Provide base64 keys in addition to hex encoded. (#1734)

* Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing.
2025-11-01 02:57:59 +00:00 · 2016-08-15 16:01:15 -04:00
parent 98d6218cfc
commit ed48b008ce
15 changed files with 236 additions and 117 deletions
--- a/api/sys_init.go
+++ b/api/sys_init.go
@@ -46,6 +46,8 @@ type InitStatusResponse struct {
 type InitResponse struct {
 	Keys            []string `json:"keys"`
 	KeysB64         []string `json:"keys_base64"`
 	RecoveryKeys    []string `json:"recovery_keys"`
 	RecoveryKeysB64 []string `json:"recovery_keys_base64"`
 	RootToken       string   `json:"root_token"`
 }
--- a/api/sys_rekey.go
+++ b/api/sys_rekey.go
@@ -190,6 +190,7 @@ type RekeyUpdateResponse struct {
 	Nonce           string
 	Complete        bool
 	Keys            []string
 	KeysB64         []string `json:"keys_base64"`
 	PGPFingerprints []string `json:"pgp_fingerprints"`
 	Backup          bool
 }
@@ -197,4 +198,5 @@ type RekeyUpdateResponse struct {
 type RekeyRetrieveResponse struct {
 	Nonce   string
 	Keys    map[string][]string
 	KeysB64 map[string][]string `json:"keys_base64"`
 }
--- a/command/init.go
+++ b/command/init.go
@@ -192,11 +192,21 @@ func (c *InitCommand) runInit(check bool, initRequest *api.InitRequest) int {
 	}
 	for i, key := range resp.Keys {
 		if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) {
 			c.Ui.Output(fmt.Sprintf("Unseal Key %d (hex)   : %s", i+1, key))
 			c.Ui.Output(fmt.Sprintf("Unseal Key %d (base64): %s", i+1, resp.KeysB64[i]))
 		} else {
 			c.Ui.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, key))
 		}
 	}
 	for i, key := range resp.RecoveryKeys {
 		if resp.RecoveryKeysB64 != nil && len(resp.RecoveryKeysB64) == len(resp.RecoveryKeys) {
 			c.Ui.Output(fmt.Sprintf("Recovery Key %d (hex)   : %s", i+1, key))
 			c.Ui.Output(fmt.Sprintf("Recovery Key %d (base64): %s", i+1, resp.RecoveryKeysB64[i]))
 		} else {
 			c.Ui.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, key))
 		}
 	}
 	c.Ui.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))
--- a/command/init_test.go
+++ b/command/init_test.go
@@ -244,5 +244,5 @@ func TestInit_PGP(t *testing.T) {
 	rootToken := matches[0][1]
-	parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), rootToken, false, nil, core)
+	parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), rootToken, false, nil, nil, core)
 }
--- a/command/pgp_test.go
+++ b/command/pgp_test.go
@@ -66,7 +66,9 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
 	input, rootToken string,
 	fingerprints bool,
 	backupKeys map[string][]string,
 	backupKeysB64 map[string][]string,
 	core *vault.Core) {
 	decoder := base64.StdEncoding
 	priv1Bytes, err := decoder.DecodeString(pgpkeys.TestPrivKey1)
 	if err != nil {
@@ -87,11 +89,20 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
 		priv3Bytes,
 	}
 	testFunc := func(b64 bool, bkeys map[string][]string) {
 		var re *regexp.Regexp
 		if fingerprints {
-		re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value:\\s+(.*)")
+			if b64 {
 				re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value\\s+\\(base64\\):\\s+(.*)")
 			} else {
-		re, err = regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
+				re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value\\s+\\(hex\\)\\s+:\\s+(.*)")
 			}
 		} else {
 			if b64 {
 				re, err = regexp.Compile("\\s*Key\\s+\\d+\\s\\(base64\\):\\s+(.*)")
 			} else {
 				re, err = regexp.Compile("\\s*Key\\s+\\d+\\s\\(hex\\)\\s+:\\s+(.*)")
 			}
 		}
 		if err != nil {
 			t.Fatalf("Error compiling regex: %s", err)
@@ -118,14 +129,14 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
 			}
 		}
-	if backupKeys != nil && len(matchedFingerprints) != 0 {
+		if bkeys != nil && len(matchedFingerprints) != 0 {
 			testMap := map[string][]string{}
 			for i, v := range matchedFingerprints {
