I had a need to export individual keys from the keyrings used by our WebKDC and main WebLogin servers to ensure that our dev pool and production pool had a common key from which to pivot around. This allowed the previous keys used to still be valid but also provide the shared key\u00a0to cut-over to our next-gen servers. Digging into the keyring.c library I noticed that most of the framework was already in the library and that only a couple accessory functions needed to be written for the wa_keyring binary. The patch for this is below.<\/p>\n
From d824d427eff88c318877d64e0dfe3b2a56e4191f Mon Sep 17 00:00:00 2001\r\nFrom: Greg Kuchyt <gkuchyt@uvm.edu>\r\nDate: Tue, 7 Jun 2016 08:44:37 -0400\r\nSubject: [PATCH] Add export\/import functionality of individual keys in wa_keyring\r\n\r\n---\r\n tools\/wa_keyring.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n 1 files changed, 68 insertions(+), 0 deletions(-)\r\n\r\ndiff --git a\/tools\/wa_keyring.c b\/tools\/wa_keyring.c\r\nindex e78f7fb..44ad3b0 100644\r\n--- a\/tools\/wa_keyring.c\r\n+++ b\/tools\/wa_keyring.c\r\n@@ -32,6 +32,7 @@ Usage: %s [-hv] -f <keyring> list\\n\\\r\n \\n\\\r\n Functions:\\n\\\r\n add <valid-after> # add a new random key\\n\\\r\n+ export <id> # export key by id\\n\\\r\n gc <oldest-valid-after-to-keep> # garbage collect old keys\\n\\\r\n list # list keys\\n\\\r\n remove <id> # remove key by id\\n\\\r\n@@ -273,6 +274,60 @@ list_keyring(struct webauth_context *ctx, const char *keyring, bool verbose)\r\n }\r\n }\r\n \r\n+\/*\r\n+ * Export the key at the given slot such that it can be imported into a\r\n+ * keyring on a different server. Thus allowing keys to be synchronized\r\n+ * across servers that have divergent key histories.\r\n+ *\/\r\n+static void\r\n+export_key(struct webauth_context *ctx, const char *keyring, unsigned long n)\r\n+{\r\n+ struct webauth_keyring *ring;\r\n+ struct webauth_keyring *newring;\r\n+ const char *newkeyring = "export_wakeyring";\r\n+ struct webauth_keyring_entry *entry;\r\n+ int s;\r\n+\r\n+ s = webauth_keyring_read(ctx, keyring, &ring);\r\n+ if (s != WA_ERR_NONE)\r\n+ die_webauth(ctx, s, "cannot read keyring %s", keyring);\r\n+\r\n+ entry = &APR_ARRAY_IDX(ring->entries, n, struct webauth_keyring_entry);\r\n+ newring = webauth_keyring_new(ctx, 1);\r\n+ webauth_keyring_add(ctx, newring, entry->creation, entry->valid_after, entry->key);\r\n+ s = webauth_keyring_write(ctx, newring, newkeyring);\r\n+ if (s != WA_ERR_NONE)\r\n+ die_webauth(ctx, s, "cannot write new keyring %s", newkeyring);\r\n+}\r\n+\r\n+\/*\r\n+ * Import one keyring into another keyring. This allows keys from another\r\n+ * server to be synchronized with servers that have a divergent key history.\r\n+ *\/\r\n+static void\r\n+import_key(struct webauth_context *ctx, const char *keyring, const char *impkeyring) {\r\n+ struct webauth_keyring *ring;\r\n+ struct webauth_keyring *impring;\r\n+ struct webauth_keyring_entry *impentry;\r\n+ int s;\r\n+ size_t i;\r\n+\r\n+ s = webauth_keyring_read(ctx, keyring, &ring);\r\n+ if (s != WA_ERR_NONE)\r\n+ die_webauth(ctx, s, "cannot read keyring %s", keyring);\r\n+\r\n+ s = webauth_keyring_read(ctx, impkeyring, &impring);\r\n+ if (s != WA_ERR_NONE)\r\n+ die_webauth(ctx, s, "cannot read keyring %s", impkeyring);\r\n+\r\n+ for (i = 0; i < (size_t) impring->entries->nelts; i++) {\r\n+ impentry = &APR_ARRAY_IDX(impring->entries, i, struct webauth_keyring_entry);\r\n+ webauth_keyring_add(ctx, ring, impentry->creation, impentry->valid_after, impentry->key);\r\n+ }\r\n+ s = webauth_keyring_write(ctx, ring, keyring);\r\n+ if (s != WA_ERR_NONE)\r\n+ die_webauth(ctx, s, "cannot write new keyring %s", keyring);\r\n+}\r\n \r\n \/*\r\n * Add a new key to a keyring. Takes the path to the keyring and the offset\r\n@@ -418,6 +473,19 @@ main(int argc, char **argv)\r\n if (argc > 0)\r\n usage(1);\r\n list_keyring(ctx, keyring, verbose);\r\n+ } else if (strcmp(command, "export") == 0) {\r\n+ if (argc != 1)\r\n+ usage(1);\r\n+ errno = 0;\r\n+ id = strtoul(argv[0], &end, 10);\r\n+ if (errno != 0 || *end != '\0')\r\n+ die("invalid key id: %s", argv[0]);\r\n+ export_key(ctx, keyring, id);\r\n+ } else if (strcmp(command, "import") == 0) {\r\n+ if (argc != 1)\r\n+ usage(1);\r\n+ errno = 0;\r\n+ import_key(ctx, keyring, argv[0]);\r\n } else if (strcmp(command, "add") == 0) {\r\n if (argc != 1)\r\n usage(1);\r\n-- \r\n1.7.1\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"I had a need to export individual keys from the keyrings used by our WebKDC and main WebLogin servers to ensure that our dev pool and production pool had a common key from which to pivot around. This allowed the previous keys used to still be valid but also provide the shared key\u00a0to cut-over to […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[9],"tags":[],"class_list":["post-1046","post","type-post","status-publish","format-standard","hentry","category-work"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4mwGD-gS","_links":{"self":[{"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=\/wp\/v2\/posts\/1046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1046"}],"version-history":[{"count":6,"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=\/wp\/v2\/posts\/1046\/revisions"}],"predecessor-version":[{"id":1084,"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=\/wp\/v2\/posts\/1046\/revisions\/1084"}],"wp:attachment":[{"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1046"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.gregkuchyt.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}