t.Wrapper.Decrypt(ctx, info, bytes)
return t.Wrapper.Decrypt(ctx, info, opts...)
}
func (t *ToggleableWrapper) SetError(err error) {
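Review bot: The new `Decrypt` signature keeps the value receiver `(t ToggleableWrapper)` while `Encrypt` uses `*ToggleableWrapper`, and the struct holds `l sync.RWMutex`; every `Decrypt` call therefore copies the lock, so `t.l.RLock()` locks a copy and does not serialize against `SetError`, and `go vet`'s copylocks check flags it. Since the signature is being rewritten in this commit anyway, change it to `func (t *ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {` so the receivers are consistent. This is pre-existing rather than introduced here. `SetError` starts at the hunk's last line and continues outside it.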


@ -3,6 +3,8 @@ package vault
import (
"context"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/vault/seal"
)
@ -21,7 +23,7 @@ func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport {
return s.seal.StoredKeysSupported()
}
func (s *SealAccess) BarrierType() string {
func (s *SealAccess) BarrierType() wrapping.WrapperType {
return s.seal.BarrierType()
}


@ -13,7 +13,7 @@ import (
proto "github.com/golang/protobuf/proto"
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/vault/seal"
)
@ -21,7 +21,7 @@ import (
// barrierTypeUpgradeCheck checks for backwards compat on barrier type, not
// applicable in the OSS side
var (
barrierTypeUpgradeCheck = func(_ string, _ *SealConfig) {}
barrierTypeUpgradeCheck = func(_ wrapping.WrapperType, _ *SealConfig) {}
autoSealUnavailableDuration = []string{"seal", "unreachable", "time"}
// vars for unit testings
sealHealthTestIntervalNominal = 10 * time.Minute
@ -47,13 +47,19 @@ type autoSeal struct {
// Ensure we are implementing the Seal interface
var _ Seal = (*autoSeal)(nil)
func NewAutoSeal(lowLevel *seal.Access) *autoSeal {
func NewAutoSeal(lowLevel *seal.Access) (*autoSeal, error) {
ret := &autoSeal{
Access: lowLevel,
}
ret.barrierConfig.Store((*SealConfig)(nil))
ret.recoveryConfig.Store((*SealConfig)(nil))
return ret
var err error
ret.WrapperType, err = ret.Type(context.Background())
if err != nil {
return nil, err
}
return ret, nil
}
func (d *autoSeal) SealWrapable() bool {
@ -87,8 +93,8 @@ func (d *autoSeal) Finalize(ctx context.Context) error {
return d.Access.Finalize(ctx)
}
func (d *autoSeal) BarrierType() string {
return d.Type()
func (d *autoSeal) BarrierType() wrapping.WrapperType {
return d.WrapperType
}
func (d *autoSeal) StoredKeysSupported() seal.StoredKeysSupport {
@ -120,12 +126,16 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
return fmt.Errorf("no stored keys found")
}
blobInfo := &wrapping.EncryptedBlobInfo{}
blobInfo := &wrapping.BlobInfo{}
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
return fmt.Errorf("failed to proto decode stored keys: %w", err)
}
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
keyId, err := d.Access.KeyId(ctx)
if err != nil {
return err
}
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
d.logger.Info("upgrading stored keys")
pt, err := d.Decrypt(ctx, blobInfo, nil)
@ -147,11 +157,11 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
}
// UpgradeKeys re-encrypts and saves the stored keys and the recovery key
// with the current key if the current KeyID is different from the KeyID
// with the current key if the current KeyId is different from the KeyId
// the stored keys and the recovery key are encrypted with. The provided
// Context must be non-nil.
func (d *autoSeal) UpgradeKeys(ctx context.Context) error {
// Many of the seals update their keys to the latest KeyID when Encrypt
// Many of the seals update their keys to the latest KeyId when Encrypt
// is called.
if _, err := d.Encrypt(ctx, []byte("a"), nil); err != nil {
return err
@ -206,7 +216,7 @@ func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
barrierTypeUpgradeCheck(d.BarrierType(), conf)
if conf.Type != d.BarrierType() {
if conf.Type != d.BarrierType().String() {
d.logger.Error("barrier seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.BarrierType())
return nil, fmt.Errorf("barrier seal type of %q does not match loaded type of %q", conf.Type, d.BarrierType())
}
@ -225,7 +235,7 @@ func (d *autoSeal) SetBarrierConfig(ctx context.Context, conf *SealConfig) error
return nil
}
conf.Type = d.BarrierType()
conf.Type = d.BarrierType().String()
// Encode the seal configuration
buf, err := json.Marshal(conf)
@ -436,7 +446,7 @@ func (d *autoSeal) getRecoveryKeyInternal(ctx context.Context) ([]byte, error) {
return nil, fmt.Errorf("no recovery key found")
}
blobInfo := &wrapping.EncryptedBlobInfo{}
blobInfo := &wrapping.BlobInfo{}
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
}
@ -458,12 +468,17 @@ func (d *autoSeal) upgradeRecoveryKey(ctx context.Context) error {
return fmt.Errorf("no recovery key found")
}
blobInfo := &wrapping.EncryptedBlobInfo{}
blobInfo := &wrapping.BlobInfo{}
if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
return fmt.Errorf("failed to proto decode recovery key: %w", err)
}
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
keyId, err := d.Access.KeyId(ctx)
if err != nil {
return err
}
if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
d.logger.Info("upgrading recovery key")
pt, err := d.Decrypt(ctx, blobInfo, nil)
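Review bot: `NewAutoSeal` now resolves the wrapper type with `context.Background()` so that `BarrierType()` can remain an infallible getter, but neither that prefetch nor the new error return is documented; add a doc comment such as `// NewAutoSeal wraps lowLevel as a Seal. It eagerly resolves and caches the wrapper type so BarrierType can be called without a context or error; it fails if the wrapper cannot report its type.` If any wrapper's `Type(ctx)` can block on a remote lookup (I can't tell from this hunk), consider taking a `ctx` from the caller instead of `context.Background()` so construction honours the caller's deadline. Also, `upgradeStoredKeys` and `upgradeRecoveryKey` now return early when `d.Access.KeyId(ctx)` fails, where the old `KeyID()` could not fail; a one-line comment at each new check, `// a KeyId lookup failure aborts the upgrade rather than re-encrypting under an unknown key`, would make that behaviour change deliberate. `upgradeRecoveryKey`'s body continues past the end of the hunk.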


@ -13,7 +13,7 @@ import (
"github.com/hashicorp/vault/helper/metricsutil"
proto "github.com/golang/protobuf/proto"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/vault/seal"
)
@ -71,13 +71,17 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) {
var encKeys []string
changeKey := func(key string) {
encKeys = append(encKeys, key)
testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyID(key)
testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyId(key)
}
// Set initial encryption key.
changeKey("kaz")
autoSeal := NewAutoSeal(testSeal)
autoSeal, err := NewAutoSeal(testSeal)
if err != nil {
t.Fatal(err)
}
autoSeal.SetCore(core)
pBackend := newTestBackend(t)
core.physical = pBackend
@ -130,14 +134,14 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) {
// in encKeys. Iterate over each phyEntry and verify it was
// encrypted with its corresponding key in encKeys.
for i, phyEntry := range phyEntries {
blobInfo := &wrapping.EncryptedBlobInfo{}
blobInfo := &wrapping.BlobInfo{}
if err := proto.Unmarshal(phyEntry.Value, blobInfo); err != nil {
t.Errorf("phyKey = %s: failed to proto decode stored keys: %s", phyKey, err)
}
if blobInfo.KeyInfo == nil {
t.Errorf("phyKey = %s: KeyInfo missing: %+v", phyKey, blobInfo)
}
if want, got := encKeys[i], blobInfo.KeyInfo.KeyID; want != got {
if want, got := encKeys[i], blobInfo.KeyInfo.KeyId; want != got {
t.Errorf("phyKey = %s: Incorrect encryption key: want %s, got %s", phyKey, want, got)
}
}
@ -185,7 +189,11 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
})
sealHealthTestIntervalNominal = 10 * time.Millisecond
sealHealthTestIntervalUnhealthy = 10 * time.Millisecond
autoSeal := NewAutoSeal(testSealAccess)
autoSeal, err := NewAutoSeal(testSealAccess)
if err != nil {
t.Fatal(err)
}
autoSeal.SetCore(core)
core.seal = autoSeal
autoSeal.StartHealthCheck()


@ -2,8 +2,7 @@ package vault
import (
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
"github.com/hashicorp/vault/sdk/helper/logging"
"github.com/hashicorp/vault/vault/seal"
testing "github.com/mitchellh/go-testing-interface"
@ -21,9 +20,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
switch opts.StoredKeys {
case seal.StoredKeysSupportedShamirRoot:
newSeal := NewDefaultSeal(&seal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: opts.Logger,
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
// Need StoredShares set or this will look like a legacy shamir seal.
newSeal.SetCachedBarrierConfig(&SealConfig{
@ -34,9 +31,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
return newSeal
case seal.StoredKeysNotSupported:
newSeal := NewDefaultSeal(&seal.Access{
Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
Logger: opts.Logger,
}),
Wrapper: aeadwrapper.NewShamirWrapper(),
})
newSeal.SetCachedBarrierConfig(&SealConfig{
StoredShares: 0,
@ -45,6 +40,10 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
})
return newSeal
default:
return NewAutoSeal(seal.NewTestSeal(opts))
seal, err := NewAutoSeal(seal.NewTestSeal(opts))
if err != nil {
t.Fatal(err)
}
return seal
}
}
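Review bot: The local `seal, err := NewAutoSeal(seal.NewTestSeal(opts))` in the `default` case shadows the imported `seal` package for the rest of that case; it compiles only because the right-hand side is evaluated before the new name enters scope, and any later `seal.X` reference added to that block would silently resolve to the variable. Rename it, e.g. `s, err := NewAutoSeal(seal.NewTestSeal(opts))` and `return s`. Separately, the Shamir wrapper is now built with `aeadwrapper.NewShamirWrapper()` and `opts.Logger` is no longer referenced anywhere this hunk shows, so either the `Logger` option is now unused for these cases or it is consumed elsewhere — a short comment in this switch saying which would save the next reader the search.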


@ -9,7 +9,7 @@ import (
proto "github.com/golang/protobuf/proto"
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/physical"
)
@ -72,7 +72,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e
}
var performUnwrap bool
se := &wrapping.EncryptedBlobInfo{}
se := &wrapping.BlobInfo{}
// If the value ends in our canary value, try to decode the bytes.
eLen := len(entry.Value)
if eLen > 0 && entry.Value[eLen-1] == 's' {
@ -109,7 +109,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e
}
performUnwrap = false
se = &wrapping.EncryptedBlobInfo{}
se = &wrapping.BlobInfo{}
// If the value ends in our canary value, try to decode the bytes.
eLen = len(entry.Value)
if eLen > 0 && entry.Value[eLen-1] == 's' {


@ -10,7 +10,7 @@ import (
proto "github.com/golang/protobuf/proto"
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/sdk/physical/inmem"
)
@ -57,7 +57,7 @@ func performTestSealUnwrapper(t *testing.T, phys physical.Backend, logger log.Lo
// Save the original for comparison later
origBytes := make([]byte, len(entry.Value))
copy(origBytes, entry.Value)
se := &wrapping.EncryptedBlobInfo{
se := &wrapping.BlobInfo{
Ciphertext: entry.Value,
}
seb, err := proto.Marshal(se)