 				testMap[v] = append(testMap[v], encodedKeys[i])
 				sort.Strings(testMap[v])
 			}
-		if !reflect.DeepEqual(testMap, backupKeys) {
+			if !reflect.DeepEqual(testMap, bkeys) {
-			t.Fatalf("test map and backup map do not match, test map is\n%#v\nbackup map is\n%#v", testMap, backupKeys)
+				t.Fatalf("test map and backup map do not match, test map is\n%#v\nbackup map is\n%#v", testMap, bkeys)
 			}
 		}
@@ -140,9 +151,14 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
 			if err != nil {
 				t.Fatalf("Error parsing private key %d: %s", i, err)
 			}
-		keyBytes, err := hex.DecodeString(encodedKeys[i])
+			var keyBytes []byte
 			if b64 {
 				keyBytes, err = base64.StdEncoding.DecodeString(encodedKeys[i])
 			} else {
 				keyBytes, err = hex.DecodeString(encodedKeys[i])
 			}
 			if err != nil {
-			t.Fatalf("Error hex-decoding key %d: %s", i, err)
+				t.Fatalf("Error decoding key %d: %s", i, err)
 			}
 			entityList := &openpgp.EntityList{entity}
 			md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
@@ -171,5 +187,8 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
 				t.Fatalf("Error: Provided two unseal keys but core is not unsealed")
 			}
 		}
 	}
 	testFunc(false, backupKeys)
 	testFunc(true, backupKeysB64)
 }
--- a/command/rekey.go
+++ b/command/rekey.go
@@ -93,12 +93,14 @@ func (c *RekeyCommand) Run(args []string) int {
 				SecretShares:    shares,
 				SecretThreshold: threshold,
 				PGPKeys:         pgpKeys,
 				Backup:          backup,
 			})
 		} else {
 			rekeyStatus, err = client.Sys().RekeyInit(&api.RekeyInitRequest{
 				SecretShares:    shares,
 				SecretThreshold: threshold,
 				PGPKeys:         pgpKeys,
 				Backup:          backup,
 			})
 		}
 		if err != nil {
@@ -158,13 +160,27 @@ func (c *RekeyCommand) Run(args []string) int {
 	// Space between the key prompt, if any, and the output
 	c.Ui.Output("\n")
 	// Provide the keys
 	var haveB64 bool
 	if result.KeysB64 != nil && len(result.KeysB64) == len(result.Keys) {
 		haveB64 = true
 	}
 	for i, key := range result.Keys {
 		if len(result.PGPFingerprints) > 0 {
 			if haveB64 {
 				c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value (hex)   : %s", i+1, result.PGPFingerprints[i], key))
 				c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value (base64): %s", i+1, result.PGPFingerprints[i], result.KeysB64[i]))
 			} else {
 				c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, result.PGPFingerprints[i], key))
 			}
 		} else {
 			if haveB64 {
 				c.Ui.Output(fmt.Sprintf("Key %d (hex)   : %s", i+1, key))
 				c.Ui.Output(fmt.Sprintf("Key %d (base64): %s", i+1, result.KeysB64[i]))
 			} else {
 				c.Ui.Output(fmt.Sprintf("Key %d: %s", i+1, key))
 			}
 		}
 	}
 	c.Ui.Output(fmt.Sprintf("\nOperation nonce: %s", result.Nonce))
--- a/command/rekey_test.go
+++ b/command/rekey_test.go
@@ -228,6 +228,7 @@ func TestRekey_init_pgp(t *testing.T) {
 	type backupStruct struct {
 		Keys    map[string][]string
 		KeysB64 map[string][]string
 	}
 	backupVals := &backupStruct{}
@@ -247,6 +248,7 @@ func TestRekey_init_pgp(t *testing.T) {
 	}
 	backupVals.Keys = resp.Data["keys"].(map[string][]string)
 	backupVals.KeysB64 = resp.Data["keys_base64"].(map[string][]string)
 	// Now delete and try again; the values should be inaccessible
 	req = logical.TestRequest(t, logical.DeleteOperation, "rekey/backup")
@@ -269,7 +271,8 @@ func TestRekey_init_pgp(t *testing.T) {
 	// Sort, because it'll be tested with DeepEqual later
 	for k, _ := range backupVals.Keys {
 		sort.Strings(backupVals.Keys[k])
 		sort.Strings(backupVals.KeysB64[k])
 	}
-	parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), token, true, backupVals.Keys, core)
+	parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), token, true, backupVals.Keys, backupVals.KeysB64, core)
 }
--- a/command/server.go
