When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes.

This commit is contained in:
Jeff Mitchell 2015-08-26 07:59:50 -07:00
parent 17cbd9e1ca
commit 8669a87fdd
6 changed files with 16 additions and 16 deletions


@ -97,12 +97,11 @@ Init Options:
-pgp-keys If provided, must be a comma-separated list of
files on disk containing binary-format public PGP
keys. The number of files must match 'key-shares'.
The output unseal keys will be hex-encoded and
encrypted, in order, with the given public keys.
The output unseal keys will encrypted and hex-encoded,
in order, with the given public keys.
If you want to use them with the 'vault unseal'
command, you will need to hex decode, decrypt, and
hex encode the result; this will be the plaintext
unseal key.
command, you will need to hex decode and decrypt;
this will be the plaintext unseal key.
`
return strings.TrimSpace(helpText)
}
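Review bot: The new help text is missing a verb: "The output unseal keys will encrypted and hex-encoded" should read `The output unseal keys will be encrypted and hex-encoded,`. The same sentence is duplicated verbatim in the rekey.go section of this commit and needs the same fix there. The description of the order of operations (encrypt, then hex-encode the ciphertext; user hex-decodes, then decrypts) does match the new EncryptShares behaviour, so only the wording needs changing. The enclosing Help function starts outside the hunk.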


@ -113,7 +113,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *
t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
}
ptBuf.ReadFrom(md.UnverifiedBody)
unsealKeys = append(unsealKeys, hex.EncodeToString(ptBuf.Bytes()))
unsealKeys = append(unsealKeys, ptBuf.String())
}
err = core.Seal(rootToken)
@ -124,7 +124,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *
for i, unsealKey := range unsealKeys {
unsealBytes, err := hex.DecodeString(unsealKey)
if err != nil {
t.Fatalf("Error decoding hex string %s: %s", unsealKey, err)
t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
}
unsealed, err := core.Unseal(unsealBytes)
if err != nil {
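Review bot: The value appended on the new `ptBuf.String()` line comes from a `ptBuf.ReadFrom(md.UnverifiedBody)` whose error is discarded, so a decryption or integrity failure during the body read would silently produce an empty or truncated "unseal key" and the test would fail later with a misleading hex-decode message. Checking it is one line: `if _, err := ptBuf.ReadFrom(md.UnverifiedBody); err != nil { t.Fatalf("Error reading decrypted body for key %d: %s", i, err) }`. If ptBuf is declared outside the loop (not visible here), it also needs a `ptBuf.Reset()` before the read, otherwise each iteration appends the concatenation of all previous shares rather than the current one. parseDecryptAndTestUnsealKeys begins and ends outside the hunk.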


@ -234,13 +234,11 @@ Unseal Options:
-pgp-keys If provided, must be a comma-separated list of
files on disk containing binary-format public PGP
keys. The number of files must match 'key-shares'.
The output unseal keys will be hex-encoded and
encrypted, in order, with the given public keys.
The output unseal keys will encrypted and hex-encoded,
in order, with the given public keys.
If you want to use them with the 'vault unseal'
command, you will need to hex decode, decrypt, and
hex encode the result; this will be the plaintext
unseal key.
command, you will need to hex decode and decrypt;
this will be the plaintext unseal key.
`
return strings.TrimSpace(helpText)
}


@ -3,6 +3,7 @@ package pgpkeys
import (
"bytes"
"encoding/base64"
"encoding/hex"
"fmt"
"golang.org/x/crypto/openpgp"
@ -34,7 +35,7 @@ func EncryptShares(secretShares [][]byte, pgpKeys []string) ([][]byte, error) {
if err != nil {
return nil, fmt.Errorf("Error setting up encryption for PGP message: %s", err)
}
_, err = pt.Write(secretShares[i])
_, err = pt.Write([]byte(hex.EncodeToString(secretShares[i])))
if err != nil {
return nil, fmt.Errorf("Error encrypting PGP message: %s", err)
}
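Review bot: The new `pt.Write([]byte(hex.EncodeToString(secretShares[i])))` changes the plaintext contract of the exported EncryptShares — decrypting now yields hex text rather than the raw share bytes — but nothing in the function's doc comment (outside the hunk) says so, and a caller that decrypts and passes the result straight to Unseal would get a wrong-length key. Suggest adding to the doc comment: `// EncryptShares hex-encodes each share before encrypting it, so that the decrypted output is the hex string expected by 'vault unseal'.` As a minor point of style, `io.WriteString(pt, hex.EncodeToString(secretShares[i]))` avoids the intermediate `[]byte` copy, assuming the file imports or can import "io". The body of EncryptShares continues outside the hunk.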


@ -73,7 +73,8 @@ description: |-
<dt>Returns</dt>
<dd>
A JSON-encoded object including the master keys and initial root token:
A JSON-encoded object including the (possibly encrypted, if
<code>pgp_keys</code> was provided) master keys and initial root token:
```javascript
{


@ -149,7 +149,8 @@ description: |-
<dt>Returns</dt>
<dd>
A JSON-encoded object indicating completion and if so with the new master keys:
A JSON-encoded object indicating completion and if so with the (possibly
encrypted, if <code>pgp_keys</code> was provided) new master keys:
```javascript
{