open-vault/builtin/logical/transit/path_wrapping_key.go
Matt Schultz 611ab91e5a
Transit byok import endpoints (#15414)
* add import endpoint

* fix unlock

* add import_version

* refactor import endpoints and add tests

* add descriptions

* Update dependencies to include tink for Transit import operations. Convert Transit wrapping key endpoint to use shared wrapping key retrieval method. Disallow import of convergent keys to Transit via BYOK process.

* Include new 'hash_function' parameter on Transit import endpoints to specify OAEP random oracle hash function used to wrap ephemeral AES key.

* Add default values for Transit import endpoint fields. Prevent an OOB panic in Transit import. Proactively zero out ephemeral AES key used in Transit imports.

* Rename some Transit BYOK import variables. Ensure Transit BYOK ephemeral key is of the size specified byt the RFC.

* Add unit tests for Transit BYOK import endpoint.

* Simplify Transit BYOK import tests. Add a conditional on auto rotation to avoid errors on BYOK keys with allow_rotation=false.

* Added hash_function field to Transit import_version endpoint. Reworked Transit import unit tests. Added unit tests for Transit import_version endpoint.

* Add changelog entry for Transit BYOK.

* Transit BYOK formatting fixes.

* Omit 'convergent_encryption' field from Transit BYOK import endpoint, but reject with an error when the field is provided.

* Minor formatting fix in Transit import.

Co-authored-by: rculpepper <rculpepper@hashicorp.com>
2022-05-16 11:50:38 -05:00

90 lines
2.3 KiB
Go

package transit
import (
"context"
"crypto/x509"
"encoding/pem"
"fmt"
"strconv"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/keysutil"
"github.com/hashicorp/vault/sdk/logical"
)
const WrappingKeyName = "wrapping-key"
func (b *backend) pathWrappingKey() *framework.Path {
return &framework.Path{
Pattern: "wrapping_key",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathWrappingKeyRead,
},
HelpSynopsis: pathWrappingKeyHelpSyn,
HelpDescription: pathWrappingKeyHelpDesc,
}
}
func (b *backend) pathWrappingKeyRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
p, err := b.getWrappingKey(ctx, req.Storage)
if err != nil {
return nil, err
}
wrappingKey := p.Keys[strconv.Itoa(p.LatestVersion)]
derBytes, err := x509.MarshalPKIXPublicKey(wrappingKey.RSAKey.Public())
if err != nil {
return nil, fmt.Errorf("error marshaling RSA public key: %w", err)
}
pemBlock := &pem.Block{
Type: "PUBLIC KEY",
Bytes: derBytes,
}
pemBytes := pem.EncodeToMemory(pemBlock)
if pemBytes == nil || len(pemBytes) == 0 {
return nil, fmt.Errorf("failed to PEM-encode RSA public key")
}
publicKeyString := string(pemBytes)
resp := &logical.Response{
Data: map[string]interface{}{
"public_key": publicKeyString,
},
}
return resp, nil
}
func (b *backend) getWrappingKey(ctx context.Context, storage logical.Storage) (*keysutil.Policy, error) {
polReq := keysutil.PolicyRequest{
Upsert: true,
Storage: storage,
Name: fmt.Sprintf("import/%s", WrappingKeyName),
KeyType: keysutil.KeyType_RSA4096,
Derived: false,
Convergent: false,
Exportable: false,
AllowPlaintextBackup: false,
AutoRotatePeriod: 0,
}
p, _, err := b.GetPolicy(ctx, polReq, b.GetRandomReader())
if err != nil {
return nil, err
}
if p == nil {
return nil, fmt.Errorf("error retrieving wrapping key: returned policy was nil")
}
if b.System().CachingDisabled() {
p.Unlock()
}
return p, nil
}
const (
pathWrappingKeyHelpSyn = "Returns the public key to use for wrapping imported keys"
pathWrappingKeyHelpDesc = "This path is used to retrieve the RSA-4096 wrapping key " +
"for wrapping keys that are being imported into transit."
)