+++ b/command/server.go
@@ -1,6 +1,7 @@
 package command
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"log"
@@ -489,8 +490,9 @@ func (c *ServerCommand) Run(args []string) int {
 				"    "+export+" VAULT_ADDR="+quote+"http://"+config.Listeners[0].Config["address"]+quote+"\n\n"+
 				"The unseal key and root token are reproduced below in case you\n"+
 				"want to seal/unseal the Vault or play with authentication.\n\n"+
-				"Unseal Key: %s\nRoot Token: %s\n",
+				"Unseal Key (hex)   : %s\nUnseal Key (base64): %s\nRoot Token: %s\n",
 			hex.EncodeToString(init.SecretShares[0]),
 			base64.StdEncoding.EncodeToString(init.SecretShares[0]),
 			init.RootToken,
 		))
 	}
--- a/http/sys_generate_root.go
+++ b/http/sys_generate_root.go
@@ -1,6 +1,7 @@
 package http
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -123,14 +124,21 @@ func handleSysGenerateRootUpdate(core *vault.Core) http.Handler {
 			return
 		}
-		// Decode the key, which is hex encoded
+		// Decode the key, which is base64 or hex encoded
 		min, max := core.BarrierKeyLength()
 		key, err := hex.DecodeString(req.Key)
 		// We check min and max here to ensure that a string that is base64
 		// encoded but also valid hex will not be valid and we instead base64
 		// decode it
 		if err != nil || len(key) < min || len(key) > max {
 			key, err = base64.StdEncoding.DecodeString(req.Key)
 			if err != nil {
 				respondError(
 					w, http.StatusBadRequest,
-				errors.New("'key' must be a valid hex-string"))
+					errors.New("'key' must be a valid hex or base64 string"))
 				return
 			}
 		}
 		// Use the key to make progress on root generation
 		result, err := core.GenerateRootUpdate(key, req.Nonce)
--- a/http/sys_init.go
+++ b/http/sys_init.go
@@ -1,6 +1,7 @@
 package http
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"net/http"
@@ -93,19 +94,24 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request)
 	// Encode the keys
 	keys := make([]string, 0, len(result.SecretShares))
 	keysB64 := make([]string, 0, len(result.SecretShares))
 	for _, k := range result.SecretShares {
 		keys = append(keys, hex.EncodeToString(k))
 		keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
 	}
 	resp := &InitResponse{
 		Keys:      keys,
 		KeysB64:   keysB64,
 		RootToken: result.RootToken,
 	}
 	if len(result.RecoveryShares) > 0 {
 		resp.RecoveryKeys = make([]string, 0, len(result.RecoveryShares))
 		resp.RecoveryKeysB64 = make([]string, 0, len(result.RecoveryShares))
 		for _, k := range result.RecoveryShares {
 			resp.RecoveryKeys = append(resp.RecoveryKeys, hex.EncodeToString(k))
 			resp.RecoveryKeysB64 = append(resp.RecoveryKeysB64, base64.StdEncoding.EncodeToString(k))
 		}
 	}
@@ -126,7 +132,9 @@ type InitRequest struct {
 type InitResponse struct {
 	Keys            []string `json:"keys"`
 	KeysB64         []string `json:"keys_base64"`
 	RecoveryKeys    []string `json:"recovery_keys,omitempty"`
 	RecoveryKeysB64 []string `json:"recovery_keys_base64,omitempty"`
 	RootToken       string   `json:"root_token"`
 }
--- a/http/sys_rekey.go
+++ b/http/sys_rekey.go
@@ -1,6 +1,7 @@
 package http
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -146,14 +147,21 @@ func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
 			return
 		}
-		// Decode the key, which is hex encoded
+		// Decode the key, which is base64 or hex encoded
 		min, max := core.BarrierKeyLength()
 		key, err := hex.DecodeString(req.Key)
 		// We check min and max here to ensure that a string that is base64
 		// encoded but also valid hex will not be valid and we instead base64
 		// decode it
 		if err != nil || len(key) < min || len(key) > max {
 			key, err = base64.StdEncoding.DecodeString(req.Key)
 			if err != nil {
 				respondError(
 					w, http.StatusBadRequest,
-				errors.New("'key' must be a valid hex-string"))
