From 5ffdfd6d0bc77eda829054c9c3de6fba950507de Mon Sep 17 00:00:00 2001
From: Tor Brede Vekterli <vekterli@yahooinc.com>
Date: Mon, 30 Jan 2023 14:41:01 +0100
Subject: Add an "interactive" token resealing protocol and basic tooling
 support

Implements a protocol for delegated access to a shared secret key
of a token whose private key we do not possess. This builds directly
on top of the existing token resealing mechanisms.

The primary benefit of the resealing protocol is that none of the
data exchanged can reveal anything about the underlying secret.

Security note: neither resealing requests nor responses are explicitly
authenticated (this is a property inherited from the sealed shared
key tokens themselves). It is assumed that an attacker can observe
all requests and responses in transit, but cannot modify them.
---
 .../vespa/security/tool/crypto/DecryptTool.java    | 49 +++++++++++++++++--
 .../vespa/security/tool/crypto/ResealTool.java     | 55 ++++++++++++++++------
 2 files changed, 85 insertions(+), 19 deletions(-)

(limited to 'vespaclient-java/src/main/java/com/yahoo')

diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
index 4fbe89d4b03..4b3608fc3f7 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
@@ -2,14 +2,18 @@
 package com.yahoo.vespa.security.tool.crypto;
 
 import com.yahoo.security.SealedSharedKey;
+import com.yahoo.security.SecretSharedKey;
 import com.yahoo.security.SharedKeyGenerator;
+import com.yahoo.security.SharedKeyResealingSession;
 import com.yahoo.vespa.security.tool.CliUtils;
 import com.yahoo.vespa.security.tool.Tool;
 import com.yahoo.vespa.security.tool.ToolDescription;
 import com.yahoo.vespa.security.tool.ToolInvocation;
 import org.apache.commons.cli.Option;
 
+import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStreamReader;
 import java.util.List;
 import java.util.Optional;
 
@@ -31,6 +35,7 @@ public class DecryptTool implements Tool {
     static final String EXPECTED_KEY_ID_OPTION  = "expected-key-id";
     static final String ZSTD_DECOMPRESS_OPTION  = "zstd-decompress";
     static final String TOKEN_OPTION            = "token";
+    static final String RESEAL_REQUEST          = "reseal-request";
 
     private static final List<Option> OPTIONS = List.of(
             Option.builder("o")
@@ -77,6 +82,12 @@ public class DecryptTool implements Tool {
                     .hasArg(true)
                     .required(false)
                     .desc("Token generated when the input file was encrypted")
+                    .build(),
+            Option.builder("r")
+                    .longOpt(RESEAL_REQUEST)
+                    .hasArg(false)
+                    .required(false)
+                    .desc("Delegate private key decryption via an interactive resealing session")
                     .build());
 
     @Override
@@ -110,11 +121,12 @@ public class DecryptTool implements Tool {
             var sealedSharedKey = SealedSharedKey.fromTokenString(tokenString.strip());
             ToolUtils.verifyExpectedKeyId(sealedSharedKey, maybeKeyId);
 
-            var privateKey   = ToolUtils.resolvePrivateKeyFromInvocation(invocation, sealedSharedKey.keyId(),
-                                                                         !CliUtils.useStdIo(inputArg) && !CliUtils.useStdIo(outputArg));
-            var secretShared = SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
-            var cipher       = secretShared.makeDecryptionCipher();
-            boolean unZstd   = arguments.hasOption(ZSTD_DECOMPRESS_OPTION);
+            var secret = arguments.hasOption(RESEAL_REQUEST)
+                    ? secretFromInteractiveResealing(invocation, inputArg, outputArg, sealedSharedKey)
+                    : secretFromPrivateKey(invocation, inputArg, outputArg, sealedSharedKey);
+
+            var cipher     = secret.makeDecryptionCipher();
+            boolean unZstd = arguments.hasOption(ZSTD_DECOMPRESS_OPTION);
 
             try (var inStream  = CliUtils.inputStreamFromFileOrStream(inputArg, invocation.stdIn());
                  var outStream = CliUtils.outputStreamToFileOrStream(outputArg, invocation.stdOut())) {
@@ -125,4 +137,31 @@ public class DecryptTool implements Tool {
         }
         return 0;
     }
+
+    private static SecretSharedKey secretFromPrivateKey(ToolInvocation invocation, String inputArg, String outputArg, SealedSharedKey sealedSharedKey) throws IOException {
+        var privateKey = ToolUtils.resolvePrivateKeyFromInvocation(invocation, sealedSharedKey.keyId(),
+                                                                   !CliUtils.useStdIo(inputArg) && !CliUtils.useStdIo(outputArg));
+        return SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
+    }
+
+    private static SecretSharedKey secretFromInteractiveResealing(ToolInvocation invocation, String inputArg,
+                                                                  String outputArg, SealedSharedKey sealedSharedKey) throws IOException {
+        if (!CliUtils.useStdIo(outputArg) || !CliUtils.useStdIo(inputArg)) {
+            throw new IllegalArgumentException("Interactive token resealing not available with redirected I/O");
+        }
+        var session = SharedKeyResealingSession.newEphemeralSession();
+        var req     = session.resealingRequestFor(sealedSharedKey);
+
+        invocation.stdOut().format("\nInteractive token resealing request:\n\n%s\n\n", req.toSerializedString());
+        invocation.stdOut().format("Paste response and hit return: ");
+
+        try (var reader = new BufferedReader(new InputStreamReader(invocation.stdIn()))) {
+            var serializedRes = reader.readLine().strip();
+            if (serializedRes.isEmpty()) {
+                throw new IllegalArgumentException("Empty response; aborting");
+            }
+            var res = SharedKeyResealingSession.ResealingResponse.fromSerializedString(serializedRes);
+            return session.openResealingResponse(res);
+        }
+    }
 }
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/ResealTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/ResealTool.java
index 19be3e9fa51..4fb8083b0f0 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/ResealTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/ResealTool.java
@@ -5,10 +5,12 @@ import com.yahoo.security.KeyId;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SealedSharedKey;
 import com.yahoo.security.SharedKeyGenerator;
+import com.yahoo.security.SharedKeyResealingSession;
 import com.yahoo.vespa.security.tool.CliUtils;
 import com.yahoo.vespa.security.tool.Tool;
 import com.yahoo.vespa.security.tool.ToolDescription;
 import com.yahoo.vespa.security.tool.ToolInvocation;
+import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 
 import java.io.IOException;
@@ -31,6 +33,7 @@ public class ResealTool implements Tool {
     static final String EXPECTED_KEY_ID_OPTION      = "expected-key-id";
     static final String RECIPIENT_KEY_ID_OPTION     = "key-id";
     static final String RECIPIENT_PUBLIC_KEY_OPTION = "recipient-public-key";
+    static final String RESEAL_REQUEST_OPTION       = "reseal-request";
 
