Extend acra-keys export/import subcommand (#629)

Extend acra-keys export/import subcommand with V1 keystore support
cossacklabs · Feb 6, 2023 · 47b679b · 47b679b
1 parent 9565e50
commit 47b679b
Show file tree

Hide file tree

Showing 24 changed files with 1,866 additions and 498 deletions.
diff --git a/CHANGELOG_DEV.md b/CHANGELOG_DEV.md
@@ -1,6 +1,9 @@
 # 0.95.0 - 2023-02-02
 - Improve processing int4 values from PostgreSQL with binary format of values
 
+# 0.95.0 - 2023-01-31
+- Extend `acra-keys` `export` and `import` subcommand by V1 keystore support;
+
 # 0.95.0 - 2023-01-24
 - Remove testing on the old versions of golang, leave only last fresh version
 

diff --git a/cmd/acra-backup/acra-backup.go b/cmd/acra-backup/acra-backup.go
@@ -20,7 +20,6 @@ import (
 	"encoding/base64"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 
 	"github.com/cossacklabs/acra/cmd"
@@ -85,7 +84,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	backuper, err := filesystem.NewKeyBackuper(*outputDir, *outputPublicKey, storage, keyStoreEncryptor)
+	backuper, err := filesystem.NewKeyBackuper(*outputDir, *outputPublicKey, storage, keyStoreEncryptor, nil)
 	if err != nil {
 		log.WithError(err).Errorln("Can't initialize backuper")
 		os.Exit(1)
@@ -107,25 +106,25 @@ func main() {
 			os.Exit(1)
 		}
 
-		keysContent, err := ioutil.ReadFile(*file)
+		keysContent, err := os.ReadFile(*file)
 		if err != nil {
 			log.WithError(err).Errorln("Can't read file with exported keys")
 			os.Exit(1)
 		}
-		backup := keystore.KeysBackup{MasterKey: key, Keys: keysContent}
-		if err := backuper.Import(&backup); err != nil {
+		backup := keystore.KeysBackup{Keys: key, Data: keysContent}
+		if _, err := backuper.Import(&backup); err != nil {
 			log.WithError(err).Errorln("Can't import keys")
 			os.Exit(1)
 		}
 	case actionExport:
-		backup, err := backuper.Export()
+		backup, err := backuper.Export(nil, keystore.ExportAllKeys)
 		if err != nil {
 			log.WithError(err).Errorln("Can't generate backup")
 			os.Exit(1)
 		}
-		base64MasterKey := base64.StdEncoding.EncodeToString(backup.MasterKey)
-		utils.ZeroizeSymmetricKey(backup.MasterKey)
-		if err := ioutil.WriteFile(*file, backup.Keys, filesystem.PrivateFileMode); err != nil {
+		base64MasterKey := base64.StdEncoding.EncodeToString(backup.Keys)
+		utils.ZeroizeSymmetricKey(backup.Keys)
+		if err := os.WriteFile(*file, backup.Keys, filesystem.PrivateFileMode); err != nil {
 			log.WithError(err).Errorf("Can't write backup to file %s", *file)
 			os.Exit(1)
 		}

diff --git a/cmd/acra-keys/keys/acra-keys.go b/cmd/acra-keys/keys/acra-keys.go
@@ -22,10 +22,10 @@ import (
 	"io"
 	"os"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/cossacklabs/acra/keystore"
-	"github.com/cossacklabs/acra/keystore/v2/keystore/api"
 	"github.com/cossacklabs/acra/utils"
-	log "github.com/sirupsen/logrus"
 )
 
 func warnKeystoreV2Only(command string) {
@@ -51,55 +51,6 @@ func ListKeysCommand(params ListKeysParams, keyStore keystore.ServerKeyStore) {
 	}
 }
 