+					errors.New("'key' must be a valid hex or base64 string"))
 				return
 			}
 		}
 		// Use the key to make progress on rekey
 		result, err := core.RekeyUpdate(key, req.Nonce, recovery)
@@ -167,16 +175,18 @@ func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
 		if result != nil {
 			resp.Complete = true
 			resp.Nonce = req.Nonce
 			resp.Backup = result.Backup
 			resp.PGPFingerprints = result.PGPFingerprints
 			// Encode the keys
 			keys := make([]string, 0, len(result.SecretShares))
 			keysB64 := make([]string, 0, len(result.SecretShares))
 			for _, k := range result.SecretShares {
 				keys = append(keys, hex.EncodeToString(k))
 				keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
 			}
 			resp.Keys = keys
-
+			resp.KeysB64 = keysB64
 			resp.Backup = result.Backup
 			resp.PGPFingerprints = result.PGPFingerprints
 		}
 		respondOk(w, resp)
 	})
@@ -210,6 +220,7 @@ type RekeyUpdateResponse struct {
 	Nonce           string   `json:"nonce"`
 	Complete        bool     `json:"complete"`
 	Keys            []string `json:"keys"`
 	KeysB64         []string `json:"keys_base64"`
 	PGPFingerprints []string `json:"pgp_fingerprints"`
 	Backup          bool     `json:"backup"`
 }
--- a/http/sys_rekey_test.go
+++ b/http/sys_rekey_test.go
@@ -180,8 +180,13 @@ func TestSysRekey_Update(t *testing.T) {
 	if len(keys) != 5 {
 		t.Fatalf("bad: %#v", keys)
 	}
 	keysB64 := actual["keys_base64"].([]interface{})
 	if len(keysB64) != 5 {
 		t.Fatalf("bad: %#v", keysB64)
 	}
 	delete(actual, "keys")
 	delete(actual, "keys_base64")
 	if !reflect.DeepEqual(actual, expected) {
 		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
 	}
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -1,6 +1,7 @@
 package http
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -97,14 +98,21 @@ func handleSysUnseal(core *vault.Core) http.Handler {
 			}
 			core.ResetUnsealProcess()
 		} else {
-			// Decode the key, which is hex encoded
+			// Decode the key, which is base64 or hex encoded
 			min, max := core.BarrierKeyLength()
 			key, err := hex.DecodeString(req.Key)
 			// We check min and max here to ensure that a string that is base64
 			// encoded but also valid hex will not be valid and we instead base64
 			// decode it
 			if err != nil || len(key) < min || len(key) > max {
 				key, err = base64.StdEncoding.DecodeString(req.Key)
 				if err != nil {
 					respondError(
 						w, http.StatusBadRequest,
-					errors.New("'key' must be a valid hex-string"))
+						errors.New("'key' must be a valid hex or base64 string"))
 					return
 				}
 			}
 			// Attempt the unseal
 			if _, err := core.Unseal(key); err != nil {
--- a/vault/core.go
+++ b/vault/core.go
@@ -1490,3 +1490,9 @@ func (c *Core) SealAccess() *SealAccess {
 func (c *Core) Logger() *log.Logger {
 	return c.logger
 }
 func (c *Core) BarrierKeyLength() (min, max int) {
 	min, max = c.barrier.KeyLength()
 	max += shamir.ShareOverhead
 	return
 }
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1,6 +1,8 @@
 package vault
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"strings"
 	"sync"
@@ -607,11 +609,28 @@ func (b *SystemBackend) handleRekeyRetrieve(
 		return logical.ErrorResponse("no backed-up keys found"), nil
 	}
 	keysB64 := map[string][]string{}
 	for k, v := range backup.Keys {
 		for _, j := range v {
 			currB64Keys := keysB64[k]
 			if currB64Keys == nil {
 				currB64Keys = []string{}
 			}
 			key, err := hex.DecodeString(j)
 			if err != nil {
 				return nil, fmt.Errorf("error decoding hex-encoded backup key: %v", err)
 			}
 			currB64Keys = append(currB64Keys, base64.StdEncoding.EncodeToString(key))
 			keysB64[k] = currB64Keys
 		}
 	}
 	// Format the status
 	resp := &logical.Response{
 		Data: map[string]interface{}{
 			"nonce":       backup.Nonce,
 			"keys":        backup.Keys,
 			"keys_base64": keysB64,
 		},
 	}