Example #1
0
func handleSysSeal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != "PUT" {
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Get the auth for the request so we can access the token directly
		req := requestAuth(r, &logical.Request{})

		// Seal with the token above
		if err := core.Seal(req.ClientToken); err != nil {
			respondError(w, http.StatusInternalServerError, err)
			return
		}

		respondOk(w, nil)
	})
}
Example #2
0
func parseDecryptAndTestUnsealKeys(t *testing.T,
	input, rootToken string,
	fingerprints bool,
	backupKeys map[string][]string,
	core *vault.Core) {
	decoder := base64.StdEncoding
	priv1Bytes, err := decoder.DecodeString(privKey1)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 1: %s", err)
	}
	priv2Bytes, err := decoder.DecodeString(privKey2)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 2: %s", err)
	}
	priv3Bytes, err := decoder.DecodeString(privKey3)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 3: %s", err)
	}

	privBytes := [][]byte{
		priv1Bytes,
		priv2Bytes,
		priv3Bytes,
	}

	var re *regexp.Regexp
	if fingerprints {
		re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value:\\s+(.*)")
	} else {
		re, err = regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
	}
	if err != nil {
		t.Fatalf("Error compiling regex: %s", err)
	}
	matches := re.FindAllStringSubmatch(input, -1)
	if len(matches) != 3 {
		t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
	}

	encodedKeys := []string{}
	matchedFingerprints := []string{}
	for _, tuple := range matches {
		if fingerprints {
			if len(tuple) != 3 {
				t.Fatalf("Key not found: %#v", tuple)
			}
			matchedFingerprints = append(matchedFingerprints, tuple[1])
			encodedKeys = append(encodedKeys, tuple[2])
		} else {
			if len(tuple) != 2 {
				t.Fatalf("Key not found: %#v", tuple)
			}
			encodedKeys = append(encodedKeys, tuple[1])
		}
	}

	if backupKeys != nil && len(matchedFingerprints) != 0 {
		testMap := map[string][]string{}
		for i, v := range matchedFingerprints {
			testMap[v] = append(testMap[v], encodedKeys[i])
			sort.Strings(testMap[v])
		}
		if !reflect.DeepEqual(testMap, backupKeys) {
			t.Fatalf("test map and backup map do not match, test map is\n%#v\nbackup map is\n%#v", testMap, backupKeys)
		}
	}

	unsealKeys := []string{}
	ptBuf := bytes.NewBuffer(nil)
	for i, keyHex := range privBytes {
		if i > 2 {
			break
		}
		ptBuf.Reset()
		entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(keyHex)))
		if err != nil {
			t.Fatalf("Error parsing private key %d: %s", i, err)
		}
		keyBytes, err := hex.DecodeString(encodedKeys[i])
		if err != nil {
			t.Fatalf("Error hex-decoding key %d: %s", i, err)
		}
		entityList := &openpgp.EntityList{entity}
		md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
		if err != nil {
			t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
		}
		ptBuf.ReadFrom(md.UnverifiedBody)
		unsealKeys = append(unsealKeys, ptBuf.String())
	}

	err = core.Seal(rootToken)
	if err != nil {
		t.Fatalf("Error sealing vault with provided root token: %s", err)
	}

	for i, unsealKey := range unsealKeys {
		unsealBytes, err := hex.DecodeString(unsealKey)
		if err != nil {
			t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
		}
		unsealed, err := core.Unseal(unsealBytes)
		if err != nil {
			t.Fatalf("Error using unseal key %s: %s", unsealKey, err)
		}
		if i >= 2 && !unsealed {
			t.Fatalf("Error: Provided two unseal keys but core is not unsealed")
		}
	}

}
Example #3
0
func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *vault.Core) {
	decoder := base64.StdEncoding
	priv1Bytes, err := decoder.DecodeString(privKey1)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 1: %s", err)
	}
	priv2Bytes, err := decoder.DecodeString(privKey2)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 2: %s", err)
	}
	priv3Bytes, err := decoder.DecodeString(privKey3)
	if err != nil {
		t.Fatalf("Error decoding bytes for private key 3: %s", err)
	}

	privBytes := [][]byte{
		priv1Bytes,
		priv2Bytes,
		priv3Bytes,
	}

	re, err := regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
	if err != nil {
		t.Fatalf("Error compiling regex: %s", err)
	}
	matches := re.FindAllStringSubmatch(input, -1)
	if len(matches) != 3 {
		t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
	}

	encodedKeys := []string{}
	for _, pair := range matches {
		if len(pair) != 2 {
			t.Fatalf("Key not found: %#v", pair)
		}
		encodedKeys = append(encodedKeys, pair[1])
	}

	unsealKeys := []string{}
	ptBuf := bytes.NewBuffer(nil)
	for i, keyHex := range privBytes {
		if i > 2 {
			break
		}
		ptBuf.Reset()
		entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(keyHex)))
		if err != nil {
			t.Fatalf("Error parsing private key %d: %s", i, err)
		}
		keyBytes, err := hex.DecodeString(encodedKeys[i])
		if err != nil {
			t.Fatalf("Error hex-decoding key %d: %s", i, err)
		}
		entityList := &openpgp.EntityList{entity}
		md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
		if err != nil {
			t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
		}
		ptBuf.ReadFrom(md.UnverifiedBody)
		unsealKeys = append(unsealKeys, ptBuf.String())
	}

	err = core.Seal(rootToken)
	if err != nil {
		t.Fatalf("Error sealing vault with provided root token: %s", err)
	}

	for i, unsealKey := range unsealKeys {
		unsealBytes, err := hex.DecodeString(unsealKey)
		if err != nil {
			t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
		}
		unsealed, err := core.Unseal(unsealBytes)
		if err != nil {
			t.Fatalf("Error using unseal key %s: %s", unsealKey, err)
		}
		if i >= 2 && !unsealed {
			t.Fatalf("Error: Provided two unseal keys but core is not unsealed")
		}
	}

}