Beispiel #1
0
func loadExample(c *cli.Context, file string) (sops.Tree, error) {
	var in []byte
	var tree sops.Tree
	fileStore := inputStore(c, file)
	if _, ok := fileStore.(*json.BinaryStore); ok {
		// Get the value under the first key
		in = []byte(exampleTree[0].Value.(string))
	} else {
		var err error
		in, err = fileStore.Marshal(exampleTree)
		if err != nil {
			return tree, err
		}
	}
	branch, _ := fileStore.Unmarshal(in)
	tree.Branch = branch
	ks, err := getKeySources(c, file)
	if err != nil {
		return tree, err
	}
	tree.Metadata.UnencryptedSuffix = c.String("unencrypted-suffix")
	tree.Metadata.Version = version
	tree.Metadata.KeySources = ks
	key, errs := tree.GenerateDataKey()
	if len(errs) > 0 {
		return tree, cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
	}
	tree.Metadata.UpdateMasterKeys(key)
	return tree, nil
}
Beispiel #2
0
func decryptConf(encryptedConf []byte) (decryptedConf []byte, err error) {
	store := &sopsyaml.Store{}
	metadata, err := store.UnmarshalMetadata(encryptedConf)
	if err != nil {
		return
	}
	key, err := metadata.GetDataKey()
	if err != nil {
		return
	}
	branch, err := store.Unmarshal(encryptedConf)
	if err != nil {
		return
	}
	tree := sops.Tree{Branch: branch, Metadata: metadata}
	cipher := aes.Cipher{}
	mac, err := tree.Decrypt(key, cipher)
	if err != nil {
		return
	}
	originalMac, err := cipher.Decrypt(
		metadata.MessageAuthenticationCode,
		key,
		[]byte(metadata.LastModified.Format(time.RFC3339)),
	)
	if originalMac != mac {
		return
	}
	return store.Marshal(tree.Branch)
}
Beispiel #3
0
func rotate(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
	if err != nil {
		return nil, err
	}
	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
	if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
		return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
	}
	tree.Metadata.AddKMSMasterKeys(c.String("add-kms"), kmsEncryptionContext)
	tree.Metadata.AddPGPMasterKeys(c.String("add-pgp"))
	tree.Metadata.RemoveKMSMasterKeys(c.String("rm-kms"))
	tree.Metadata.RemovePGPMasterKeys(c.String("rm-pgp"))
	_, errs := tree.GenerateDataKey()
	if len(errs) > 0 {
		return nil, cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
	}
	tree, err = encryptTree(tree, nil)
	if err != nil {
		return nil, err
	}
	out, err := outputStore.MarshalWithMetadata(tree.Branch, tree.Metadata)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
	}
	return out, nil
}
Beispiel #4
0
func decryptFile(store sops.Store, fileBytes []byte, ignoreMac bool) (sops.Tree, error) {
	var tree sops.Tree
	metadata, err := store.UnmarshalMetadata(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	key, err := metadata.GetDataKey()
	if err != nil {
		return tree, cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
	}
	branch, err := store.Unmarshal(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	tree = sops.Tree{Branch: branch, Metadata: metadata}
	cipher := aes.Cipher{}
	mac, err := tree.Decrypt(key, cipher)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), exitErrorDecryptingTree)
	}
	originalMac, err := cipher.Decrypt(metadata.MessageAuthenticationCode, key, []byte(metadata.LastModified.Format(time.RFC3339)))
	if originalMac != mac && !ignoreMac {
		return tree, cli.NewExitError(fmt.Sprintf("MAC mismatch. File has %s, computed %s", originalMac, mac), 9)
	}
	return tree, nil
}
Beispiel #5
0
func encryptTree(tree sops.Tree, stash map[string][]interface{}) (sops.Tree, error) {
	cipher := aes.Cipher{}
	key, err := tree.Metadata.GetDataKey()
	if err != nil {
		return tree, cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
	}
	computedMac, err := tree.Encrypt(key, cipher, stash)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error encrypting tree: %s", err), exitErrorEncryptingTree)
	}
	encryptedMac, err := cipher.Encrypt(computedMac, key, tree.Metadata.LastModified.Format(time.RFC3339), nil)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Could not encrypt MAC: %s", err), exitErrorEncryptingMac)
	}
	tree.Metadata.MessageAuthenticationCode = encryptedMac
	return tree, nil
}
Beispiel #6
0
func decryptTree(tree sops.Tree, ignoreMac bool) (sops.Tree, map[string][]interface{}, error) {
	cipher := aes.Cipher{}
	stash := make(map[string][]interface{})
	key, err := tree.Metadata.GetDataKey()
