Esempio n. 1
0
  /** @param args */
  public static void main(String[] args) throws Exception {
    if (args.length < 3) {
      System.err.println(
          "Usage: OSSLoadAgent OSS_URL SECRET_NAME WRAPPED_PASSPHRASE AGENT_AUTH_SOCK [KEY_FILE]");
      System.exit(1);
    }

    SSHAgentClient sshAgent = new SSHAgentClient(args[2]);

    // Get the secret from OSS
    // FIXME ? Provide a way to specify the ssh signing key fingerprint
    byte[] secret = OSSClient.getSecret(args[0], args[1], null);
    // Use the secret to unwrap the passphrase
    byte[] unwrap = CryptoHelper.unwrapBlob(secret, Hex.decode(args[3]));
    String password = new String(unwrap, "UTF-8");

    // Read private keys
    // openssh store it in PEM format
    List<File> sshKeyFiles;
    if (args.length > 4) {
      sshKeyFiles = new ArrayList<File>(1);
      sshKeyFiles.add(new File(args[4]));
    } else {
      sshKeyFiles = getDefaultsKeyFiles();
    }

    for (File sshKeyFile : sshKeyFiles) {
      Reader fRd = new BufferedReader(new FileReader(sshKeyFile));
      PEMReader pem = new PEMReader(fRd, new DefaultPasswordFinder(password.toCharArray()), "BC");

      Object o;
      try {
        while ((o = pem.readObject()) != null) {
          if (o instanceof KeyPair) {
            KeyPair kp = (KeyPair) o;
            // Add the identity in the ssh-agent
            byte[] keyblob = CryptoHelper.sshPrivateKeyBlobFromKeyPair(kp);
            System.out.println("Loading " + sshKeyFile.getPath());
            sshAgent.addIdentity(keyblob, sshKeyFile.getPath());
          }
        }
      } catch (EncryptionException ee) {
        System.err.println("Can't read private key in " + sshKeyFile.getAbsolutePath());
        ee.printStackTrace();
      }

      pem.close();
    }

    System.out.println("Keys in agent:");
    List<SSHKey> identities = sshAgent.requestIdentities();
    for (SSHKey identity : identities) {
      System.out.println(identity);
    }
  }
Esempio n. 2
0
  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {

    //
    // If OSS is already initialized, bail out
    //

    if (OSS.isInitialized()) {
      resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Open Secret Server already initialized.");
      return;
    }

    //
    // Extract token
    //

    String b64token = req.getParameter("token");

    //
    // Decode it from base64
    //

    byte[] token = Base64.decode(b64token);

    //
    // Extract wrapped init token and sealed AES key
    //

    byte[] wrappedtoken = CryptoHelper.decodeNetworkString(token, 0);
    byte[] sealedaeskey = CryptoHelper.decodeNetworkString(token, wrappedtoken.length + 4);

    //
    // Unseal AES key
    //

    byte[] aeskey = CryptoHelper.decryptRSA(OSS.getSessionRSAPrivateKey(), sealedaeskey);

    //
    // Unwrap init token
    //

    byte[] inittoken = CryptoHelper.unwrapAES(aeskey, wrappedtoken);

    //
    // Check OSS Token
    //

    OSS.OSSToken osstoken = null;

    try {
      osstoken = OSS.checkToken(inittoken);
    } catch (OSSException osse) {
      LOGGER.error("doPost", osse);
      resp.sendError(HttpServletResponse.SC_BAD_REQUEST, osse.getMessage());
      return;
    }

    //
    // Check signing key fingerprint
    //

    if (!OSS.checkInitSSHKey(osstoken.getKeyblob())) {
      LOGGER.error(
          "["
              + new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(osstoken.getKeyblob())))
              + "] (unauthorized) attempted to initialize Open Secret Server.");
      resp.sendError(
          HttpServletResponse.SC_FORBIDDEN,
          "SSH signing key is not authorized to initialize this Open Secret Server.");
      return;
    }

    //
    // Add secret to initialization
    //

    try {
      OSS.init(osstoken.getSecret());
    } catch (OSSException osse) {
      LOGGER.error("doPost", osse);
      resp.sendError(HttpServletResponse.SC_BAD_REQUEST, osse.getMessage());
      return;
    }

    if (!OSS.isInitialized()) {
      LOGGER.info(
          "["
              + new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(osstoken.getKeyblob())))
              + "] added secret to intialize Open Secret Server.");
      resp.sendError(
          HttpServletResponse.SC_ACCEPTED,
          "Open Secret Server not yet initialized, needs some more secrets.");
      return;
    } else {
      LOGGER.info(
          "["
              + new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(osstoken.getKeyblob())))
              + "] completed intialization of Open Secret Server.");
    }

    resp.setStatus(HttpServletResponse.SC_OK);
  }