tink-crypto / tink-tinkey

Utility that allows generating and manipulating Tink keysets
Apache License 2.0

--key-id option rarely working on Tinkey 1.10.0 #1

Closed xalvarez closed 11 months ago

xalvarez commented 11 months ago

Describe the bug:

Commands that require a --key-id option rarely work on Tinkey 1.10.0.

Given a key set including multiple keys, running commands with the option --key-id usually ends up with:

org.kohsuke.args4j.CmdLineException: "x" is not a valid value for "--key-id"

This doesn't happen with Tinkey 1.9.0.

What was the expected behavior?

Since a valid key-id was provided, the command should have worked.

How can we reproduce the bug?

Using bash:

Generate a new key-set:

./tinkey create-keyset --key-template=AES256_GCM

Add a new key to the key-set:

echo '<key_set_with_one_key>' | ./tinkey add-key --key-template=AES256_GCM

Promote the new key:

echo '<key_set_with_two_keys>' | ./tinkey promote-key --key-id <key-id>

Output:

Argument wrong!
org.kohsuke.args4j.CmdLineException: "x" is not a valid value for "--key-id"

What version of Tinkey are you using?

1.10.0

Can you tell us more about your development environment?

I'm using this Tinkey version: https://storage.googleapis.com/tinkey/tinkey-1.10.0.tar.gz

I'm running it on Ubuntu 22.04.

Is there anything else you'd like to add?

I couldn't reproduce this error with Tinkey 1.9.0

morambro commented 11 months ago

Hi @xalvarez,

I couldn't reproduce the issue. The following worked for me:

...:~# java --version
openjdk 11.0.19 2023-04-18
OpenJDK Runtime Environment (build 11.0.19+7-post-Ubuntu-0ubuntu118.04.1)
OpenJDK 64-Bit Server VM (build 11.0.19+7-post-Ubuntu-0ubuntu118.04.1, mixed mode, sharing)
...:~# curl -sS https://storage.googleapis.com/tinkey/tinkey-1.10.0.tar.gz -o tinkey.tar.gz
...:~# tar -zxvf tinkey.tar.gz
tinkey_deploy.jar
tinkey
tinkey.bat
...:~# KEYSET="$(./tinkey create-keyset --key-template=AES256_GCM)"
...:~# echo "${KEYSET}"
{"primaryKeyId":3717731505,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiBnypnRPZyoyMVhUcC91BNht/+WuyLog5xgfZxR6TTe7Q==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":3717731505,"outputPrefixType":"TINK"}]}
...:~# KEYSET="$(echo "${KEYSET}" | ./tinkey add-key --key-template=AES256_GCM)"
...:~# echo "${KEYSET}"
{"primaryKeyId":3717731505,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiBnypnRPZyoyMVhUcC91BNht/+WuyLog5xgfZxR6TTe7Q==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":3717731505,"outputPrefixType":"TINK"},{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiBCG5gnbg5u40Xdv1gU4RGHZbJTJ9mV1zNBesWL2GITaA==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":1417504640,"outputPrefixType":"TINK"}]}
...:~# echo "${KEYSET}" | ./tinkey promote-key --key-id 1417504640
{"primaryKeyId":1417504640,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiBnypnRPZyoyMVhUcC91BNht/+WuyLog5xgfZxR6TTe7Q==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":3717731505,"outputPrefixType":"TINK"},{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiBCG5gnbg5u40Xdv1gU4RGHZbJTJ9mV1zNBesWL2GITaA==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":1417504640,"outputPrefixType":"TINK"}]}

Can you please provide a repro that I can copy-paste?

xalvarez commented 11 months ago

Hi @morambro,

In my case I'm using JDK 17, not sure if that's relevant:

# java --version
openjdk version "17.0.8.1" 2023-08-24
OpenJDK Runtime Environment Temurin-17.0.8.1+1 (build 17.0.8.1+1)
OpenJDK 64-Bit Server VM Temurin-17.0.8.1+1 (build 17.0.8.1+1, mixed mode, sharing)

I can't always reproduce the issue. I executed the same commands you did three times in a row. The first two times everything worked, the third time it didn't:

# KEYSET="$(./tinkey create-keyset --key-template=AES256_GCM)"
# echo "${KEYSET}"
{"primaryKeyId":1373832914,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiDEWSWfvditpOD4+Xi+hq8mqGY3mhwZReoSlaZgU0rvLA==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":1373832914,"outputPrefixType":"TINK"}]}
# KEYSET="$(echo "${KEYSET}" | ./tinkey add-key --key-template=AES256_GCM)"
# echo "${KEYSET}"
{"primaryKeyId":1373832914,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiDEWSWfvditpOD4+Xi+hq8mqGY3mhwZReoSlaZgU0rvLA==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":1373832914,"outputPrefixType":"TINK"},{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"GiCKDRRRHQSnD0N/aJE6hMKQub+W2A2agfGzel6bsvNGBQ==","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":4052895615,"outputPrefixType":"TINK"}]}
# echo "${KEYSET}" | ./tinkey promote-key --key-id 4052895615
Argument wrong!
org.kohsuke.args4j.CmdLineException: "4052895615" is not a valid value for "--key-id"

morambro commented 11 months ago

I could reproduce the same issue you had in https://github.com/tink-crypto/tink-tinkey/issues/1#issuecomment-1772378627 with:

curl -sS https://storage.googleapis.com/tinkey/tinkey-1.10.0.tar.gz -o tinkey.tar.gz
tar -zxvf tinkey.tar.gz
cat <<'EOF' > test.sh
set -eou pipefail

for i in `seq 1 100`; do
    KEYSET="$(./tinkey create-keyset --key-template=AES256_GCM)"
    KEYSET="$(echo "${KEYSET}" | ./tinkey add-key --key-template=AES256_GCM)"
    KEY_ID="$(echo "$KEYSET" | grep -Po 'keyId":[0-9]+' | tail -1 | cut -d: -f2)"
    echo "${KEYSET}" | ./tinkey promote-key --key-id "${KEY_ID}"
done
EOF
bash test.sh
rm -rf test.sh

I got Argument wrong! org.kohsuke.args4j.CmdLineException: "4083652082" is not a valid value for "--key-id".

morambro commented 11 months ago

Couldn't reproduce this with v1.9.0. I'll take a deeper look into this.

morambro commented 11 months ago

Hi @xalvarez , the issue should be solved with https://github.com/tink-crypto/tink-tinkey/commit/8bd5e008d7f8c242ad7779ebdd745612d86e1402. Could you please try the latest snapshot?

xalvarez commented 11 months ago

Hi @morambro I couldn't reproduce the issue using the snapshot version :slightly_smiling_face: thank you!

morambro commented 11 months ago

Great, thanks! I will work on a patch release.

morambro commented 11 months ago

The fix is now in v1.10.1.
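
Added example (not part of the thread and not Tinkey code): the two key IDs rejected above, 4052895615 and 4083652082, are both larger than 2147483647 (the signed 32-bit maximum), while the ID that was accepted, 1417504640, is smaller. The thread does not state the root cause, so treating that threshold as the trigger is an assumption; the script below lists the key IDs in a JSON keyset and flags the ones above it. The function names and the sample keyset are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Tinkey code. Lists the key IDs in a Tink JSON keyset
# and flags those above the signed 32-bit maximum.
# Assumption: IDs above INT32_MAX are the ones Tinkey 1.10.0 rejects for
# --key-id; the thread shows the pattern but does not state the cause.

INT32_MAX=2147483647

# Constructed sample: key IDs taken from the thread, key material replaced
# by a placeholder string.
SAMPLE_KEYSET='{"primaryKeyId":1373832914,"key":[
 {"keyData":{"value":"PLACEHOLDER"},"status":"ENABLED","keyId":1373832914},
 {"keyData":{"value":"PLACEHOLDER"},"status":"ENABLED","keyId": 4052895615}]}'

# Print every per-key "keyId" found on stdin, one per line.
# "primaryKeyId" is not matched because the pattern requires the quote
# directly before a lowercase k.
key_ids() {
  grep -Eo '"keyId"[[:space:]]*:[[:space:]]*[0-9]+' | grep -Eo '[0-9]+$'
}

# Print only the IDs that do not fit in a signed 32-bit integer.
ids_above_int32() {
  key_ids | while read -r id; do
    if [ "$id" -gt "$INT32_MAX" ]; then
      echo "$id"
    fi
  done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_KEYSET" | ids_above_int32
```

Piping a real keyset into `ids_above_int32` shows which keys to expect trouble with when passing `--key-id` to 1.10.0; per the thread, 1.9.0 did not show the error and the fix is in v1.10.1.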