// rotate decrypts tree, applies the master-key changes requested through the
// CLI flags, calls tree.GenerateDataKey, re-encrypts the tree and returns it
// serialized by outputStore together with its metadata.
//
// Flags read from c: "ignore-mac", "encryption-context", "add-kms",
// "add-pgp", "rm-kms" and "rm-pgp".
//
// Errors from decryptTree and encryptTree are returned unchanged. A malformed
// encryption context, a GenerateDataKey failure and a marshalling failure are
// each reported as a cli exit error with its own exit code.
func rotate(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	// NOTE(review): "ignore-mac" is handed straight to decryptTree and
	// presumably disables MAC verification (confirm in decryptTree). If so,
	// the content re-encrypted below was never integrity-checked, and any
	// MAC recomputed by encryptTree would cover it as-is, so earlier
	// tampering would no longer be detectable on the rotated file.
	// The second result of decryptTree is discarded.
	tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
	if err != nil {
		return nil, err
	}

	// A non-empty flag value that parses to nil is rejected rather than
	// silently treated as "no encryption context".
	rawContext := c.String("encryption-context")
	kmsEncryptionContext := kms.ParseKMSContext(rawContext)
	if kmsEncryptionContext == nil && rawContext != "" {
		return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
	}

	// Additions are applied before removals, KMS before PGP in each group.
	// NOTE(review): removing a master key only changes the file produced by
	// this call; copies encrypted earlier stay decryptable with that key.
	tree.Metadata.AddKMSMasterKeys(c.String("add-kms"), kmsEncryptionContext)
	tree.Metadata.AddPGPMasterKeys(c.String("add-pgp"))
	tree.Metadata.RemoveKMSMasterKeys(c.String("rm-kms"))
	tree.Metadata.RemovePGPMasterKeys(c.String("rm-pgp"))

	// Only the error list is inspected; the first result is discarded.
	// Any failure aborts the rotation before the tree is re-encrypted.
	if _, errs := tree.GenerateDataKey(); len(errs) > 0 {
		return nil, cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
	}

	tree, err = encryptTree(tree, nil)
	if err != nil {
		return nil, err
	}

	serialized, marshalErr := outputStore.MarshalWithMetadata(tree.Branch, tree.Metadata)
	if marshalErr != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", marshalErr), exitErrorDumpingTree)
	}
	return serialized, nil
}
// encrypt runs encryptTree on tree and returns the result serialized by
// outputStore together with its metadata.
//
// An encryptTree error is returned unchanged; a marshalling failure is
// reported as a cli exit error carrying exitErrorDumpingTree. The c parameter
// is not read in this function.
func encrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	encrypted, err := encryptTree(tree, nil)
	if err != nil {
		return nil, err
	}

	serialized, marshalErr := outputStore.MarshalWithMetadata(encrypted.Branch, encrypted.Metadata)
	if marshalErr != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", marshalErr), exitErrorDumpingTree)
	}
	return serialized, nil
}