Properly restore delegations.

This change addresses several points: 1. The integration tests didn't verify that delegations could be used for decryption following a restore. The integration tests now verify this. 2. There was no functionality for clearing persisted delegations if needed. The vault admin can now do this via the command line tool. 3. Restoring active delegations wasn't storing the key with the delegation. Keys are now serialised properly. 4. [Minor] The MSP package now reports the name of the offending user when it can't find a user name in the database.
2026-01-05 13:07:10 +00:00 · 2016-08-24 11:26:14 -07:00
parent a4b17c3d35
commit 9f39413adb
14 changed files with 405 additions and 49 deletions
--- a/keycache/keycache.go
+++ b/keycache/keycache.go
@@ -11,6 +11,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"log"
@@ -44,6 +45,7 @@ type ActiveUser struct {
 	AltNames map[string]string
 	Admin    bool
 	Type     string
+	Key      []byte

 	rsaKey rsa.PrivateKey
 	eccKey *ecdsa.PrivateKey
@@ -225,8 +227,16 @@ func (cache *Cache) AddKeyFromRecord(record passvault.PasswordRecord, name, pass
 	switch record.Type {
 	case passvault.RSARecord:
 		current.rsaKey, err = record.GetKeyRSA(password)
+		if err != nil {
+			return
+		}
+		current.Key = x509.MarshalPKCS1PrivateKey(&current.rsaKey)
 	case passvault.ECCRecord:
 		current.eccKey, err = record.GetKeyECC(password)
+		if err != nil {
+			return
+		}
+		current.Key, err = x509.MarshalECPrivateKey(current.eccKey)
 	default:
 		err = errors.New("Unknown record type")
 	}
@@ -370,3 +380,31 @@ func (cache *Cache) DelegateStatus(name string, labels, admins []string) (admins
 	}
 	return
 }
+
+// Restore unmarshals the private key stored in the delegator to the
+// appropriate private structure.
+func (cache *Cache) Restore() (err error) {
+	for index, uk := range cache.UserKeys {
+		if len(uk.Key) == 0 {
+			return errors.New("keycache: no private key in active user")
+		}
+
+		rsaPriv, err := x509.ParsePKCS1PrivateKey(uk.Key)
+		if err == nil {
+			uk.rsaKey = *rsaPriv
+			cache.UserKeys[index] = uk
+			continue
+		}
+
+		ecPriv, err := x509.ParseECPrivateKey(uk.Key)
+		if err == nil {
+			uk.eccKey = ecPriv
+			cache.UserKeys[index] = uk
+			continue
+		}
+
+		return err
+	}
+
+	return nil
+}