refactor wrapping key generation

builtin/logical/transit/backend.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"path"
 	"strconv"
 	"strings"
 	"sync"
@@ -49,6 +48,7 @@ func Backend(ctx context.Context, conf *logical.BackendConfig) (*backend, error)
 			b.pathRotate(),
 			b.pathRewrap(),
 			b.pathWrappingKey(),
+			b.pathImport(),
 			b.pathKeys(),
 			b.pathListKeys(),
 			b.pathExportKeys(),
@@ -157,33 +157,6 @@ func (b *backend) GetPolicy(ctx context.Context, polReq keysutil.PolicyRequest,
 	return p, true, nil
 }
 
-func (b *backend) GetWrappingKey(ctx context.Context, storage logical.Storage, keyName string, rand io.Reader) (*keysutil.Policy, error) {
-	// Load it from storage
-	p, err := keysutil.LoadPolicy(ctx, storage, path.Join("import", keyName))
-	if err != nil {
-		return nil, err
-	}
-
-	if p == nil {
-		p = &keysutil.Policy{
-			Name:                 keyName,
-			Type:                 keysutil.KeyType_RSA4096,
-			Derived:              false,
-			Exportable:           false,
-			AllowPlaintextBackup: false,
-			AutoRotatePeriod:     0,
-			StoragePrefix:        "import/",
-		}
-
-		err = p.Rotate(ctx, storage, rand)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return p, nil
-}
-
 func (b *backend) invalidate(ctx context.Context, key string) {
 	if b.Logger().IsDebug() {
 		b.Logger().Debug("invalidating key", "key", key)

builtin/logical/transit/path_wrapping_key.go

@@ -6,7 +6,10 @@ import (
 	"encoding/pem"
 	"fmt"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/keysutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"io"
+	"path"
 	"strconv"
 )
 
@@ -24,14 +27,16 @@ func (b *backend) pathWrappingKey() *framework.Path {
 }
 
 func (b *backend) pathWrappingKeyRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
-	p, err := b.GetWrappingKey(ctx, req.Storage, WrappingKeyName, b.GetRandomReader())
+	p, err := getWrappingKey(ctx, req.Storage)
 	if err != nil {
 		return nil, err
 	}
 	if p == nil {
-		return nil, fmt.Errorf("error generating wrapping key: returned policy was nil")
+		p, err = generateWrappingKey(ctx, req.Storage, b.GetRandomReader())
+		if err != nil {
+			return nil, err
+		}
 	}
-	defer p.Unlock()
 
 	rsaPublicKey := p.Keys[strconv.Itoa(p.LatestVersion)]
 
@@ -59,6 +64,34 @@ func (b *backend) pathWrappingKeyRead(ctx context.Context, req *logical.Request,
 	return resp, nil
 }
 
+func getWrappingKey(ctx context.Context, storage logical.Storage) (*keysutil.Policy, error) {
+	p, err := keysutil.LoadPolicy(ctx, storage, path.Join("import", "policy", WrappingKeyName))
+	if err != nil {
+		return nil, err
+	}
+
+	return p, nil
+}
+
+func generateWrappingKey(ctx context.Context, storage logical.Storage, rand io.Reader) (*keysutil.Policy, error) {
+	p := &keysutil.Policy{
+		Name:                 WrappingKeyName,
+		Type:                 keysutil.KeyType_RSA4096,
+		Derived:              false,
+		Exportable:           false,
+		AllowPlaintextBackup: false,
+		AutoRotatePeriod:     0,
+		StoragePrefix:        "import/",
+	}
+
+	err := p.Rotate(ctx, storage, rand)
+	if err != nil {
+		return nil, err
+	}
+
+	return p, nil
+}
+
 const pathWrappingKeyHelpSyn = "Returns the public key to use for wrapping imported keys"
 const pathWrappingKeyHelpDesc = "This path is used to retrieve the RSA-4096 wrapping key" +
 	"for wrapping keys that are being imported into transit."