v1.14.6/builtin/logical/transit/path_byok.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package transit

 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"

 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/keysutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )

 func (b *backend) pathBYOKExportKeys() *framework.Path {
 	return &framework.Path{
 		Pattern: "byok-export/" + framework.GenericNameRegex("destination") + "/" + framework.GenericNameRegex("source") + framework.OptionalParamRegex("version"),

 		DisplayAttrs: &framework.DisplayAttributes{
 			OperationPrefix: operationPrefixTransit,
 			OperationVerb:   "byok",
 			OperationSuffix: "key|key-version",
 		},

 		Fields: map[string]*framework.FieldSchema{
 			"destination": {
 				Type:        framework.TypeString,
 				Description: "Destination key to export to; usually the public wrapping key of another Transit instance.",
 			},
 			"source": {
 				Type:        framework.TypeString,
 				Description: "Source key to export; could be any present key within Transit.",
 			},
 			"version": {
 				Type:        framework.TypeString,
 				Description: "Optional version of the key to export, else all key versions are exported.",
 			},
 			"hash": {
 				Type:        framework.TypeString,
 				Description: "Hash function to use for inner OAEP encryption. Defaults to SHA256.",
 				Default:     "SHA256",
 			},
 		},

 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation: b.pathPolicyBYOKExportRead,
 		},

 		HelpSynopsis:    pathBYOKExportHelpSyn,
 		HelpDescription: pathBYOKExportHelpDesc,
 	}
 }

 func (b *backend) pathPolicyBYOKExportRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	dst := d.Get("destination").(string)
 	src := d.Get("source").(string)
 	version := d.Get("version").(string)
 	hash := d.Get("hash").(string)

 	dstP, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
 		Storage: req.Storage,
 		Name:    dst,
 	}, b.GetRandomReader())
 	if err != nil {
 		return nil, err
 	}
 	if dstP == nil {
 		return nil, fmt.Errorf("no such destination key to export to")
 	}
 	if !b.System().CachingDisabled() {
 		dstP.Lock(false)
 	}
 	defer dstP.Unlock()

 	srcP, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
 		Storage: req.Storage,
 		Name:    src,
 	}, b.GetRandomReader())
 	if err != nil {
 		return nil, err
 	}
 	if srcP == nil {
 		return nil, fmt.Errorf("no such source key for export")
 	}
 	if !b.System().CachingDisabled() {
 		srcP.Lock(false)
 	}
 	defer srcP.Unlock()

 	if !srcP.Exportable {
 		return logical.ErrorResponse("key is not exportable"), nil
 	}

 	retKeys := map[string]string{}
 	switch version {
 	case "":
 		for k, v := range srcP.Keys {
 			exportKey, err := getBYOKExportKey(dstP, srcP, &v, hash)
 			if err != nil {
 				return nil, err
 			}
 			retKeys[k] = exportKey
 		}

 	default:
 		var versionValue int
 		if version == "latest" {
 			versionValue = srcP.LatestVersion
 		} else {
 			version = strings.TrimPrefix(version, "v")
 			versionValue, err = strconv.Atoi(version)
 			if err != nil {
 				return logical.ErrorResponse("invalid key version"), logical.ErrInvalidRequest
 			}
 		}

 		if versionValue < srcP.MinDecryptionVersion {
 			return logical.ErrorResponse("version for export is below minimum decryption version"), logical.ErrInvalidRequest
 		}
 		key, ok := srcP.Keys[strconv.Itoa(versionValue)]
 		if !ok {
 			return logical.ErrorResponse("version does not exist or cannot be found"), logical.ErrInvalidRequest
 		}

 		exportKey, err := getBYOKExportKey(dstP, srcP, &key, hash)
 		if err != nil {
 			return nil, err
 		}

 		retKeys[strconv.Itoa(versionValue)] = exportKey
 	}

 	resp := &logical.Response{
 		Data: map[string]interface{}{
 			"name": srcP.Name,
 			"type": srcP.Type.String(),
 			"keys": retKeys,
 		},
 	}

