fix: PGP subkeys support #16224

Merged 5 commits into hashicorp:main on Sep 22, 2022

Conversation

@greut (Contributor) commented Jul 5, 2022

Closes #2372

My key https://keybase.io/yblanc/pgp_keys.asc is composed of subkeys, some of them are expired.

gpg: using pgp trust model
gpg: Note: signature key 0EAA4F45A8B52D95 expired Wed Sep 22 09:48:30 2021 CEST
pub   rsa4096 2020-09-22 [C]
      A2A7E23A88A21EA5561E581F068AF996C3F72ADA
uid           [ unknown] Yoan Blanc <[email protected]>
sub   rsa4096 2020-09-22 [S] [expired: 2021-09-22]
sub   rsa4096 2020-09-22 [E] [expired: 2021-09-22]
sub   rsa4096 2020-09-22 [A] [expired: 2021-09-22]
sub   rsa4096 2021-09-23 [S] [expires: 2022-09-23]
sub   rsa4096 2021-09-23 [E] [expires: 2022-09-23]

When doing the openpgp.Encrypt (https://github.com/hashicorp/vault/blob/main/helper/pgpkeys/encrypt_decrypt.go#L29=), it takes the first one, resulting in a message I cannot decrypt.

I've also tried using the upstream golang.org/x/crypto/openpgp and it suffers the same issue. However ProtonMail's fork does it correctly.

The problem

# Start a dev server
vault server -dev

# Init a rekey
vault operator rekey -init -pgp-keys="./yblanc.asc" -key-shares=1 -key-threshold=1 -verify -backup

# Enter the Unseal key from the dev server
vault operator rekey

# Then verify

Using main, I cannot decrypt the new unseal key, hence verify.

gpg: encrypted with 4096-bit RSA key, ID 0x9729FBE777D989ED, created 2020-09-22
      "Yoan Blanc <[email protected]>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

Using this branch, the new unseal key can be successfully decrypted.

gpg: encrypted with 4096-bit RSA key, ID 0xF72D1E537C6B68F7, created 2021-09-23
      "Yoan Blanc <[email protected]>"
200567c2ec34cf606bd790d548331e76c11322c64030573ca826fbe9c95a1ef8

NB: when downloading the key from keybase using keybase:yblanc it seems okay. We like to bake them into the AMI we use though.
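The description above reports that the encryption step picks the first subkey it finds, even one that has expired, while gpg encrypts to the newest valid [E] subkey. The following is an added example written for this page, not Vault's code and not the golang.org/x/crypto/openpgp API: it models a subkey with only the fields that matter for the choice (creation time, lifetime, revocation, the encryption usage flag) and puts the two selection strategies side by side on a reconstruction of the key layout from the gpg listing. The two [E] key IDs are the ones gpg printed above; the other key IDs, the one-year lifetimes and the "now" timestamps are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Subkey is a constructed, simplified model of an OpenPGP subkey carrying the
// fields that matter for choosing an encryption target. It is not the
// golang.org/x/crypto/openpgp Subkey type.
type Subkey struct {
	KeyID      string
	Created    time.Time
	Lifetime   time.Duration // 0 means the subkey never expires
	Revoked    bool
	CanEncrypt bool // the [E] usage flag from the binding self-signature
}

// Expired reports whether the subkey's validity period has ended at "now".
func (s Subkey) Expired(now time.Time) bool {
	if s.Lifetime == 0 {
		return false
	}
	return !now.Before(s.Created.Add(s.Lifetime))
}

// FirstEncryptionSubkey models the behaviour the PR description reports for
// the pre-fix code path: the first subkey with the encryption flag is used,
// whether or not it has expired.
func FirstEncryptionSubkey(subkeys []Subkey) (Subkey, error) {
	for _, sk := range subkeys {
		if sk.CanEncrypt {
			return sk, nil
		}
	}
	return Subkey{}, errors.New("no encryption subkey")
}

// NewestValidEncryptionSubkey skips revoked and expired subkeys and, among the
// remaining [E] subkeys, picks the most recently created one. This is the
// choice gpg made for the key in the PR (it encrypted to 0xF72D1E537C6B68F7).
func NewestValidEncryptionSubkey(subkeys []Subkey, now time.Time) (Subkey, error) {
	var best *Subkey
	for i := range subkeys {
		sk := &subkeys[i]
		if !sk.CanEncrypt || sk.Revoked || sk.Expired(now) {
			continue
		}
		if best == nil || sk.Created.After(best.Created) {
			best = sk
		}
	}
	if best == nil {
		return Subkey{}, errors.New("no usable encryption subkey: all are expired or revoked")
	}
	return *best, nil
}

// SampleKey reconstructs the subkey layout from the PR's gpg listing: three
// subkeys from 2020-09-22 that expired after one year, and two from 2021-09-23
// that expire on 2022-09-23. The [E] key IDs are the ones gpg printed in the
// PR; the SIGN-/AUTH- IDs are placeholders (assumed, not from the page).
func SampleKey() []Subkey {
	oneYear := 365 * 24 * time.Hour
	c2020 := time.Date(2020, 9, 22, 0, 0, 0, 0, time.UTC)
	c2021 := time.Date(2021, 9, 23, 0, 0, 0, 0, time.UTC)
	return []Subkey{
		{KeyID: "SIGN-2020", Created: c2020, Lifetime: oneYear},
		{KeyID: "9729FBE777D989ED", Created: c2020, Lifetime: oneYear, CanEncrypt: true},
		{KeyID: "AUTH-2020", Created: c2020, Lifetime: oneYear},
		{KeyID: "SIGN-2021", Created: c2021, Lifetime: oneYear},
		{KeyID: "F72D1E537C6B68F7", Created: c2021, Lifetime: oneYear, CanEncrypt: true},
	}
}

func main() {
	keys := SampleKey()
	now := time.Date(2022, 7, 5, 0, 0, 0, 0, time.UTC) // assumed: the day the PR was opened

	first, _ := FirstEncryptionSubkey(keys)
	fmt.Printf("first [E] subkey:        %s (expired: %v)\n", first.KeyID, first.Expired(now))

	best, err := NewestValidEncryptionSubkey(keys, now)
	fmt.Printf("newest valid [E] subkey: %s err=%v\n", best.KeyID, err)

	// Once every [E] subkey has lapsed, refusing is safer than silently
	// encrypting to a subkey the recipient may no longer be able to use.
	later := time.Date(2022, 10, 1, 0, 0, 0, 0, time.UTC)
	_, err = NewestValidEncryptionSubkey(keys, later)
	fmt.Printf("after 2022-09-23:        err=%v\n", err)
}
```

A real implementation also has to honour the primary key's own expiry and revocation and check that the subkey's binding signature is valid; the point of the model is the ordering and the filter, which is what separates a message the recipient can open from one they cannot.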

@greut force-pushed the fix/openpgp-subkeys branch from 6a577b6 to 9692fcb on July 5, 2022 06:50
Signed-off-by: Yoan Blanc <[email protected]>
@heatherezell heatherezell added cryptosec bug Used to indicate a potential bug labels Jul 19, 2022
@aphorise (Contributor) commented:

@cipherboy hey opinions on this or can this be considered for merging?

@kitography kitography self-requested a review September 21, 2022 13:49
@kitography (Contributor) left a comment:

We talked about this during a team meeting, and this update makes sense.

We aren't going to have time to verify anything for 1.12.

@cipherboy cipherboy added this to the 1.13 milestone Sep 21, 2022
@cipherboy (Contributor) commented:

As 1.12 has been branched, I feel good merging this now.

Thank you @greut!

@cipherboy cipherboy merged commit 87801ec into hashicorp:main Sep 22, 2022
@greut greut deleted the fix/openpgp-subkeys branch September 23, 2022 07:55
Development

Successfully merging this pull request may close these issues.

Vault init support for subkeys