func rotate(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
if err != nil {
return nil, err
}
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
}
tree.Metadata.AddKMSMasterKeys(c.String("add-kms"), kmsEncryptionContext)
tree.Metadata.AddPGPMasterKeys(c.String("add-pgp"))
tree.Metadata.RemoveKMSMasterKeys(c.String("rm-kms"))
tree.Metadata.RemovePGPMasterKeys(c.String("rm-pgp"))
_, errs := tree.GenerateDataKey()
if len(errs) > 0 {
return nil, cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
}
tree, err = encryptTree(tree, nil)
if err != nil {
return nil, err
}
out, err := outputStore.MarshalWithMetadata(tree.Branch, tree.Metadata)
if err != nil {
return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
}
return out, nil
}
func decryptFile(store sops.Store, fileBytes []byte, ignoreMac bool) (sops.Tree, error) {
var tree sops.Tree
metadata, err := store.UnmarshalMetadata(fileBytes)
if err != nil {
return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
}
key, err := metadata.GetDataKey()
if err != nil {
return tree, cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
}
branch, err := store.Unmarshal(fileBytes)
if err != nil {
return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
}
tree = sops.Tree{Branch: branch, Metadata: metadata}
cipher := aes.Cipher{}
mac, err := tree.Decrypt(key, cipher)
if err != nil {
return tree, cli.NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), exitErrorDecryptingTree)
}
originalMac, err := cipher.Decrypt(metadata.MessageAuthenticationCode, key, []byte(metadata.LastModified.Format(time.RFC3339)))
if originalMac != mac && !ignoreMac {
return tree, cli.NewExitError(fmt.Sprintf("MAC mismatch. File has %s, computed %s", originalMac, mac), 9)
}
return tree, nil
}
func encrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
tree, err := encryptTree(tree, nil)
if err != nil {
return nil, err
}
out, err := outputStore.MarshalWithMetadata(tree.Branch, tree.Metadata)
if err != nil {
return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
}
return out, err
}
func loadEncryptedFile(c *cli.Context, store sops.Store, fileBytes []byte) (tree sops.Tree, err error) {
metadata, err := store.UnmarshalMetadata(fileBytes)
if err != nil {
return tree, cli.NewExitError(fmt.Sprintf("Error loading file metadata: %s", err), exitCouldNotReadInputFile)
}
branch, err := store.Unmarshal(fileBytes)
if err != nil {
return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
}
return sops.Tree{
Branch: branch,
Metadata: metadata,
}, nil
}
func loadPlainFile(c *cli.Context, store sops.Store, fileName string, fileBytes []byte) (tree sops.Tree, err error) {
branch, err := store.Unmarshal(fileBytes)
if err != nil {
return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
}
tree.Branch = branch
ks, err := getKeySources(c, fileName)
if err != nil {
return tree, err
}
tree.Metadata = sops.Metadata{
UnencryptedSuffix: c.String("unencrypted-suffix"),
Version: version,
KeySources: ks,
}
tree.GenerateDataKey()
return
}
func decrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
if c.String("extract") != "" {
v, err := tree.Branch.Truncate(c.String("extract"))
if err != nil {
return nil, cli.NewExitError(err.Error(), exitInvalidTreePathFormat)
}
if newBranch, ok := v.(sops.TreeBranch); ok {
tree.Branch = newBranch
} else {
bytes, err := sops.ToBytes(v)
if err != nil {
return nil, cli.NewExitError(fmt.Sprintf("Error dumping tree: %s", err), exitErrorDumpingTree)
}
return bytes, nil
}
}
out, err := outputStore.Marshal(tree.Branch)
if err != nil {
return nil, cli.NewExitError(fmt.Sprintf("Error dumping file: %s", err), exitErrorDumpingTree)
}
return out, nil
}