

fix vault key path/key (#3557)
woutslakhorst authored Nov 14, 2024
1 parent 680437c commit fcf2f24
Showing 3 changed files with 33 additions and 8 deletions.
15 changes: 8 additions & 7 deletions crypto/storage/vault/vault.go
Expand Up @@ -34,6 +34,7 @@ import (

const privateKeyPathName = "nuts-private-keys"
const defaultPathPrefix = "kv"
const vaultSecretkeyName = "key"

// StorageType is the name of this storage type, used in health check reports and configuration.
const StorageType = "vaultkv"
Expand Down Expand Up @@ -102,8 +103,8 @@ func NewVaultKVStorage(config Config) (spi.Storage, error) {
return vaultStorage, nil
}

func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
return spi.GenerateAndStore(ctx, v, keyName)
func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyPath string) (crypto.PublicKey, string, error) {
return spi.GenerateAndStore(ctx, v, keyPath)
}

func configureVaultClient(cfg Config) (*vault.Client, error) {
Expand Down Expand Up @@ -142,7 +143,7 @@ func (v vaultKVStorage) checkConnection() error {

func (v vaultKVStorage) GetPrivateKey(ctx context.Context, keyName string, _ string) (crypto.Signer, error) {
path := privateKeyPath(v.config.PathPrefix, keyName)
value, err := v.getValue(ctx, path, keyName)
value, err := v.getValue(ctx, path, vaultSecretkeyName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -181,7 +182,7 @@ func (v vaultKVStorage) storeValue(ctx context.Context, path, key string, value

func (v vaultKVStorage) PrivateKeyExists(ctx context.Context, keyName string, _ string) (bool, error) {
path := privateKeyPath(v.config.PathPrefix, keyName)
_, err := v.getValue(ctx, path, keyName)
_, err := v.getValue(ctx, path, vaultSecretkeyName)
if errors.Is(err, spi.ErrNotFound) {
return false, nil
}
Expand Down Expand Up @@ -224,14 +225,14 @@ func privateKeyListPath(prefix string) string {
return filepath.Clean(path)
}

func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyName string, key crypto.PrivateKey) error {
path := privateKeyPath(v.config.PathPrefix, keyName)
func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyPath string, key crypto.PrivateKey) error {
path := privateKeyPath(v.config.PathPrefix, keyPath)
pem, err := util.PrivateKeyToPem(key)
if err != nil {
return fmt.Errorf("unable to convert private key to pem format: %w", err)
}

return v.storeValue(ctx, path, keyName, pem)
return v.storeValue(ctx, path, vaultSecretkeyName, pem)
}

func (v vaultKVStorage) DeletePrivateKey(ctx context.Context, kid string) error {
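Review bot: The new constant `vaultSecretkeyName` has no doc comment, and after this change the same argument is called `keyPath` in NewPrivateKey and SavePrivateKey but still `keyName` in GetPrivateKey and PrivateKeyExists. Suggest adding `// vaultSecretkeyName is the field inside the Vault KV secret stored at privateKeyPath that holds the PEM-encoded private key.` above the constant and renaming the remaining parameters to `keyPath`; Go MixedCaps naming would also favour `vaultSecretKeyName`. Since GetPrivateKey and PrivateKeyExists now read only the fixed `"key"` field, secrets written by earlier releases under a field named after the key name presumably become unreadable — if so, a fallback read of the old field name or an explicit migration step for operators seems worth considering. getValue, storeValue and privateKeyPath are outside the hunks shown.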
14 changes: 13 additions & 1 deletion crypto/storage/vault/vault_test.go
Expand Up @@ -26,6 +26,7 @@ import (
"errors"
vault "github.com/hashicorp/vault/api"
"github.com/nuts-foundation/nuts-node/core"
"github.com/nuts-foundation/nuts-node/crypto/util"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"net/http"
Expand Down Expand Up @@ -103,6 +104,17 @@ func TestVaultKVStorage(t *testing.T) {
assert.Equal(t, privateKey, result, "expected retrieved key to equal original")
})

t.Run("get", func(t *testing.T) {
pem, _ := util.PrivateKeyToPem(privateKey)
vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: pem}}}}

signer, err := vaultStorage.GetPrivateKey(ctx, keyName, version)

require.NoError(t, err)
pem2, _ := util.PrivateKeyToPem(signer)
assert.Equal(t, pem, pem2)
})

t.Run("delete", func(t *testing.T) {
t.Run("ok", func(t *testing.T) {
vaultStorage := vaultKVStorage{client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {}}}}
Expand Down Expand Up @@ -171,7 +183,7 @@ func TestVaultKVStorage(t *testing.T) {
})

t.Run("error - encoding issues", func(t *testing.T) {
vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {keyName: []byte("foo")}}}}
vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: []byte("foo")}}}}

t.Run("SavePrivateKey", func(t *testing.T) {
err := vaultStorage.SavePrivateKey(ctx, keyName, "123")
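Review bot: The new "get" sub-test discards the error from `util.PrivateKeyToPem` on both calls (`pem, _ :=` and `pem2, _ :=`), so an encoding failure would surface as a confusing equality mismatch rather than at its source. Prefer `pem, err := util.PrivateKeyToPem(privateKey)` followed by `require.NoError(t, err)`, and the same for `pem2`, matching how the sub-test already checks the GetPrivateKey error. The enclosing TestVaultKVStorage starts and ends outside the hunk.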
12 changes: 12 additions & 0 deletions docs/pages/release_notes.rst
Expand Up @@ -2,6 +2,18 @@
Release notes
#############

***************
Peanut (v6.0.2)
***************

Release date: 2024-11-14

- `#3556 <https://github.com/nuts-foundation/nuts-node/issues/3556>`_: fix private key path when using native Hashicorp Vault integration,
broken since v6.0.0 (pre-v6.0.0 keys couldn't be found, post-v6.0.0 keys have an incorrect name).
- Update `github.com/golang-jwt/jwt/v4` to v4.5.1 to address vulnerability `GO-2024-3250 <https://pkg.go.dev/vuln/GO-2024-3250>`_.

**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.0.1...v6.0.2

***************
Peanut (v6.0.1)
***************

