properly unlock policy when returning key setting errors (#2974)

Chris Hoffman 2017-07-05 11:47:15 -04:00 committed by GitHub
parent c6820655bc
commit c6f9dbdf46


@ -243,20 +243,24 @@ func (lm *LockManager) getPolicyCommon(req PolicyRequest, lockType bool) (*Polic
switch req.KeyType {
case KeyType_AES256_GCM96:
if req.Convergent && !req.Derived {
lm.UnlockPolicy(lock, lockType)
return nil, nil, false, fmt.Errorf("convergent encryption requires derivation to be enabled")
}
case KeyType_ECDSA_P256:
if req.Derived || req.Convergent {
return nil, nil, false, fmt.Errorf("key derivation and convergent encryption not supported for keys of type %v", KeyType_ECDSA_P256)
lm.UnlockPolicy(lock, lockType)
return nil, nil, false, fmt.Errorf("key derivation and convergent encryption not supported for keys of type %v", req.KeyType)
}
case KeyType_ED25519:
if req.Convergent {
return nil, nil, false, fmt.Errorf("convergent encryption not not supported for keys of type %v", KeyType_ED25519)
lm.UnlockPolicy(lock, lockType)
return nil, nil, false, fmt.Errorf("convergent encryption not not supported for keys of type %v", req.KeyType)
}
default:
lm.UnlockPolicy(lock, lockType)
return nil, nil, false, fmt.Errorf("unsupported key type %v", req.KeyType)
}
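Review bot: Each rejecting branch of this switch now carries its own `lm.UnlockPolicy(lock, lockType)` call, so the next key type or check added here can leak the policy lock again, which is the defect this commit fixes; recording the error in a local and releasing the lock at one point after the switch removes that failure mode. A lock left held on an error path would presumably block later requests for the same key, so a single release point is worth having on a path that a malformed request can reach. The ED25519 message also reads `not not supported` and should be `convergent encryption not supported for keys of type %v`. getPolicyCommon begins and continues outside the hunk, so confirm that `lock` is always held at this point before adopting the sketch below.

```go
var keyErr error
switch req.KeyType {
case KeyType_AES256_GCM96:
	if req.Convergent && !req.Derived {
		keyErr = fmt.Errorf("convergent encryption requires derivation to be enabled")
	}
case KeyType_ECDSA_P256:
	if req.Derived || req.Convergent {
		keyErr = fmt.Errorf("key derivation and convergent encryption not supported for keys of type %v", req.KeyType)
	}
case KeyType_ED25519:
	if req.Convergent {
		keyErr = fmt.Errorf("convergent encryption not supported for keys of type %v", req.KeyType)
	}
default:
	keyErr = fmt.Errorf("unsupported key type %v", req.KeyType)
}
if keyErr != nil {
	// Single release point for every rejected key setting.
	lm.UnlockPolicy(lock, lockType)
	return nil, nil, false, keyErr
}
```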