Fixing rebase of andrewbuss/decrypt_sign

Also switched testdata/ssh_key with an ssh-ed25519 key

README.md

@@ -352,13 +352,13 @@ remote SSH server without ever handling the unencrypted private key directly.
 
 Generate an ssh key without passphrase:
 
-    $ ssh-keygen -f id_rsa -N ""
+    $ ssh-keygen -f id_ed25519 -N ""
 
 Encrypt with the "ssh-sign-with" usage only:
 
-    $ ro -minimum 2 -owners alice,bob -usages ssh-sign-with \
-         -server ro.local -in id_rsa -out id_rsa.encrypted encrypt
+    $ ro -minUsers 2 -owners alice,bob -usages ssh-sign-with \
+         -server localhost:443 -in id_ed25519 -out id_ed25519.encrypted encrypt
 
 Use the remote server to authenticate to an SSH server
 
-    $ ro -server ro.local -in id_rsa.encrypted -pubkey id_rsa.pub ssh root@gibson
+    $ ro -server localhost:443 -in id_ed25519.encrypted -pubkey id_ed25519.pub ssh root@gibson

client/client.go

@@ -254,7 +254,7 @@ func (c *RemoteServer) Decrypt(req core.DecryptRequest) (*core.ResponseData, err
 
 }
 
-// SSHSignWith issues an SSH-sign-with request to the remote server
+// SSHSignWith issues a SSH-sign-with request to the remote server
 func (c *RemoteServer) SSHSignWith(req core.SSHSignWithRequest) (*core.ResponseData, error) {
 	reqBytes, err := json.Marshal(req)
 	if err != nil {
@@ -267,6 +267,7 @@ func (c *RemoteServer) SSHSignWith(req core.SSHSignWithRequest) (*core.ResponseD
 	}
 
 	return unmarshalResponseData(respBytes)
+
 }
 
 // DecryptIntoData issues an decrypt request to the remote server and extract

cmd/ro/roagent/roagent.go

@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
-	"log"
 
 	"github.com/cloudflare/redoctober/client"
 	"github.com/cloudflare/redoctober/core"
@@ -41,7 +40,7 @@ func (signer ROSigner) Sign(rand io.Reader, msg []byte) (signature *ssh.Signatur
 		return nil, err
 	}
 	if resp.Status != "ok" {
-		log.Fatal("response status error:", resp.Status)
+		return nil, errors.New("response status error: " + resp.Status)
 	}
 
 	var respMsg core.SSHSignatureWithDelegates
@@ -49,7 +48,11 @@ func (signer ROSigner) Sign(rand io.Reader, msg []byte) (signature *ssh.Signatur
 	if err != nil {
 		return nil, err
 	}
-	return &respMsg.Signature, nil
+	sshSignature := ssh.Signature{
+		Format: respMsg.SignatureFormat,
+		Blob:   respMsg.Signature,
+	}
+	return &sshSignature, nil
 }
 
 type ROAgent struct {

cryptor/cryptor_test.go

@@ -169,7 +169,7 @@ func TestEncryptDecrypt(t *testing.T) {
 		RightNames: right,
 	}
 
-	resp, err := c.Encrypt([]byte("Hello World!"), []string{}, ac)
+	resp, err := c.Encrypt([]byte("Hello World!"), []string{}, []string{}, ac)
 	if err != nil {
 		t.Fatalf("Error: %s", err)
 	}
@@ -183,7 +183,7 @@ func TestEncryptDecrypt(t *testing.T) {
 	}
 
 	// (resp []byte, labels, names []string, secure bool, err error)
-	_, _, _, _, err = c.Decrypt(resp, "alice")
+	_, _, _, _, _, err = c.Decrypt(resp, "alice")
 	if err != nil {
 		t.Fatalf("%v", err)
 	}

generate.go

@@ -21,7 +21,7 @@ func main() {
 	indexPath := filepath.Join(wd, "static", "index.html")
 
 	out.Write([]byte("// This file is autogenerated; DO NOT EDIT DIRECTLY\n// See generate.go for more info\npackage main\n\nconst (\n"))
-	out.Write([]byte("\tindexHtml = `"))
+	out.Write([]byte("\tindexHTML = `"))
 	f, err := os.Open(indexPath)
 	if err != nil {
 		panic(err)

persist/persist.go

@@ -16,6 +16,9 @@ var defaultStore Store = &File{}
 // Labels are the labels that the keycache should be encrypted with.
 var Labels = []string{"restore"}
 
+// Usages indicate whether encrypted data can be decrypted or only used for signing
+var Usages = []string{}
+
 const (
 	// Disabled indicates that the persistence store will never
 	// persist active delegations.

server/server.go

@@ -23,9 +23,9 @@ import (
 	"github.com/coreos/go-systemd/activation"
 )
 
