feat: key generation from key-provider-agent (#36)

thewhitewizard · web-flow · commit dd9a85f34c6f · 2025-11-12T17:06:07.000+01:00
diff --git a/cvmassistants/disktool/encryptedDisk.sh b/cvmassistants/disktool/encryptedDisk.sh
@@ -6,7 +6,7 @@
 # This script partitions, formats, and mounts disk devices. Supports both
 # encrypted (LUKS) and unencrypted disks. Environment variables control behavior:
 # `MOUNT_PATH` (mount point), `DISK` (device name), `KEY_TYPE` (only wrapkey supported),
-# and `wrapkey` (encryption key).
+# and `WRAP_KEY` (encryption key).
 #
 # Requirements:
 #   - Must be run as root
@@ -42,11 +42,11 @@ detect_or_create_partition() {
     fi
   done
 
-  log_info "Creating partition on $disk_dev with the following passed fdisk parameters: 
-  n = new partition 
-  p = primary partition 
-  1 = partition number 1 
-  <Enter><Enter> = default start and end sectors 
+  log_info "Creating partition on $disk_dev with the following passed fdisk parameters:
+  n = new partition
+  p = primary partition
+  1 = partition number 1
+  <Enter><Enter> = default start and end sectors
   w = write changes"
   # Create the partition using fdisk
   # fdisk may return non-zero due to partition table re-read warning, but partition is created
@@ -65,7 +65,7 @@ detect_or_create_partition() {
   # Try both possible partition naming schemes
   for suffix in "1" "p1"; do
     part_disk="${disk_dev}${suffix}"
-    if [[ -e "$part_disk" ]]; then 
+    if [[ -e "$part_disk" ]]; then
       mappername="${mappername}${suffix}"
       log_info "Partition $part_disk successfully created on $disk_dev"
       return 0
@@ -81,7 +81,7 @@ format_and_encrypt_partition() {
   local key="$1"
   local part_dev="$2"
   local mapper="$3"
-  
+
   echo "$key" | cryptsetup luksFormat --key-file=- "$part_dev"
   [[ $? -ne 0 ]] && log_fatal "Failed to format partition $part_dev in luks format"
   log_info "Partition $part_dev formatted successfully in luks format"
@@ -93,7 +93,7 @@ format_and_encrypt_partition() {
   mkfs.ext4 "/dev/mapper/$mapper"
   [[ $? -ne 0 ]] && log_fatal "Failed to format partition /dev/mapper/$mapper in ext4 format"
   log_info "Partition /dev/mapper/$mapper successfully formatted in ext4 format"
-  
+
   cryptsetup close "$mapper"
   [[ $? -ne 0 ]] && log_fatal "Failed to close partition /dev/mapper/$mapper"
   log_info "Partition /dev/mapper/$mapper closed successfully"
@@ -104,7 +104,7 @@ format_and_encrypt_partition() {
 mount_device() {
   local device="$1"
   local mount_point="$2"
-  
+
   mount "$device" "$mount_point"
   [[ $? -ne 0 ]] && log_fatal "Failed to mount $device to $mount_point"
   log_info "Mounted $device to $mount_point"
@@ -119,7 +119,7 @@ log_info "Starting encrypted disk configuration..."
 [ "$KEY_TYPE" != "wrapkey" ] && log_fatal "KEY_TYPE $KEY_TYPE is not supported"
 
 log_info "Handling encrypted disk case"
-[[ -z "$wrapkey" ]] && log_fatal "wrapkey is null"
+[[ -z "$WRAP_KEY" ]] && log_fatal "WRAP_KEY is null"
 
 if [ ! -d "$MOUNT_PATH" ]; then
     log_info "Mount directory $MOUNT_PATH does not exist"
@@ -137,10 +137,10 @@ device_to_mount="/dev/mapper/$mappername"
 [ -e "$device_to_mount"  ] && log_fatal "Mapper $device_to_mount already exists"
 
 # Format and encrypt the partition (and check if it opens correctly)
-format_and_encrypt_partition "$wrapkey" "$part_disk" "$mappername"
+format_and_encrypt_partition "$WRAP_KEY" "$part_disk" "$mappername"
 
