
Panic when reading transit ed25519 key when audit file backend is enabled #2958

Closed
bruno opened this issue Jul 2, 2017 · 0 comments

bruno commented Jul 2, 2017

Summary:

When I try to read the details of a key created in the transit secret backend and the audit file backend is enabled, I get a panic.

Details:

  • Vault v0.7.3
  • Consul v0.8.5
  • macOS 10.12.5

I am setting up a test Vault with consul storage. I start with an empty consul, just bootstrapped, initialise the vault, unseal it, mount the transit backend, create the key with type ed25519 and try to read it. This returns the details of the key. I then enable the audit file backend, try to read the key and I get a panic.

Configuration:

vault.hcl

storage "consul" {
  address = "localhost:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

consul.json

{
  "http_config": {
    "response_headers": {
      "Access-Control-Allow-Origin": "*"
    }
  },
  "client_addr": "127.0.0.1",
  "datacenter": "dc1",
  "acl_datacenter": "dc1",
  "acl_master_token": "<uuidgen token>",
  "data_dir": "path-to-consul-data",
  "server": true,
  "bootstrap": true,
  "ui": true
}

Steps:

  1. start consul with consul agent -config-file=./consul/consul.json
  2. start vault with vault server -config=./vault/vault.hcl
  3. init vault, unseal it
  4. vault mount transit
  5. create key with curl -H 'X-Vault-Token: <root token>' -X POST http://localhost:8200/v1/transit/keys/boom -d '{ "type": "ed25519" }'
  6. view the key
$ curl -H 'X-Vault-Token: <root token>' -X GET http://localhost:8200/v1/transit/keys/boom
{"request_id":"901cc0d1-32f5-a98b-63c6-1792de1f6b91","lease_id":"","renewable":false,"lease_duration":0,"data":{"deletion_allowed":false,"derived":false,"exportable":false,"keys":{"1":{"name":"ed25519","public_key":"Vd1fvzQgF9RKzsWkxNguR4Wz04mrQ2yy7q1CbnVlZ4I=","creation_time":"2017-07-02T19:27:34.983833598-03:00"}},"latest_version":1,"min_decryption_version":1,"name":"boom","supports_decryption":false,"supports_derivation":true,"supports_encryption":false,"supports_signing":true,"type":"ed25519"},"wrap_info":null,"warnings":null,"auth":null}
  7. enable the audit backend
$ vault audit-enable file file_path=/Users/bruno/code/evergiving-vault/vault/logs/vault_audit.log
Successfully enabled audit backend 'file' with path 'file'!
  8. try to read the key again
$ curl -H 'X-Vault-Token: <root token>' -X GET http://localhost:8200/v1/transit/keys/boom
{"errors":["internal error"]}
  9. the logs on the console from vault:
2017/07/02 19:25:12.183020 [INFO ] core/startClusterListener: serving cluster requests: cluster_listen_address=[::]:8201
2017/07/02 19:26:23.172309 [INFO ] core: successful mount: path=transit/ type=transit
2017/07/02 19:28:13.366782 [INFO ] core: enabled audit backend: path=file/ type=file
2017/07/02 19:28:15.129826 [ERROR] audit: panic during logging: request_path=transit/keys/boom error="reflect: reflect.Value.Set using unaddressable value"
2017/07/02 19:28:15.129852 [ERROR] core: failed to audit response: request_path=transit/keys/boom error=1 error occurred:

* panic generating audit log
  10. the audit log only shows the request
{"time":"2017-07-02T22:42:01Z","type":"request","auth":{"client_token":"hmac-sha256:0dd264d0f3158ac0af34ff0a7bac620c5a221c0d6dfe051d41e295d918a93212","accessor":"hmac-sha256:2a738dd5d8e2006bc36e0b3594ab6e22c8899033880ce6460d5661d56c7312ad","display_name":"root","policies":["root"],"metadata":null},"request":{"id":"94857778-32e6-3594-b1e1-9257c623ce3b","operation":"read","client_token":"hmac-sha256:0dd264d0f3158ac0af34ff0a7bac620c5a221c0d6dfe051d41e295d918a93212","client_token_accessor":"hmac-sha256:2a738dd5d8e2006bc36e0b3594ab6e22c8899033880ce6460d5661d56c7312ad","path":"transit/keys/boom","data":null,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"error":""}
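The console error above is the message Go's reflect package raises when code calls Set on a Value that is not addressable, for example a field of a struct that was stored by value inside a map[string]interface{}. The program below is an added illustration, not Vault's code: a small HMAC walker over a response shaped like the transit read (public key value taken from the issue) panics with that exact message when the key version is a struct value and succeeds when it is a nested map; keyVersion, walk, hashResponse, sampleResponses and the salt are constructed names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"reflect"
)
type keyVersion struct{ Name, PublicKey string } // a key version held as a struct value (constructed; not Vault's type)
func hmacString(s string, key []byte) string { // audit-log style "hmac-sha256:<hex>" scrub; key is a constructed salt
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s))
	return fmt.Sprintf("hmac-sha256:%x", m.Sum(nil))
}
// walk HMACs every string under v (map values assumed interface{}); SetMapIndex needs no addressability, but Set on a field of a struct reached as a map value panics.
func walk(v reflect.Value, key []byte) {
	switch v.Kind() {
	case reflect.Map:
		for _, k := range v.MapKeys() {
			if e := v.MapIndex(k).Elem(); e.Kind() == reflect.String {
				v.SetMapIndex(k, reflect.ValueOf(hmacString(e.String(), key)))
			} else {
				walk(e, key)
			}
		}
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			walk(v.Field(i), key)
		}
	case reflect.String:
		v.Set(reflect.ValueOf(hmacString(v.String(), key))) // "reflect: reflect.Value.Set using unaddressable value"
	}
}
// hashResponse scrubs a response for the audit log, returning a reflect panic as the issue's "panic during logging" error instead of crashing the backend.
func hashResponse(data map[string]interface{}, key []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic during logging: %v", r)
		}
	}()
	walk(reflect.ValueOf(data), key)
	return nil
}
// sampleResponses builds the issue's transit read response (public key from the issue) with the key version as a struct value (panics) and as a nested map (works).
func sampleResponses() (asStruct, asMap map[string]interface{}) {
	const pub = "Vd1fvzQgF9RKzsWkxNguR4Wz04mrQ2yy7q1CbnVlZ4I="
	asStruct = map[string]interface{}{"name": "boom", "keys": map[string]interface{}{"1": keyVersion{"ed25519", pub}}}
	asMap = map[string]interface{}{"name": "boom", "keys": map[string]interface{}{"1": map[string]interface{}{"name": "ed25519", "public_key": pub}}}
	return
}
```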