From 25e46bdd57dc0e5d50688e2363b1fc6de38ed3f0 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Thu, 5 Mar 2015 13:57:45 -0800
Subject: [PATCH] vault: Structure the barrier init file
---
 vault/barrier_aes_gcm.go | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/vault/barrier_aes_gcm.go b/vault/barrier_aes_gcm.go
index 2875100ac7..2bcc94ae06 100644
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@@ -4,6 +4,7 @@ import (
 "crypto/aes"
 "crypto/cipher"
 "crypto/rand"
+ "encoding/json"
 "fmt"
 "sync"
@@ -16,6 +17,12 @@ const (
 aesgcmVersionByte = 0x1
 )
+// barrierInit is the JSON encoded value stored
+type barrierInit struct {
+ Version int // Version is the current format version
+ Key []byte // Key is the primary encryption key
+}
+
 // AESGCMBarrier is a SecurityBarrier implementation that
 // uses a 128bit AES encryption cipher with the Galois Counter Mode.
 // AES-GCM is high performance, and provides both confidentiality
@@ -82,15 +89,26 @@ func (b *AESGCMBarrier) Initialize(key []byte) error {
 }
 defer memzero(encrypt)
- // Generate the barrier init value
- value := b.encrypt(gcm, encrypt)
+ // Create the barrier init entry
+ init := barrierInit{
+ Version: 1,
+ Key: encrypt,
+ }
+ buf, err := json.Marshal(init)
+ if err != nil {
+ return fmt.Errorf("failed to create barrier entry: %v", err)
+ }
+ defer memzero(buf)
+
+ // Encrypt the barrier init value
+ value := b.encrypt(gcm, buf)
 // Create the barrierInitPath
- init := &physical.Entry{
+ pe := &physical.Entry{
 Key: barrierInitPath,
 Value: value,
 }
- if err := b.backend.Put(init); err != nil {
+ if err := b.backend.Put(pe); err != nil {
 return fmt.Errorf("failed to create initialization key: %v", err)
 }
 return nil
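Review bot: The `barrierInit` struct added in the second hunk carries no JSON field tags, so the Go field names `Version` and `Key` become the persisted format of the barrier init entry, and a later rename of either field would change what Unseal is able to read back. Pinning the names with `json:"version"` and `json:"key"` tags on the two fields keeps the stored format independent of refactoring. The doc comment also stops short of saying where the value lives; `// barrierInit is the JSON-encoded value stored, encrypted, at barrierInitPath.` would complete it.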
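Review bot: In the Initialize hunk, `defer memzero(buf)` wipes only the slice that `json.Marshal` returned; any intermediate buffers the encoder used while base64-expanding `Key` are not reachable from this function, so the zeroing guarantee that held for the raw `encrypt` slice is weaker for the serialized form. That may be an acceptable trade-off, but it should be recorded next to the call, e.g. `// NOTE: json.Marshal may leave encoder-internal copies of the key; memzero(buf) only clears the returned slice.` The literal `Version: 1` would also be better as a named constant declared beside `aesgcmVersionByte`, so the Unseal path can compare against the same value. Initialize begins before this hunk.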
@@ -138,14 +156,21 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 }
 // Decrypt the barrier init key
- encryptKey, err := b.decrypt(gcm, out.Value)
+ plain, err := b.decrypt(gcm, out.Value)
 if err != nil {
 return err
 }
- defer memzero(encryptKey)
+ defer memzero(plain)
+
+ // Unmarshal the barrier init
+ var init barrierInit
+ if err := json.Unmarshal(plain, &init); err != nil {
+ return fmt.Errorf("failed to unmarshal barrier init file")
+ }
+ defer memzero(init.Key)
 // Initialize the master encryption key
- b.primary, err = b.aeadFromKey(init.Key)
+ b.primary, err = b.aeadFromKey(init.Key)
 if err != nil {
 return err
 }
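Review bot: Unseal never inspects `init.Version` after `json.Unmarshal`, so an entry written in an unexpected or future format is accepted and its `Key` is handed straight to `aeadFromKey`. A guard directly after the unmarshal, `if init.Version != 1 { return fmt.Errorf("unsupported barrier init version: %d", init.Version) }`, would make the version field enforceable, ideally against a constant shared with Initialize. Separately, `defer memzero(init.Key)` is registered only after the error check, and `json.Unmarshal` may populate fields before returning a type error, so on that path the decoded key bytes would not be wiped; `defer func() { memzero(init.Key) }()` placed before the Unmarshal call covers it. Unseal starts and ends outside this hunk.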