05f3236c15
* import rsa and ecdsa public keys * allow import_version to update public keys - wip * allow import_version to update public keys * move check key fields into func * put private/public keys in same switch cases * fix method in UpdateKeyVersion * move asymmetrics keys switch to its own method - WIP * test import public and update it with private counterpart * test import public keys * use public_key to encrypt if RSAKey is not present and failed to decrypt if key version does not have a private key * move key to KeyEntry parsing from Policy to KeyEntry method * move extracting of key from input fields into helper function * change back policy Import signature to keep backwards compatibility and add new method to import private or public keys * test import with imported public rsa and ecdsa keys * descriptions and error messages * error messages, remove comments and unused code * changelog * documentation - wip * suggested changes - error messages/typos and unwrap public key passed * fix unwrap key error * fail if both key fields have been set * fix in extractKeyFromFields, passing a PolicyRequest wouldn't not work * checks for read, sign and verify endpoints so they don't return errors when a private key was not imported and tests * handle panic on "export key" endpoint if imported key is public * fmt * remove 'isPrivateKey' argument from 'UpdateKeyVersion' and 'parseFromKey' methods also: rename 'UpdateKeyVersion' method to 'ImportPrivateKeyForVersion' and 'IsPublicKeyImported' to 'IsPrivateKeyMissing' * delete 'RSAPublicKey' when private key is imported * path_export: return public_key for ecdsa and rsa when there's no private key imported * allow signed data validation with pss algorithm * remove NOTE comment * fix typo in EC public key export where empty derBytes was being used * export rsa public key in pkcs8 format instead of pkcs1 and improve test * change logic on how check for is private key missing is calculated --------- Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
290 lines
7.1 KiB
Go
290 lines
7.1 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package transit
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/keysutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
const (
|
|
exportTypeEncryptionKey = "encryption-key"
|
|
exportTypeSigningKey = "signing-key"
|
|
exportTypeHMACKey = "hmac-key"
|
|
)
|
|
|
|
func (b *backend) pathExportKeys() *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: "export/" + framework.GenericNameRegex("type") + "/" + framework.GenericNameRegex("name") + framework.OptionalParamRegex("version"),
|
|
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
OperationPrefix: operationPrefixTransit,
|
|
OperationVerb: "export",
|
|
OperationSuffix: "key|key-version",
|
|
},
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"type": {
|
|
Type: framework.TypeString,
|
|
Description: "Type of key to export (encryption-key, signing-key, hmac-key)",
|
|
},
|
|
"name": {
|
|
Type: framework.TypeString,
|
|
Description: "Name of the key",
|
|
},
|
|
"version": {
|
|
Type: framework.TypeString,
|
|
Description: "Version of the key",
|
|
},
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.ReadOperation: b.pathPolicyExportRead,
|
|
},
|
|
|
|
HelpSynopsis: pathExportHelpSyn,
|
|
HelpDescription: pathExportHelpDesc,
|
|
}
|
|
}
|
|
|
|
func (b *backend) pathPolicyExportRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
exportType := d.Get("type").(string)
|
|
name := d.Get("name").(string)
|
|
version := d.Get("version").(string)
|
|
|
|
switch exportType {
|
|
case exportTypeEncryptionKey:
|
|
case exportTypeSigningKey:
|
|
case exportTypeHMACKey:
|
|
default:
|
|
return logical.ErrorResponse(fmt.Sprintf("invalid export type: %s", exportType)), logical.ErrInvalidRequest
|
|
}
|
|
|
|
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
|
|
Storage: req.Storage,
|
|
Name: name,
|
|
}, b.GetRandomReader())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if p == nil {
|
|
return nil, nil
|
|
}
|
|
if !b.System().CachingDisabled() {
|
|
p.Lock(false)
|
|
}
|
|
defer p.Unlock()
|
|
|
|
if !p.Exportable {
|
|
return logical.ErrorResponse("key is not exportable"), nil
|
|
}
|
|
|
|
switch exportType {
|
|
case exportTypeEncryptionKey:
|
|
if !p.Type.EncryptionSupported() {
|
|
return logical.ErrorResponse("encryption not supported for the key"), logical.ErrInvalidRequest
|
|
}
|
|
case exportTypeSigningKey:
|
|
if !p.Type.SigningSupported() {
|
|
return logical.ErrorResponse("signing not supported for the key"), logical.ErrInvalidRequest
|
|
}
|
|
}
|
|
|
|
retKeys := map[string]string{}
|
|
switch version {
|
|
case "":
|
|
for k, v := range p.Keys {
|
|
exportKey, err := getExportKey(p, &v, exportType)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
