Supports MSP and requires several arguments to add hipchat integration to
red october. RedOctober will then alert on creation of an order, any new
delegation, or several other states.
The keycache does not remove active delegations when uses drops to zero;
rather it only removes these when Refresh is called.
So Valid returns true even if the user's delegation has expired,
so fullMatch is not set to false in unwrapKey,
so DecryptKey fails since the keycache refreshes and finds the delegation has expired,
so tmpKeyValue is left empty and decryptErr is set.
Since decryptErr is only used to break out of the inner loop, and
fullMatch wasn't set to false, no error is returned from unwrapKey.
So aesKey in DecryptKey is an empty string, causing an error when
passed to aes.NewCipher.
This commit actively removes a delegation from the keycache when it
is used for the last time, and properly handles errors thrown by
DecryptKey in unwrapKey.
The "minimum" parameter was ignored, so when a single user
was provided as an owner, the encrypted data had no KeySet value
and could not be decrypted.
This change fixes the API and cryptor to pay attention to the Minimum
parameter and handle the case where Minimum is 1
The idea is to create a new type (to avoid ugly string parsing) and
then, instead of iterating through delegations with the username, iterate
through the delegations and look for your username and matching slot. Also
in cases we don't have the slot (everything but delegation), find the slot
when we match a user.
This patch adds the /owners API endpoint that returns the list of users
that "own" the given secret. These are the users that can delegate their
passwords for decrypting the secret.
It also adds the "Get Owners" form in the web UI that uses the new API.
Fixes#62
LeftOwners and RightOwners can now be used as either disjoint
or overlapping sets of users for encrypting a message. Default
behavior is to set them to Owners given a non-empty Owners set.
One member from each group are required to decrypt the message.
There are a few changes made here:
* Comments have been updated to reflect the presence of ECC records.
* Variables named rsa* have been renamed pub* to reflect the general
use of public key cryptography, instead of RSA specifically.
* An if statement for RSA keys now handles both RSA and ECC keys.
The passvault's id is created with math.rand as a native int.
If the vault is created on a 64-bit system, it breaks compatibility
with 32-bit systems.
- Generate vaults with 32-bit ids.
- Update testcode