	if err != nil {
		return tree, nil, cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
	}
	computedMac, err := tree.Decrypt(key, cipher, stash)
	if err != nil {
		return tree, nil, cli.NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), exitErrorDecryptingTree)
	}
	fileMac, _, err := cipher.Decrypt(tree.Metadata.MessageAuthenticationCode, key, tree.Metadata.LastModified.Format(time.RFC3339))
	if fileMac != computedMac && !ignoreMac {
		return tree, nil, cli.NewExitError(fmt.Sprintf("MAC mismatch. File has %s, computed %s", fileMac, computedMac), exitMacMismatch)
	}
	return tree, stash, nil
}
Beispiel #7
0
func decrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
	if c.String("extract") != "" {
		v, err := tree.Branch.Truncate(c.String("extract"))
		if err != nil {
			return nil, cli.NewExitError(err.Error(), exitInvalidTreePathFormat)
		}
		if newBranch, ok := v.(sops.TreeBranch); ok {
			tree.Branch = newBranch
		} else {
			bytes, err := sops.ToBytes(v)
			if err != nil {
				return nil, cli.NewExitError(fmt.Sprintf("Error dumping tree: %s", err), exitErrorDumpingTree)
			}
			return bytes, nil
		}
	}
	out, err := outputStore.Marshal(tree.Branch)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Error dumping file: %s", err), exitErrorDumpingTree)
	}
	return out, nil
}
Beispiel #8
0
func edit(c *cli.Context, file string, fileBytes []byte) ([]byte, error) {
	var tree sops.Tree
	var stash map[string][]interface{}
	var err error
	if fileBytes == nil {
		tree, err = loadExample(c, file)
	} else {
		tree, err = loadEncryptedFile(c, inputStore(c, file), fileBytes)
		if err != nil {
			return nil, err
		}
		tree, stash, err = decryptTree(tree, c.Bool("ignore-mac"))
		if err != nil {
			return nil, err
		}
	}
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not load file: %s", err), exitCouldNotReadInputFile)
	}
	tmpdir, err := ioutil.TempDir("", "")
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not create temporary directory: %s", err), exitCouldNotWriteOutputFile)
	}
	defer os.RemoveAll(tmpdir)
	tmpfile, err := os.Create(path.Join(tmpdir, path.Base(file)))
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not create temporary file: %s", err), exitCouldNotWriteOutputFile)
	}
	var out []byte
	if c.Bool("show-master-keys") {
		out, err = outputStore(c, file).MarshalWithMetadata(tree.Branch, tree.Metadata)
	} else {
		out, err = outputStore(c, file).Marshal(tree.Branch)
	}
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
	}
	_, err = tmpfile.Write(out)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not write output file: %s", err), exitCouldNotWriteOutputFile)
	}
	origHash, err := hashFile(tmpfile.Name())
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not hash file: %s", err), exitCouldNotReadInputFile)
	}
	for {
		err = runEditor(tmpfile.Name())
		if err != nil {
			return nil, cli.NewExitError(fmt.Sprintf("Could not run editor: %s", err), exitNoEditorFound)
		}
		newHash, err := hashFile(tmpfile.Name())
		if err != nil {
			return nil, cli.NewExitError(fmt.Sprintf("Could not hash file: %s", err), exitCouldNotReadInputFile)
		}
		if bytes.Equal(newHash, origHash) {
			return nil, cli.NewExitError("File has not changed, exiting.", exitFileHasNotBeenModified)
		}
		edited, err := ioutil.ReadFile(tmpfile.Name())
		if err != nil {
			return nil, cli.NewExitError(fmt.Sprintf("Could not read edited file: %s", err), exitCouldNotReadInputFile)
		}
		newBranch, err := inputStore(c, file).Unmarshal(edited)
		if err != nil {
			fmt.Printf("Could not load tree: %s\nProbably invalid syntax. Press a key to return to the editor, or Ctrl+C to exit.", err)
			bufio.NewReader(os.Stdin).ReadByte()
			continue
		}
		if c.Bool("show-master-keys") {
			metadata, err := inputStore(c, file).UnmarshalMetadata(edited)
			if err != nil {
				fmt.Printf("sops branch is invalid: %s.\nPress a key to return to the editor, or Ctrl+C to exit.", err)
				bufio.NewReader(os.Stdin).ReadByte()
				continue
			}
			tree.Metadata = metadata
		}
		tree.Branch = newBranch
		tree.Metadata.Version = version
		if tree.Metadata.MasterKeyCount() == 0 {
			fmt.Println("No master keys were provided, so sops can't encrypt the file.\nPress a key to return to the editor, or Ctrl+C to exit.")
