fix: PGP subkeys support
Closes #2372
My key https://keybase.io/yblanc/pgp_keys.asc is composed of subkeys, some of which are expired.
gpg: using pgp trust model
gpg: Note: signature key 0EAA4F45A8B52D95 expired Wed Sep 22 09:48:30 2021 CEST
pub rsa4096 2020-09-22 [C]
A2A7E23A88A21EA5561E581F068AF996C3F72ADA
uid [ unknown] Yoan Blanc <[email protected]>
sub rsa4096 2020-09-22 [S] [expired: 2021-09-22]
sub rsa4096 2020-09-22 [E] [expired: 2021-09-22]
sub rsa4096 2020-09-22 [A] [expired: 2021-09-22]
sub rsa4096 2021-09-23 [S] [expires: 2022-09-23]
sub rsa4096 2021-09-23 [E] [expires: 2022-09-23]
When doing the openpgp.Encrypt (https://github.com/hashicorp/vault/blob/main/helper/pgpkeys/encrypt_decrypt.go#L29=), it takes the first one, resulting in a message I cannot decrypt.
I've also tried using the upstream golang.org/x/crypto/openpgp and it suffers from the same issue. However, ProtonMail's fork does it correctly.
The problem
# Start a dev server
vault server -dev
# Init a rekey
vault operator rekey -init -pgp-keys="./yblanc.asc" -key-shares=1 -key-threshold=1 -verify -backup
# Enter the Unseal key from the dev server
vault operator rekey
# Then verify
Using main, I cannot decrypt the new unseal key, hence verify.
gpg: encrypted with 4096-bit RSA key, ID 0x9729FBE777D989ED, created 2020-09-22
"Yoan Blanc <[email protected]>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
Using this branch, the new unseal key can be successfully decrypted.
gpg: encrypted with 4096-bit RSA key, ID 0xF72D1E537C6B68F7, created 2021-09-23
"Yoan Blanc <[email protected]>"
200567c2ec34cf606bd790d548331e76c11322c64030573ca826fbe9c95a1ef8
NB: when downloading the key from keybase using keybase:yblanc it seems okay. We like to bake them into the AMI we use though.
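The subkey selection issue described in this pull request, as an added Go sketch (not code from Vault, golang.org/x/crypto/openpgp or ProtonMail's fork): it contrasts "first encryption subkey wins" with a selection that checks the validity window. The `Subkey` type, the function names, the placeholder IDs and the day-granularity dates are assumptions; revocation and key-flag parsing are out of scope.

```go
package main

import (
	"fmt"
	"time"
)

// Subkey is a simplified model of an OpenPGP subkey (hypothetical type).
type Subkey struct {
	KeyID            string
	Created, Expires time.Time
	CanEncrypt       bool
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// sampleKey is constructed from the gpg listing; PLACEHOLDER IDs are not real.
var sampleKey = []Subkey{
	{"PLACEHOLDER-S1", day(2020, 9, 22), day(2021, 9, 22), false},
	{"9729FBE777D989ED", day(2020, 9, 22), day(2021, 9, 22), true},
	{"PLACEHOLDER-A1", day(2020, 9, 22), day(2021, 9, 22), false},
	{"PLACEHOLDER-S2", day(2021, 9, 23), day(2022, 9, 23), false},
	{"F72D1E537C6B68F7", day(2021, 9, 23), day(2022, 9, 23), true},
}

// firstEncryptionKey models the reported behaviour: the first [E] subkey wins.
func firstEncryptionKey(keys []Subkey) (Subkey, bool) {
	for _, k := range keys {
		if k.CanEncrypt {
			return k, true
		}
	}
	return Subkey{}, false
}

// validEncryptionKey picks the newest [E] subkey valid at now; ok=false means none.
func validEncryptionKey(keys []Subkey, now time.Time) (best Subkey, ok bool) {
	for _, k := range keys {
		usable := k.CanEncrypt && !now.Before(k.Created) && now.Before(k.Expires)
		if usable && (!ok || k.Created.After(best.Created)) {
			best, ok = k, true
		}
	}
	return best, ok
}

func main() {
	fmt.Println(validEncryptionKey(sampleKey, day(2022, 6, 1))) // constructed date
}
```

When no subkey is usable at the given time, the caller should fail the operation rather than fall back to an expired subkey, since the recipient may be unable to decrypt the result.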
@cipherboy hey opinions on this or can this be considered for merging?
As 1.12 has been branched, I feel good merging this now.
Thank you @greut!