diff options
-rw-r--r-- | sms-service/src/sms/auth/auth.go | 46 | ||||
-rw-r--r-- | sms-service/src/sms/backend/vault.go | 38 |
2 files changed, 84 insertions, 0 deletions
diff --git a/sms-service/src/sms/auth/auth.go b/sms-service/src/sms/auth/auth.go index 8186738..341f377 100644 --- a/sms-service/src/sms/auth/auth.go +++ b/sms-service/src/sms/auth/auth.go @@ -17,9 +17,14 @@ package auth import ( + "bytes" "crypto/tls" "crypto/x509" + "encoding/base64" + "golang.org/x/crypto/openpgp" "io/ioutil" + + smslogger "sms/log" ) var tlsConfig *tls.Config @@ -47,3 +52,44 @@ func GetTLSConfig(caCertFile string) (*tls.Config, error) { } return tlsConfig, nil } + +// GeneratePGPKeyPair produces a PGP key pair and returns +// two things: +// A base64 encoded form of the public part of the entity +// A base64 encoded form of the private key +func GeneratePGPKeyPair() (string, string, error) { + var entity *openpgp.Entity + entity, err := openpgp.NewEntity("aaf.sms.init", "PGP Key for unsealing", "", nil) + if err != nil { + smslogger.WriteError(err.Error()) + return "", "", err + } + + // Sign the identity in the entity + for _, id := range entity.Identities { + err = id.SelfSignature.SignUserId(id.UserId.Id, entity.PrimaryKey, entity.PrivateKey, nil) + if err != nil { + smslogger.WriteError(err.Error()) + return "", "", err + } + } + + // Sign the subkey in the entity + for _, subkey := range entity.Subkeys { + err := subkey.Sig.SignKey(subkey.PublicKey, entity.PrivateKey, nil) + if err != nil { + smslogger.WriteError(err.Error()) + return "", "", err + } + } + + buffer := new(bytes.Buffer) + entity.Serialize(buffer) + pbkey := base64.StdEncoding.EncodeToString(buffer.Bytes()) + + buffer.Reset() + entity.SerializePrivate(buffer, nil) + prkey := base64.StdEncoding.EncodeToString(buffer.Bytes()) + + return pbkey, prkey, nil +} diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go index a4ebaaa..ac5cc67 100644 --- a/sms-service/src/sms/backend/vault.go +++ b/sms-service/src/sms/backend/vault.go @@ -19,6 +19,7 @@ package backend import ( uuid "github.com/hashicorp/go-uuid" vaultapi "github.com/hashicorp/vault/api" + smsauth "sms/auth" smslogger "sms/log" "errors" @@ -41,6 +42,10 @@ type Vault struct { vaultMount string vaultTempTokenTTL time.Time vaultToken string + unsealShards []string + rootToken string + pgpPub string + pgpPr string } // Init will initialize the vault connection @@ -349,3 +354,36 @@ func (v *Vault) checkToken() error { v.vaultClient.SetToken(tok) return nil } + +// vaultInit() is used to initialize the vault in cases where it is not +// initialized. This happens once during intial bring up. +func (v *Vault) initializeVault() error { + initReq := &vaultapi.InitRequest{ + SecretShares: 5, + SecretThreshold: 3, + } + + pbkey, prkey, err := smsauth.GeneratePGPKeyPair() + if err != nil { + smslogger.WriteError("Error Generating PGP Keys. Vault Init will not use encryption!") + } else { + initReq.PGPKeys = []string{pbkey, pbkey, pbkey, pbkey, pbkey} + initReq.RootTokenPGPKey = pbkey + v.pgpPub = pbkey + v.pgpPr = prkey + } + + resp, err := v.vaultClient.Sys().Init(initReq) + if err != nil { + smslogger.WriteError(err.Error()) + return errors.New("FATAL: Unable to initialize Vault") + } + + if resp != nil { + v.unsealShards = resp.KeysB64 + v.rootToken = resp.RootToken + return nil + } + + return errors.New("FATAL: Init response was empty") +} |