-// ExportKeysCommand implements the "export" command.
-func ExportKeysCommand(params ExportKeysParams, keyStore api.KeyStore) {
-	encryptionKeyData, cryptosuite, err := PrepareExportEncryptionKeys()
-	if err != nil {
-		log.WithError(err).Fatal("Failed to prepare encryption keys")
-	}
-	defer utils.ZeroizeSymmetricKey(encryptionKeyData)
-
-	exportedData, err := ExportKeys(keyStore, cryptosuite, params)
-	if err != nil {
-		log.WithError(err).Fatal("Failed to export keys")
-	}
-
-	err = WriteExportedData(exportedData, encryptionKeyData, params)
-	if err != nil {
-		log.WithError(err).Fatal("Failed to write exported data")
-	}
-
-	log.Infof("Exported key data is encrypted and saved here: %s", params.ExportDataFile())
-	log.Infof("New encryption keys for import generated here: %s", params.ExportKeysFile())
-	log.Infof("DO NOT transport or store these files together")
-	log.Infof("Import the keys into another keystore like this:\n\tacra-keys import --key_bundle_file \"%s\" --key_bundle_secret \"%s\"", params.ExportDataFile(), params.ExportKeysFile())
-}
-
-// ImportKeysCommand implements the "import" command.
-func ImportKeysCommand(params ImportKeysParams, keyStore api.MutableKeyStore) {
-	exportedData, err := ReadExportedData(params)
-	if err != nil {
-		log.WithError(err).Fatal("Failed to read exported data")
-	}
-
-	cryptosuite, err := ReadImportEncryptionKeys(params)
-	if err != nil {
-		log.WithError(err).Fatal("Failed to prepare encryption keys")
-	}
-
-	descriptions, err := ImportKeys(exportedData, keyStore, cryptosuite, params)
-	if err != nil {
-		log.WithError(err).Fatal("Failed to import keys")
-	}
-
-	log.Infof("successfully imported %d keys", len(descriptions))
-
-	err = PrintKeys(descriptions, os.Stdout, params)
-	if err != nil {
-		log.WithError(err).Fatal("Failed to print imported key list")
-	}
-}
-
 // PrintKeyCommand implements the "read" command.
 func (p *ReadKeySubcommand) PrintKeyCommand(params ReadKeyParams, keyStore keystore.ServerKeyStore) {
 	keyBytes, err := ReadKeyBytes(params, keyStore)

diff --git a/cmd/acra-keys/keys/command-line.go b/cmd/acra-keys/keys/command-line.go
@@ -52,21 +52,7 @@ const (
 	CmdExtractClientID = "extract-client-id"
 )
 
-// Key kind constants:
-const (
-	KeyPoisonKeypair   = "poison-keypair"
-	KeyPoisonSymmetric = "poison-symmetric"
-	KeyPoisonPublic    = "poison-public"
-	KeyPoisonPrivate   = "poison-private"
-	KeyStorageKeypair  = "storage-keypair"
-	KeyStoragePublic   = "storage-public"
-	KeyStoragePrivate  = "storage-private"
-
-	KeySymmetric = "symmetric-key"
-	KeySearch    = "hmac-key"
-)
-
-// Comman-line parsing errors:
+// Command-line parsing errors:
 var (
 	ErrUnknownSubCommand = errors.New("unknown command")
 	ErrMissingKeyKind    = errors.New("missing key kind")
@@ -160,21 +146,21 @@ func ParseKeyKind(keyID string) (string, []byte, error) {
 	if len(parts) == 1 {
 		switch parts[0] {
 		case "poison-record":
-			return KeyPoisonKeypair, nil, nil
+			return keystoreV1.KeyPoisonKeypair, nil, nil
 		case "poison-record-symmetric":
-			return KeyPoisonSymmetric, nil, nil
+			return keystoreV1.KeyPoisonSymmetric, nil, nil
 		}
 	}
 	if len(parts) == 3 {
 		id := []byte(parts[1])
 		if parts[0] == "client" {
 			switch parts[2] {
 			case "symmetric":
-				return KeySymmetric, id, nil
+				return keystoreV1.KeySymmetric, id, nil
 			case "storage":
-				return KeyStorageKeypair, id, nil
+				return keystoreV1.KeyStorageKeypair, id, nil
 			case "searchable":
-				return KeySearch, id, nil
+				return keystoreV1.KeySearch, id, nil
 			}
 		}
 		log.Warningln("Zone keys are deprecated since 0.94.0 and will be removed soon.")

diff --git a/cmd/acra-keys/keys/destroy-key.go b/cmd/acra-keys/keys/destroy-key.go
@@ -89,10 +89,10 @@ func (p *DestroyKeySubcommand) Parse(arguments []string) error {
 		return err
 	}
 	switch coarseKind {
-	case KeyPoisonKeypair, KeyPoisonSymmetric:
+	case keystore.KeyPoisonKeypair, keystore.KeyPoisonSymmetric:
 		p.destroyKeyKind = coarseKind
 
