// getKeyBytes returns the RDBPrivateKey given a KeyID, as well as the decrypted private bytes func (rdb *RethinkDBKeyStore) getKey(keyID string) (*RDBPrivateKey, string, error) { // Retrieve the RethinkDB private key from the database dbPrivateKey := RDBPrivateKey{} res, err := gorethink.DB(rdb.dbName).Table(dbPrivateKey.TableName()).Filter(gorethink.Row.Field("key_id").Eq(keyID)).Run(rdb.sess) if err != nil { return nil, "", err } defer res.Close() err = res.One(&dbPrivateKey) if err != nil { return nil, "", trustmanager.ErrKeyNotFound{} } // Get the passphrase to use for this key passphrase, _, err := rdb.retriever(dbPrivateKey.KeyID, dbPrivateKey.PassphraseAlias, false, 1) if err != nil { return nil, "", err } // Decrypt private bytes from the gorm key decryptedPrivKey, _, err := jose.Decode(string(dbPrivateKey.Private), passphrase) if err != nil { return nil, "", err } return &dbPrivateKey, decryptedPrivKey, nil }
// GetKey returns the PrivateKey given a KeyID func (s *KeyDBStore) GetKey(name string) (data.PrivateKey, string, error) { s.Lock() defer s.Unlock() cachedKeyEntry, ok := s.cachedKeys[name] if ok { return cachedKeyEntry, "", nil } // Retrieve the GORM private key from the database dbPrivateKey := GormPrivateKey{} if s.db.Where(&GormPrivateKey{KeyID: name}).First(&dbPrivateKey).RecordNotFound() { return nil, "", ErrKeyNotFound{} } // Get the passphrase to use for this key passphrase, _, err := s.retriever(dbPrivateKey.KeyID, dbPrivateKey.PassphraseAlias, false, 1) if err != nil { return nil, "", err } // Decrypt private bytes from the gorm key decryptedPrivKey, _, err := jose.Decode(dbPrivateKey.Private, passphrase) if err != nil { return nil, "", err } // Create a new PrivateKey with unencrypted bytes privKey := data.NewPrivateKey(data.KeyAlgorithm(dbPrivateKey.Algorithm), []byte(dbPrivateKey.Public), []byte(decryptedPrivKey)) // Add the key to cache s.cachedKeys[privKey.ID()] = privKey return privKey, "", nil }
func (k *fileKeyring) Get(key string) (Item, error) { dir, err := k.dir() if err != nil { return Item{}, err } bytes, err := ioutil.ReadFile(filepath.Join(dir, key)) if os.IsNotExist(err) { return Item{}, ErrKeyNotFound } else if err != nil { return Item{}, err } if err = k.unlock(); err != nil { return Item{}, err } payload, _, err := jose.Decode(string(bytes), k.password) if err != nil { return Item{}, err } var decoded Item err = json.Unmarshal([]byte(payload), &decoded) return decoded, err }
// RotateKeyPassphrase rotates the key-encryption-key func (rdb RethinkDBKeyStore) RotateKeyPassphrase(name, newPassphraseAlias string) error { // Retrieve the RethinkDB private key from the database dbPrivateKey := RDBPrivateKey{KeyID: name} res, err := gorethink.DB(rdb.dbName).Table(dbPrivateKey.TableName()).Get(dbPrivateKey).Run(rdb.sess) if err != nil { return trustmanager.ErrKeyNotFound{} } defer res.Close() err = res.One(&dbPrivateKey) if err != nil { return trustmanager.ErrKeyNotFound{} } // Get the current passphrase to use for this key passphrase, _, err := rdb.retriever(dbPrivateKey.KeyID, dbPrivateKey.PassphraseAlias, false, 1) if err != nil { return err } // Decrypt private bytes from the rethinkDB key decryptedPrivKey, _, err := jose.Decode(dbPrivateKey.Private, passphrase) if err != nil { return err } // Get the new passphrase to use for this key newPassphrase, _, err := rdb.retriever(dbPrivateKey.KeyID, newPassphraseAlias, false, 1) if err != nil { return err } // Re-encrypt the private bytes with the new passphrase newEncryptedKey, err := jose.Encrypt(decryptedPrivKey, KeywrapAlg, EncryptionAlg, newPassphrase) if err != nil { return err } // Update the database object dbPrivateKey.Private = newEncryptedKey dbPrivateKey.PassphraseAlias = newPassphraseAlias if _, err := gorethink.DB(rdb.dbName).Table(dbPrivateKey.TableName()).Get(RDBPrivateKey{KeyID: name}).Update(dbPrivateKey).RunWrite(rdb.sess); err != nil { return err } return nil }
