summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKiran Kamineni <kiran.k.kamineni@intel.com>2018-03-09 11:03:36 -0800
committerKiran Kamineni <kiran.k.kamineni@intel.com>2018-03-09 11:03:42 -0800
commit6915d039b71df5aafd2746f933bffbd824343382 (patch)
treeef29cdd415158bb0b15a351d070f0c9fd7d04877
parent0b3385c4fc8e728a2bff17ef7682c6e75918c2f2 (diff)
Adding PGP key creation capability for vault init
Adding a couple of functions to support PGP key generation and using said keys to initialise vault. Issue-ID: AAF-165 Change-Id: Ic65f8157f125005d544bbf8dede184bd282a5357 Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
-rw-r--r--sms-service/src/sms/auth/auth.go46
-rw-r--r--sms-service/src/sms/backend/vault.go38
2 files changed, 84 insertions, 0 deletions
diff --git a/sms-service/src/sms/auth/auth.go b/sms-service/src/sms/auth/auth.go
index 8186738..341f377 100644
--- a/sms-service/src/sms/auth/auth.go
+++ b/sms-service/src/sms/auth/auth.go
@@ -17,9 +17,14 @@
package auth
import (
+ "bytes"
"crypto/tls"
"crypto/x509"
+ "encoding/base64"
+ "golang.org/x/crypto/openpgp"
"io/ioutil"
+
+ smslogger "sms/log"
)
var tlsConfig *tls.Config
@@ -47,3 +52,44 @@ func GetTLSConfig(caCertFile string) (*tls.Config, error) {
}
return tlsConfig, nil
}
+
+// GeneratePGPKeyPair produces a PGP key pair and returns
+// two things:
+// A base64 encoded form of the public part of the entity
+// A base64 encoded form of the private key
+func GeneratePGPKeyPair() (string, string, error) {
+ var entity *openpgp.Entity
+ entity, err := openpgp.NewEntity("aaf.sms.init", "PGP Key for unsealing", "", nil)
+ if err != nil {
+ smslogger.WriteError(err.Error())
+ return "", "", err
+ }
+
+ // Sign the identity in the entity
+ for _, id := range entity.Identities {
+ err = id.SelfSignature.SignUserId(id.UserId.Id, entity.PrimaryKey, entity.PrivateKey, nil)
+ if err != nil {
+ smslogger.WriteError(err.Error())
+ return "", "", err
+ }
+ }
+
+ // Sign the subkey in the entity
+ for _, subkey := range entity.Subkeys {
+ err := subkey.Sig.SignKey(subkey.PublicKey, entity.PrivateKey, nil)
+ if err != nil {
+ smslogger.WriteError(err.Error())
+ return "", "", err
+ }
+ }
+
+ buffer := new(bytes.Buffer)
+ entity.Serialize(buffer)
+ pbkey := base64.StdEncoding.EncodeToString(buffer.Bytes())
+
+ buffer.Reset()
+ entity.SerializePrivate(buffer, nil)
+ prkey := base64.StdEncoding.EncodeToString(buffer.Bytes())
+
+ return pbkey, prkey, nil
+}
diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go
index a4ebaaa..ac5cc67 100644
--- a/sms-service/src/sms/backend/vault.go
+++ b/sms-service/src/sms/backend/vault.go
@@ -19,6 +19,7 @@ package backend
import (
uuid "github.com/hashicorp/go-uuid"
vaultapi "github.com/hashicorp/vault/api"
+ smsauth "sms/auth"
smslogger "sms/log"
"errors"
@@ -41,6 +42,10 @@ type Vault struct {
vaultMount string
vaultTempTokenTTL time.Time
vaultToken string
+ unsealShards []string
+ rootToken string
+ pgpPub string
+ pgpPr string
}
// Init will initialize the vault connection
@@ -349,3 +354,36 @@ func (v *Vault) checkToken() error {
v.vaultClient.SetToken(tok)
return nil
}
+
+// vaultInit() is used to initialize the vault in cases where it is not
+// initialized. This happens once during intial bring up.
+func (v *Vault) initializeVault() error {
+ initReq := &vaultapi.InitRequest{
+ SecretShares: 5,
+ SecretThreshold: 3,
+ }
+
+ pbkey, prkey, err := smsauth.GeneratePGPKeyPair()
+ if err != nil {
+ smslogger.WriteError("Error Generating PGP Keys. Vault Init will not use encryption!")
+ } else {
+ initReq.PGPKeys = []string{pbkey, pbkey, pbkey, pbkey, pbkey}
+ initReq.RootTokenPGPKey = pbkey
+ v.pgpPub = pbkey
+ v.pgpPr = prkey
+ }
+
+ resp, err := v.vaultClient.Sys().Init(initReq)
+ if err != nil {
+ smslogger.WriteError(err.Error())
+ return errors.New("FATAL: Unable to initialize Vault")
+ }
+
+ if resp != nil {
+ v.unsealShards = resp.KeysB64
+ v.rootToken = resp.RootToken
+ return nil
+ }
+
+ return errors.New("FATAL: Init response was empty")
+}