From b4502752ea85d0d113887bf3cbc54f136dca2349 Mon Sep 17 00:00:00 2001 From: Frederic CORDIER Date: Wed, 12 Nov 2025 16:31:05 +0100 Subject: [PATCH 1/5] feat: key generation from key-provider-agent --- .../src/key_provider_agent.c | 54 +++++++++++++++---- 1 file changed, 43 insertions(+), 11 deletions(-) diff --git a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c index 3c266e6..a0bd42a 100644 --- a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c +++ b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c @@ -12,6 +12,9 @@ #define LOG_LEVEL_ERROR 3 #define LOG_LEVEL_NONE 4 +// Key length for wrap key +#define WRAP_KEY_LENGTH 32 + int app_log_level = LOG_LEVEL_INFO; // Default to INFO level #define LOG_WITH_TIMESTAMP(fmt, level, associated_level, ...) \ @@ -40,6 +43,29 @@ int app_log_level = LOG_LEVEL_INFO; // Default to INFO level char* wrap_key = ""; +// ----------------------------------------------------------------------------- +// Generate a random 32-byte key (alphanumeric and special characters) +// ----------------------------------------------------------------------------- +char* generate_random_key(void) { + char* key = malloc(WRAP_KEY_LENGTH + 1); + + if (!key) { + LOG_ERROR("Memory allocation failed"); + return NULL; + } + + const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.~"; + size_t charset_size = sizeof(charset) - 1; + + srand((unsigned int)time(NULL)); + + for (size_t i = 0; i < WRAP_KEY_LENGTH; i++) { + key[i] = charset[rand() % charset_size]; + } + key[WRAP_KEY_LENGTH] = '\0'; + return key; +} + int push_wrapkey_to_secret_box(const char* wrapkey) { CURL* curl; CURLcode res; 
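Review bot: `generate_random_key()` derives the wrap key from `rand()` seeded with `srand((unsigned int)time(NULL))`, so the whole 32-character key is determined by the start time in seconds; anyone who can bound when the agent ran can enumerate the candidate keys, and two runs in the same second yield the same key. `rand() % charset_size` also adds a small modulo bias. The key should come from the kernel CSPRNG instead, for example `getrandom()` with rejection sampling over the 66-character charset as sketched below (this needs `<sys/random.h>` and `<errno.h>`; the file's include block is outside the hunk). The comment added by patch 5/5 (`@@ -54,6 +54,7 @@`), which says the time seed ensures different keys on each run, describes the same line and should be removed with it.

```c
char* generate_random_key(void) {
    // … unchanged: malloc of key, NULL check, charset and charset_size …

    // Largest multiple of charset_size that fits in a byte; bytes at or above
    // it are discarded so every charset character is equally likely.
    const unsigned int limit = 256 - (256 % (unsigned int)charset_size);

    size_t i = 0;
    while (i < WRAP_KEY_LENGTH) {
        unsigned char rnd[WRAP_KEY_LENGTH];
        ssize_t got = getrandom(rnd, sizeof(rnd), 0);
        if (got < 0) {
            if (errno == EINTR) {
                continue;
            }
            LOG_ERROR("getrandom failed");
            free(key);
            return NULL;
        }
        for (ssize_t j = 0; j < got && i < WRAP_KEY_LENGTH; j++) {
            if (rnd[j] < limit) {
                key[i++] = charset[rnd[j] % charset_size];
            }
        }
    }
    // … unchanged: NUL terminator and return key …
```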
@@ -80,7 +106,7 @@ int push_wrapkey_to_secret_box(const char* wrapkey) { int main(int argc, char** argv) { setvbuf(stdout, NULL, _IONBF, 0); - + // Command line options char* const short_options = "l:h"; struct option long_options[] = { @@ -88,7 +114,7 @@ int main(int argc, char** argv) { {"help", no_argument, NULL, 'h'}, {0, 0, 0, 0} }; - + int opt; do { opt = getopt_long(argc, argv, short_options, long_options, NULL); @@ -120,20 +146,26 @@ int main(int argc, char** argv) { exit(-1); } } while (opt != -1); - + LOG_INFO("Try to get key from local"); wrap_key = getenv("localKey"); - if (NULL == wrap_key) { - LOG_ERROR("local-key does not config"); - return -1; - } - if (strlen(wrap_key) != 32) { - LOG_ERROR("Key size is not 32 bytes, please check"); + if (wrap_key == NULL) { + LOG_WARN("No 'localKey' found in environment, generating random key..."); + wrap_key = generate_random_key(); + if (wrap_key == NULL) { + LOG_ERROR("Failed to generate random wrap key"); + return -1; + } + LOG_INFO("Successfully generated random wrap key"); + LOG_INFO("Generated random wrap key: %s", wrap_key); + } else if (strlen(wrap_key) != WRAP_KEY_LENGTH) { + LOG_ERROR("Provided key is not %d bytes long, please check", WRAP_KEY_LENGTH); return -1; + } else { + LOG_INFO("Successfully retrieved wrap key from environment"); + LOG_DEBUG("Wrap key is %s", wrap_key); } - LOG_INFO("Get wrap_key successful from local"); - LOG_DEBUG("Wrapkey is %s", wrap_key); int ret = push_wrapkey_to_secret_box(wrap_key); if (ret != 0) { LOG_ERROR("Push wrapkey to secret box failed"); From 62a78af58760944279e2c8ba6757012041015c75 Mon Sep 17 00:00:00 2001 From: Frederic CORDIER Date: Wed, 12 Nov 2025 16:40:38 +0100 Subject: [PATCH 2/5] feat: switch to uppercase for key label --- .../keyprovider/key-provider-agent/src/key_provider_agent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
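Review bot: The new `LOG_INFO("Generated random wrap key: %s", wrap_key);` in `main` writes the secret to the log at INFO, which is the default level (`app_log_level = LOG_LEVEL_INFO`), so every default run leaves the disk wrap key in whatever collects the agent's output. The `LOG_DEBUG("Wrap key is %s", wrap_key);` branch does the same once debug logging is enabled. I would drop both value-printing lines and keep only the `Successfully generated random wrap key` and `Successfully retrieved wrap key from environment` messages. The same `LOG_INFO` line is carried over unchanged by the `@@ -147,24 +144,14 @@` hunk of patch 3/5. `main` starts and ends outside this hunk.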
diff --git a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c index a0bd42a..d19ac71 100644 --- a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c +++ b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c @@ -80,7 +80,7 @@ int push_wrapkey_to_secret_box(const char* wrapkey) { curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "http"); - strcpy(request_buffer, "key=wrapkey&value="); + strcpy(request_buffer, "key=WRAP_KEY&value="); strcat(request_buffer, wrapkey); LOG_DEBUG("Request body is %s", request_buffer); From 65ac11b1156c6f9bea345ee606e1a96b35bc07c4 Mon Sep 17 00:00:00 2001 From: Frederic CORDIER Date: Wed, 12 Nov 2025 16:49:08 +0100 Subject: [PATCH 3/5] feat: remove key injection feature --- .../src/key_provider_agent.c | 23 ++++--------------- 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c index d19ac71..5f41171 100644 --- a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c +++ b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c @@ -40,9 +40,6 @@ int app_log_level = LOG_LEVEL_INFO; // Default to INFO level #define LOG_ERROR(fmt, ...) \ LOG_WITH_TIMESTAMP(fmt, "ERROR", LOG_LEVEL_ERROR, ##__VA_ARGS__) - -char* wrap_key = ""; - // ----------------------------------------------------------------------------- // Generate a random 32-byte key (alphanumeric and special characters) // ----------------------------------------------------------------------------- 
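Review bot: The request body is still assembled with unbounded `strcpy`/`strcat`, and the new `key=WRAP_KEY&value=` prefix is one byte longer than the old one, so the margin in `request_buffer` shrinks; its declaration is outside the hunk, so I cannot confirm the size. A bounded write would make the limit explicit: `int n = snprintf(request_buffer, REQUEST_BUFFER_SIZE, "key=WRAP_KEY&value=%s", wrapkey);` followed by an error return when `n < 0 || (size_t)n >= REQUEST_BUFFER_SIZE` (`REQUEST_BUFFER_SIZE` is a placeholder for the buffer's real size). The following `LOG_DEBUG("Request body is %s", request_buffer);` also prints the key when debug logging is on. `push_wrapkey_to_secret_box` starts and ends outside the hunk.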
@@ -147,24 +144,14 @@ int main(int argc, char** argv) { } } while (opt != -1); - LOG_INFO("Try to get key from local"); - wrap_key = getenv("localKey"); + + char* wrap_key = generate_random_key(); if (wrap_key == NULL) { - LOG_WARN("No 'localKey' found in environment, generating random key..."); - wrap_key = generate_random_key(); - if (wrap_key == NULL) { - LOG_ERROR("Failed to generate random wrap key"); - return -1; - } - LOG_INFO("Successfully generated random wrap key"); - LOG_INFO("Generated random wrap key: %s", wrap_key); - } else if (strlen(wrap_key) != WRAP_KEY_LENGTH) { - LOG_ERROR("Provided key is not %d bytes long, please check", WRAP_KEY_LENGTH); + LOG_ERROR("Failed to generate random wrap key"); return -1; - } else { - LOG_INFO("Successfully retrieved wrap key from environment"); - LOG_DEBUG("Wrap key is %s", wrap_key); } + LOG_INFO("Successfully generated random wrap key"); + LOG_INFO("Generated random wrap key: %s", wrap_key); int ret = push_wrapkey_to_secret_box(wrap_key); if (ret != 0) { From cdf3c5063df3131c533f2211c4bcea541ba8554e Mon Sep 17 00:00:00 2001 From: Frederic CORDIER Date: Wed, 12 Nov 2025 16:50:22 +0100 Subject: [PATCH 4/5] feat: read key from WRAP_KEY instead of wrapkey --- cvmassistants/disktool/encryptedDisk.sh | 26 ++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/cvmassistants/disktool/encryptedDisk.sh b/cvmassistants/disktool/encryptedDisk.sh index d2bf120..de88ede 100644 --- a/cvmassistants/disktool/encryptedDisk.sh +++ b/cvmassistants/disktool/encryptedDisk.sh @@ -6,7 +6,7 @@ # This script partitions, formats, and mounts disk devices. Supports both # encrypted (LUKS) and unencrypted disks. Environment variables control behavior: # `MOUNT_PATH` (mount point), `DISK` (device name), `KEY_TYPE` (only wrapkey supported), -# and `wrapkey` (encryption key). +# and `WRAP_KEY` (encryption key). # # Requirements: # - Must be run as root 
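Review bot: `wrap_key` now always points at the heap buffer returned by `generate_random_key()`, and nothing in the visible lines wipes or frees it after `push_wrapkey_to_secret_box(wrap_key)`; the rest of `main` is outside the hunk, so this may already happen further down. If it does not, clear the key before releasing it on both the success and failure paths, e.g. `explicit_bzero(wrap_key, WRAP_KEY_LENGTH); free(wrap_key);` (a plain `memset` before `free` may be optimised away).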
@@ -42,11 +42,11 @@ detect_or_create_partition() { fi done - log_info "Creating partition on $disk_dev with the following passed fdisk parameters: - n = new partition - p = primary partition - 1 = partition number 1 - = default start and end sectors + log_info "Creating partition on $disk_dev with the following passed fdisk parameters: + n = new partition + p = primary partition + 1 = partition number 1 + = default start and end sectors w = write changes" # Create the partition using fdisk # fdisk may return non-zero due to partition table re-read warning, but partition is created @@ -65,7 +65,7 @@ detect_or_create_partition() { # Try both possible partition naming schemes for suffix in "1" "p1"; do part_disk="${disk_dev}${suffix}" - if [[ -e "$part_disk" ]]; then + if [[ -e "$part_disk" ]]; then mappername="${mappername}${suffix}" log_info "Partition $part_disk successfully created on $disk_dev" return 0 @@ -81,7 +81,7 @@ format_and_encrypt_partition() { local key="$1" local part_dev="$2" local mapper="$3" - + echo "$key" | cryptsetup luksFormat --key-file=- "$part_dev" [[ $? -ne 0 ]] && log_fatal "Failed to format partition $part_dev in luks format" log_info "Partition $part_dev formatted successfully in luks format" @@ -93,7 +93,7 @@ format_and_encrypt_partition() { mkfs.ext4 "/dev/mapper/$mapper" [[ $? -ne 0 ]] && log_fatal "Failed to format partition /dev/mapper/$mapper in ext4 format" log_info "Partition /dev/mapper/$mapper successfully formatted in ext4 format" - + cryptsetup close "$mapper" [[ $? -ne 0 ]] && log_fatal "Failed to close partition /dev/mapper/$mapper" log_info "Partition /dev/mapper/$mapper closed successfully" @@ -104,7 +104,7 @@ format_and_encrypt_partition() { mount_device() { local device="$1" local mount_point="$2" - + mount "$device" "$mount_point" [[ $? -ne 0 ]] && log_fatal "Failed to mount $device to $mount_point" log_info "Mounted $device to $mount_point" 
@@ -119,7 +119,7 @@ log_info "Starting encrypted disk configuration..." [ "$KEY_TYPE" != "wrapkey" ] && log_fatal "KEY_TYPE $KEY_TYPE is not supported" log_info "Handling encrypted disk case" -[[ -z "$wrapkey" ]] && log_fatal "wrapkey is null" +[[ -z "$WRAP_KEY" ]] && log_fatal "WRAP_KEY is null" if [ ! -d "$MOUNT_PATH" ]; then log_info "Mount directory $MOUNT_PATH does not exist" @@ -137,10 +137,10 @@ device_to_mount="/dev/mapper/$mappername" [ -e "$device_to_mount" ] && log_fatal "Mapper $device_to_mount already exists" # Format and encrypt the partition (and check if it opens correctly) -format_and_encrypt_partition "$wrapkey" "$part_disk" "$mappername" +format_and_encrypt_partition "$WRAP_KEY" "$part_disk" "$mappername" # Open the encrypted device in its mapper -echo "$wrapkey" | cryptsetup open --key-file=- "$part_disk" "$mappername" +echo "$WRAP_KEY" | cryptsetup open --key-file=- "$part_disk" "$mappername" [[ $? -ne 0 ]] && log_fatal "cryptsetup open --key-file=- "$part_disk" "$mappername": failed" log_info "cryptsetup open --key-file=- "$part_disk" "$mappername": success" From af844bada540ebfa36f435572bb01068b784debc Mon Sep 17 00:00:00 2001 From: Frederic CORDIER Date: Wed, 12 Nov 2025 16:54:02 +0100 Subject: [PATCH 5/5] docs: add comment explaining srand seed initialization --- .../keyprovider/key-provider-agent/src/key_provider_agent.c | 1 + 1 file changed, 1 insertion(+) diff --git a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c index 5f41171..f922334 100644 --- a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c +++ b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c 
@@ -54,6 +54,7 @@ char* generate_random_key(void) { const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.~"; size_t charset_size = sizeof(charset) - 1; + // Seed the random number generator with current time to ensure different keys on each run srand((unsigned int)time(NULL)); for (size_t i = 0; i < WRAP_KEY_LENGTH; i++) {