rekey: pgp keys input validation

2026-06-09 08:55:13 -04:00 · 2017-01-12 00:05:41 -05:00 · 2017-01-12 00:05:41 -05:00 · 3cd4cb1381
commit 3cd4cb1381
parent 089cb4f9c0
2 changed files with 21 additions and 0 deletions
--- a/http/sys_rekey.go
+++ b/http/sys_rekey.go
@ -113,6 +113,11 @@ func handleSysRekeyInitPut(core *vault.Core, recovery bool, w http.ResponseWrite
 		return
 	}

+	if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares-req.StoredShares {
+		respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
+		return
+	}
+
 	// Initialize the rekey
 	err := core.RekeyInit(&vault.SealConfig{
 		SecretShares:    req.SecretShares,
--- a/http/sys_rekey_test.go
+++ b/http/sys_rekey_test.go
@ -10,6 +10,22 @@ import (
 	"github.com/hashicorp/vault/vault"
 )

+// Test to check if the API errors out when wrong number of PGP keys are
+// supplied for rekey
+func TestSysRekeyInit_pgpKeysEntriesForRekey(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
+		"secret_shares":    5,
+		"secret_threshold": 3,
+		"pgp_keys":         []string{"pgpkey1"},
+	})
+	testResponseStatus(t, resp, 400)
+}
+
 func TestSysRekeyInit_Status(t *testing.T) {
 	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := TestServer(t, core)