 	return resp, nil
 }

 func getBYOKExportKey(dstP *keysutil.Policy, srcP *keysutil.Policy, key *keysutil.KeyEntry, hash string) (string, error) {
 	if dstP == nil || srcP == nil {
 		return "", errors.New("nil policy provided")
 	}

 	var targetKey interface{}
 	switch srcP.Type {
 	case keysutil.KeyType_AES128_GCM96, keysutil.KeyType_AES256_GCM96, keysutil.KeyType_ChaCha20_Poly1305, keysutil.KeyType_HMAC:
 		targetKey = key.Key
 	case keysutil.KeyType_RSA2048, keysutil.KeyType_RSA3072, keysutil.KeyType_RSA4096:
 		targetKey = key.RSAKey
 	case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ECDSA_P384, keysutil.KeyType_ECDSA_P521:
 		var curve elliptic.Curve
 		switch srcP.Type {
 		case keysutil.KeyType_ECDSA_P384:
 			curve = elliptic.P384()
 		case keysutil.KeyType_ECDSA_P521:
 			curve = elliptic.P521()
 		default:
 			curve = elliptic.P256()
 		}
 		pubKey := ecdsa.PublicKey{
 			Curve: curve,
 			X:     key.EC_X,
 			Y:     key.EC_Y,
 		}
 		targetKey = &ecdsa.PrivateKey{
 			PublicKey: pubKey,
 			D:         key.EC_D,
 		}
 	case keysutil.KeyType_ED25519:
 		targetKey = ed25519.PrivateKey(key.Key)
 	default:
 		return "", fmt.Errorf("unable to export to unknown key type: %v", srcP.Type)
 	}

 	hasher, err := parseHashFn(hash)
 	if err != nil {
 		return "", err
 	}

 	return dstP.WrapKey(0, targetKey, srcP.Type, hasher)
 }

 const pathBYOKExportHelpSyn = `Securely export named encryption or signing key`

 const pathBYOKExportHelpDesc = `
 This path is used to export the named keys that are configured as
 exportable.

 Unlike the regular /export/:name[/:version] paths, this path uses
 the same encryption specification /import, allowing secure migration
 of keys between clusters to enable workloads to communicate between
 them.

 Presently this only works for RSA destination keys.
 `
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package transit

	import (
	"context"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"errors"
	"fmt"
	"strconv"
	"strings"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/keysutil"
	"github.com/hashicorp/vault/sdk/logical"
	)

	func (b backend) pathBYOKExportKeys() framework.Path {
	return &framework.Path{
	Pattern: "byok-export/" + framework.GenericNameRegex("destination") + "/" + framework.GenericNameRegex("source") + framework.OptionalParamRegex("version"),

	DisplayAttrs: &framework.DisplayAttributes{
	OperationPrefix: operationPrefixTransit,
	OperationVerb: "byok",
	OperationSuffix: "key\|key-version",
	},

	Fields: map[string]*framework.FieldSchema{
	"destination": {
	Type: framework.TypeString,
	Description: "Destination key to export to; usually the public wrapping key of another Transit instance.",
	},
	"source": {
	Type: framework.TypeString,
	Description: "Source key to export; could be any present key within Transit.",
	},
	"version": {
	Type: framework.TypeString,
	Description: "Optional version of the key to export, else all key versions are exported.",
	},
	"hash": {
	Type: framework.TypeString,
	Description: "Hash function to use for inner OAEP encryption. Defaults to SHA256.",
	Default: "SHA256",
	},
	},

	Callbacks: map[logical.Operation]framework.OperationFunc{
	logical.ReadOperation: b.pathPolicyBYOKExportRead,
	},

