mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-09-21 05:24:43 -04:00
Generate random salt for key derivation on init (#309)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße
GitHub
parent
e0ce2e8a51
commit
9a3bd38912
25 changed files with 342 additions and 317 deletions
|
|
@ -2,9 +2,9 @@ package main
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"time"
|
||||
|
|
@ -21,7 +21,8 @@ import (
|
|||
|
||||
func main() {
|
||||
port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on")
|
||||
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.MasterSecretFilename), "Path to the Constellation master secret")
|
||||
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
|
||||
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretSalt), "Path to the Constellation salt")
|
||||
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
|
||||
|
||||
flag.Parse()
|
||||
|
|
@ -30,15 +31,28 @@ func main() {
|
|||
log.With(zap.String("version", constants.VersionInfo)).
|
||||
Infof("Constellation Key Management Service")
|
||||
|
||||
// set up Key Management Service
|
||||
masterKey, err := readMainSecret(*masterSecretPath)
|
||||
// read master secret and salt
|
||||
file := file.NewHandler(afero.NewOsFs())
|
||||
masterKey, err := file.Read(*masterSecretPath)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to read master secret")
|
||||
}
|
||||
if len(masterKey) < crypto.MasterSecretLengthMin {
|
||||
log.With(zap.Error(errors.New("invalid key length"))).Fatalf("Provided master secret is smaller than the required minimum of %d bytes", crypto.MasterSecretLengthMin)
|
||||
}
|
||||
salt, err := file.Read(*saltPath)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to read salt")
|
||||
}
|
||||
if len(salt) < crypto.RNGLengthDefault {
|
||||
log.With(zap.Error(errors.New("invalid salt length"))).Fatalf("Expected salt to be %d bytes, but got %d", crypto.RNGLengthDefault, len(salt))
|
||||
}
|
||||
keyURI := setup.ClusterKMSURI + "?salt=" + base64.URLEncoding.EncodeToString(salt)
|
||||
|
||||
// set up Key Management Service
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
|
||||
defer cancel()
|
||||
conKMS, err := setup.SetUpKMS(ctx, setup.NoStoreURI, setup.ClusterKMSURI)
|
||||
conKMS, err := setup.SetUpKMS(ctx, setup.NoStoreURI, keyURI)
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to setup KMS")
|
||||
}
|
||||
|
|
@ -50,22 +64,3 @@ func main() {
|
|||
log.With(zap.Error(err)).Fatalf("Failed to run KMS server")
|
||||
}
|
||||
}
|
||||
|
||||
// readMainSecret reads the base64 encoded main secret file from specified path and returns the secret as bytes.
|
||||
func readMainSecret(fileName string) ([]byte, error) {
|
||||
if fileName == "" {
|
||||
return nil, errors.New("no filename to master secret provided")
|
||||
}
|
||||
|
||||
fileHandler := file.NewHandler(afero.NewOsFs())
|
||||
|
||||
secretBytes, err := fileHandler.Read(fileName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(secretBytes) < crypto.MasterSecretLengthMin {
|
||||
return nil, fmt.Errorf("provided master secret is smaller than the required minimum of %d bytes", crypto.MasterSecretLengthMin)
|
||||
}
|
||||
|
||||
return secretBytes, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,6 +10,12 @@ import (
|
|||
// ClusterKMS implements the kms.CloudKMS interface for in cluster key management.
|
||||
type ClusterKMS struct {
|
||||
masterKey []byte
|
||||
salt []byte
|
||||
}
|
||||
|
||||
// New creates a new ClusterKMS.
|
||||
func New(salt []byte) *ClusterKMS {
|
||||
return &ClusterKMS{salt: salt}
|
||||
}
|
||||
|
||||
// CreateKEK sets the ClusterKMS masterKey.
