Fixing rebase of andrewbuss/decrypt_sign

Also switched testdata/ssh_key with an ssh-ed25519 key

README.md

@@ -352,13 +352,13 @@ remote SSH server without ever handling the unencrypted private key directly.
 
 Generate an ssh key without passphrase:
 
- $ ssh-keygen -f id_rsa -N ""
+ $ ssh-keygen -f id_ed25519 -N ""
 
 Encrypt with the "ssh-sign-with" usage only:
 
- $ ro -minimum 2 -owners alice,bob -usages ssh-sign-with \
-  -server ro.local -in id_rsa -out id_rsa.encrypted encrypt
+ $ ro -minUsers 2 -owners alice,bob -usages ssh-sign-with \
+  -server localhost:443 -in id_ed25519 -out id_ed25519.encrypted encrypt
 
 Use the remote server to authenticate to an SSH server
 
- $ ro -server ro.local -in id_rsa.encrypted -pubkey id_rsa.pub ssh root@gibson
+ $ ro -server localhost:443 -in id_ed25519.encrypted -pubkey id_ed25519.pub ssh root@gibson

client/client.go

@@ -254,7 +254,7 @@ func (c *RemoteServer) Decrypt(req core.DecryptRequest) (*core.ResponseData, err
 
 }
 
-// SSHSignWith issues an SSH-sign-with request to the remote server
+// SSHSignWith issues a SSH-sign-with request to the remote server
 func (c *RemoteServer) SSHSignWith(req core.SSHSignWithRequest) (*core.ResponseData, error) {
  reqBytes, err := json.Marshal(req)
  if err != nil {
@@ -267,6 +267,7 @@ func (c *RemoteServer) SSHSignWith(req core.SSHSignWithRequest) (*core.ResponseD
  }
 
  return unmarshalResponseData(respBytes)
+
 }
 
 // DecryptIntoData issues an decrypt request to the remote server and extract

cmd/ro/roagent/roagent.go

@@ -8,7 +8,6 @@ import (
  "encoding/json"
  "errors"
  "io"
- "log"
 
  "github.com/cloudflare/redoctober/client"
  "github.com/cloudflare/redoctober/core"
@@ -41,15 +40,19 @@ func (signer ROSigner) Sign(rand io.Reader, msg []byte) (signature *ssh.Signatur
  return nil, err
  }
  if resp.Status != "ok" {
- log.Fatal("response status error:", resp.Status)
+ return nil, errors.New("response status error: " + resp.Status)
  }
 
  var respMsg core.SSHSignatureWithDelegates
  err = json.Unmarshal(resp.Response, &respMsg)
  if err != nil {
  return nil, err
  }
- return &respMsg.Signature, nil
+ sshSignature := ssh.Signature{
+ Format: respMsg.SignatureFormat,
+ Blob: respMsg.Signature,
+ }
+ return &sshSignature, nil
 }
 
 type ROAgent struct {

cryptor/cryptor_test.go

@@ -169,7 +169,7 @@ func TestEncryptDecrypt(t *testing.T) {
  RightNames: right,
  }
 
- resp, err := c.Encrypt([]byte("Hello World!"), []string{}, ac)
+ resp, err := c.Encrypt([]byte("Hello World!"), []string{}, []string{}, ac)
  if err != nil {
  t.Fatalf("Error: %s", err)
  }
@@ -183,7 +183,7 @@ func TestEncryptDecrypt(t *testing.T) {
  }
 
  // (resp []byte, labels, names []string, secure bool, err error)
- _, _, _, _, err = c.Decrypt(resp, "alice")
+ _, _, _, _, _, err = c.Decrypt(resp, "alice")
  if err != nil {
  t.Fatalf("%v", err)
  }

generate.go

@@ -21,7 +21,7 @@ func main() {
  indexPath := filepath.Join(wd, "static", "index.html")
 
  out.Write([]byte("// This file is autogenerated; DO NOT EDIT DIRECTLY\n// See generate.go for more info\npackage main\n\nconst (\n"))
- out.Write([]byte("\tindexHtml = `"))
+ out.Write([]byte("\tindexHTML = `"))
  f, err := os.Open(indexPath)
  if err != nil {
  panic(err)

persist/persist.go

@@ -16,6 +16,9 @@ var defaultStore Store = &File{}
 // Labels are the labels that the keycache should be encrypted with.
 var Labels = []string{"restore"}
 
+// Usages indicate whether encrypted data can be decrypted or only used for signing
+var Usages = []string{}
+
 const (
  // Disabled indicates that the persistence store will never
  // persist active delegations.

server/server.go

@@ -23,9 +23,9 @@ import (
  "github.com/coreos/go-systemd/activation"
 )
 
