Пример #1
0
func rotate(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
	if err != nil {
		return nil, err
	}
	kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
	if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
		return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
	}
	tree.Metadata.AddKMSMasterKeys(c.String("add-kms"), kmsEncryptionContext)
	tree.Metadata.AddPGPMasterKeys(c.String("add-pgp"))
	tree.Metadata.RemoveKMSMasterKeys(c.String("rm-kms"))
	tree.Metadata.RemovePGPMasterKeys(c.String("rm-pgp"))
	_, errs := tree.GenerateDataKey()
	if len(errs) > 0 {
		return nil, cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
	}
	tree, err = encryptTree(tree, nil)
	if err != nil {
		return nil, err
	}
	out, err := outputStore.MarshalWithMetadata(tree.Branch, tree.Metadata)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
	}
	return out, nil
}
Пример #2
0
func decryptFile(store sops.Store, fileBytes []byte, ignoreMac bool) (sops.Tree, error) {
	var tree sops.Tree
	metadata, err := store.UnmarshalMetadata(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	key, err := metadata.GetDataKey()
	if err != nil {
		return tree, cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
	}
	branch, err := store.Unmarshal(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	tree = sops.Tree{Branch: branch, Metadata: metadata}
	cipher := aes.Cipher{}
	mac, err := tree.Decrypt(key, cipher)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), exitErrorDecryptingTree)
	}
	originalMac, err := cipher.Decrypt(metadata.MessageAuthenticationCode, key, []byte(metadata.LastModified.Format(time.RFC3339)))
	if originalMac != mac && !ignoreMac {
		return tree, cli.NewExitError(fmt.Sprintf("MAC mismatch. File has %s, computed %s", originalMac, mac), 9)
	}
	return tree, nil
}
Пример #3
0
func encrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	tree, err := encryptTree(tree, nil)
	if err != nil {
		return nil, err
	}
	out, err := outputStore.MarshalWithMetadata(tree.Branch, tree.Metadata)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), exitErrorDumpingTree)
	}
	return out, err
}
Пример #4
0
func loadEncryptedFile(c *cli.Context, store sops.Store, fileBytes []byte) (tree sops.Tree, err error) {
	metadata, err := store.UnmarshalMetadata(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file metadata: %s", err), exitCouldNotReadInputFile)
	}
	branch, err := store.Unmarshal(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	return sops.Tree{
		Branch:   branch,
		Metadata: metadata,
	}, nil
}
Пример #5
0
func loadPlainFile(c *cli.Context, store sops.Store, fileName string, fileBytes []byte) (tree sops.Tree, err error) {
	branch, err := store.Unmarshal(fileBytes)
	if err != nil {
		return tree, cli.NewExitError(fmt.Sprintf("Error loading file: %s", err), exitCouldNotReadInputFile)
	}
	tree.Branch = branch
	ks, err := getKeySources(c, fileName)
	if err != nil {
		return tree, err
	}
	tree.Metadata = sops.Metadata{
		UnencryptedSuffix: c.String("unencrypted-suffix"),
		Version:           version,
		KeySources:        ks,
	}
	tree.GenerateDataKey()
	return
}
Пример #6
0
func decrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, error) {
	tree, _, err := decryptTree(tree, c.Bool("ignore-mac"))
	if c.String("extract") != "" {
		v, err := tree.Branch.Truncate(c.String("extract"))
		if err != nil {
			return nil, cli.NewExitError(err.Error(), exitInvalidTreePathFormat)
		}
		if newBranch, ok := v.(sops.TreeBranch); ok {
			tree.Branch = newBranch
		} else {
			bytes, err := sops.ToBytes(v)
			if err != nil {
				return nil, cli.NewExitError(fmt.Sprintf("Error dumping tree: %s", err), exitErrorDumpingTree)
			}
			return bytes, nil
		}
	}
	out, err := outputStore.Marshal(tree.Branch)
	if err != nil {
		return nil, cli.NewExitError(fmt.Sprintf("Error dumping file: %s", err), exitErrorDumpingTree)
	}
	return out, nil
}