scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
daf72aa42790144c3a0ca9c17bb19b1c5bce66c6
vault/builtin/logical/transit/path_backup_test.go
Alexander Scheel daf72aa427 Fix transit import/export of hmac-only keys (#20864) 
* Fix export of HMAC typed keys

When initially implemented, exporting HMAC keys resulted in returning
the unused, internal HMACKey value rather than the main Key value that
is used for HMAC operations.

This is a breaking change.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Consistently handle HMAC keys in keysutil

When generating HMAC-typed keys, set HMACKey = Key consistently, to
allow users of HMAC-typed keys to use them backwards compatibly.

Notably, this could discard the (unused) HMACKey field set today.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test proving export of HMAC keys work

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-31 18:04:08 +00:00

259 lines
7.7 KiB
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package transit
import (
"context"
"testing"
"github.com/hashicorp/vault/sdk/logical"
)
func TestTransit_BackupRestore(t *testing.T) {
// Test encryption/decryption after a restore for supported keys
testBackupRestore(t, "aes128-gcm96", "encrypt-decrypt")
testBackupRestore(t, "aes256-gcm96", "encrypt-decrypt")
testBackupRestore(t, "chacha20-poly1305", "encrypt-decrypt")
testBackupRestore(t, "rsa-2048", "encrypt-decrypt")
testBackupRestore(t, "rsa-3072", "encrypt-decrypt")
testBackupRestore(t, "rsa-4096", "encrypt-decrypt")
// Test signing/verification after a restore for supported keys
testBackupRestore(t, "ecdsa-p256", "sign-verify")
testBackupRestore(t, "ecdsa-p384", "sign-verify")
testBackupRestore(t, "ecdsa-p521", "sign-verify")
testBackupRestore(t, "ed25519", "sign-verify")
testBackupRestore(t, "rsa-2048", "sign-verify")
testBackupRestore(t, "rsa-3072", "sign-verify")
testBackupRestore(t, "rsa-4096", "sign-verify")
// Test HMAC/verification after a restore for all key types
testBackupRestore(t, "aes128-gcm96", "hmac-verify")
testBackupRestore(t, "aes256-gcm96", "hmac-verify")
testBackupRestore(t, "chacha20-poly1305", "hmac-verify")
testBackupRestore(t, "ecdsa-p256", "hmac-verify")
testBackupRestore(t, "ecdsa-p384", "hmac-verify")
testBackupRestore(t, "ecdsa-p521", "hmac-verify")
testBackupRestore(t, "ed25519", "hmac-verify")
testBackupRestore(t, "rsa-2048", "hmac-verify")
testBackupRestore(t, "rsa-3072", "hmac-verify")
testBackupRestore(t, "rsa-4096", "hmac-verify")
testBackupRestore(t, "hmac", "hmac-verify")
}
func testBackupRestore(t *testing.T, keyType, feature string) {
var resp *logical.Response
var err error
b, s := createBackendWithStorage(t)
// Create a key
keyReq := &logical.Request{
Path: "keys/test",
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"type": keyType,
"exportable": true,
},
}
if keyType == "hmac" {
keyReq.Data["key_size"] = 32
}
resp, err = b.HandleRequest(context.Background(), keyReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
// Configure the key to allow its deletion
configReq := &logical.Request{
Path: "keys/test/config",
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"deletion_allowed": true,
"allow_plaintext_backup": true,
},
}
resp, err = b.HandleRequest(context.Background(), configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
// Take a backup of the key
backupReq := &logical.Request{
Path: "backup/test",
Operation: logical.ReadOperation,
Storage: s,
}
resp, err = b.HandleRequest(context.Background(), backupReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
backup := resp.Data["backup"]
// Try to restore the key without deleting it. Expect error due to
// conflicting key names.
restoreReq := &logical.Request{
Path: "restore",
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"backup": backup,
},
}
resp, err = b.HandleRequest(context.Background(), restoreReq)
if resp != nil && resp.IsError() {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
if err == nil {
t.Fatalf("expected an error")
}
plaintextB64 := "dGhlIHF1aWNrIGJyb3duIGZveA==" // "the quick brown fox"
// Perform encryption, signing or hmac-ing based on the set 'feature'
var encryptReq, signReq, hmacReq *logical.Request
var ciphertext, signature, hmac string
switch feature {
case "encrypt-decrypt":
encryptReq = &logical.Request{
Path: "encrypt/test",
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"plaintext": plaintextB64,
},
}
resp, err = b.HandleRequest(context.Background(), encryptReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
ciphertext = resp.Data["ciphertext"].(string)
case "sign-verify":
signReq = &logical.Request{
Path: "sign/test",
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"input": plaintextB64,
},
}
resp, err = b.HandleRequest(context.Background(), signReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
signature = resp.Data["signature"].(string)
case "hmac-verify":
hmacReq = &logical.Request{
Path: "hmac/test",
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"input": plaintextB64,
},
}
resp, err = b.HandleRequest(context.Background(), hmacReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
hmac = resp.Data["hmac"].(string)
}
// Delete the key
keyReq.Operation = logical.DeleteOperation
resp, err = b.HandleRequest(context.Background(), keyReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
// Restore the key from the backup
resp, err = b.HandleRequest(context.Background(), restoreReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
// validationFunc verifies the ciphertext, signature or hmac based on the
// set 'feature'
validationFunc := func(keyName string) {
var decryptReq *logical.Request
var verifyReq *logical.Request
switch feature {
case "encrypt-decrypt":
decryptReq = &logical.Request{
Path: "decrypt/" + keyName,
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"ciphertext": ciphertext,
},
}
resp, err = b.HandleRequest(context.Background(), decryptReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
if resp.Data["plaintext"].(string) != plaintextB64 {
t.Fatalf("bad: plaintext; expected: %q, actual: %q", plaintextB64, resp.Data["plaintext"].(string))
}
case "sign-verify":
verifyReq = &logical.Request{
Path: "verify/" + keyName,
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"signature": signature,
"input": plaintextB64,
},
}
resp, err = b.HandleRequest(context.Background(), verifyReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
if resp.Data["valid"].(bool) != true {
t.Fatalf("bad: signature verification failed for key type %q", keyType)
}
case "hmac-verify":
verifyReq = &logical.Request{
Path: "verify/" + keyName,
Operation: logical.UpdateOperation,
Storage: s,
Data: map[string]interface{}{
"hmac": hmac,
"input": plaintextB64,
},
}
resp, err = b.HandleRequest(context.Background(), verifyReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
if resp.Data["valid"].(bool) != true {
t.Fatalf("bad: HMAC verification failed for key type %q", keyType)
}
}
}
// Ensure that the restored key is functional
validationFunc("test")
// Delete the key again
resp, err = b.HandleRequest(context.Background(), keyReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
// Restore the key under a different name
restoreReq.Path = "restore/test1"
resp, err = b.HandleRequest(context.Background(), restoreReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v\nerr: %v", resp, err)
}
// Ensure that the restored key is functional
validationFunc("test1")
}
Reference in New Issue View Git Blame Copy Permalink