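// RecoverSecret decrypts an existing secret.
//
// It unwraps boxSecret with the package-level kek through tkdf.Decrypt and
// returns the plaintext. A nil boxSecret yields nil instead of a nil-pointer
// panic, which lines up with tkdf.Decrypt's own nil result on failure
// (KeyVault.Get treats that nil as ErrInvalidSecret).
func RecoverSecret(boxSecret *messages.Secret) []byte {
	if boxSecret == nil {
		return nil
	}
	box := &tkdf.Box{
		Data:      boxSecret.Data,
		Timestamp: boxSecret.Timestamp,
		Tag:       boxSecret.Tag,
	}
	return tkdf.Decrypt(kek, box)
}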
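// Get retrieves a secret from the vault, using the provided function for
// determining whether to grant access.
//
// Every call is logged exactly once through v.LogNow("get", ...), whether it
// succeeds or not. The log metadata carries the requested id, the context
// label once it is known, the outcome, and the error text on failure; the
// secret material itself is never written to the log.
//
// Returns ErrVaultFailure for a nil vault, ErrInvalidKey for an unknown id,
// ErrContextFailure when the key's context is missing or the check denies
// access, and ErrInvalidSecret when tkdf.Decrypt yields nil. On any error
// the returned *Key is nil.
func (v *KeyVault) Get(id string, check ContextCheck, authInfo ...interface{}) (k *Key, err error) {
	if v == nil {
		return nil, ErrVaultFailure
	}

	logmeta := Metadata{
		"id":      id,
		"success": "false",
	}
	// Runs after every return below; err is a named result, so the value
	// set by an explicit return is visible here.
	defer func() {
		if err != nil {
			logmeta["error"] = err.Error()
		}
		v.LogNow("get", logmeta)
	}()

	key, ok := v.secrets[id]
	if !ok {
		return nil, ErrInvalidKey
	}

	// A nil entry stored in v.contexts would otherwise panic on the
	// dereference below; treat it the same as a missing context.
	keyCtx, ok := v.contexts[key.Label]
	if !ok || keyCtx == nil {
		return nil, ErrContextFailure
	}
	logmeta["label"] = keyCtx.Label

	// The access check runs before any unwrapping, so a denied caller never
	// causes the key encryption key to be used.
	if !checkCtx(*keyCtx, check, authInfo...) {
		return nil, ErrContextFailure
	}

	box := &tkdf.Box{
		Data:      key.Secret,
		Timestamp: uint64(key.Timestamp),
		Tag:       key.Tag,
	}
	// tkdf.Decrypt signals failure with a nil result. Build the Key only
	// after success so no half-populated value is handed back with an error.
	secret := tkdf.Decrypt(v.metadata.Kek, box)
	if secret == nil {
		return nil, ErrInvalidSecret
	}

	k = &Key{
		ID:       key.ID,
		Label:    key.Label,
		Secret:   secret,
		Metadata: make(Metadata, len(key.Metadata)),
	}
	// Copy the metadata rather than aliasing it, so callers cannot mutate
	// the vault's stored entry through the returned Key.
	for mk, mv := range key.Metadata {
		k.Metadata[mk] = mv
	}

	logmeta["success"] = "true"
	return k, nil
}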