This is an automated email from the ASF dual-hosted git repository.

ocket8888 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 33b86c5c62 Traffic Vault: Fix `reencrypt` utility to uniquely 
reencrypt ssl keys (#7159)
33b86c5c62 is described below

commit 33b86c5c62206f352cea6e6fbb62b5bf7f1f6e40
Author: Taylor Clayton Frey <[email protected]>
AuthorDate: Tue Oct 25 17:09:56 2022 -0600

    Traffic Vault: Fix `reencrypt` utility to uniquely reencrypt ssl keys 
(#7159)
    
    * Include ssl DS 'version' (not TLS version) when reencrypting DS SSL Key 
information
    
    * Changelog entry
    
    Co-authored-by: Taylor Frey <[email protected]>
---
 CHANGELOG.md                              |  1 +
 traffic_ops/app/db/reencrypt/reencrypt.go | 35 ++++++++++++++++++-------------
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2cd55cdaa..a84a14f39a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,7 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7048](https://github.com/apache/trafficcontrol/issues/7048) *Traffic 
Stats* Add configuration value to set the client request timeout for calls to 
Traffic Ops.
 - Updated Apache Tomcat from 9.0.43 to 9.0.67
 - [#7125](https://github.com/apache/trafficcontrol/issues/7125) *Docs* Reflect 
implementation and deprecation notice for `letsencrypt/autorenew` endpoint.
+- [#7158](https://github.com/apache/trafficcontrol/issues/7158) *Traffic 
Vault* Fix the `reencrypt` utility to uniquely reencrypt each version of the 
SSL Certificates.
 
 ## [7.0.0] - 2022-07-19
 ### Added
diff --git a/traffic_ops/app/db/reencrypt/reencrypt.go 
b/traffic_ops/app/db/reencrypt/reencrypt.go
index cd25ac34c1..2453befdee 100644
--- a/traffic_ops/app/db/reencrypt/reencrypt.go
+++ b/traffic_ops/app/db/reencrypt/reencrypt.go
@@ -160,49 +160,56 @@ func readKey(keyLocation string) ([]byte, error) {
        return key, nil
 }
 
+type sslInfo struct {
+       xmlId        string
+       version      string
+       previousData []byte
+       newData      []byte
+}
+
 func reEncryptSslKeys(tx *sql.Tx, previousKey []byte, newKey []byte) error {
-       rows, err := tx.Query("SELECT deliveryservice, data FROM sslkey")
+       rows, err := tx.Query("SELECT deliveryservice, version, data FROM 
sslkey")
        if err != nil {
                return fmt.Errorf("querying: %w", err)
        }
        defer rows.Close()
 
-       sslKeyMap := map[string][]byte{}
+       var sslKeyInfos []sslInfo
 
        for rows.Next() {
-               xmlid := ""
-               var encryptedSslKeys []byte
-               if err = rows.Scan(&xmlid, &encryptedSslKeys); err != nil {
+               sslKeyInfo := sslInfo{}
+
+               if err = rows.Scan(&sslKeyInfo.xmlId, &sslKeyInfo.version, 
&sslKeyInfo.previousData); err != nil {
                        return fmt.Errorf("getting SSL Keys: %w", err)
                }
-               jsonKeys, err := util.AESDecrypt(encryptedSslKeys, previousKey)
+               jsonKeys, err := util.AESDecrypt(sslKeyInfo.previousData, 
previousKey)
                if err != nil {
                        return fmt.Errorf("reading SSL Keys: %w", err)
                }
 
                if !bytes.HasPrefix(jsonKeys, []byte("{")) {
-                       return fmt.Errorf("decrypted SSL Key did not have 
prefix '{' for xmlid %s", xmlid)
+                       return fmt.Errorf("decrypted SSL Key did not have 
prefix '{' for xmlid %s", sslKeyInfo.xmlId)
                }
 
-               reencryptedKeys, err := util.AESEncrypt(jsonKeys, newKey)
+               sslKeyInfo.newData, err = util.AESEncrypt(jsonKeys, newKey)
                if err != nil {
                        return fmt.Errorf("encrypting SSL Keys with new key: 
%w", err)
                }
 
-               sslKeyMap[xmlid] = reencryptedKeys
+               sslKeyInfos = append(sslKeyInfos, sslKeyInfo)
        }
 
-       for xmlid, reencryptedKeys := range sslKeyMap {
-               res, err := tx.Exec(`UPDATE sslkey SET data = $1 WHERE 
deliveryservice = $2`, reencryptedKeys, xmlid)
+       for _, sslKeyInfo := range sslKeyInfos {
+               res, err := tx.Exec(`UPDATE sslkey SET data = $1 WHERE 
deliveryservice = $2 AND version = $3`, sslKeyInfo.newData, sslKeyInfo.xmlId, 
sslKeyInfo.version)
                if err != nil {
-                       return fmt.Errorf("updating SSL Keys for xmlid %s: %w", 
xmlid, err)
+                       return fmt.Errorf("updating SSL Keys for xmlid %s: %w", 
sslKeyInfo.xmlId, err)
                }
                rowsAffected, err := res.RowsAffected()
                if err != nil {
-                       return fmt.Errorf("determining rows affected for 
reencrypting SSL Keys with xmlid %s: %w", xmlid, err)
+                       return fmt.Errorf("determining rows affected for 
reencrypting SSL Keys with xmlid %s: %w", sslKeyInfo.xmlId, err)
                }
                if rowsAffected == 0 {
-                       return fmt.Errorf("no rows updated for reencrypting SSL 
Keys for xmlid %s", xmlid)
+                       return fmt.Errorf("no rows updated for reencrypting SSL 
Keys for xmlid %s", sslKeyInfo.xmlId)
                }
        }
 
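Review bot: The read loop (`for rows.Next()` in the middle of the hunk) never checks `rows.Err()` once it ends, so an iteration cut short by a driver or connection error looks exactly like a complete scan: the update loop then re-encrypts only the rows that were read and the function carries on as if it succeeded, which for a key-rotation tool leaves the unread sslkey rows under the old key and undecryptable once that key is retired. Add, between the read loop and the update loop, `if err := rows.Err(); err != nil { return fmt.Errorf("iterating SSL Keys: %w", err) }`. Separately, now that one delivery service can have several rows, every error message in the hunk still identifies the failing row by `sslKeyInfo.xmlId` alone; include the version too, e.g. `"decrypted SSL Key did not have prefix '{' for xmlid %s version %s"`, so an operator can locate the bad row. If (deliveryservice, version) is unique, as the new WHERE clause suggests, the final guard could be `rowsAffected != 1` rather than `== 0`, but I cannot confirm the schema from here. The body of `reEncryptSslKeys` continues past the end of the hunk.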
