Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.

Fixes #940
Jeff Mitchell 2016-01-18 17:01:52 -05:00
parent ce65fe9173
commit 630b2d83a7
4 changed files with 70 additions and 7 deletions


@ -148,8 +148,8 @@ func TestInit_PGP(t *testing.T) {
args = []string{ args = []string{
"-address", addr, "-address", addr,
"-key-shares", "3", "-key-shares", "4",
"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2], "-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
"-key-threshold", "2", "-key-threshold", "2",
} }
@ -182,7 +182,7 @@ func TestInit_PGP(t *testing.T) {
} }
expected := &vault.SealConfig{ expected := &vault.SealConfig{
SecretShares: 3, SecretShares: 4,
SecretThreshold: 2, SecretThreshold: 2,
PGPKeys: pgpKeys, PGPKeys: pgpKeys,
} }


@ -26,6 +26,7 @@ func getPubKeyFiles(t *testing.T) (string, []string, error) {
tempDir + "/pubkey1", tempDir + "/pubkey1",
tempDir + "/pubkey2", tempDir + "/pubkey2",
tempDir + "/pubkey3", tempDir + "/pubkey3",
tempDir + "/aapubkey1",
} }
decoder := base64.StdEncoding decoder := base64.StdEncoding
pub1Bytes, err := decoder.DecodeString(pubKey1) pub1Bytes, err := decoder.DecodeString(pubKey1)
@ -52,6 +53,10 @@ func getPubKeyFiles(t *testing.T) (string, []string, error) {
if err != nil { if err != nil {
t.Fatalf("Error writing pub key 3 to temp file: %s", err) t.Fatalf("Error writing pub key 3 to temp file: %s", err)
} }
err = ioutil.WriteFile(pubFiles[3], []byte(aaPubKey1), 0755)
if err != nil {
t.Fatalf("Error writing aa pub key 1 to temp file: %s", err)
}
return tempDir, pubFiles, nil return tempDir, pubFiles, nil
} }
@ -91,7 +96,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
t.Fatalf("Error compiling regex: %s", err) t.Fatalf("Error compiling regex: %s", err)
} }
matches := re.FindAllStringSubmatch(input, -1) matches := re.FindAllStringSubmatch(input, -1)
if len(matches) != 3 { if len(matches) != 4 {
t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input) t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
} }
@ -393,3 +398,39 @@ GSP00i+sxql1NhTjJcjJtfOPUzgfW+Af/+HR648z4c7c6MCjDFKnk8ZkoGLRU7ISjenkNFzvu2bj
lxJkil0uJDlLPbbX80ojzV1GS9g+ZxVPR+68N1QLl2FU6zsfg34upmLLHG8VG4vExzgyNkOwfTYv lxJkil0uJDlLPbbX80ojzV1GS9g+ZxVPR+68N1QLl2FU6zsfg34upmLLHG8VG4vExzgyNkOwfTYv
dgyRNTjnuPue6H12fZZ9uCNeG52v7lR3eoQcCxBOniwgipB8UJ52RWXblwxzCtGtDi/EWB3zLTUn dgyRNTjnuPue6H12fZZ9uCNeG52v7lR3eoQcCxBOniwgipB8UJ52RWXblwxzCtGtDi/EWB3zLTUn
puKcgucA0LotbihSMxhDylaARfVO1QV6csabM/g=` puKcgucA0LotbihSMxhDylaARfVO1QV6csabM/g=`
const aaPubKey1 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=NUTS
-----END PGP PUBLIC KEY BLOCK-----`
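Review bot: The expected fixture count is hard-coded as `4` at `if len(matches) != 4 {` (and again as `"-key-shares", "4"` / `SecretShares: 4` in the init and rekey tests), so adding the next fixture key means editing three files in step; deriving it from the fixture list, e.g. `if len(matches) != len(pubFiles) {` with the slice (or its length) handed to parseDecryptAndTestUnsealKeys, would keep the tests self-maintaining. The new armored fixture is also written with mode `0755`; a public key file needs no execute bit and `0644` (or `0600`) is the conventional mode — this appears to mirror the existing pubkey writes, so it is a style point rather than a defect. Both getPubKeyFiles and parseDecryptAndTestUnsealKeys start and end outside the hunks shown here.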


@ -193,8 +193,8 @@ func TestRekey_init_pgp(t *testing.T) {
args := []string{ args := []string{
"-address", addr, "-address", addr,
"-init", "-init",
"-key-shares", "3", "-key-shares", "4",
"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2], "-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
"-key-threshold", "2", "-key-threshold", "2",
"-backup", "true", "-backup", "true",
} }
@ -207,7 +207,7 @@ func TestRekey_init_pgp(t *testing.T) {
if err != nil { if err != nil {
t.Fatalf("err: %s", err) t.Fatalf("err: %s", err)
} }
if config.SecretShares != 3 { if config.SecretShares != 4 {
t.Fatal("should rekey") t.Fatal("should rekey")
} }
if config.SecretThreshold != 2 { if config.SecretThreshold != 2 {


@ -7,6 +7,8 @@ import (
"fmt" "fmt"
"os" "os"
"strings" "strings"
"golang.org/x/crypto/openpgp"
) )
// PGPPubKeyFiles implements the flag.Value interface and allows // PGPPubKeyFiles implements the flag.Value interface and allows
@ -66,6 +68,26 @@ func ReadPGPFile(path string) (string, error) {
return "", err return "", err
} }
// First parse as an armored keyring file, if that doesn't work, treat it as a straight binary/b64 string
keyReader := bytes.NewReader(buf.Bytes())
entityList, err := openpgp.ReadArmoredKeyRing(keyReader)
if err == nil {
if len(entityList) != 1 {
return "", fmt.Errorf("more than one key found in file %s", path)
}
if entityList[0] == nil {
return "", fmt.Errorf("primary key was nil for file %s", path)
}
serializedEntity := bytes.NewBuffer(nil)
err = entityList[0].Serialize(serializedEntity)
if err != nil {
return "", fmt.Errorf("error serializing entity for file %s: %s", path, err)
}
return base64.StdEncoding.EncodeToString(serializedEntity.Bytes()), nil
}
_, err = base64.StdEncoding.DecodeString(buf.String()) _, err = base64.StdEncoding.DecodeString(buf.String())
if err == nil { if err == nil {
return buf.String(), nil return buf.String(), nil
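Review bot: The error from `openpgp.ReadArmoredKeyRing` is discarded, so a file that is clearly armored but malformed (bad CRC, truncated block, unsupported packet) silently falls through to the binary/base64 path and is only rejected later, when Vault tries to encrypt a share with it, with an unrelated error. Since an armored block starts with dashes and can never base64-decode, the fallback only makes sense for non-armored input; consider failing fast when the buffer looks armored: `if err != nil && bytes.HasPrefix(bytes.TrimSpace(buf.Bytes()), []byte("-----BEGIN PGP")) { return "", fmt.Errorf("error parsing armored PGP key in file %s: %s", path, err) }`. The `len(entityList) != 1` check also trips on an empty keyring, so its message should read "expected exactly one key in file %s, found %d" rather than "more than one key found". Note too that `ReadArmoredKeyRing` in golang.org/x/crypto accepts PRIVATE KEY BLOCKs as well as public ones (to be confirmed against the vendored version); `Entity.Serialize` writes only public material so nothing secret should reach the seal config, but returning an error when `entityList[0].PrivateKey != nil` would tell an operator they passed the wrong file instead of silently accepting it. ReadPGPFile begins before this hunk and continues after it.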