luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Fix panic and update some text

This commit is contained in:
Jeff Mitchell 2018-05-29 13:13:47 -04:00
parent 8b065344f8
commit c53717ba1c
3 changed files with 17 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
command/operator_rekey.go
View File

@ -682,7 +682,11 @@ func (c *OperatorRekeyCommand) printStatus(in interface{}) int {
out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce)) out = append(out, fmt.Sprintf("Nonce | %s", status.Nonce))
out = append(out, fmt.Sprintf("Started | %t", status.Started)) out = append(out, fmt.Sprintf("Started | %t", status.Started))
if status.Started { if status.Started {
out = append(out, fmt.Sprintf("Rekey Progress | %d/%d", status.Progress, status.Required)) if status.Progress == status.Required {
out = append(out, fmt.Sprintf("Rekey Progress | %d/%d (verification in progress)", status.Progress, status.Required))
} else {
out = append(out, fmt.Sprintf("Rekey Progress | %d/%d", status.Progress, status.Required))
}
out = append(out, fmt.Sprintf("New Shares | %d", status.N)) out = append(out, fmt.Sprintf("New Shares | %d", status.N))
out = append(out, fmt.Sprintf("New Threshold | %d", status.T)) out = append(out, fmt.Sprintf("New Threshold | %d", status.T))
out = append(out, fmt.Sprintf("Verification Required | %t", status.VerificationRequired)) out = append(out, fmt.Sprintf("Verification Required | %t", status.VerificationRequired))

14
http/sys_rekey.go
View File

@ -117,20 +117,6 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool,
return return
} }
// If the seal supports stored keys, and we are rekeying the barrier key,
// force the shares to 1
if !recovery && core.SealAccess().StoredKeysSupported() {
req.SecretShares = 1
req.SecretThreshold = 1
req.StoredShares = 1
core.Logger().Warn("rekey: stored keys supported, forcing shares/threshold to 1")
} else {
if req.StoredShares != 0 {
respondError(w, http.StatusBadRequest, fmt.Errorf("stored keys are not supported by the current seal type"))
return
}
}
if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares { if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey")) respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
return return

27
vault/rekey.go
View File

@ -162,6 +162,13 @@ func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedErr
// BarrierRekeyInit is used to initialize the rekey settings for the barrier key // BarrierRekeyInit is used to initialize the rekey settings for the barrier key
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError { func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
if c.seal.StoredKeysSupported() {
c.logger.Warn("stored keys supported, forcing rekey shares/threshold to 1")
config.SecretShares = 1
config.SecretThreshold = 1
config.StoredShares = 1
}
if config.StoredShares > 0 { if config.StoredShares > 0 {
if !c.seal.StoredKeysSupported() { if !c.seal.StoredKeysSupported() {
return logical.CodedError(http.StatusBadRequest, "storing keys not supported by barrier seal") return logical.CodedError(http.StatusBadRequest, "storing keys not supported by barrier seal")
@ -357,13 +364,6 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
return nil, nil return nil, nil
} }
// Schedule the rekey progress for forgetting
defer func() {
if c.barrierRekeyConfig != nil {
c.barrierRekeyConfig.RekeyProgress = nil
}
}()
// Recover the master key or recovery key // Recover the master key or recovery key
var recoveredKey []byte var recoveredKey []byte
if existingConfig.SecretThreshold == 1 { if existingConfig.SecretThreshold == 1 {
@ -521,6 +521,8 @@ func (c *Core) performBarrierRekey(ctx context.Context, newMasterKey []byte) log
return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error()) return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error())
} }
c.barrierRekeyConfig.RekeyProgress = nil
return nil return nil
} }
@ -590,13 +592,6 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string
return nil, nil return nil, nil
} }
// Schedule the rekey progress for forgetting
defer func() {
if c.recoveryRekeyConfig != nil {
c.recoveryRekeyConfig.RekeyProgress = nil
}
}()
// Recover the master key // Recover the master key
var recoveryKey []byte var recoveryKey []byte
if existingConfig.SecretThreshold == 1 { if existingConfig.SecretThreshold == 1 {
@ -726,6 +721,8 @@ func (c *Core) performRecoveryRekey(ctx context.Context, newMasterKey []byte) lo
return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error()) return logical.CodedError(http.StatusInternalServerError, errwrap.Wrapf("failed to save keyring canary: {{err}}", err).Error())
} }
c.recoveryRekeyConfig.RekeyProgress = nil
return nil return nil
} }
@ -763,7 +760,7 @@ func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recove
return nil, logical.CodedError(http.StatusBadRequest, "no rekey in progress") return nil, logical.CodedError(http.StatusBadRequest, "no rekey in progress")
} }
if len(c.barrierRekeyConfig.VerificationKey) == 0 { if len(config.VerificationKey) == 0 {
return nil, logical.CodedError(http.StatusBadRequest, "no rekey verification in progress") return nil, logical.CodedError(http.StatusBadRequest, "no rekey verification in progress")
} }