-// DefaultIndexHtml can be used to customize the package default index page
+// DefaultIndexHTML can be used to customize the package default index page
 // when static path is not specified
-var DefaultIndexHtml = ""
+var DefaultIndexHTML = ""
 
 var functions = map[string]func([]byte) ([]byte, error){
 	"/create":          core.Create,
@@ -37,6 +37,7 @@ var functions = map[string]func([]byte) ([]byte, error){
 	"/encrypt":         core.Encrypt,
 	"/re-encrypt":      core.ReEncrypt,
 	"/decrypt":         core.Decrypt,
+	"/ssh-sign-with":   core.SSHSignWith,
 	"/owners":          core.Owners,
 	"/modify":          core.Modify,
 	"/export":          core.Export,
@@ -50,13 +51,18 @@ var functions = map[string]func([]byte) ([]byte, error){
 }
 
 type userRequest struct {
-	rt string // The request type (which will be one of the
+	// The request type (which will be one of the
 	// keys of the functions map above
-	in []byte // Arbitrary input data (depends on the core.*
+	rt string
+
+	// Arbitrary input data (depends on the core.*
 	// function called)
-	resp chan<- []byte // Channel down which a response is sent (the
+	in []byte
+
+	// Channel down which a response is sent (the
 	// data sent will depend on the core.* function
 	// called to handle this request)
+	resp chan<- []byte
 }
 
 // processRequest handles a single request receive on the JSON API for
@@ -194,13 +200,13 @@ type indexHandler struct {
 	staticPath string
 }
 
-func (this *indexHandler) handle(w http.ResponseWriter, r *http.Request) {
+func (handler *indexHandler) handle(w http.ResponseWriter, r *http.Request) {
 	var body io.ReadSeeker
 	var tags = map[string]string{}
 
-	if this.staticPath != "" {
-		tags["static-path"] = this.staticPath
-		f, err := os.Open(this.staticPath)
+	if handler.staticPath != "" {
+		tags["static-path"] = handler.staticPath
+		f, err := os.Open(handler.staticPath)
 		if err != nil {
 			report.Check(err, tags)
 			http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -209,7 +215,7 @@ func (this *indexHandler) handle(w http.ResponseWriter, r *http.Request) {
 		defer f.Close()
 		body = f
 	} else {
-		body = bytes.NewReader([]byte(DefaultIndexHtml))
+		body = bytes.NewReader([]byte(DefaultIndexHTML))
 	}
 
 	header := w.Header()

testdata/ssh_key

@@ -1,15 +1,7 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCz2+6OyTyo4Qo/hCtaBLT9gczJPzPhu7CzYWOSqRjbFs2/16y0
-YOuyPesO/e84ZasMlzFJMogNddnq5uJxcM6+f3XzUs2yIL26cw0rcespNg1UUpZg
-OSxSluXoJapB/SQhcIuO+uD0snvjNQrAMUz7oK+b6Uv3fYu3DmgI8CrSlwIDAQAB
-AoGAYs8ci8z6Sjz3iFVwC5AybmL0wkq6kfSu6p1COrwzL4mjlxVBiAcG9XEWxbGz
-zmPsSIp3RSNBo0NvaKFXHcM/kHRMsZG9FmmQBikoOkMTaEeCdbw/9k3Xzh1aFPo7
-eCAMbMAO/6nZb8wjARZZ2EHFAo4fXcORwj7dY4/hR3r7KEECQQDdOioQLThTVXXT
-tV24cE0WVezC8xcnSOE0MIMyFyxjD0aGtzrBKoXewocfRe+zvzoMJzrWM0CIEP5U
-IbSUTGX5AkEA0CEuJxOpc3yw3I9hy3isqcA9rR6Pa7gvG/H8dLkmhyK6knzuUHU0
-kW+aTg/LqH22hdCe8SQbUuIWoblSetnhDwJAZOPhyv7UcSzIT4Sm+TY98bG+CCpU
-pNXX3rVBH9bxpzuQLl/hq7Z41t5gQSLj7lWHY4OAka9N/r/BPR0h/X/aAQJAKbHL
-9iYZNzqOj9DljYaCSItrj6fkoXbHcTi8E4IX9tB9QeVnNJUWT+BksCi36uwsSYhu
-nu5VzvfeAs4GePf2/wJATHu5znRyBkegvvn702wodqfhbPd8pmnNT0vXKcD90jsz
-ZDe0VlX/kmE4fbORozMDRURUGaVDhFIiEsa4gct2mA==
------END RSA PRIVATE KEY-----
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACArNmLycKg+U8IR/exXU6PmHvL6fIzf3NYed9wTD3zlrAAAAJANDbiNDQ24
+jQAAAAtzc2gtZWQyNTUxOQAAACArNmLycKg+U8IR/exXU6PmHvL6fIzf3NYed9wTD3zlrA
+AAAED4z9YhcScIDbVDcCfxIhW+SL2oHeP2/T/zxGjom1EWiys2YvJwqD5TwhH97FdTo+Ye
+8vp8jN/c1h533BMPfOWsAAAADW1haHJ1ZEBnYWxvaXM=
+-----END OPENSSH PRIVATE KEY-----

testdata/ssh_key.pub

@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCz2+6OyTyo4Qo/hCtaBLT9gczJPzPhu7CzYWOSqRjbFs2/16y0YOuyPesO/e84ZasMlzFJMogNddnq5uJxcM6+f3XzUs2yIL26cw0rcespNg1UUpZgOSxSluXoJapB/SQhcIuO+uD0snvjNQrAMUz7oK+b6Uv3fYu3DmgI8CrSlw==
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICs2YvJwqD5TwhH97FdTo+Ye8vp8jN/c1h533BMPfOWs mahrud@galois