
Commit 5483d0e

committed
Fixing KMIP issues
As some KMIP servers don't support CryptographicLength, we will revert to saving only one key in KMIP. Once we want to support rotating secrets we will need to find a better solution Signed-off-by: jackyalbo <[email protected]> (cherry picked from commit 5b3aa9e)
1 parent dba5806 commit 5483d0e

3 files changed

+27
-38
lines changed


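--- a/pkg/util/kms/kms_kmip.go
+++ b/pkg/util/kms/kms_kmip.go
@@ -15,6 +15,7 @@ const (
 KMIPSecret = "KMIP_CERTS_SECRET"
 KMIPUniqueID = "UniqueIdentifier"
 NewKMIPUniqueID = "UniqueIdentifierNew"
+NewActiveKeyID = "NewActiveKeyID"
 KMIPTLSServerName = "TLS_SERVER_NAME"
 KMIPReadTimeOut = "READ_TIMEOUT"
 KMIPWriteTimeOut = "WRITE_TIMEOUT"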
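--- a/pkg/util/kms/kms_kmip_storage.go
+++ b/pkg/util/kms/kms_kmip_storage.go
@@ -35,6 +35,8 @@ const (
 protocolMajor = 1
 protocolMinor = 4
 
+// Expected secret data length in bits
+cryptographicLength = 256
 )
 
 // KMIPSecretStorage is a KMIP backend Key Management Systems (KMS)
@@ -208,7 +210,7 @@ func (k *KMIPSecretStorage) response(respMsg *kmip.ResponseMessage, operation km
 return nil, fmt.Errorf("Unexpected uniqueBatchItemID, real %v expected %v", bi.UniqueBatchItemID, uniqueBatchItemID)
 }
 if kmip14.ResultStatusSuccess != bi.ResultStatus {
-return nil, fmt.Errorf("Unexpected result status %v expected success %v", bi.ResultStatus, kmip14.ResultStatusSuccess)
+return nil, fmt.Errorf("Unexpected result status %v: Reason: %v Message: %v", bi.ResultStatus, bi.ResultReason, bi.ResultMessage)
 }
 
 return &bi, nil
@@ -261,14 +263,21 @@ func (k *KMIPSecretStorage) GetSecret(
 log := util.Logger()
 
 lookfor := KMIPUniqueID // Addition to upgrade
+var activeKeyID string
 if strings.HasSuffix(secretID, "-root-master-key-backend") {
 lookfor = NewKMIPUniqueID
+exists := false
+activeKeyID, exists = k.secret.StringData[NewActiveKeyID]
+if !exists {
+log.Errorf("KMIPSecretStorage.GetSecret() activeKeyID %v does not exist in secret %v", activeKeyID, k.secret.Name)
+return nil, secrets.NoVersion, secrets.ErrInvalidSecretId
+}
 }
 
 // KMIP key uniqueIdentifier
 uniqueIdentifier, exists := k.secret.StringData[lookfor]
 if !exists {
-log.Errorf("KMIPSecretStorage.GetSecret() uniqueIdentifier %v does not exist in secret %v", lookfor, k.secret)
+log.Errorf("KMIPSecretStorage.GetSecret() uniqueIdentifier %v does not exist in secret %v", lookfor, k.secret.Name)
 return nil, secrets.NoVersion, secrets.ErrInvalidSecretId
 }
 
@@ -306,6 +315,9 @@ func (k *KMIPSecretStorage) GetSecret(
 if getRespPayload.SymmetricKey == nil {
 return nil, secrets.NoVersion, fmt.Errorf("Unexpected get response SymmetricKey can not be nil")
 }
+if getRespPayload.SymmetricKey.KeyBlock.CryptographicLength != cryptographicLength {
+return nil, secrets.NoVersion, fmt.Errorf("Unexpected KeyBlock crypto len actual %v, expected %v", getRespPayload.SymmetricKey.KeyBlock.CryptographicLength, cryptographicLength)
+}
 if getRespPayload.SymmetricKey.KeyBlock.KeyFormatType != kmip14.KeyFormatTypeRaw {
 return nil, secrets.NoVersion, fmt.Errorf("Unexpected KeyBlock format type actual %v, expected KeyFormatTypeRaw %v", getRespPayload.SymmetricKey.KeyBlock.KeyFormatType, kmip14.KeyFormatTypeRaw)
 }
@@ -316,10 +328,13 @@ func (k *KMIPSecretStorage) GetSecret(
 secretBytes := getRespPayload.SymmetricKey.KeyBlock.KeyValue.KeyMaterial.([]byte)
 secretBase64 := base64.StdEncoding.EncodeToString(secretBytes)
 
-// Return the fetched key value
-r := map[string]interface{}{secretID: secretBase64}
-
-return r, secrets.NoVersion, nil
+if len(activeKeyID) > 0 {
+r := map[string]interface{}{ActiveRootKey: activeKeyID, activeKeyID: secretBase64}
+return r, secrets.NoVersion, nil
+} else {
+r := map[string]interface{}{secretID: secretBase64}
+return r, secrets.NoVersion, nil
+}
 }
 
 // PutSecret will associate an secretId to its secret data
@@ -332,7 +347,8 @@ func (k *KMIPSecretStorage) PutSecret(
 log := util.Logger()
 
 // Register the key value the KMIP endpoint
-value := plainText[secretID].(string)
+activeKey := plainText[ActiveRootKey].(string)
+value := plainText[activeKey].(string)
 valueBytes, err := base64.StdEncoding.DecodeString(value)
 if err != nil {
 return secrets.NoVersion, err
@@ -353,7 +369,7 @@ func (k *KMIPSecretStorage) PutSecret(
 KeyValue: &kmip.KeyValue{
 KeyMaterial: valueBytes,
 },
-CryptographicLength: len(valueBytes) * 8, // in bits
+CryptographicLength: cryptographicLength,
 CryptographicAlgorithm: kmip14.CryptographicAlgorithmAES,
 },
 },
@@ -377,6 +393,7 @@ func (k *KMIPSecretStorage) PutSecret(
 return secrets.NoVersion, err
 }
 
+k.secret.StringData[NewActiveKeyID] = activeKey
 k.secret.StringData[NewKMIPUniqueID] = registerRespPayload.UniqueIdentifier
 if !util.KubeUpdate(k.secret) {
 log.Errorf("Failed to update KMS secret %v in ns %v", k.secret.Name, k.secret.Namespace)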
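--- a/pkg/util/kms/kms_version.go
+++ b/pkg/util/kms/kms_version.go
@@ -1,8 +1,6 @@
 package kms
 
 import (
-"encoding/base64"
-"encoding/json"
 "fmt"
 "sort"
 "strconv"
@@ -115,23 +113,6 @@ func (v *VersionRotatingSecret) Get() error {
 return err
 }
 
-if (v.k.driver.Name() == "KMIPSecret") {
-encodedData, ok := s[v.BackendSecretName()]
-if !ok {
-return secrets.ErrInvalidSecretData
-}
-data := map[string]string{}
-decodedString, err := base64.StdEncoding.DecodeString(encodedData.(string))
-if err != nil {
-return secrets.ErrInvalidSecretData
-}
-err = json.Unmarshal(decodedString, &data)
-if err != nil {
-return secrets.ErrInvalidSecretData
-}
-v.data = data
-return nil
-}
 rc := map[string]string{}
 for k, v := range s {
 rc[k] = v.(string)
@@ -157,17 +138,7 @@ func (v *VersionRotatingSecret) Set(val string) error {
 s[ActiveRootKey] = key
 s[key] = val
 v.data = s
-var err error
-if (v.k.driver.Name() == "KMIPSecret") {
-jsonData, err := json.Marshal(s)
-encodedString := base64.StdEncoding.EncodeToString(jsonData)
-if err != nil {
-return err
-}
-_, err = v.k.PutSecret(v.BackendSecretName(), map[string]interface{}{v.BackendSecretName(): encodedString}, v.k.driver.SetContext())
-return err
-}
-_, err = v.k.PutSecret(v.BackendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
+_, err := v.k.PutSecret(v.BackendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
 return err
 }
 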