Merge pull request #46 from Lagovas/lagovas/split-keys
Lagovas/split keys
mnaza committed Jan 17, 2017
2 parents fc13867 + 47567b9 commit 66f812e
Showing 6 changed files with 215 additions and 102 deletions.
42 changes: 30 additions & 12 deletions cmd/acra_genkeys/acra_genkeys.go
Expand Up @@ -66,28 +66,46 @@ func main() {
client_id := flag.String("client_id", "client", "Client id")
acraproxy := flag.Bool("acraproxy", false, "Create keypair only for acraproxy")
acraserver := flag.Bool("acraserver", false, "Create keypair only for acraserver")
data_keys := flag.Bool("data", false, "Create keypair for data encryption/decryption")
output_dir := flag.String("output", keystore.DEFAULT_KEY_DIR_SHORT, "Folder where will be saved keys")

utils.LoadFromConfig(DEFAULT_CONFIG_PATH)
iniflags.Parse()

var err error
*output_dir, err = utils.AbsPath(*output_dir)
if err != nil {
panic(err)
}

err = os.MkdirAll(*output_dir, 0700)
if err != nil {
store, err := keystore.NewFilesystemKeyStore(*output_dir)
if err != nil{
panic(err)
}

if *acraproxy {
create_keys(*client_id, *output_dir)
err = store.GenerateProxyKeys([]byte(*client_id))
if err != nil{
panic(err)
}
} else if *acraserver {
create_keys(fmt.Sprintf("%s_server", *client_id), *output_dir)
err = store.GenerateServerKeys([]byte(*client_id))
if err != nil{
panic(err)
}
} else if *data_keys{
err = store.GenerateDataEncryptionKeys([]byte(*client_id))
if err != nil{
panic(err)
}
} else {
create_keys(*client_id, *output_dir)
create_keys(fmt.Sprintf("%s_server", *client_id), *output_dir)
err = store.GenerateProxyKeys([]byte(*client_id))
if err != nil{
panic(err)
}

err = store.GenerateServerKeys([]byte(*client_id))
if err != nil{
panic(err)
}

err = store.GenerateDataEncryptionKeys([]byte(*client_id))
if err != nil{
panic(err)
}
}
}
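Review bot: Nothing in the new main creates `*output_dir` any more: the `os.MkdirAll(*output_dir, 0700)` is gone, so the directory exists only if keystore.NewFilesystemKeyStore creates it (that constructor is outside this diff); if it does not, generating into a fresh `-output` path fails at the first key write, and the 0700 mode on the key directory is no longer enforced from this tool. The six repeated `err = store.Generate…; if err != nil{ panic(err) }` blocks would read better through one helper, e.g. `func must(err error) { if err != nil { panic(err) } }` used as `must(store.GenerateProxyKeys([]byte(*client_id)))`. The added lines are also not gofmt-clean (`if err != nil{`, `*data_keys{`). main's body starts above this hunk.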
56 changes: 0 additions & 56 deletions decryptor/postgresql/pg_escape_decryptor.go
Expand Up @@ -106,18 +106,6 @@ func NewPgEscapeDecryptor() *PgEscapeDecryptor {
}
}

func (decryptor *PgEscapeDecryptor) SetWithZone(b bool) {
decryptor.is_with_zone = b
}

func (decryptor *PgEscapeDecryptor) SetPoisonKey(key []byte) {
decryptor.poison_key = key
}

func (decryptor *PgEscapeDecryptor) GetPoisonKey() []byte {
return decryptor.poison_key
}

func (decryptor *PgEscapeDecryptor) MatchBeginTag(char byte) bool {
if char == ESCAPE_TAG_BEGIN[decryptor.current_index] {
decryptor.current_index++
Expand Down Expand Up @@ -281,50 +269,6 @@ func (decryptor *PgEscapeDecryptor) ReadData(symmetric_key, zone_id []byte, read
return EncodeToOctal(decrypted), nil
}

func (decryptor *PgEscapeDecryptor) SetKeyStore(store keystore.KeyStore) {
decryptor.key_store = store
}

func (decryptor *PgEscapeDecryptor) GetPrivateKey() (*keys.PrivateKey, error) {
return decryptor.key_store.GetZonePrivateKey(decryptor.GetMatchedZoneId())
}

func (decryptor *PgEscapeDecryptor) SetZoneMatcher(zone_matcher *zone.ZoneIdMatcher) {
decryptor.zone_matcher = zone_matcher
}

func (decryptor *PgEscapeDecryptor) MatchZone(c byte) bool {
return decryptor.zone_matcher.Match(c)
}

func (decryptor *PgEscapeDecryptor) IsWithZone() bool {
return decryptor.is_with_zone
}

func (decryptor *PgEscapeDecryptor) IsMatchedZone() bool {
return decryptor.zone_matcher.IsMatched()
}

func (decryptor *PgEscapeDecryptor) ResetZoneMatch() {
decryptor.zone_matcher.Reset()
}

func (decryptor *PgEscapeDecryptor) GetMatchedZoneId() []byte {
if decryptor.IsWithZone() {
return decryptor.zone_matcher.GetZoneId()
} else {
return nil
}
}

func (decryptor *PgEscapeDecryptor) SetPoisonCallbackStorage(storage *base.PoisonCallbackStorage) {
decryptor.callback_storage = storage
}

func (decryptor *PgEscapeDecryptor) GetPoisonCallbackStorage() *base.PoisonCallbackStorage {
return decryptor.callback_storage
}

func (decryptor *PgEscapeDecryptor) GetTagBeginLength() int {
return len(ESCAPE_TAG_BEGIN)
}
2 changes: 1 addition & 1 deletion decryptor/postgresql/pg_general_decryptor.go
Expand Up @@ -186,7 +186,7 @@ func (decryptor *PgDecryptor) GetPrivateKey() (*keys.PrivateKey, error) {
if decryptor.IsWithZone() {
return decryptor.key_store.GetZonePrivateKey(decryptor.GetMatchedZoneId())
} else {
return decryptor.key_store.GetServerPrivateKey(decryptor.client_id)
return decryptor.key_store.GetServerDecryptionPrivateKey(decryptor.client_id)
}
}

106 changes: 86 additions & 20 deletions keystore/filesystem_store.go
Expand Up @@ -29,10 +29,6 @@ import (

var lock = sync.RWMutex{}

func GetPublicKeyFilename(id []byte) string {
return fmt.Sprintf("%s_zone.pub", string(id))
}

type FilesystemKeyStore struct {
keys map[string][]byte
directory string
Expand All @@ -51,31 +47,59 @@ func (*FilesystemKeyStore) get_zone_key_filename(id []byte) string {
return fmt.Sprintf("%s_zone", string(id))
}

func (store *FilesystemKeyStore) GenerateZoneKey() ([]byte, []byte, error) {
/* save private key in fs, return id and public key*/
var id []byte
for {
// generate until key not exists
id = zone.GenerateZoneId()
if !store.HasZonePrivateKey(id) {
break
}
}
func (store *FilesystemKeyStore) get_zone_public_key_filename(id []byte) string {
return fmt.Sprintf("%s.pub", store.get_zone_key_filename(id))
}

func (*FilesystemKeyStore) get_server_key_filename(id []byte) string {
return fmt.Sprintf("%s_server", string(id))
}

func (*FilesystemKeyStore) get_server_decryption_key_filename(id []byte) string {
return fmt.Sprintf("%s_decrypt", string(id))
}

func (*FilesystemKeyStore) get_proxy_key_filename(id []byte) string {
return string(id)
}

func (store *FilesystemKeyStore) generate_key_pair(filename string, id []byte)(*keys.Keypair, error){
keypair, err := keys.New(keys.KEYTYPE_EC)
if err != nil {
return []byte{}, []byte{}, err
return nil, err
}
keydir, err := GetDefaultKeyDir()
if err != nil {
return []byte{}, []byte{}, err
return nil, err
}
err = os.MkdirAll(keydir, 0700)
if err != nil {
return []byte{}, []byte{}, err
return nil, err
}
err = ioutil.WriteFile(store.get_file_path(store.get_zone_key_filename(id)), keypair.Private.Value, 0600)
err = ioutil.WriteFile(store.get_file_path(filename), keypair.Private.Value, 0600)
if err != nil {
return nil, err
}
err = ioutil.WriteFile(store.get_file_path(fmt.Sprintf("%s.pub", filename)), keypair.Public.Value, 0644)
if err != nil {
return nil, err
}
return keypair, nil
}

func (store *FilesystemKeyStore) GenerateZoneKey() ([]byte, []byte, error) {
/* save private key in fs, return id and public key*/
var id []byte
for {
// generate until key not exists
id = zone.GenerateZoneId()
if !store.HasZonePrivateKey(id) {
break
}
}

keypair, err := store.generate_key_pair(store.get_zone_key_filename(id), id)
if err != nil{
return []byte{}, []byte{}, err
}
lock.Lock()
Expand Down Expand Up @@ -125,7 +149,7 @@ func (store *FilesystemKeyStore) HasZonePrivateKey(id []byte) bool {
}

func (store *FilesystemKeyStore) GetProxyPublicKey(id []byte) (*keys.PublicKey, error) {
fname := GetPublicKeyFilename(id)
fname := store.get_zone_public_key_filename(id)
lock.Lock()
defer lock.Unlock()
key, ok := store.keys[fname]
Expand All @@ -143,7 +167,25 @@ func (store *FilesystemKeyStore) GetProxyPublicKey(id []byte) (*keys.PublicKey,
}

func (store *FilesystemKeyStore) GetServerPrivateKey(id []byte) (*keys.PrivateKey, error) {
fname := fmt.Sprintf("%s_server", id)
fname := store.get_server_key_filename(id)
lock.Lock()
defer lock.Unlock()
key, ok := store.keys[fname]
if ok {
log.Printf("Debug: load cached key: %s\n", fname)
return &keys.PrivateKey{Value: key}, nil
}
private_key, err := LoadPrivateKey(store.get_file_path(fname))
if err != nil {
return nil, err
}
log.Printf("Debug: load key from fs: %s\n", fname)
store.keys[fname] = private_key.Value
return private_key, nil
}

func (store *FilesystemKeyStore) GetServerDecryptionPrivateKey(id []byte)(*keys.PrivateKey, error){
fname := store.get_server_decryption_key_filename(id)
lock.Lock()
defer lock.Unlock()
key, ok := store.keys[fname]
Expand All @@ -160,6 +202,30 @@ func (store *FilesystemKeyStore) GetServerPrivateKey(id []byte) (*keys.PrivateKe
return private_key, nil
}

func (store *FilesystemKeyStore) GenerateProxyKeys(id []byte)(error){
filename := store.get_proxy_key_filename(id)
_, err := store.generate_key_pair(filename, id)
if err != nil{
return err
}
return nil
}
func (store *FilesystemKeyStore) GenerateServerKeys(id []byte)(error){
filename := store.get_server_key_filename(id)
_, err := store.generate_key_pair(filename, id)
if err != nil{
return err
}
return nil
}
// generate key pair for data encryption/decryption
func (store *FilesystemKeyStore) GenerateDataEncryptionKeys(id []byte)(error){
_, err := store.generate_key_pair(store.get_server_decryption_key_filename(id), id)
if err != nil{
return err
}
return nil


// clear all cached keys
func (store *FilesystemKeyStore) Reset(){
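Review bot: generate_key_pair writes both key files with ioutil.WriteFile, which truncates whatever is already there, so the new GenerateProxyKeys, GenerateServerKeys and GenerateDataEncryptionKeys silently replace a key pair that may already be in use (GenerateZoneKey still avoids this through its HasZonePrivateKey loop); overwriting the data-encryption private key in particular makes previously encrypted data unrecoverable. Opening the files with os.O_CREATE|os.O_EXCL turns regeneration into an explicit error instead, as sketched below. In the same function os.MkdirAll prepares GetDefaultKeyDir() while the files go under store.get_file_path, which looks like a different directory whenever the store was built with a non-default path — the MkdirAll target should presumably be the store's own directory (NewFilesystemKeyStore is outside this diff and may already handle it). As rendered, GenerateDataEncryptionKeys ends at `return nil` with no closing `}` before the `// clear all cached keys` comment; if that is not a rendering artifact the file does not compile. GetServerPrivateKey and GetServerDecryptionPrivateKey differ only in the filename helper and could share one private cached-loader.

```go
// write_new_file creates path with O_EXCL so an existing key file is never truncated.
func write_new_file(path string, data []byte, perm os.FileMode) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return err
	}
	_, err = f.Write(data)
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	return err
}

func (store *FilesystemKeyStore) generate_key_pair(filename string, id []byte) (*keys.Keypair, error) {
	// … unchanged: keys.New, GetDefaultKeyDir, MkdirAll …
	err = write_new_file(store.get_file_path(filename), keypair.Private.Value, 0600)
	if err != nil {
		return nil, err
	}
	err = write_new_file(store.get_file_path(fmt.Sprintf("%s.pub", filename)), keypair.Public.Value, 0644)
	if err != nil {
		return nil, err
	}
	return keypair, nil
}
```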
7 changes: 7 additions & 0 deletions keystore/keystore.go
Expand Up @@ -27,8 +27,15 @@ type KeyStore interface {
HasZonePrivateKey(id []byte) bool
GetProxyPublicKey(id []byte) (*keys.PublicKey, error)
GetServerPrivateKey(id []byte) (*keys.PrivateKey, error)
GetServerDecryptionPrivateKey(id []byte)(*keys.PrivateKey, error)
// return id, public key, error
GenerateZoneKey() ([]byte, []byte, error)

GenerateProxyKeys(id []byte) error
GenerateServerKeys(id []byte) error
// generate key pair for data encryption/decryption
GenerateDataEncryptionKeys(id []byte) error

Reset()
}

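Review bot: The four methods added to KeyStore have no doc comments, and the one this change hinges on — GetServerDecryptionPrivateKey sitting next to the existing GetServerPrivateKey — gives an implementer no way to tell from the interface which key is which. Suggested lines: `// GetServerDecryptionPrivateKey returns the private key used to decrypt data for the given client id, as distinct from the key returned by GetServerPrivateKey.`, `// GenerateProxyKeys creates and stores a new key pair for the proxy identified by id.`, `// GenerateServerKeys creates and stores a new key pair for the server side of client id.`; the existing `// generate key pair for data encryption/decryption` should likewise start with the method name. The added signature `GetServerDecryptionPrivateKey(id []byte)(*keys.PrivateKey, error)` is missing the gofmt space before the result list. The interface's opening line is above this hunk.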
