wohaph / keyczar

Automatically exported from code.google.com/p/keyczar

Cannot revoke a key from an encrypted keyset #96

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It appears that KeyczarTool is unable to revoke a key from an encrypted keyset 
(maybe not taking the --crypter argument):

$ KeyczarTool revoke --location=ek/ --version=1 --crypter=kek
org.keyczar.exceptions.KeyczarException: Must use an EncryptedReader to read  
encrypted key sets.
    at org.keyczar.Keyczar.<init>(Keyczar.java:88)
    at org.keyczar.GenericKeyczar.<init>(GenericKeyczar.java:30)
    at org.keyczar.KeyczarTool.createGenericKeyczar(KeyczarTool.java:503)
    at org.keyczar.KeyczarTool.createGenericKeyczar(KeyczarTool.java:478)
    at org.keyczar.KeyczarTool.revoke(KeyczarTool.java:444)
    at org.keyczar.KeyczarTool.main(KeyczarTool.java:138)

It seems like it probably doesn't actually need it to revoke an encrypted key, 
but ideally I suppose it shouldn't crash.

Original issue reported on code.google.com by mbarry%b...@gtempaccount.com on 4 May 2012 at 8:57

GoogleCodeExporter commented 9 years ago
This is a problem across both Java and Python that I ran across on the weekend 
and applies to all functions (promote, demote, etc.) once you add an encrypted 
key. Indeed, once an encrypted key is added, any pre-existing unencrypted keys 
are not usable. I have fixes for Python, but unfortunately the way the mocks are 
embedded in the code makes it difficult to write tests for, so I was reworking 
that before raising an issue. Unfortunately I've been too busy to finish it off 
so far this week; hopefully I will wrap it up on the weekend.

See 
http://code.google.com/r/rleftwich-lightkeeper/source/detail?r=39fea025cd98e473ae6d9fb04ecf60af92a1072c&name=fix_python_revoke_bug 
for a somewhat related bug where, after a revoke, the internal state of the 
Keyczar object is out of sync with the metadata, and if you access the revoked 
key through the same instance it is still present and, worse, will be rewritten 
to disk as unrevoked. A similar issue also appears to be present in Java.

Original comment by rleftw...@lightkeeper.com on 4 May 2012 at 9:11
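
The stale-state failure described in the comment above, as an added example that is not part of the original thread and is not Keyczar's code. It is a simplified model: the `Store`, `BuggyManager` and `FixedManager` classes, the sample keys and the assumed mechanism (a key cache kept separately from the metadata) are all hypothetical.

```python
# Simplified model of a keyset manager (hypothetical classes, not Keyczar's API).
# Metadata lists key versions; the manager also caches key material in memory.

class Store:
    """Constructed stand-in for the on-disk keyset: metadata plus key files."""
    def __init__(self, keys):
        self.meta = {v: "ACTIVE" for v in keys}   # version -> status
        self.files = dict(keys)                    # version -> key material


class BuggyManager:
    def __init__(self, store):
        self.store = store
        self.meta = dict(store.meta)
        self.cache = dict(store.files)             # in-memory key material

    def revoke(self, version):
        del self.meta[version]                     # metadata updated...
        # ...but self.cache still holds the key: state is now out of sync

    def get_key(self, version):
        return self.cache.get(version)

    def write(self):
        # Persisting from the stale cache resurrects the revoked version.
        self.store.files = dict(self.cache)
        self.store.meta = {v: self.meta.get(v, "ACTIVE") for v in self.cache}


class FixedManager(BuggyManager):
    def revoke(self, version):
        if version not in self.meta:
            raise KeyError(f"no such key version: {version}")
        del self.meta[version]
        self.cache.pop(version, None)              # drop key material too

    def write(self):
        # Refuse to persist if the cache and metadata ever disagree.
        if set(self.cache) != set(self.meta):
            raise RuntimeError("key cache and metadata out of sync")
        self.store.files = dict(self.cache)
        self.store.meta = dict(self.meta)


def revoke_and_save(manager_cls, version=1):
    store = Store({1: b"key-v1", 2: b"key-v2"})    # constructed sample keys
    mgr = manager_cls(store)
    mgr.revoke(version)
    still_usable = mgr.get_key(version) is not None
    mgr.write()
    return still_usable, sorted(store.meta)
```

A regression test for a real fix would assert the same two properties: the revoked version is unreachable through the same instance, and it is absent from the keyset after the next write.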

GoogleCodeExporter commented 9 years ago

Original comment by jtu...@gmail.com on 2 Mar 2013 at 9:30

GoogleCodeExporter commented 9 years ago
I've attached a patch for the Java side of this issue; I'm not good at Python, 
so someone else will have to implement that fix.

Unfortunately, there aren't any test cases for this fix, as the KeyczarToolTest 
class isn't really conducive to testing with encrypted keys, and I don't feel 
comfortable refactoring your test enough to make it happen.

Also, I could only update the English internationalization, as I don't know the 
other languages.

Original comment by yo.yo.yo...@gmail.com on 7 Oct 2014 at 9:17

Attachments: