mirror of
https://github.com/getsops/sops.git
synced 2026-02-05 12:45:21 +01:00
Adrian Utrilla
@@ -362,9 +362,9 @@ func encrypt(c *cli.Context, file string, fileBytes []byte, output io.Writer) er
|
||||
KeySources: ks,
|
||||
}
|
||||
tree := sops.Tree{Branch: branch, Metadata: metadata}
|
||||
key, err := tree.GenerateDataKey()
|
||||
if err != nil {
|
||||
return cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
|
||||
key, errs := tree.GenerateDataKey()
|
||||
if len(errs) > 0 {
|
||||
return cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
|
||||
}
|
||||
cipher := aes.Cipher{}
|
||||
mac, err := tree.Encrypt(key, cipher, nil)
|
||||
@@ -386,9 +386,9 @@ func rotate(c *cli.Context, file string, fileBytes []byte, output io.Writer) err
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
newKey, err := tree.GenerateDataKey()
|
||||
if err != nil {
|
||||
return cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
|
||||
newKey, errs := tree.GenerateDataKey()
|
||||
if len(errs) > 0 {
|
||||
return cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
|
||||
}
|
||||
cipher := aes.Cipher{}
|
||||
mac, err := tree.Encrypt(newKey, cipher, nil)
|
||||
@@ -407,7 +407,10 @@ func rotate(c *cli.Context, file string, fileBytes []byte, output io.Writer) err
|
||||
tree.Metadata.AddPGPMasterKeys(c.String("add-pgp"))
|
||||
tree.Metadata.RemoveKMSMasterKeys(c.String("rm-kms"))
|
||||
tree.Metadata.RemovePGPMasterKeys(c.String("rm-pgp"))
|
||||
tree.Metadata.UpdateMasterKeys(newKey)
|
||||
errs = tree.Metadata.UpdateMasterKeysIfNeeded(newKey)
|
||||
if len(errs) > 0 {
|
||||
return cli.NewExitError(fmt.Sprintf("One or more keys could not be updated:\n%s", errs), exitErrorEncryptingTree)
|
||||
}
|
||||
tree.Metadata.MessageAuthenticationCode = encryptedMac
|
||||
out, err := outputStore(c, file).MarshalWithMetadata(tree.Branch, tree.Metadata)
|
||||
|
||||
@@ -481,9 +484,9 @@ func loadExample(c *cli.Context, file string) (sops.Tree, error) {
|
||||
tree.Metadata.UnencryptedSuffix = c.String("unencrypted-suffix")
|
||||
tree.Metadata.Version = version
|
||||
tree.Metadata.KeySources = ks
|
||||
key, err := tree.GenerateDataKey()
|
||||
if err != nil {
|
||||
return tree, cli.NewExitError(err.Error(), exitCouldNotRetrieveKey)
|
||||
key, errs := tree.GenerateDataKey()
|
||||
if len(errs) > 0 {
|
||||
return tree, cli.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), exitCouldNotRetrieveKey)
|
||||
}
|
||||
tree.Metadata.UpdateMasterKeys(key)
|
||||
return tree, nil
|
||||
|
||||
34
sops.go
34
sops.go
@@ -207,21 +207,13 @@ func (tree Tree) Decrypt(key []byte, cipher DataKeyCipher, stash map[string][]in
|
||||
}
|
||||
|
||||
// GenerateDataKey generates a new random data key and encrypts it with all MasterKeys.
|
||||
func (tree Tree) GenerateDataKey() ([]byte, error) {
|
||||
func (tree Tree) GenerateDataKey() ([]byte, []error) {
|
||||
newKey := make([]byte, 32)
|
||||
_, err := rand.Read(newKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Could not generate random key: %s", err)
|
||||
return nil, []error{fmt.Errorf("Could not generate random key: %s", err)}
|
||||
}
|
||||
for _, ks := range tree.Metadata.KeySources {
|
||||
for _, k := range ks.Keys {
|
||||
err := k.Encrypt(newKey)
|
||||
if err != nil {
|
||||
fmt.Printf("[WARNING]: Failed to encrypt new data key with master key: %s\n", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return newKey, nil
|
||||
return newKey, tree.Metadata.UpdateMasterKeys(newKey)
|
||||
}
|
||||
|
||||
// Metadata holds information about a file encrypted by sops
|
||||
@@ -280,16 +272,30 @@ func (m *Metadata) RemoveMasterKeys(keys []MasterKey) {
|
||||
}
|
||||
}
|
||||
|
||||
// UpdateMasterKeys encrypts the data key with all master keys if it's needed
|
||||
func (m *Metadata) UpdateMasterKeys(dataKey []byte) {
|
||||
// UpdateMasterKeysIfNeeded encrypts the data key with all master keys if it's needed
|
||||
func (m *Metadata) UpdateMasterKeysIfNeeded(dataKey []byte) (errs []error) {
|
||||
for _, ks := range m.KeySources {
|
||||
for _, k := range ks.Keys {
|
||||
err := k.EncryptIfNeeded(dataKey)
|
||||
if err != nil {
|
||||
fmt.Println("[WARNING]: could not encrypt data key with master key ", k.ToString())
|
||||
errs = append(errs, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// UpdateMasterKeys encrypts the data key with all master keys
|
||||
func (m *Metadata) UpdateMasterKeys(dataKey []byte) (errs []error) {
|
||||
for _, ks := range m.KeySources {
|
||||
for _, k := range ks.Keys {
|
||||
err := k.Encrypt(dataKey)
|
||||
if err != nil {
|
||||
errs = append(errs, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// AddPGPMasterKeys parses the input comma separated string of GPG fingerprints, generates a PGP MasterKey for each fingerprint, and adds the keys to the PGP KeySource
|
||||
|
||||
Reference in New Issue
Block a user