|
||||
|
|
@ -23,6 +29,5 @@ func (c *ClusterKMS) GetDEK(ctx context.Context, kekID string, dekID string, dek
|
|||
if len(c.masterKey) == 0 {
|
||||
return nil, errors.New("master key not set for Constellation KMS")
|
||||
}
|
||||
// TODO: Choose a way to salt key derivation
|
||||
return crypto.DeriveKey(c.masterKey, []byte("Constellation"), []byte(dekID), uint(dekSize))
|
||||
return crypto.DeriveKey(c.masterKey, c.salt, []byte(dekID), uint(dekSize))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package setup
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net/url"
|
||||
"strconv"
|
||||
|
|
@ -123,7 +124,11 @@ func getKMS(ctx context.Context, kmsURI string, store kms.Storage) (kms.CloudKMS
|
|||
return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl))
|
||||
|
||||
case "cluster-kms":
|
||||
return &cluster.ClusterKMS{}, nil
|
||||
salt, err := getClusterKMSConfig(uri)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return cluster.New(salt), nil
|
||||
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown KMS type: %s", uri.Host)
|
||||
|
|
@ -186,6 +191,14 @@ func getGCPStorageConfig(uri *url.URL) (string, string, error) {
|
|||
return r[0], r[1], err
|
||||
}
|
||||
|
||||
func getClusterKMSConfig(uri *url.URL) ([]byte, error) {
|
||||
r, err := getConfig(uri.Query(), []string{"salt"})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return base64.URLEncoding.DecodeString(r[0])
|
||||
}
|
||||
|
||||
// getConfig parses url query values, returning a map of the requested values.
|
||||
// Returns an error if a key has no value.
|
||||
// This function MUST always return a slice of the same length as len(keys).
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package setup
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net/url"
|
||||
"testing"
|
||||
|
|
@ -73,7 +74,7 @@ func TestGetKMS(t *testing.T) {
|
|||
wantErr bool
|
||||
}{
|
||||
"cluster kms": {
|
||||
uri: ClusterKMSURI,
|
||||
uri: fmt.Sprintf("%s?salt=%s", ClusterKMSURI, base64.URLEncoding.EncodeToString([]byte("salt"))),
|
||||
wantErr: false,
|
||||
},
|
||||
"aws kms": {
|
||||
|
|
@ -124,11 +125,11 @@ func TestGetKMS(t *testing.T) {
|
|||
func TestSetUpKMS(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
kms, err := SetUpKMS(context.TODO(), "storage://unknown", "kms://unknown")
|
||||
kms, err := SetUpKMS(context.Background(), "storage://unknown", "kms://unknown")
|
||||
assert.Error(err)
|
||||
assert.Nil(kms)
|
||||
|
||||
kms, err = SetUpKMS(context.Background(), "storage://no-store", "kms://cluster-kms")
|
||||
kms, err = SetUpKMS(context.Background(), "storage://no-store", "kms://cluster-kms?salt="+base64.URLEncoding.EncodeToString([]byte("salt")))
|
||||
assert.NoError(err)
|
||||
assert.NotNil(kms)
|
||||
}
|
||||
|
|
@ -186,6 +187,23 @@ func TestGetGCPKMSConfig(t *testing.T) {
|
|||
assert.Error(err)
|
||||
}
|
||||
|
||||
func TestGetClusterKMSConfig(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
require := require.New(t)
|
||||
|
||||
expectedSalt := []byte{
|
||||
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
|
||||
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
|
||||
}
|
||||
|
||||
uri, err := url.Parse(ClusterKMSURI + "?salt=" + base64.URLEncoding.EncodeToString(expectedSalt))
|
||||
require.NoError(err)
|
||||
|
||||
salt, err := getClusterKMSConfig(uri)
|
||||
assert.NoError(err)
|
||||
assert.Equal(expectedSalt, salt)
|
||||
}
|
||||
|
||||
func TestGetConfig(t *testing.T) {
|
||||
const testURI = "test://config?name=test-name&data=test-data&value=test-value"
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue