From: Kiran Kamineni Date: Fri, 9 Mar 2018 19:03:36 +0000 (-0800) Subject: Adding PGP key creation capability for vault init X-Git-Tag: 2.0.0-ONAP~60 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=6915d039b71df5aafd2746f933bffbd824343382;hp=0b3385c4fc8e728a2bff17ef7682c6e75918c2f2;p=aaf%2Fsms.git Adding PGP key creation capability for vault init Adding a couple of functions to support PGP key generation and using said keys to initialise vault. Issue-ID: AAF-165 Change-Id: Ic65f8157f125005d544bbf8dede184bd282a5357 Signed-off-by: Kiran Kamineni --- diff --git a/sms-service/src/sms/auth/auth.go b/sms-service/src/sms/auth/auth.go index 8186738..341f377 100644 --- a/sms-service/src/sms/auth/auth.go +++ b/sms-service/src/sms/auth/auth.go @@ -17,9 +17,14 @@ package auth import ( + "bytes" "crypto/tls" "crypto/x509" + "encoding/base64" + "golang.org/x/crypto/openpgp" "io/ioutil" + + smslogger "sms/log" ) var tlsConfig *tls.Config @@ -47,3 +52,44 @@ func GetTLSConfig(caCertFile string) (*tls.Config, error) { } return tlsConfig, nil } + +// GeneratePGPKeyPair produces a PGP key pair and returns +// two things: +// A base64 encoded form of the public part of the entity +// A base64 encoded form of the private key +func GeneratePGPKeyPair() (string, string, error) { + var entity *openpgp.Entity + entity, err := openpgp.NewEntity("aaf.sms.init", "PGP Key for unsealing", "", nil) + if err != nil { + smslogger.WriteError(err.Error()) + return "", "", err + } + + // Sign the identity in the entity + for _, id := range entity.Identities { + err = id.SelfSignature.SignUserId(id.UserId.Id, entity.PrimaryKey, entity.PrivateKey, nil) + if err != nil { + smslogger.WriteError(err.Error()) + return "", "", err + } + } + + // Sign the subkey in the entity + for _, subkey := range entity.Subkeys { + err := subkey.Sig.SignKey(subkey.PublicKey, entity.PrivateKey, nil) + if err != nil { + smslogger.WriteError(err.Error()) + return "", "", err + } + } + + buffer := new(bytes.Buffer) + entity.Serialize(buffer) + pbkey := base64.StdEncoding.EncodeToString(buffer.Bytes()) + + buffer.Reset() + entity.SerializePrivate(buffer, nil) + prkey := base64.StdEncoding.EncodeToString(buffer.Bytes()) + + return pbkey, prkey, nil +} diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go index a4ebaaa..ac5cc67 100644 --- a/sms-service/src/sms/backend/vault.go +++ b/sms-service/src/sms/backend/vault.go @@ -19,6 +19,7 @@ package backend import ( uuid "github.com/hashicorp/go-uuid" vaultapi "github.com/hashicorp/vault/api" + smsauth "sms/auth" smslogger "sms/log" "errors" @@ -41,6 +42,10 @@ type Vault struct { vaultMount string vaultTempTokenTTL time.Time vaultToken string + unsealShards []string + rootToken string + pgpPub string + pgpPr string } // Init will initialize the vault connection @@ -349,3 +354,36 @@ func (v *Vault) checkToken() error { v.vaultClient.SetToken(tok) return nil } + +// vaultInit() is used to initialize the vault in cases where it is not +// initialized. This happens once during intial bring up. +func (v *Vault) initializeVault() error { + initReq := &vaultapi.InitRequest{ + SecretShares: 5, + SecretThreshold: 3, + } + + pbkey, prkey, err := smsauth.GeneratePGPKeyPair() + if err != nil { + smslogger.WriteError("Error Generating PGP Keys. Vault Init will not use encryption!") + } else { + initReq.PGPKeys = []string{pbkey, pbkey, pbkey, pbkey, pbkey} + initReq.RootTokenPGPKey = pbkey + v.pgpPub = pbkey + v.pgpPr = prkey + } + + resp, err := v.vaultClient.Sys().Init(initReq) + if err != nil { + smslogger.WriteError(err.Error()) + return errors.New("FATAL: Unable to initialize Vault") + } + + if resp != nil { + v.unsealShards = resp.KeysB64 + v.rootToken = resp.RootToken + return nil + } + + return errors.New("FATAL: Init response was empty") +}