-	case KeySymmetric, KeyStorageKeypair, KeySearch:
+	case keystore.KeySymmetric, keystore.KeyStorageKeypair, keystore.KeySearch:
 		p.destroyKeyKind = coarseKind
 		p.contextID = id
 	default:
@@ -125,37 +125,37 @@ func (p *DestroyKeySubcommand) ClientID() []byte {
 func DestroyKey(params DestroyKeyParams, keyStore keystore.KeyMaking) error {
 	kind := params.DestroyKeyKind()
 	switch kind {
-	case KeyPoisonKeypair:
+	case keystore.KeyPoisonKeypair:
 		err := keyStore.DestroyPoisonKeyPair()
 		if err != nil {
 			log.WithError(err).Error("Cannot destroy poison record key pair")
 			return err
 		}
 		return nil
-	case KeyPoisonSymmetric:
+	case keystore.KeyPoisonSymmetric:
 		err := keyStore.DestroyPoisonSymmetricKey()
 		if err != nil {
 			log.WithError(err).Error("Cannot destroy poison record symmetric key")
 			return err
 		}
 		return nil
 
-	case KeyStorageKeypair:
+	case keystore.KeyStorageKeypair:
 		err := keyStore.DestroyClientIDEncryptionKeyPair(params.ClientID())
 		if err != nil {
 			log.WithError(err).Error("Cannot destroy client storage key pair")
 			return err
 		}
 		return nil
 
-	case KeySymmetric:
+	case keystore.KeySymmetric:
 		err := keyStore.DestroyClientIDSymmetricKey(params.ClientID())
 		if err != nil {
 			log.WithError(err).Error("Cannot destroy client symmetric key")
 			return err
 		}
 		return nil
-	case KeySearch:
+	case keystore.KeySearch:
 		err := keyStore.DestroyHmacSecretKey(params.ClientID())
 		if err != nil {
 			log.WithError(err).Error("Cannot destroy client hmac key")

diff --git a/cmd/acra-keys/keys/destroy-key_test.go b/cmd/acra-keys/keys/destroy-key_test.go
@@ -43,7 +43,7 @@ func TestDestroyCMD_FS_V2(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeyStorageKeypair,
+			destroyKeyKind: keystore.KeyStorageKeypair,
 			FlagSet:        flagSet,
 		}
 
@@ -79,7 +79,7 @@ func TestDestroyCMD_FS_V2(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeySymmetric,
+			destroyKeyKind: keystore.KeySymmetric,
 			FlagSet:        flagSet,
 		}
 
@@ -115,7 +115,7 @@ func TestDestroyCMD_FS_V2(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeyPoisonKeypair,
+			destroyKeyKind: keystore.KeyPoisonKeypair,
 			FlagSet:        flagSet,
 		}
 
@@ -146,7 +146,7 @@ func TestDestroyCMD_FS_V2(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeyPoisonSymmetric,
+			destroyKeyKind: keystore.KeyPoisonSymmetric,
 			FlagSet:        flagSet,
 		}
 
@@ -182,7 +182,7 @@ func TestDestroyCMD_FS_V2(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeySearch,
+			destroyKeyKind: keystore.KeySearch,
 			FlagSet:        flagSet,
 		}
 
@@ -243,7 +243,7 @@ func TestDestroyCMD_FS_V1(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeyStorageKeypair,
+			destroyKeyKind: keystore.KeyStorageKeypair,
 			FlagSet:        flagSet,
 		}
 
@@ -274,7 +274,7 @@ func TestDestroyCMD_FS_V1(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeySymmetric,
+			destroyKeyKind: keystore.KeySymmetric,
 			FlagSet:        flagSet,
 		}
 
@@ -305,7 +305,7 @@ func TestDestroyCMD_FS_V1(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeyPoisonKeypair,
+			destroyKeyKind: keystore.KeyPoisonKeypair,
 			FlagSet:        flagSet,
 		}
 
@@ -336,7 +336,7 @@ func TestDestroyCMD_FS_V1(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeyPoisonSymmetric,
+			destroyKeyKind: keystore.KeyPoisonSymmetric,
 			FlagSet:        flagSet,
 		}
 
@@ -367,7 +367,7 @@ func TestDestroyCMD_FS_V1(t *testing.T) {
 				keyDir: dirName,
 			},
 			contextID:      clientID,
-			destroyKeyKind: KeySearch,
+			destroyKeyKind: keystore.KeySearch,
 			FlagSet:        flagSet,
 		}