Check for full set of keys before using delegation.

cryptor/cryptor.go

@@ -322,19 +322,25 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 			return nil, nil, err
 		}
 
-		tmpKeyValue := mwKey.Key
-
+		// loop through users to see if they are all delegated
+		fullMatch = true
 		for _, mwName := range mwKey.Name {
-			pubEncrypted := encrypted.KeySetRSA[mwName]
-			// if this is null, it's an AES encrypted key
-			if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
+			if valid := cache.Valid(mwName, user, encrypted.Labels); !valid {
+				fullMatch = false
 				break
 			}
 			nameSet[mwName] = true
 		}
-		if keyFound == nil {
-			fullMatch = true
-			// concatenate all the decrypted bytes
+
+		// if the keys are delegated, decrypt the mwKey with them
+		if fullMatch == true {
+			tmpKeyValue := mwKey.Key
+			for _, mwName := range mwKey.Name {
+				pubEncrypted := encrypted.KeySetRSA[mwName]
+				if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
+					break
+				}
+			}
 			unwrappedKey = tmpKeyValue
 			break
 		}

keycache/keycache.go

@@ -86,6 +86,20 @@ func (cache *Cache) setUser(in ActiveUser, name string) {
 	cache.UserKeys[name] = in
 }
 
+// Valid returns true if matching active user is present.
+func (cache *Cache) Valid(name, user string, labels []string) (present bool) {
+	key, present := cache.UserKeys[name]
+	if present {
+		if key.Usage.matches(user, labels) {
+			return true
+		} else {
+			present = false
+		}
+	}
+
+	return
+}
+
 // matchUser returns the matching active user if present
 // and a boolean to indicate its presence.
 func (cache *Cache) matchUser(name, user string, labels []string) (out ActiveUser, present bool) {