     private static final List<Option> OPTIONS = List.of(
             Option.builder("k")
@@ -70,6 +73,12 @@ public class ResealTool implements Tool {
                     .hasArg(true)
                     .required(false)
                     .desc("ID of recipient key")
+                    .build(),
+            Option.builder()
+                    .longOpt(RESEAL_REQUEST_OPTION)
+                    .hasArg(false)
+                    .required(false)
+                    .desc("Handle input as a resealing request instead of a token")
                     .build());
 
     @Override
@@ -96,23 +105,41 @@ public class ResealTool implements Tool {
             if (leftoverArgs.length != 1) {
                 throw new IllegalArgumentException("Expected exactly 1 token argument to re-seal");
             }
-            var tokenString = leftoverArgs[0];
-            var maybeKeyId  = Optional.ofNullable(arguments.hasOption(EXPECTED_KEY_ID_OPTION)
-                                                  ? arguments.getOptionValue(EXPECTED_KEY_ID_OPTION)
-                                                  : null);
-            var sealedSharedKey = SealedSharedKey.fromTokenString(tokenString.strip());
-            ToolUtils.verifyExpectedKeyId(sealedSharedKey, maybeKeyId);
-
-            var recipientPubKey = KeyUtils.fromBase58EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
-            var recipientKeyId  = KeyId.ofString(CliUtils.optionOrThrow(arguments, RECIPIENT_KEY_ID_OPTION));
-            var privateKey      = ToolUtils.resolvePrivateKeyFromInvocation(invocation, sealedSharedKey.keyId(), true);
-            var secretShared    = SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
-            var resealedShared  = SharedKeyGenerator.reseal(secretShared, recipientPubKey, recipientKeyId);
-
-            invocation.stdOut().println(resealedShared.sealedSharedKey().toTokenString());
+            var inputArg   = leftoverArgs[0].strip();
+            var maybeKeyId = Optional.ofNullable(arguments.hasOption(EXPECTED_KEY_ID_OPTION)
+                                                 ? arguments.getOptionValue(EXPECTED_KEY_ID_OPTION)
+                                                 : null);
+            if (arguments.hasOption(RESEAL_REQUEST_OPTION)) {
+                handleResealingRequest(invocation, inputArg, maybeKeyId);
+            } else {
+                handleTokenResealing(invocation, arguments, inputArg, maybeKeyId);
+            }
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
         return 0;
     }
+
+    private static void handleTokenResealing(ToolInvocation invocation, CommandLine arguments, String inputArg, Optional<String> maybeKeyId) throws IOException {
+        var sealedSharedKey = SealedSharedKey.fromTokenString(inputArg);
+        ToolUtils.verifyExpectedKeyId(sealedSharedKey, maybeKeyId);
+
+        var recipientPubKey = KeyUtils.fromBase58EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
+        var recipientKeyId  = KeyId.ofString(CliUtils.optionOrThrow(arguments, RECIPIENT_KEY_ID_OPTION));
+        var privateKey      = ToolUtils.resolvePrivateKeyFromInvocation(invocation, sealedSharedKey.keyId(), true);
+        var secretShared    = SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
+        var resealedShared  = SharedKeyGenerator.reseal(secretShared, recipientPubKey, recipientKeyId);
+
+        invocation.stdOut().println(resealedShared.sealedSharedKey().toTokenString());
+    }
+
+    private static void handleResealingRequest(ToolInvocation invocation, String inputArg, Optional<String> maybeKeyId) throws IOException {
+        var request = SharedKeyResealingSession.ResealingRequest.fromSerializedString(inputArg);
+        ToolUtils.verifyExpectedKeyId(request.sealedKey(), maybeKeyId);
+
+        var privateKey = ToolUtils.resolvePrivateKeyFromInvocation(invocation, request.sealedKey().keyId(), true);
+        var resealed   = SharedKeyResealingSession.reseal(request, (keyId) -> Optional.of(privateKey));
+
+        invocation.stdOut().println(resealed.toSerializedString());
+    }
 }
-- 
cgit v1.2.3