Skip to content
This repository was archived by the owner on Nov 24, 2025. It is now read-only.

Traffic Vault: Fix reencrypt utility to uniquely reencrypt ssl keys#7159

Merged
ocket8888 merged 2 commits intoapache:masterfrom
tcfdev:fix/reencrypt_ssl_map
Oct 25, 2022
Merged

Traffic Vault: Fix reencrypt utility to uniquely reencrypt ssl keys#7159
ocket8888 merged 2 commits intoapache:masterfrom
tcfdev:fix/reencrypt_ssl_map

Conversation

@tcfdev
Copy link
Copy Markdown
Collaborator

@tcfdev tcfdev commented Oct 25, 2022
edited
Loading

Closes: #7158

A Traffic Vault utility called reencrypt allows for the ability to take previously encrypted values in the Traffic Vault DB and apply a new AES key for encryption. However, there was a bug that resulted in the "last" ssl key (misnomer) pulled from the DB during encryption would overwrite and wipe all other versions of ssl keys. This PR addresses said bug.

Which Traffic Control components are affected by this PR?

  • Traffic Vault (techinically a support utility call reencrypt)

What is the best way to verify this PR?

Previously existing "tests" should continue to work.

Manually verify:

  1. Obtain a dump of an existing DB with the AES key that was initially used to encrypt the data (Or create a DB with sufficient data and use an AES key to encrypt said data).
  2. Create a new, different AES key from the original.
  3. Restore the DB into a test/verification DB location.
  4. Run the reencrypt utility with the necessary connection info specified in the reencrypt.conf file, along with passing in the file path locations for the previous AES key as well as the new AES key.
  5. Observe that the data column in the sslkey table has been reencrypted AND unique values exist for each version under a particular Delivery Service.

If this is a bugfix, which Traffic Control versions contained the bug?

PR submission checklist

@mitchell852 mitchell852 added the Traffic Vault related to Traffic Vault label Oct 25, 2022
@ocket8888 ocket8888 added bug something isn't working as intended medium impact impacts a significant portion of a CDN, or has the potential to do so low difficulty the estimated level of effort to resolve this issue is low labels Oct 25, 2022
ocket8888
ocket8888 approved these changes Oct 25, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@ocket8888 ocket8888 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Appears to fix the bug

@ocket8888 ocket8888 merged commit 33b86c5 into apache:master Oct 25, 2022
@asf-ci asf-ci mentioned this pull request Nov 1, 2022
Merged
4 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@ocket8888 ocket8888 ocket8888 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug something isn't working as intended low difficulty the estimated level of effort to resolve this issue is low medium impact impacts a significant portion of a CDN, or has the potential to do so Traffic Vault related to Traffic Vault

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Traffic Vault: Reencrypt utility wipes different SSL Keys during update

3 participants

@tcfdev @ocket8888 @mitchell852