// GenerateRootInit is used to initialize the root generation settings func (c *Core) GenerateRootInit(otp, pgpKey string) error { var fingerprint string switch { case len(otp) > 0: otpBytes, err := base64.StdEncoding.DecodeString(otp) if err != nil { return fmt.Errorf("error decoding base64 OTP value: %s", err) } if otpBytes == nil || len(otpBytes) != 16 { return fmt.Errorf("decoded OTP value is invalid or wrong length") } case len(pgpKey) > 0: fingerprints, err := pgpkeys.GetFingerprints([]string{pgpKey}, nil) if err != nil { return fmt.Errorf("error parsing PGP key: %s", err) } if len(fingerprints) != 1 || fingerprints[0] == "" { return fmt.Errorf("could not acquire PGP key entity") } fingerprint = fingerprints[0] default: return fmt.Errorf("unreachable condition") } c.stateLock.RLock() defer c.stateLock.RUnlock() if c.sealed { return ErrSealed } if c.standby { return ErrStandby } c.generateRootLock.Lock() defer c.generateRootLock.Unlock() // Prevent multiple concurrent root generations if c.generateRootConfig != nil { return fmt.Errorf("root generation already in progress") } // Copy the configuration generationNonce, err := uuid.GenerateUUID() if err != nil { return err } c.generateRootConfig = &GenerateRootConfig{ Nonce: generationNonce, OTP: otp, PGPKey: pgpKey, PGPFingerprint: fingerprint, } c.logger.Printf("[INFO] core: root generation initialized (nonce: %s)", c.generateRootConfig.Nonce) return nil }
func handleSysRekeyInitGet(core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) { barrierConfig, err := core.SealAccess().BarrierConfig() if err != nil { respondError(w, http.StatusInternalServerError, err) return } if barrierConfig == nil { respondError(w, http.StatusBadRequest, fmt.Errorf( "server is not yet initialized")) return } // Get the rekey configuration rekeyConf, err := core.RekeyConfig(recovery) if err != nil { respondError(w, http.StatusInternalServerError, err) return } // Get the progress progress, err := core.RekeyProgress(recovery) if err != nil { respondError(w, http.StatusInternalServerError, err) return } sealThreshold, err := core.RekeyThreshold(recovery) if err != nil { respondError(w, http.StatusInternalServerError, err) return } // Format the status status := &RekeyStatusResponse{ Started: false, T: 0, N: 0, Progress: progress, Required: sealThreshold, } if rekeyConf != nil { status.Nonce = rekeyConf.Nonce status.Started = true status.T = rekeyConf.SecretThreshold status.N = rekeyConf.SecretShares if rekeyConf.PGPKeys != nil && len(rekeyConf.PGPKeys) != 0 { pgpFingerprints, err := pgpkeys.GetFingerprints(rekeyConf.PGPKeys, nil) if err != nil { respondError(w, http.StatusInternalServerError, err) return } status.PGPFingerprints = pgpFingerprints status.Backup = rekeyConf.Backup } } respondOk(w, status) }