// RecoverSecret decrypts an existing secret.
func RecoverSecret(boxSecret *messages.Secret) []byte {
box := tkdf.Box{
Data: boxSecret.Data,
Timestamp: boxSecret.Timestamp,
Tag: boxSecret.Tag,
}
return tkdf.Decrypt(kek, &box)
}
// Get retrieves a secret from the vault, using the provided function for
// determining whether to grant access.
func (v *KeyVault) Get(id string, check ContextCheck, authInfo ...interface{}) (k *Key, err error) {
if v == nil {
return nil, ErrVaultFailure
}
var logmeta = Metadata{
"id": id,
"success": "false",
}
defer func() {
if err != nil {
logmeta["error"] = err.Error()
}
v.LogNow("get", logmeta)
}()
key, ok := v.secrets[id]
if !ok {
err = ErrInvalidKey
return
}
context, ok := v.contexts[key.Label]
if !ok {
err = ErrContextFailure
return
}
logmeta["label"] = context.Label
if !checkCtx(*context, check, authInfo...) {
err = ErrContextFailure
return
}
k = &Key{}
var box = &tkdf.Box{
Data: key.Secret,
Timestamp: uint64(key.Timestamp),
Tag: key.Tag,
}
k.Secret = tkdf.Decrypt(v.metadata.Kek, box)
if k.Secret == nil {
err = ErrInvalidSecret
return
}
k.Label = key.Label
k.ID = key.ID
k.Metadata = make(Metadata)
for mk, mv := range key.Metadata {
k.Metadata[mk] = mv
}
logmeta["success"] = "true"
return
}