// GetKey returns the PrivateKey given a KeyID func (rdb *RethinkDBKeyStore) GetKey(name string) (data.PrivateKey, string, error) { rdb.lock.Lock() defer rdb.lock.Unlock() cachedKeyEntry, ok := rdb.cachedKeys[name] if ok { return cachedKeyEntry, "", nil } // Retrieve the RethinkDB private key from the database dbPrivateKey := RDBPrivateKey{} res, err := gorethink.DB(rdb.dbName).Table(dbPrivateKey.TableName()).Filter(gorethink.Row.Field("key_id").Eq(name)).Run(rdb.sess) if err != nil { return nil, "", trustmanager.ErrKeyNotFound{} } defer res.Close() err = res.One(&dbPrivateKey) if err != nil { return nil, "", trustmanager.ErrKeyNotFound{} } // Get the passphrase to use for this key passphrase, _, err := rdb.retriever(dbPrivateKey.KeyID, dbPrivateKey.PassphraseAlias, false, 1) if err != nil { return nil, "", err } // Decrypt private bytes from the gorm key decryptedPrivKey, _, err := jose.Decode(dbPrivateKey.Private, passphrase) if err != nil { return nil, "", err } pubKey := data.NewPublicKey(dbPrivateKey.Algorithm, []byte(dbPrivateKey.Public)) // Create a new PrivateKey with unencrypted bytes privKey, err := data.NewPrivateKey(pubKey, []byte(decryptedPrivKey)) if err != nil { return nil, "", err } // Add the key to cache rdb.cachedKeys[privKey.ID()] = privKey return privKey, "", nil }
func (s *SQLKeyDBStore) getKey(keyID string, markActive bool) (*GormPrivateKey, string, error) { // Retrieve the GORM private key from the database dbPrivateKey := GormPrivateKey{} if s.db.Where(&GormPrivateKey{KeyID: keyID}).First(&dbPrivateKey).RecordNotFound() { return nil, "", trustmanager.ErrKeyNotFound{KeyID: keyID} } // Get the passphrase to use for this key passphrase, _, err := s.retriever(dbPrivateKey.KeyID, dbPrivateKey.PassphraseAlias, false, 1) if err != nil { return nil, "", err } // Decrypt private bytes from the gorm key decryptedPrivKey, _, err := jose.Decode(dbPrivateKey.Private, passphrase) if err != nil { return nil, "", err } return &dbPrivateKey, decryptedPrivKey, nil }
// RotateKeyPassphrase rotates the key-encryption-key func (s *KeyDBStore) RotateKeyPassphrase(name, newPassphraseAlias string) error { // Retrieve the GORM private key from the database dbPrivateKey := GormPrivateKey{} if s.db.Where(&GormPrivateKey{KeyID: name}).First(&dbPrivateKey).RecordNotFound() { return trustmanager.ErrKeyNotFound{} } // Get the current passphrase to use for this key passphrase, _, err := s.retriever(dbPrivateKey.KeyID, dbPrivateKey.PassphraseAlias, false, 1) if err != nil { return err } // Decrypt private bytes from the gorm key decryptedPrivKey, _, err := jose.Decode(dbPrivateKey.Private, passphrase) if err != nil { return err } // Get the new passphrase to use for this key newPassphrase, _, err := s.retriever(dbPrivateKey.KeyID, newPassphraseAlias, false, 1) if err != nil { return err } // Re-encrypt the private bytes with the new passphrase newEncryptedKey, err := jose.Encrypt(decryptedPrivKey, KeywrapAlg, EncryptionAlg, newPassphrase) if err != nil { return err } // Update the database object dbPrivateKey.Private = newEncryptedKey dbPrivateKey.PassphraseAlias = newPassphraseAlias s.db.Save(dbPrivateKey) return nil }