// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.security.tool.crypto;

import com.yahoo.security.KeyId;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SealedSharedKey;
import com.yahoo.security.SharedKeyGenerator;
import com.yahoo.security.SharedKeyResealingSession;
import com.yahoo.vespa.security.tool.CliUtils;
import com.yahoo.vespa.security.tool.Tool;
import com.yahoo.vespa.security.tool.ToolDescription;
import com.yahoo.vespa.security.tool.ToolInvocation;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;

import java.io.IOException;
import java.util.List;
import java.util.Optional;

import static com.yahoo.vespa.security.tool.crypto.ToolUtils.NO_INTERACTIVE_OPTION;
import static com.yahoo.vespa.security.tool.crypto.ToolUtils.PRIVATE_KEY_DIR_OPTION;
import static com.yahoo.vespa.security.tool.crypto.ToolUtils.PRIVATE_KEY_FILE_OPTION;

/**
 * Tooling for resealing a token for another recipient. This allows for delegating
 * decryption to another party without having to reveal the private key of the original
 * recipient.
 *
 * <p>Two input modes exist, selected by {@code --reseal-request}:
 * <ul>
 *   <li><b>Token mode</b> (default): the positional argument is a sealed shared key token.
 *       It is unsealed with the original recipient's private key and sealed again for the
 *       recipient named by {@code --recipient-public-key} and {@code --key-id}.</li>
 *   <li><b>Request mode</b>: the positional argument is a serialized resealing request. The
 *       new recipient comes from the request itself, so {@code --recipient-public-key} and
 *       {@code --key-id} are not read in this mode (they are silently ignored if given).</li>
 * </ul>
 *
 * <p>Operational/security notes:
 * <ul>
 *   <li>When {@code --expected-key-id} is omitted, the key ID carried in the input is not
 *       compared against anything before the matching private key is resolved.</li>
 *   <li>The token or request arrives as a command-line argument. On most systems argv is
 *       readable by other local users via process listings; NOTE(review): confirm whether
 *       that matters for the environments this tool is run in.</li>
 *   <li>This is a BETA tool; its interface may change.</li>
 * </ul>
 *
 * @author vekterli
 */
public class ResealTool implements Tool {

    static final String EXPECTED_KEY_ID_OPTION      = "expected-key-id";
    static final String RECIPIENT_KEY_ID_OPTION     = "key-id";
    static final String RECIPIENT_PUBLIC_KEY_OPTION = "recipient-public-key";
    static final String RESEAL_REQUEST_OPTION       = "reseal-request";

    /** Builds one CLI option; {@code shortName} may be null for long-only options. None are required. */
    private static Option option(String shortName, String longName, boolean takesArg, String description) {
        var builder = (shortName == null) ? Option.builder() : Option.builder(shortName);
        return builder.longOpt(longName)
                      .hasArg(takesArg)
                      .desc(description)
                      .build();
    }

    // Declaration order is preserved since it determines the order in the printed help text.
    private static final List<Option> OPTIONS = List.of(
            option("k", PRIVATE_KEY_FILE_OPTION, true,
                   "Private key file in Base58 encoded format"),
            option("d", PRIVATE_KEY_DIR_OPTION, true,
                   "Private key file directory used for automatically looking up " +
                   "private keys based on the key ID specified as part of a token."),
            option(null, NO_INTERACTIVE_OPTION, false,
                   "Never ask for private key interactively if no private key file or " +
                   "directory is provided, even if process is running in a console"),
            option("e", EXPECTED_KEY_ID_OPTION, true,
                   "Expected key ID in token. If this is not provided, the key ID is not verified."),
            option("r", RECIPIENT_PUBLIC_KEY_OPTION, true,
                   "Recipient X25519 public key in Base58 encoded format"),
            option("i", RECIPIENT_KEY_ID_OPTION, true,
                   "ID of recipient key"),
            option(null, RESEAL_REQUEST_OPTION, false,
                   "Handle input as a resealing request instead of a token"));

    /** Sub-command name as seen on the command line. */
    @Override
    public String name() {
        return "reseal";
    }

    /** Usage line, long description, trailing note and the option set for the help output. */
    @Override
    public ToolDescription description() {
        var usage   = "<token> <options>";
        var summary = "Reseals the input token for another recipient, allowing that recipient to " +
                      "decrypt the file that the input token was originally created for.\n" +
                      "Prints new token to STDOUT.";
        var footer  = "Note: this is a BETA tool version; its interface may be changed at any time";
        return new ToolDescription(usage, summary, footer, OPTIONS);
    }