	HelpSynopsis: pathBYOKExportHelpSyn,
	HelpDescription: pathBYOKExportHelpDesc,
	}
	}

	func (b backend) pathPolicyBYOKExportRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {
	dst := d.Get("destination").(string)
	src := d.Get("source").(string)
	version := d.Get("version").(string)
	hash := d.Get("hash").(string)

	dstP, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
	Storage: req.Storage,
	Name: dst,
	}, b.GetRandomReader())
	if err != nil {
	return nil, err
	}
	if dstP == nil {
	return nil, fmt.Errorf("no such destination key to export to")
	}
	if !b.System().CachingDisabled() {
	dstP.Lock(false)
	}
	defer dstP.Unlock()

	srcP, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
	Storage: req.Storage,
	Name: src,
	}, b.GetRandomReader())
	if err != nil {
	return nil, err
	}
	if srcP == nil {
	return nil, fmt.Errorf("no such source key for export")
	}
	if !b.System().CachingDisabled() {
	srcP.Lock(false)
	}
	defer srcP.Unlock()

	if !srcP.Exportable {
	return logical.ErrorResponse("key is not exportable"), nil
	}

	retKeys := map[string]string{}
	switch version {
	case "":
	for k, v := range srcP.Keys {
	exportKey, err := getBYOKExportKey(dstP, srcP, &v, hash)
	if err != nil {
	return nil, err
	}
	retKeys[k] = exportKey
	}

	default:
	var versionValue int
	if version == "latest" {
	versionValue = srcP.LatestVersion
	} else {
	version = strings.TrimPrefix(version, "v")
	versionValue, err = strconv.Atoi(version)
	if err != nil {
	return logical.ErrorResponse("invalid key version"), logical.ErrInvalidRequest
	}
	}

	if versionValue < srcP.MinDecryptionVersion {
	return logical.ErrorResponse("version for export is below minimum decryption version"), logical.ErrInvalidRequest
	}
	key, ok := srcP.Keys[strconv.Itoa(versionValue)]
	if !ok {
	return logical.ErrorResponse("version does not exist or cannot be found"), logical.ErrInvalidRequest
	}

	exportKey, err := getBYOKExportKey(dstP, srcP, &key, hash)
	if err != nil {
	return nil, err
	}

	retKeys[strconv.Itoa(versionValue)] = exportKey
	}

	resp := &logical.Response{
	Data: map[string]interface{}{
	"name": srcP.Name,
	"type": srcP.Type.String(),
	"keys": retKeys,
	},
	}

	return resp, nil
	}

	func getBYOKExportKey(dstP keysutil.Policy, srcP keysutil.Policy, key *keysutil.KeyEntry, hash string) (string, error) {
	if dstP == nil \|\| srcP == nil {
	return "", errors.New("nil policy provided")
	}

	var targetKey interface{}
	switch srcP.Type {
	case keysutil.KeyType_AES128_GCM96, keysutil.KeyType_AES256_GCM96, keysutil.KeyType_ChaCha20_Poly1305, keysutil.KeyType_HMAC:
	targetKey = key.Key
	case keysutil.KeyType_RSA2048, keysutil.KeyType_RSA3072, keysutil.KeyType_RSA4096:
	targetKey = key.RSAKey
	case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ECDSA_P384, keysutil.KeyType_ECDSA_P521:
	var curve elliptic.Curve
	switch srcP.Type {
	case keysutil.KeyType_ECDSA_P384:
	curve = elliptic.P384()
	case keysutil.KeyType_ECDSA_P521:
	curve = elliptic.P521()
	default:
	curve = elliptic.P256()
	}
	pubKey := ecdsa.PublicKey{
	Curve: curve,
	X: key.EC_X,
	Y: key.EC_Y,
	}
	targetKey = &ecdsa.PrivateKey{
	PublicKey: pubKey,
	D: key.EC_D,
	}
	case keysutil.KeyType_ED25519:
	targetKey = ed25519.PrivateKey(key.Key)
	default:
	return "", fmt.Errorf("unable to export to unknown key type: %v", srcP.Type)
	}

	hasher, err := parseHashFn(hash)
	if err != nil {
	return "", err
	}

	return dstP.WrapKey(0, targetKey, srcP.Type, hasher)
	}

	const pathBYOKExportHelpSyn = `Securely export named encryption or signing key`

	const pathBYOKExportHelpDesc = `
	This path is used to export the named keys that are configured as
	exportable.

	Unlike the regular /export/:name[/:version] paths, this path uses
	the same encryption specification /import, allowing secure migration
	of keys between clusters to enable workloads to communicate between
	them.

	Presently this only works for RSA destination keys.
	`