upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-04-23 15:18:41 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Improve transit import command error handling (#22755)

Browse source 
- Doubtful this will ever happen in real life
 - We would nil panic if the public_key field was not present in the
   wrapping key response
 - Also trap a casting error if the public key was not an RSA public key
This commit is contained in:
Steven Clark 2023-09-05 10:04:37 -04:00 committed by GitHub
parent de043d6736
commit a7c2b15f4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
command/transit_import_key.go
View file

@ -134,7 +134,7 @@ func ImportKey(c *BaseCommand, operation string, pathFunc ImportKeyFunc, flags *
}
// Fetch the wrapping key
c.UI.Output("Retrieving wrapping key.")
wrappingKey, err := fetchWrappingKey(c, client, path)
wrappingKey, err := fetchWrappingKey(client, path)
if err != nil {
c.UI.Error(fmt.Sprintf("failed to fetch wrapping key: %v", err))
return 3
@ -154,7 +154,7 @@ func ImportKey(c *BaseCommand, operation string, pathFunc ImportKeyFunc, flags *
wrappedAESKey, err := rsa.EncryptOAEP(
sha256.New(),
rand.Reader,
wrappingKey.(*rsa.PublicKey),
wrappingKey,
ephemeralAESKey,
[]byte{},
)
@ -190,7 +190,7 @@ func ImportKey(c *BaseCommand, operation string, pathFunc ImportKeyFunc, flags *
}
}
func fetchWrappingKey(c *BaseCommand, client *api.Client, path string) (any, error) {
func fetchWrappingKey(client *api.Client, path string) (*rsa.PublicKey, error) {
resp, err := client.Logical().Read(path + "/wrapping_key")
if err != nil {
return nil, fmt.Errorf("error fetching wrapping key: %w", err)
@ -200,12 +200,19 @@ func fetchWrappingKey(c *BaseCommand, client *api.Client, path string) (any, err
}
key, ok := resp.Data["public_key"]
if !ok {
c.UI.Error("could not find wrapping key")
return nil, fmt.Errorf("missing public_key field in response")
}
keyBlock, _ := pem.Decode([]byte(key.(string)))
if keyBlock == nil {
return nil, fmt.Errorf("failed to decode PEM information from public_key response field")
}
parsedKey, err := x509.ParsePKIXPublicKey(keyBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("error parsing wrapping key: %w", err)
}
return parsedKey, nil
rsaKey, ok := parsedKey.(*rsa.PublicKey)
if !ok {
return nil, fmt.Errorf("returned value was not an RSA public key but a %T", rsaKey)
}
return rsaKey, nil
}