Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.

Fixes #940
2016-01-18 17:01:52 -05:00 · 2016-01-18 17:01:52 -05:00 · 630b2d83a7
parent ce65fe9173
commit 630b2d83a7
4 changed files with 70 additions and 7 deletions
--- a/command/init_test.go
+++ b/command/init_test.go
@ -148,8 +148,8 @@ func TestInit_PGP(t *testing.T) {

 	args = []string{
 		"-address", addr,
-		"-key-shares", "3",
-		"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2],
+		"-key-shares", "4",
+		"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
 		"-key-threshold", "2",
 	}

@ -182,7 +182,7 @@ func TestInit_PGP(t *testing.T) {
 	}

 	expected := &vault.SealConfig{
-		SecretShares:    3,
+		SecretShares:    4,
 		SecretThreshold: 2,
 		PGPKeys:         pgpKeys,
 	}
--- a/command/pgp_test.go
+++ b/command/pgp_test.go
@ -26,6 +26,7 @@ func getPubKeyFiles(t *testing.T) (string, []string, error) {
 		tempDir + "/pubkey1",
 		tempDir + "/pubkey2",
 		tempDir + "/pubkey3",
+		tempDir + "/aapubkey1",
 	}
 	decoder := base64.StdEncoding
 	pub1Bytes, err := decoder.DecodeString(pubKey1)
@ -52,6 +53,10 @@ func getPubKeyFiles(t *testing.T) (string, []string, error) {
 	if err != nil {
 		t.Fatalf("Error writing pub key 3 to temp file: %s", err)
 	}
+	err = ioutil.WriteFile(pubFiles[3], []byte(aaPubKey1), 0755)
+	if err != nil {
+		t.Fatalf("Error writing aa pub key 1 to temp file: %s", err)
+	}

 	return tempDir, pubFiles, nil
 }
@ -91,7 +96,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
 		t.Fatalf("Error compiling regex: %s", err)
 	}
 	matches := re.FindAllStringSubmatch(input, -1)
-	if len(matches) != 3 {
+	if len(matches) != 4 {
 		t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
 	}

@ -393,3 +398,39 @@ GSP00i+sxql1NhTjJcjJtfOPUzgfW+Af/+HR648z4c7c6MCjDFKnk8ZkoGLRU7ISjenkNFzvu2bj
 lxJkil0uJDlLPbbX80ojzV1GS9g+ZxVPR+68N1QLl2FU6zsfg34upmLLHG8VG4vExzgyNkOwfTYv
 dgyRNTjnuPue6H12fZZ9uCNeG52v7lR3eoQcCxBOniwgipB8UJ52RWXblwxzCtGtDi/EWB3zLTUn
 puKcgucA0LotbihSMxhDylaARfVO1QV6csabM/g=`
+const aaPubKey1 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzz
+wiMwBS5cD0darGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7
+H+/mhfFvKmgr0Y5kDCF1j0T/063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX
+1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0fsF5St9jhO7mbZU9EFkv9O3t3EaUR
+fHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg8hQssKeVGpuskTdz
+5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAG0EFZhdWx0IFRlc3QgS2V5
+IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
+EOfLr44BHbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d4hIHsG7kmJRT
+JfjECi+AuTGeDwBy84TDcRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3C
+Ee8cMwIPqPT2kajJVdOyrvkyuFOdPFOEA7bdCH0MqgIdM2SdF8t40k/ATfuD2K1Z
+mumJ508I3gF39jgTnPzD4C8quswrMQ3bzfvKC3klXRlBC0yoArn+0QA3cf2B9T4z
+J2qnvgotVbeK/b1OJRNj6Poeo+SsWNc/A5mw7lGScnDgL3yfwCm1gQXaQKfOt5x+
+7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeURBRW5AQ0EVduM9QEIAL53hJ5bZJ7o
+EDCnaY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkfRqnv981fFwGnh2+I
+1Ktm698UAZS9Jt8yjak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a9okj
+h5o/3d4cBt1yZPUJJyLKY43Wvptb6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTj
+OleRFQbu9ij386Do6jzK69mJU56TfdcydkxkWF5NZLGnED3lq+hQNbe+8UI5tD2o
+P/3r5tXKgMy1R/XPvR/zbfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu9p315E87DOle
+Ywxk+FoTqXEAEQEAAYkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZ
+AQIABgUCVduM9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVh
+EGipBmpDGRYulEimOPzLUX/ZXZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHk
+GRHG0/DGum0l4sKTta3OPGHNC1z1dAcQ1RCr9bTD3PxjLBczdGqhzw71trkQRBRd
+tPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0YwKoz3h9+QEcZHvsjSZjgydKvfLY
+cm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJioPn2jVMnXCm4EKc7
+fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH/AtY
+XsKVYRfNIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7
+moViAAcIPXFv3m3WfUlnG/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWko
+jHqyob3cyLgy6z9Q557O9uK3lQozbw2gH9zC0RqnePl+rsWIUU/ga16fH6pWc1uJ
+iEBt8UZGypQ/E56/343epmYAe0a87sHx8iDV+dNtDVKfPRENiLOOc19MmS+phmUy
+rbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKdOIu60YPNE4+h7u2CfYyF
+Pu3AlUaGNMBlvy6PEpU=
+=NUTS
+-----END PGP PUBLIC KEY BLOCK-----`
--- a/command/rekey_test.go
+++ b/command/rekey_test.go
@ -193,8 +193,8 @@ func TestRekey_init_pgp(t *testing.T) {
 	args := []string{
 		"-address", addr,
 		"-init",
-		"-key-shares", "3",
-		"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2],
+		"-key-shares", "4",
+		"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
 		"-key-threshold", "2",
 		"-backup", "true",
 	}
@ -207,7 +207,7 @@ func TestRekey_init_pgp(t *testing.T) {
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
-	if config.SecretShares != 3 {
+	if config.SecretShares != 4 {
 		t.Fatal("should rekey")
 	}
 	if config.SecretThreshold != 2 {
--- a/helper/pgpkeys/flag.go
+++ b/helper/pgpkeys/flag.go
@ -7,6 +7,8 @@ import (
 	"fmt"
 	"os"
 	"strings"
+
+	"golang.org/x/crypto/openpgp"
 )

 // PGPPubKeyFiles implements the flag.Value interface and allows
@ -66,6 +68,26 @@ func ReadPGPFile(path string) (string, error) {
 		return "", err
 	}

+	// First parse as an armored keyring file, if that doesn't work, treat it as a straight binary/b64 string
+	keyReader := bytes.NewReader(buf.Bytes())
+	entityList, err := openpgp.ReadArmoredKeyRing(keyReader)
+	if err == nil {
+		if len(entityList) != 1 {
+			return "", fmt.Errorf("more than one key found in file %s", path)
+		}
+		if entityList[0] == nil {
+			return "", fmt.Errorf("primary key was nil for file %s", path)
+		}
+
+		serializedEntity := bytes.NewBuffer(nil)
+		err = entityList[0].Serialize(serializedEntity)
+		if err != nil {
+			return "", fmt.Errorf("error serializing entity for file %s: %s", path, err)
+		}
+
+		return base64.StdEncoding.EncodeToString(serializedEntity.Bytes()), nil
+	}
+
 	_, err = base64.StdEncoding.DecodeString(buf.String())
 	if err == nil {
 		return buf.String(), nil