    /**
     * Entry point: validates that exactly one positional argument was given, then dispatches
     * to token or request mode. The resulting token/response is printed to the invocation's
     * stdout.
     *
     * @return 0 on success
     * @throws IllegalArgumentException if the positional argument count is not exactly 1
     * @throws RuntimeException wrapping any IOException raised while resolving the private key
     */
    @Override
    public int invoke(ToolInvocation invocation) {
        var arguments  = invocation.arguments();
        var positional = arguments.getArgs();
        if (positional.length != 1) {
            throw new IllegalArgumentException("Expected exactly 1 token argument to re-seal");
        }
        var input         = positional[0].strip();
        // getOptionValue returns null when the option is absent, so this is empty iff -e was not given.
        var expectedKeyId = Optional.ofNullable(arguments.getOptionValue(EXPECTED_KEY_ID_OPTION));
        try {
            if (!arguments.hasOption(RESEAL_REQUEST_OPTION)) {
                resealToken(invocation, arguments, input, expectedKeyId);
            } else {
                resealFromRequest(invocation, input, expectedKeyId);
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return 0;
    }

    /**
     * Token mode. Parses the token, optionally checks its key ID, then unseals it with the
     * original recipient's private key and seals it again for the recipient given on the
     * command line. Only the new sealed token is printed; the shared secret never leaves the process.
     *
     * <p>Order matters: the recipient public key and key ID are parsed before the private key is
     * resolved, so malformed recipient input fails before any (possibly interactive) key lookup.
     */
    private static void resealToken(ToolInvocation invocation, CommandLine arguments,
                                    String token, Optional<String> expectedKeyId) throws IOException {
        var sealed = SealedSharedKey.fromTokenString(token);
        ToolUtils.verifyExpectedKeyId(sealed, expectedKeyId);

        var recipientPublicKey = parseRecipientPublicKey(arguments);
        var recipientKeyId     = parseRecipientKeyId(arguments);
        var originalPrivateKey = ToolUtils.resolvePrivateKeyFromInvocation(invocation, sealed.keyId(), true);

        var sharedSecret = SharedKeyGenerator.fromSealedKey(sealed, originalPrivateKey);
        var resealed     = SharedKeyGenerator.reseal(sharedSecret, recipientPublicKey, recipientKeyId);
        emit(invocation, resealed.sealedSharedKey().toTokenString());
    }

    /**
     * Request mode. Parses a serialized resealing request, optionally checks the key ID of the
     * sealed key it carries, resolves the matching private key and lets the resealing session
     * produce the response. The recipient is taken from the request, not from CLI options.
     */
    private static void resealFromRequest(ToolInvocation invocation, String serializedRequest,
                                          Optional<String> expectedKeyId) throws IOException {
        var request = SharedKeyResealingSession.ResealingRequest.fromSerializedString(serializedRequest);
        ToolUtils.verifyExpectedKeyId(request.sealedKey(), expectedKeyId);

        var privateKey = ToolUtils.resolvePrivateKeyFromInvocation(invocation, request.sealedKey().keyId(), true);
        // The key was already resolved for the request's key ID, so the lookup callback
        // hands back that single key regardless of the ID it is asked for.
        var response = SharedKeyResealingSession.reseal(request, ignoredKeyId -> Optional.of(privateKey));
        emit(invocation, response.toSerializedString());
    }

    /** Reads and decodes {@code --recipient-public-key}; throws via CliUtils if missing. */
    private static java.security.PublicKey parseRecipientPublicKey(CommandLine arguments) {
        var encoded = CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip();
        return KeyUtils.fromBase58EncodedX25519PublicKey(encoded);
    }

    /** Reads {@code --key-id} as-is (no stripping, matching the original behaviour); throws via CliUtils if missing. */
    private static KeyId parseRecipientKeyId(CommandLine arguments) {
        return KeyId.ofString(CliUtils.optionOrThrow(arguments, RECIPIENT_KEY_ID_OPTION));
    }

    /** Writes one line of output to the invocation's stdout. */
    private static void emit(ToolInvocation invocation, String line) {
        invocation.stdOut().println(line);
    }
}