 # Open the encrypted device in its mapper
-echo "$wrapkey" | cryptsetup open --key-file=- "$part_disk" "$mappername"
+echo "$WRAP_KEY" | cryptsetup open --key-file=- "$part_disk" "$mappername"
 [[ $? -ne 0 ]] && log_fatal "cryptsetup open --key-file=- "$part_disk" "$mappername": failed"
 log_info "cryptsetup open --key-file=- "$part_disk" "$mappername": success"
 
diff --git a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c
@@ -12,6 +12,9 @@
 #define LOG_LEVEL_ERROR 3
 #define LOG_LEVEL_NONE  4
 
+// Key length for wrap key
+#define WRAP_KEY_LENGTH 32
+
 int app_log_level = LOG_LEVEL_INFO;  // Default to INFO level
 
 #define LOG_WITH_TIMESTAMP(fmt, level, associated_level, ...) \
@@ -37,8 +40,29 @@ int app_log_level = LOG_LEVEL_INFO;  // Default to INFO level
 #define LOG_ERROR(fmt, ...) \
     LOG_WITH_TIMESTAMP(fmt, "ERROR", LOG_LEVEL_ERROR, ##__VA_ARGS__)
 
+// -----------------------------------------------------------------------------
+// Generate a random 32-byte key (alphanumeric and special characters)
+// -----------------------------------------------------------------------------
+char* generate_random_key(void) {
+    char* key = malloc(WRAP_KEY_LENGTH + 1);
+
+    if (!key) {
+        LOG_ERROR("Memory allocation failed");
+        return NULL;
+    }
+
+    const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.~";
+    size_t charset_size = sizeof(charset) - 1;
 
-char* wrap_key = "";
+    // Seed the random number generator with current time to ensure different keys on each run
+    srand((unsigned int)time(NULL));
+
+    for (size_t i = 0; i < WRAP_KEY_LENGTH; i++) {
+        key[i] = charset[rand() % charset_size];
+    }
+    key[WRAP_KEY_LENGTH] = '\0';
+    return key;
+}
 
 int push_wrapkey_to_secret_box(const char* wrapkey) {
     CURL* curl;
@@ -54,7 +78,7 @@ int push_wrapkey_to_secret_box(const char* wrapkey) {
         curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
         curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "http");
 
-        strcpy(request_buffer, "key=wrapkey&value=");
+        strcpy(request_buffer, "key=WRAP_KEY&value=");
         strcat(request_buffer, wrapkey);
         LOG_DEBUG("Request body is %s", request_buffer);
 
@@ -80,15 +104,15 @@ int push_wrapkey_to_secret_box(const char* wrapkey) {
 
 int main(int argc, char** argv) {
     setvbuf(stdout, NULL, _IONBF, 0);
-    
+
     // Command line options
     char* const short_options = "l:h";
     struct option long_options[] = {
         {"log-level", required_argument, NULL, 'l'},
         {"help", no_argument, NULL, 'h'},
         {0, 0, 0, 0}
     };
-    
+
     int opt;
     do {
         opt = getopt_long(argc, argv, short_options, long_options, NULL);
@@ -120,20 +144,16 @@ int main(int argc, char** argv) {
                 exit(-1);
         }
     } while (opt != -1);
-    
-    LOG_INFO("Try to get key from local");
-    wrap_key = getenv("localKey");
-    if (NULL == wrap_key) {
-        LOG_ERROR("local-key does not config");
-        return -1;
-    }
-    if (strlen(wrap_key) != 32) {
-        LOG_ERROR("Key size is not 32 bytes, please check");
+
+
+    char* wrap_key = generate_random_key();
+    if (wrap_key == NULL) {
+        LOG_ERROR("Failed to generate random wrap key");
         return -1;
     }
+    LOG_INFO("Successfully generated random wrap key");
+    LOG_INFO("Generated random wrap key: %s", wrap_key);
 
-    LOG_INFO("Get wrap_key successful from local");
-    LOG_DEBUG("Wrapkey is %s", wrap_key);
     int ret = push_wrapkey_to_secret_box(wrap_key);
     if (ret != 0) {
         LOG_ERROR("Push wrapkey to secret box failed");
