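/**
 * Loads SSH private keys into a running ssh-agent, using a passphrase that is released by the
 * Open Secret Server (OSS).
 *
 * <p>Arguments, in the order the code reads them: {@code OSS_URL} and {@code SECRET_NAME}
 * identify the OSS secret to fetch; {@code AGENT_AUTH_SOCK} is the agent socket handed to
 * {@code SSHAgentClient}; {@code WRAPPED_PASSPHRASE} is the hex-encoded blob unwrapped with the
 * fetched secret to recover the key passphrase; the optional {@code KEY_FILE} selects one PEM key
 * file, otherwise {@code getDefaultsKeyFiles()} is used. Every {@code KeyPair} found in a file is
 * converted to an ssh private key blob and added to the agent; a file whose key cannot be
 * decrypted is reported on stderr and skipped. Finally the identities the agent now holds are
 * printed.
 *
 * @param args command line arguments as described above
 * @throws Exception if the OSS call, the unwrap, reading a key file, or the agent protocol fails
 */
public static void main(String[] args) throws Exception {
  // args[0..3] are all dereferenced below, so four arguments are mandatory (the previous
  // threshold of 3 let args[3] throw ArrayIndexOutOfBoundsException). The usage text lists the
  // arguments in the order the code actually consumes them: the agent socket is args[2] and the
  // wrapped passphrase is args[3].
  if (args.length < 4) {
    System.err.println(
        "Usage: OSSLoadAgent OSS_URL SECRET_NAME AGENT_AUTH_SOCK WRAPPED_PASSPHRASE [KEY_FILE]");
    System.exit(1);
  }

  SSHAgentClient sshAgent = new SSHAgentClient(args[2]);

  // Get the secret from OSS
  // FIXME ? Provide a way to specify the ssh signing key fingerprint
  byte[] secret = OSSClient.getSecret(args[0], args[1], null);

  // Use the secret to unwrap the passphrase
  byte[] unwrap = CryptoHelper.unwrapBlob(secret, Hex.decode(args[3]));

  // Decode the passphrase straight into a char[] (no intermediate String, which could not be
  // zeroed) so every copy of it can be wiped once the keys are loaded. Charset.decode replaces
  // malformed input the same way new String(bytes, "UTF-8") did. Fully-qualified names keep the
  // file's import block untouched.
  java.nio.CharBuffer decoded =
      java.nio.charset.Charset.forName("UTF-8").decode(java.nio.ByteBuffer.wrap(unwrap));
  char[] password = new char[decoded.remaining()];
  decoded.get(password);
  java.util.Arrays.fill(decoded.array(), '\0');

  try {
    // Read private keys
    // openssh store it in PEM format
    List<File> sshKeyFiles;
    if (args.length > 4) {
      sshKeyFiles = new ArrayList<File>(1);
      sshKeyFiles.add(new File(args[4]));
    } else {
      sshKeyFiles = getDefaultsKeyFiles();
    }

    for (File sshKeyFile : sshKeyFiles) {
      // Each PEMReader gets its own copy (as the original toCharArray() did) so that wiping it
      // afterwards cannot affect the next file.
      char[] filePassword = password.clone();
      Reader fRd = new BufferedReader(new FileReader(sshKeyFile));
      try {
        PEMReader pem = new PEMReader(fRd, new DefaultPasswordFinder(filePassword), "BC");
        Object o;
        while ((o = pem.readObject()) != null) {
          if (o instanceof KeyPair) {
            KeyPair kp = (KeyPair) o;
            // Add the identity in the ssh-agent
            byte[] keyblob = CryptoHelper.sshPrivateKeyBlobFromKeyPair(kp);
            System.out.println("Loading " + sshKeyFile.getPath());
            sshAgent.addIdentity(keyblob, sshKeyFile.getPath());
          }
        }
      } catch (EncryptionException ee) {
        // A wrong passphrase (or an unsupported cipher) should not abort the remaining files.
        System.err.println("Can't read private key in " + sshKeyFile.getAbsolutePath());
        ee.printStackTrace();
      } finally {
        // Closing the outer reader releases the file descriptor even when PEMReader construction
        // or readObject() throws; previously pem.close() was skipped on any exception other than
        // EncryptionException.
        fRd.close();
        java.util.Arrays.fill(filePassword, '\0');
      }
    }
  } finally {
    // Wipe the copies of the passphrase this method owns. 'secret' is left as returned by
    // OSSClient, whose ownership of that array is not visible here.
    java.util.Arrays.fill(password, '\0');
    java.util.Arrays.fill(unwrap, (byte) 0);
  }

  System.out.println("Keys in agent:");
  List<SSHKey> identities = sshAgent.requestIdentities();
  for (SSHKey identity : identities) {
    System.out.println(identity);
  }
}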
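/**
 * Accepts one initialization token for the Open Secret Server (OSS) and adds the secret it
 * carries to the pending initialization.
 *
 * <p>The {@code token} request parameter is base64. Once decoded it holds two length-prefixed
 * network strings: the init token wrapped with an AES key, followed by that AES key sealed with
 * the OSS session RSA key. The AES key is unsealed with the session private key, the init token
 * is unwrapped and handed to {@code OSS.checkToken} (validation semantics live there; it is
 * expected to reject bad tokens with {@code OSSException}). The token's signing key must be one
 * of the keys authorized to initialize this server ({@code OSS.checkInitSSHKey}).
 *
 * <p>Responses: 400 when OSS is already initialized or the token is missing, malformed or
 * rejected; 403 when the signing key is not authorized; 202 when the secret was accepted but
 * more secrets are still required; 200 when initialization completed.
 *
 * @param req the servlet request carrying the {@code token} parameter
 * @param resp the servlet response
 * @throws ServletException per the servlet contract; not thrown directly by this method
 * @throws IOException if the response cannot be written
 */
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
    throws ServletException, IOException {
  //
  // If OSS is already initialized, bail out
  //
  if (OSS.isInitialized()) {
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Open Secret Server already initialized.");
    return;
  }

  //
  // Extract token. A missing parameter used to reach Base64.decode(null) and surface as a 500.
  //
  String b64token = req.getParameter("token");
  if (null == b64token || b64token.isEmpty()) {
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing 'token' parameter.");
    return;
  }

  //
  // Decode from base64, split the wrapped init token from the sealed AES key, unseal the key and
  // unwrap the token. Any runtime failure here means the client sent garbage (or a tampered
  // token), so it is answered with 400 and logged, instead of propagating as a 500.
  //
  byte[] inittoken;
  try {
    byte[] token = Base64.decode(b64token);
    byte[] wrappedtoken = CryptoHelper.decodeNetworkString(token, 0);
    // The second network string starts after the first one's 4-byte length prefix and payload.
    byte[] sealedaeskey = CryptoHelper.decodeNetworkString(token, wrappedtoken.length + 4);
    byte[] aeskey = CryptoHelper.decryptRSA(OSS.getSessionRSAPrivateKey(), sealedaeskey);
    inittoken = CryptoHelper.unwrapAES(aeskey, wrappedtoken);
  } catch (RuntimeException re) {
    LOGGER.error("doPost", re);
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed initialization token.");
    return;
  }

  //
  // Check OSS Token
  //
  OSS.OSSToken osstoken;
  try {
    osstoken = OSS.checkToken(inittoken);
  } catch (OSSException osse) {
    LOGGER.error("doPost", osse);
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, osse.getMessage());
    return;
  }

  //
  // Check signing key fingerprint: only keys registered for initialization may add secrets.
  //
  String fingerprint = fingerprintHex(osstoken.getKeyblob());
  if (!OSS.checkInitSSHKey(osstoken.getKeyblob())) {
    LOGGER.error(
        "[" + fingerprint + "] (unauthorized) attempted to initialize Open Secret Server.");
    resp.sendError(
        HttpServletResponse.SC_FORBIDDEN,
        "SSH signing key is not authorized to initialize this Open Secret Server.");
    return;
  }

  //
  // Add secret to initialization
  //
  try {
    OSS.init(osstoken.getSecret());
  } catch (OSSException osse) {
    LOGGER.error("doPost", osse);
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, osse.getMessage());
    return;
  }

  if (!OSS.isInitialized()) {
    LOGGER.info("[" + fingerprint + "] added secret to intialize Open Secret Server.");
    // 202: the secret was accepted but OSS still needs more before it is initialized.
    resp.sendError(
        HttpServletResponse.SC_ACCEPTED,
        "Open Secret Server not yet initialized, needs some more secrets.");
    return;
  }

  LOGGER.info("[" + fingerprint + "] completed intialization of Open Secret Server.");
  resp.setStatus(HttpServletResponse.SC_OK);
}

/**
 * Hex-encodes the fingerprint of an SSH key blob for use in log lines.
 *
 * @param keyblob the SSH key blob as returned by {@code OSSToken.getKeyblob()}
 * @return the fingerprint as hex text (hex output is ASCII, so the platform charset used by
 *     {@code new String(byte[])} does not matter)
 */
private static String fingerprintHex(byte[] keyblob) {
  return new String(Hex.encode(CryptoHelper.sshKeyBlobFingerprint(keyblob)));
}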