Skip to content

Commit

Permalink
Add encrypt and decrypt crypto keys to vault auth
Browse files Browse the repository at this point in the history
  • Loading branch information
@zachhuff386
zachhuff386 committed Aug 16, 2019
1 parent 08edca5 commit c2644fa
Showing 1 changed file with 109 additions and 0 deletions.
109 changes: 109 additions & 0 deletions vault/auth.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -290,6 +290,115 @@ func (v *Vault) decryptPayload(payload *Payload) (data []byte, err error) {
return
}

func (v *Vault) decryptCryptoKeys(masterKey []byte) (
cryptoKeys *CryptoKeys, err error) {

block, err := aes.NewCipher(masterKey)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to parse encryption key"),
}
return
}

gcm, err := cipher.NewGCM(block)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to parse encryption block"),
}
return
}

data, err := gcm.Open(nil, v.cryptoNonce, v.cryptoData, nil)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to parse encryption block"),
}
return
}

keys := &CryptoKeys{}

err = json.Unmarshal(data, keys)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to unmarshal encryption data"),
}
return
}

hashFunc := hmac.New(sha512.New, masterKey)
hashFunc.Write([]byte(keys.AesKey + "&" + keys.HmacKey))
hashData := hashFunc.Sum(nil)

authorization, err := base64.StdEncoding.DecodeString(keys.Authorization)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to decode authorization"),
}
return
}

if subtle.ConstantTimeCompare(hashData, authorization) != 1 {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to unmarshal encryption data"),
}
return
}

cryptoKeys = keys

return
}

func (v *Vault) encryptCryptoKeys(masterKey []byte) (
ciphertext []byte, err error) {

v.cryptoNonce, err = utils.RandBytes(12)
if err != nil {
return
}

block, err := aes.NewCipher(masterKey)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to parse encryption key"),
}
return
}

gcm, err := cipher.NewGCM(block)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to parse encryption block"),
}
return
}

keys := &CryptoKeys{
AesKey: base64.StdEncoding.EncodeToString(v.aesKey),
HmacKey: base64.StdEncoding.EncodeToString(v.hmacKey),
}

hashFunc := hmac.New(sha512.New, masterKey)
hashFunc.Write([]byte(keys.AesKey + "&" + keys.HmacKey))
hashData := hashFunc.Sum(nil)

keys.Authorization = base64.StdEncoding.EncodeToString(hashData)

data, err := json.Marshal(keys)
if err != nil {
err = &errortypes.ParseError{
errors.Wrap(err, "vault: Failed to marshal encryption data"),
}
return
}

ciphertext = gcm.Seal(nil, v.cryptoNonce, data, nil)

return
}

func (v *Vault) decryptMasterKey(key *MasterKey) (master []byte, err error) {
hostCiphertext, err := base64.StdEncoding.DecodeString(key.HostSecret)
if err != nil {
Expand Down

0 comments on commit c2644fa

Please sign in to comment.