From 244288a4d3e8a02c5e4f04ad9b37459ba9819b92 Mon Sep 17 00:00:00 2001
From: Nick Sullivan
Date: Tue, 19 May 2015 17:20:26 -0700
Subject: [PATCH] Check for full set of keys before using delegation.
---
 cryptor/cryptor.go | 22 ++++++++++++++--------
 keycache/keycache.go | 14 ++++++++++++++
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/cryptor/cryptor.go b/cryptor/cryptor.go
index 0d27cd5..c4c1daa 100644
--- a/cryptor/cryptor.go
+++ b/cryptor/cryptor.go
@@ -322,19 +322,25 @@ func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (u
 			return nil, nil, err
 		}
-		tmpKeyValue := mwKey.Key
-
+		// loop through users to see if they are all delegated
+		fullMatch = true
 		for _, mwName := range mwKey.Name {
-			pubEncrypted := encrypted.KeySetRSA[mwName]
-			// if this is null, it's an AES encrypted key
-			if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
+			if valid := cache.Valid(mwName, user, encrypted.Labels); !valid {
+				fullMatch = false
 				break
 			}
 			nameSet[mwName] = true
 		}
-		if keyFound == nil {
-			fullMatch = true
-			// concatenate all the decrypted bytes
+
+		// if the keys are delegated, decrypt the mwKey with them
+		if fullMatch == true {
+			tmpKeyValue := mwKey.Key
+			for _, mwName := range mwKey.Name {
+				pubEncrypted := encrypted.KeySetRSA[mwName]
+				if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
+					break
+				}
+			}
 			unwrappedKey = tmpKeyValue
 			break
 		}
diff --git a/keycache/keycache.go b/keycache/keycache.go
index 2d1886a..f262523 100644
--- a/keycache/keycache.go
+++ b/keycache/keycache.go
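Review bot: The `if keyFound == nil` guard that the removed lines placed before `unwrappedKey = tmpKeyValue` has no replacement in the new code, so when `cache.DecryptKey` fails part-way through the inner loop the partially unwrapped `tmpKeyValue` (or whatever DecryptKey returned alongside the error) is still stored in `unwrappedKey` and the outer loop breaks instead of trying the next mwKey as before. A prior `Valid` check does not make `DecryptKey` infallible, and the cache can change between the two loops, so the error path is reachable; wrap the assignment and the outer `break` in `if keyFound == nil { ... }` as the removed code did, so a failed unwrap never yields a key. As a point of style, `if fullMatch == true {` reads better as `if fullMatch {`. unwrapKey starts and ends outside this hunk, so I cannot see whether a later check on keyFound compensates.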
@@ -86,6 +86,20 @@ func (cache *Cache) setUser(in ActiveUser, name string) {
 	cache.UserKeys[name] = in
 }
 
+// Valid returns true if matching active user is present.
+func (cache *Cache) Valid(name, user string, labels []string) (present bool) {
+	key, present := cache.UserKeys[name]
+	if present {
+		if key.Usage.matches(user, labels) {
+			return true
+		} else {
+			present = false
+		}
+	}
+
+	return
+}
+
 // matchUser returns the matching active user if present
 // and a boolean to indicate its presence.
 func (cache *Cache) matchUser(name, user string, labels []string) (out ActiveUser, present bool) {
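Review bot: The body of the new `Valid` method is a nested if/else that reassigns the named result `present` (declared again by `key, present :=` on the first line) and then falls through to a naked `return`, which obscures a one-line predicate; the whole body can be `key, ok := cache.UserKeys[name]` followed by `return ok && key.Usage.matches(user, labels)`. Since `matchUser` directly below takes the same `(name, user, labels)` and returns a presence flag, it looks like `Valid` could simply delegate to it (`_, present = cache.matchUser(name, user, labels); return present`), but matchUser's body is outside the hunk, so confirm that its match rule is identical before doing that. The doc comment should also state what "matching" means for callers gating key use on it, e.g. `// Valid reports whether name is an active user whose delegation usage permits user with the given labels.`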