fix vault key path/key #3558

Merged
merged 3 commits into from
Nov 14, 2024
Merged
15 changes: 8 additions & 7 deletions crypto/storage/vault/vault.go
Expand Up @@ -34,6 +34,7 @@ import (

const privateKeyPathName = "nuts-private-keys"
const defaultPathPrefix = "kv"
const vaultSecretkeyName = "key"

// StorageType is the name of this storage type, used in health check reports and configuration.
const StorageType = "vaultkv"
Expand Down Expand Up @@ -102,8 +103,8 @@ func NewVaultKVStorage(config Config) (spi.Storage, error) {
return vaultStorage, nil
}

func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
return spi.GenerateAndStore(ctx, v, keyName)
func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyPath string) (crypto.PublicKey, string, error) {
return spi.GenerateAndStore(ctx, v, keyPath)
}

func configureVaultClient(cfg Config) (*vault.Client, error) {
Expand Down Expand Up @@ -142,7 +143,7 @@ func (v vaultKVStorage) checkConnection() error {

func (v vaultKVStorage) GetPrivateKey(ctx context.Context, keyName string, _ string) (crypto.Signer, error) {
path := privateKeyPath(v.config.PathPrefix, keyName)
value, err := v.getValue(ctx, path, keyName)
value, err := v.getValue(ctx, path, vaultSecretkeyName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -181,7 +182,7 @@ func (v vaultKVStorage) storeValue(ctx context.Context, path, key string, value

func (v vaultKVStorage) PrivateKeyExists(ctx context.Context, keyName string, _ string) (bool, error) {
path := privateKeyPath(v.config.PathPrefix, keyName)
_, err := v.getValue(ctx, path, keyName)
_, err := v.getValue(ctx, path, vaultSecretkeyName)
if errors.Is(err, spi.ErrNotFound) {
return false, nil
}
Expand Down Expand Up @@ -224,14 +225,14 @@ func privateKeyListPath(prefix string) string {
return filepath.Clean(path)
}

func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyName string, key crypto.PrivateKey) error {
path := privateKeyPath(v.config.PathPrefix, keyName)
func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyPath string, key crypto.PrivateKey) error {
path := privateKeyPath(v.config.PathPrefix, keyPath)
pem, err := util.PrivateKeyToPem(key)
if err != nil {
return fmt.Errorf("unable to convert private key to pem format: %w", err)
}

return v.storeValue(ctx, path, keyName, pem)
return v.storeValue(ctx, path, vaultSecretkeyName, pem)
}

func (v vaultKVStorage) DeletePrivateKey(ctx context.Context, kid string) error {
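Review bot: Keys written by v6.0.0/v6.0.1 become unreadable after this change: GetPrivateKey and PrivateKeyExists now look up only the fixed field `vaultSecretkeyName` ("key"), whereas the removed lines stored and read the PEM under a field named after keyName, so a node that already generated keys on 6.0.x will get ErrNotFound for them after upgrading unless a migration exists elsewhere in the repo. If no migration is planned, a compatibility fallback in GetPrivateKey keeps those keys reachable, `if errors.Is(err, spi.ErrNotFound) { value, err = v.getValue(ctx, path, keyName) }`, and the release note should say which keys must be re-stored. The `_ string` version argument on GetPrivateKey/PrivateKeyExists is discarded, so with one fixed field name every version resolves to the same secret; a comment such as `// Vault KV secret versioning is not used; the version argument is ignored` would make that explicit. privateKeyPath itself is outside the hunk; if it only runs filepath.Clean on the caller-supplied keyPath as privateKeyListPath does, a keyPath containing `..` segments can still resolve outside the nuts-private-keys prefix, since Clean normalizes but does not confine.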
14 changes: 13 additions & 1 deletion crypto/storage/vault/vault_test.go
Expand Up @@ -26,6 +26,7 @@ import (
"errors"
vault "github.com/hashicorp/vault/api"
"github.com/nuts-foundation/nuts-node/core"
"github.com/nuts-foundation/nuts-node/crypto/util"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"net/http"
Expand Down Expand Up @@ -103,6 +104,17 @@ func TestVaultKVStorage(t *testing.T) {
assert.Equal(t, privateKey, result, "expected retrieved key to equal original")
})

t.Run("get", func(t *testing.T) {
pem, _ := util.PrivateKeyToPem(privateKey)
vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: pem}}}}

signer, err := vaultStorage.GetPrivateKey(ctx, keyName, version)

require.NoError(t, err)
pem2, _ := util.PrivateKeyToPem(signer)
assert.Equal(t, pem, pem2)
})

t.Run("delete", func(t *testing.T) {
t.Run("ok", func(t *testing.T) {
vaultStorage := vaultKVStorage{client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {}}}}
Expand Down Expand Up @@ -171,7 +183,7 @@ func TestVaultKVStorage(t *testing.T) {
})

t.Run("error - encoding issues", func(t *testing.T) {
vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {keyName: []byte("foo")}}}}
vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: []byte("foo")}}}}

t.Run("SavePrivateKey", func(t *testing.T) {
err := vaultStorage.SavePrivateKey(ctx, keyName, "123")
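Review bot: The new `get` case discards the error from util.PrivateKeyToPem twice (`pem, _ :=` and `pem2, _ :=`), so if either conversion fails the final assert.Equal compares two empty values and passes vacuously. Use `pem, err := util.PrivateKeyToPem(privateKey)` followed by `require.NoError(t, err)` for both conversions, or compare the returned signer's public key against privateKey directly. There is also no case that stores a secret under the pre-fix field name (keyName) and asserts what GetPrivateKey does with it, which is the regression the release note describes; a test pinning that behaviour either way would document the upgrade contract.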
12 changes: 12 additions & 0 deletions docs/pages/release_notes.rst
Expand Up @@ -2,6 +2,18 @@
Release notes
#############

***************
Peanut (v6.0.2)
***************

Release date: 2024-11-14

- `#3556 <https://github.com/nuts-foundation/nuts-node/issues/3556>`_: fix private key path when using native Hashicorp Vault integration,
broken since v6.0.0 (pre-v6.0.0 keys couldn't be found, post-v6.0.0 keys have an incorrect name).
- Update `github.com/golang-jwt/jwt/v4` to v4.5.1 to address vulnerability `GO-2024-3250 <https://pkg.go.dev/vuln/GO-2024-3250>`_.

**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.0.1...v6.0.2

***************
Peanut (v6.0.1)
***************