vault: Adding VerifyMaster to Barrier

2015-05-28 11:28:33 -07:00 · 2015-05-28 11:28:33 -07:00 · 4e3f0cddcf
parent 9f399eb9ff
commit 4e3f0cddcf
3 changed files with 37 additions and 0 deletions
--- a/vault/barrier.go
+++ b/vault/barrier.go
@ -62,6 +62,9 @@ type SecurityBarrier interface {
 	// to be unsealed. If the key is not correct, the barrier remains sealed.
 	Unseal(key []byte) error

+	// VerifyMaster is used to check if the given key matches the master key
+	VerifyMaster(key []byte) error
+
 	// Seal is used to re-seal the barrier. This requires the barrier to
 	// be unsealed again to perform any further operations.
 	Seal() error
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@ -4,6 +4,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/subtle"
 	"encoding/binary"
 	"encoding/json"
 	"fmt"
@ -173,6 +174,19 @@ func (b *AESGCMBarrier) Sealed() (bool, error) {
 	return b.sealed, nil
 }

+// VerifyMaster is used to check if the given key matches the master key
+func (b *AESGCMBarrier) VerifyMaster(key []byte) error {
+	b.l.RLock()
+	defer b.l.RUnlock()
+	if b.sealed {
+		return ErrBarrierSealed
+	}
+	if subtle.ConstantTimeCompare(key, b.keyring.MasterKey()) != 1 {
+		return ErrBarrierInvalidKey
+	}
+	return nil
+}
+
 // Unseal is used to provide the master key which permits the barrier
 // to be unsealed. If the key is not correct, the barrier remains sealed.
 func (b *AESGCMBarrier) Unseal(key []byte) error {
--- a/vault/barrier_test.go
+++ b/vault/barrier_test.go
@ -112,6 +112,11 @@ func testBarrier(t *testing.T, b SecurityBarrier) {
 		t.Fatalf("should be unsealed")
 	}

+	// Verify the master key
+	if err := b.VerifyMaster(key); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
 	// Operations should work
 	out, err := b.Get("test")
 	if err != nil {
@ -347,6 +352,11 @@ func testBarrier_Rekey(t *testing.T, b SecurityBarrier) {
 		t.Fatalf("err: %v", err)
 	}

+	// Verify the master key
+	if err := b.VerifyMaster(key); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
 	// Rekey to a new key
 	newKey, _ := b.GenerateKey()
 	err = b.Rekey(newKey)
@ -354,6 +364,16 @@ func testBarrier_Rekey(t *testing.T, b SecurityBarrier) {
 		t.Fatalf("err: %v", err)
 	}

+	// Verify the old master key
+	if err := b.VerifyMaster(key); err != ErrBarrierInvalidKey {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the new master key
+	if err := b.VerifyMaster(newKey); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
 	// Reading should work
 	out, err := b.Get(e1.Key)
 	if err != nil {