3c683dba92
This PR adds a new Storage Backend for Triton's Object Storage - Manta

```
make testacc TEST=./physical/manta
==> Checking that code complies with gofmt requirements...
==> Checking that build is using go version >= 1.9.1...
go generate
VAULT_ACC=1 go test -tags='vault' ./physical/manta -v -timeout 45m
=== RUN TestMantaBackend
--- PASS: TestMantaBackend (61.18s)
PASS
ok github.com/hashicorp/vault/physical/manta 61.210s
```

Manta behaves differently from S3: it has no concept of buckets and is simply a filesystem-style object store.

Therefore, we have chosen the approach that writing a secret `foo` actually maps (on disk) to `foo/.vault_value`.

The reason for this is that if we write the secret `foo/bar` and then try to delete a key using the name `foo`, Manta will complain that the folder is not empty because `foo/bar` exists. Therefore, `foo/bar` is written as `foo/bar/.vault_value`.

The value of the key is *always* written to a directory tree of the name and put in a `.vault_value` file.
//
// Copyright (c) 2018, Joyent, Inc. All rights reserved.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
package authentication
import (
"encoding/asn1"
"encoding/base64"
"fmt"
"math/big"
"github.com/pkg/errors"
"golang.org/x/crypto/ssh"
)
// ecdsaSignature carries the two integers of an ECDSA signature together
// with the name of the hash algorithm reported alongside it.
type ecdsaSignature struct {
	// hashAlgorithm is the suffix SignatureType appends to "ecdsa-".
	hashAlgorithm string
	// R and S are the signature values; String panics if either is nil,
	// because asn1.Marshal refuses a nil integer.
	R, S *big.Int
}

// SignatureType returns the algorithm label for this signature, built as
// "ecdsa-" followed by the stored hash algorithm name.
func (s *ecdsaSignature) SignatureType() string {
	return "ecdsa-" + s.hashAlgorithm
}

// String returns the signature as standard base64 over the ASN.1 encoding of
// the sequence (R, S).
//
// It panics if the ASN.1 encoding fails, since the method has no error
// return to report the failure through.
func (s *ecdsaSignature) String() string {
	der, err := asn1.Marshal(struct{ R, S *big.Int }{R: s.R, S: s.S})
	if err != nil {
		panic(fmt.Sprintf("Error marshaling signature: %s", err))
	}

	return base64.StdEncoding.EncodeToString(der)
}
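// newECDSASignature decodes an SSH wire-format ECDSA signature blob (R
// followed by S) and returns it with a hash algorithm inferred from the byte
// length of R, since the key's curve is not passed to this function.
//
// big.Int.Bytes drops leading zero bytes, so R is occasionally shorter than
// the curve size: below 31 bytes for a 256-bit curve, or below 65 bytes for a
// 521-bit curve (roughly one signature in 512, because only the low 9 bits
// spill past byte 64). Matching only the exact lengths 31/32 and 65/66
// rejected those valid signatures at random, so the lengths are matched as
// ranges instead.
//
// It returns an error if the blob cannot be decoded, if R or S is not a
// positive integer, or if the length of R maps to no supported hash.
func newECDSASignature(signatureBlob []byte) (*ecdsaSignature, error) {
	var ecSig struct {
		R *big.Int
		S *big.Int
	}

	if err := ssh.Unmarshal(signatureBlob, &ecSig); err != nil {
		return nil, errors.Wrap(err, "unable to unmarshall signature")
	}

	// SSH mpints are signed, while a well-formed ECDSA signature has strictly
	// positive R and S. Reject anything else here rather than re-encoding a
	// malformed value and sending it on as a credential.
	if ecSig.R == nil || ecSig.S == nil || ecSig.R.Sign() <= 0 || ecSig.S.Sign() <= 0 {
		return nil, errors.New("invalid signature: R and S must be positive")
	}

	rLen := len(ecSig.R.Bytes())

	var hashAlgorithm string
	switch {
	case rLen <= 32:
		// 256-bit curve, including values with leading zero bytes stripped.
		hashAlgorithm = "sha256"
	case rLen >= 49 && rLen <= 66:
		// 521-bit curve, including values with leading zero bytes stripped.
		hashAlgorithm = "sha512"
	default:
		// 33..48 bytes is the size range of a 384-bit curve, which this
		// function has never mapped to a hash and still rejects.
		// NOTE(review): confirm whether ecdsa-sha384 should be supported.
		return nil, fmt.Errorf("Unsupported key length: %d", rLen)
	}

	return &ecdsaSignature{
		hashAlgorithm: hashAlgorithm,
		R:             ecSig.R,
		S:             ecSig.S,
	}, nil
}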