-// DefaultIndexHtml can be used to customize the package default index page
+// DefaultIndexHTML can be used to customize the package default index page
 // when static path is not specified
-var DefaultIndexHtml = ""
+var DefaultIndexHTML = ""
 
 var functions = map[string]func([]byte) ([]byte, error){
  "/create": core.Create,
@@ -37,6 +37,7 @@ var functions = map[string]func([]byte) ([]byte, error){
  "/encrypt": core.Encrypt,
  "/re-encrypt": core.ReEncrypt,
  "/decrypt": core.Decrypt,
+ "/ssh-sign-with": core.SSHSignWith,
  "/owners": core.Owners,
  "/modify": core.Modify,
  "/export": core.Export,
@@ -50,13 +51,18 @@ var functions = map[string]func([]byte) ([]byte, error){
 }
 
 type userRequest struct {
- rt string // The request type (which will be one of the
+ // The request type (which will be one of the
  // keys of the functions map above
- in []byte // Arbitrary input data (depends on the core.*
+ rt string
+
+ // Arbitrary input data (depends on the core.*
  // function called)
- resp chan<- []byte // Channel down which a response is sent (the
+ in []byte
+
+ // Channel down which a response is sent (the
  // data sent will depend on the core.* function
  // called to handle this request)
+ resp chan<- []byte
 }
 
 // processRequest handles a single request receive on the JSON API for
@@ -194,13 +200,13 @@ type indexHandler struct {
  staticPath string
 }
 
-func (this *indexHandler) handle(w http.ResponseWriter, r *http.Request) {
+func (handler *indexHandler) handle(w http.ResponseWriter, r *http.Request) {
  var body io.ReadSeeker
  var tags = map[string]string{}
 
- if this.staticPath != "" {
- tags["static-path"] = this.staticPath
- f, err := os.Open(this.staticPath)
+ if handler.staticPath != "" {
+ tags["static-path"] = handler.staticPath
+ f, err := os.Open(handler.staticPath)
  if err != nil {
  report.Check(err, tags)
  http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -209,7 +215,7 @@ func (this *indexHandler) handle(w http.ResponseWriter, r *http.Request) {
  defer f.Close()
  body = f
  } else {
- body = bytes.NewReader([]byte(DefaultIndexHtml))
+ body = bytes.NewReader([]byte(DefaultIndexHTML))
  }
 
  header := w.Header()

testdata/ssh_key

@@ -1,15 +1,7 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCz2+6OyTyo4Qo/hCtaBLT9gczJPzPhu7CzYWOSqRjbFs2/16y0
-YOuyPesO/e84ZasMlzFJMogNddnq5uJxcM6+f3XzUs2yIL26cw0rcespNg1UUpZg
-OSxSluXoJapB/SQhcIuO+uD0snvjNQrAMUz7oK+b6Uv3fYu3DmgI8CrSlwIDAQAB
-AoGAYs8ci8z6Sjz3iFVwC5AybmL0wkq6kfSu6p1COrwzL4mjlxVBiAcG9XEWxbGz
-zmPsSIp3RSNBo0NvaKFXHcM/kHRMsZG9FmmQBikoOkMTaEeCdbw/9k3Xzh1aFPo7
-eCAMbMAO/6nZb8wjARZZ2EHFAo4fXcORwj7dY4/hR3r7KEECQQDdOioQLThTVXXT
-tV24cE0WVezC8xcnSOE0MIMyFyxjD0aGtzrBKoXewocfRe+zvzoMJzrWM0CIEP5U
-IbSUTGX5AkEA0CEuJxOpc3yw3I9hy3isqcA9rR6Pa7gvG/H8dLkmhyK6knzuUHU0
-kW+aTg/LqH22hdCe8SQbUuIWoblSetnhDwJAZOPhyv7UcSzIT4Sm+TY98bG+CCpU
-pNXX3rVBH9bxpzuQLl/hq7Z41t5gQSLj7lWHY4OAka9N/r/BPR0h/X/aAQJAKbHL
-9iYZNzqOj9DljYaCSItrj6fkoXbHcTi8E4IX9tB9QeVnNJUWT+BksCi36uwsSYhu
-nu5VzvfeAs4GePf2/wJATHu5znRyBkegvvn702wodqfhbPd8pmnNT0vXKcD90jsz
-ZDe0VlX/kmE4fbORozMDRURUGaVDhFIiEsa4gct2mA==
------END RSA PRIVATE KEY-----
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACArNmLycKg+U8IR/exXU6PmHvL6fIzf3NYed9wTD3zlrAAAAJANDbiNDQ24
+jQAAAAtzc2gtZWQyNTUxOQAAACArNmLycKg+U8IR/exXU6PmHvL6fIzf3NYed9wTD3zlrA
+AAAED4z9YhcScIDbVDcCfxIhW+SL2oHeP2/T/zxGjom1EWiys2YvJwqD5TwhH97FdTo+Ye
+8vp8jN/c1h533BMPfOWsAAAADW1haHJ1ZEBnYWxvaXM=
+-----END OPENSSH PRIVATE KEY-----

testdata/ssh_key.pub

@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCz2+6OyTyo4Qo/hCtaBLT9gczJPzPhu7CzYWOSqRjbFs2/16y0YOuyPesO/e84ZasMlzFJMogNddnq5uJxcM6+f3XzUs2yIL26cw0rcespNg1UUpZgOSxSluXoJapB/SQhcIuO+uD0snvjNQrAMUz7oK+b6Uv3fYu3DmgI8CrSlw==
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICs2YvJwqD5TwhH97FdTo+Ye8vp8jN/c1h533BMPfOWs mahrud@galois