			bufio.NewReader(os.Stdin).ReadByte()
			continue
		}
		break
	}
	tree, err = encryptTree(tree, stash)
	if err != nil {
		return nil, err
	}
	out, err = outputStore(c, file).MarshalWithMetadata(tree.Branch, tree.Metadata)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
	}
	return out, nil
}
Beispiel #9
0
func encrypt(c *cli.Context, file string, fileBytes []byte, output io.Writer) error {
	store := store(file)
	branch, err := store.Unmarshal(fileBytes)
	if err != nil {
		return cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	var metadata sops.Metadata
	metadata.UnencryptedSuffix = c.String("unencrypted-suffix")
	metadata.Version = "2.0.0"
	var kmsKeys []sops.MasterKey
	var pgpKeys []sops.MasterKey

	if c.String("kms") != "" {
		for _, k := range kms.MasterKeysFromArnString(c.String("kms")) {
			kmsKeys = append(kmsKeys, &k)
		}
	}
	if c.String("pgp") != "" {
		for _, k := range pgp.MasterKeysFromFingerprintString(c.String("pgp")) {
			pgpKeys = append(pgpKeys, &k)
		}
	}

	if c.String("kms") == "" && c.String("pgp") == "" {
		var confBytes []byte
		if c.String("config") != "" {
			confBytes, err = ioutil.ReadFile(c.String("config"))
			if err != nil {
				return cli.NewExitError(fmt.Sprintf("Error loading config file: %s", err), exitErrorReadingConfig)
			}
		}
		kmsString, pgpString, err := yaml.MasterKeyStringsForFile(file, confBytes)
		if err == nil {
			for _, k := range pgp.MasterKeysFromFingerprintString(pgpString) {
				pgpKeys = append(pgpKeys, &k)
			}
			for _, k := range kms.MasterKeysFromArnString(kmsString) {
				kmsKeys = append(kmsKeys, &k)
			}
		}
	}
	kmsKs := sops.KeySource{Name: "kms", Keys: kmsKeys}
	pgpKs := sops.KeySource{Name: "pgp", Keys: pgpKeys}
	metadata.KeySources = append(metadata.KeySources, kmsKs)
	metadata.KeySources = append(metadata.KeySources, pgpKs)
	tree := sops.Tree{Branch: branch, Metadata: metadata}
	key, err := tree.GenerateDataKey()
	if err != nil {
		return cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
	}
	cipher := aes.Cipher{}
	mac, err := tree.Encrypt(key, cipher)
	encryptedMac, err := cipher.Encrypt(mac, key, []byte(metadata.LastModified.Format(time.RFC3339)))
	if err != nil {
		return cli.NewExitError(fmt.Sprintf("Could not encrypt MAC: %s", err), exitErrorEncryptingTree)
	}
	metadata.MessageAuthenticationCode = encryptedMac
	out, err := store.MarshalWithMetadata(tree.Branch, metadata)
	_, err = output.Write([]byte(out))
	if err != nil {
		return cli.NewExitError(fmt.Sprintf("Could not write to output stream: %s", err), exitCouldNotWriteOutputFile)
	}
	return nil
}