retKeys[k] = exportKey
|
|
}
|
|
|
|
default:
|
|
var versionValue int
|
|
if version == "latest" {
|
|
versionValue = p.LatestVersion
|
|
} else {
|
|
version = strings.TrimPrefix(version, "v")
|
|
versionValue, err = strconv.Atoi(version)
|
|
if err != nil {
|
|
return logical.ErrorResponse("invalid key version"), logical.ErrInvalidRequest
|
|
}
|
|
}
|
|
|
|
if versionValue < p.MinDecryptionVersion {
|
|
return logical.ErrorResponse("version for export is below minimum decryption version"), logical.ErrInvalidRequest
|
|
}
|
|
key, ok := p.Keys[strconv.Itoa(versionValue)]
|
|
if !ok {
|
|
return logical.ErrorResponse("version does not exist or cannot be found"), logical.ErrInvalidRequest
|
|
}
|
|
|
|
exportKey, err := getExportKey(p, &key, exportType)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
retKeys[strconv.Itoa(versionValue)] = exportKey
|
|
}
|
|
|
|
resp := &logical.Response{
|
|
Data: map[string]interface{}{
|
|
"name": p.Name,
|
|
"type": p.Type.String(),
|
|
"keys": retKeys,
|
|
},
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func getExportKey(policy *keysutil.Policy, key *keysutil.KeyEntry, exportType string) (string, error) {
|
|
if policy == nil {
|
|
return "", errors.New("nil policy provided")
|
|
}
|
|
|
|
switch exportType {
|
|
case exportTypeHMACKey:
|
|
return strings.TrimSpace(base64.StdEncoding.EncodeToString(key.HMACKey)), nil
|
|
|
|
case exportTypeEncryptionKey:
|
|
switch policy.Type {
|
|
case keysutil.KeyType_AES128_GCM96, keysutil.KeyType_AES256_GCM96, keysutil.KeyType_ChaCha20_Poly1305:
|
|
return strings.TrimSpace(base64.StdEncoding.EncodeToString(key.Key)), nil
|
|
|
|
case keysutil.KeyType_RSA2048, keysutil.KeyType_RSA3072, keysutil.KeyType_RSA4096:
|
|
rsaKey, err := encodeRSAPrivateKey(key)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return rsaKey, nil
|
|
}
|
|
|
|
case exportTypeSigningKey:
|
|
switch policy.Type {
|
|
case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ECDSA_P384, keysutil.KeyType_ECDSA_P521:
|
|
var curve elliptic.Curve
|
|
switch policy.Type {
|
|
case keysutil.KeyType_ECDSA_P384:
|
|
curve = elliptic.P384()
|
|
case keysutil.KeyType_ECDSA_P521:
|
|
curve = elliptic.P521()
|
|
default:
|
|
curve = elliptic.P256()
|
|
}
|
|
ecKey, err := keyEntryToECPrivateKey(key, curve)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return ecKey, nil
|
|
|
|
case keysutil.KeyType_ED25519:
|
|
return strings.TrimSpace(base64.StdEncoding.EncodeToString(key.Key)), nil
|
|
|
|
case keysutil.KeyType_RSA2048, keysutil.KeyType_RSA3072, keysutil.KeyType_RSA4096:
|
|
rsaKey, err := encodeRSAPrivateKey(key)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return rsaKey, nil
|
|
}
|
|
}
|
|
|
|
return "", fmt.Errorf("unknown key type %v", policy.Type)
|
|
}
|
|
|
|
func encodeRSAPrivateKey(key *keysutil.KeyEntry) (string, error) {
|
|
// When encoding PKCS1, the PEM header should be `RSA PRIVATE KEY`. When Go
|
|
// has PKCS8 encoding support, we may want to change this.
|
|
var blockType string
|
|
var derBytes []byte
|
|
var err error
|
|
if !key.IsPrivateKeyMissing() {
|
|
blockType = "RSA PRIVATE KEY"
|
|
derBytes = x509.MarshalPKCS1PrivateKey(key.RSAKey)
|
|
} else {
|
|
blockType = "PUBLIC KEY"
|
|
derBytes, err = x509.MarshalPKIXPublicKey(key.RSAPublicKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
pemBlock := pem.Block{
|
|
Type: blockType,
|
|
Bytes: derBytes,
|
|
}
|
|
|
|
pemBytes := pem.EncodeToMemory(&pemBlock)
|
|
return string(pemBytes), nil
|
|
}
|
|
|
|
func keyEntryToECPrivateKey(k *keysutil.KeyEntry, curve elliptic.Curve) (string, error) {
|
|
if k == nil {
|
|
return "", errors.New("nil KeyEntry provided")
|
|
}
|
|
|
|
pubKey := ecdsa.PublicKey{
|
|
Curve: curve,
|
|
X: k.EC_X,
|
|
Y: k.EC_Y,
|
|
}
|
|
|
|
var blockType string
|
|
var derBytes []byte
|
|
var err error
|
|
if !k.IsPrivateKeyMissing() {
|
|
blockType = "EC PRIVATE KEY"
|
|
privKey := &ecdsa.PrivateKey{
|
|
PublicKey: pubKey,
|
|
D: k.EC_D,
|
|
}
|
|
derBytes, err = x509.MarshalECPrivateKey(privKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if derBytes == nil {
|
|
return "", errors.New("no data returned when marshalling to private key")
|
|
}
|
|
} else {
|
|
blockType = "PUBLIC KEY"
|
|
derBytes, err = x509.MarshalPKIXPublicKey(&pubKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if derBytes == nil {
|
|
return "", errors.New("no data returned when marshalling to public key")
|
|
}
|
|
}
|
|
|
|
pemBlock := pem.Block{
|
|
Type: blockType,
|
|
Bytes: derBytes,
|
|
}
|
|
|
|
return strings.TrimSpace(string(pem.EncodeToMemory(&pemBlock))), nil
|
|
}
|
|
|
|
const pathExportHelpSyn = `Export named encryption or signing key`
|
|
|
|
const pathExportHelpDesc = `
|
|
This path is used to export the named keys that are configured as
|
|
exportable.
|
|
`
|