minio/cmd/crypto/kes.go

// MinIO Cloud Storage, (C) 2019-2020 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package crypto

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
	"time"

	jsoniter "github.com/json-iterator/go"
	xhttp "github.com/minio/minio/cmd/http"
	xnet "github.com/minio/minio/pkg/net"
)

var json = jsoniter.ConfigCompatibleWithStandardLibrary

// ErrKESKeyExists is the error returned a KES server
// when a master key does exist.
var ErrKESKeyExists = NewKESError(http.StatusBadRequest, "key does already exist")

// KesConfig contains the configuration required
// to initialize and connect to a kes server.
type KesConfig struct {
	Enabled bool

	// The KES server endpoints.
	Endpoint []string

	// The path to the TLS private key used
	// by MinIO to authenticate to the kes
	// server during the TLS handshake (mTLS).
	KeyFile string

	// The path to the TLS certificate used
	// by MinIO to authenticate to the kes
	// server during the TLS handshake (mTLS).
	//
	// The kes server will also allow or deny
	// access based on this certificate.
	// In particular, the kes server will
	// lookup the policy that corresponds to
	// the identity in this certificate.
	CertFile string

	// Path to a file or directory containing
	// the CA certificate(s) that issued / will
	// issue certificates for the kes server.
	//
	// This is required if the TLS certificate
	// of the kes server has not been issued
	// (e.g. b/c it's self-signed) by a CA that
	// MinIO trusts.
	CAPath string

	// The default key ID returned by KMS.KeyID().
	DefaultKeyID string

	// The HTTP transport configuration for
	// the KES client.
	Transport *http.Transport
}

// Verify verifies if the kes configuration is correct
func (k KesConfig) Verify() (err error) {
	switch {
	case len(k.Endpoint) == 0:
		err = Errorf("crypto: missing kes endpoint")
	case k.CertFile == "":
		err = Errorf("crypto: missing cert file")
	case k.KeyFile == "":
		err = Errorf("crypto: missing key file")
	case k.DefaultKeyID == "":
		err = Errorf("crypto: missing default key id")
	}
	return err
}

type kesService struct {
	client *kesClient

	endpoints    []string
	defaultKeyID string
}

// NewKes returns a new kes KMS client. The returned KMS
// uses the X.509 certificate to authenticate itself to
// the kes server available at address.
//
// The defaultKeyID is the key ID returned when calling
// KMS.KeyID().
func NewKes(cfg KesConfig) (KMS, error) {
	cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
	if err != nil {
		return nil, err
	}
	if cfg.Transport.TLSClientConfig != nil {
		if err = loadCACertificates(cfg.CAPath,
			cfg.Transport.TLSClientConfig.RootCAs); err != nil {
			return nil, err
		}
	} else {
		rootCAs, _ := x509.SystemCertPool()
		if rootCAs == nil {
			// In some systems (like Windows) system cert pool is
			// not supported or no certificates are present on the
			// system - so we create a new cert pool.
			rootCAs = x509.NewCertPool()
		}
		if err = loadCACertificates(cfg.CAPath, rootCAs); err != nil {
			return nil, err
		}
		cfg.Transport.TLSClientConfig = &tls.Config{
			RootCAs: rootCAs,
		}
	}
	cfg.Transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
	cfg.Transport.TLSClientConfig.NextProtos = []string{"h2"}

	return &kesService{
		client: &kesClient{
			endpoints: cfg.Endpoint,
			httpClient: http.Client{
				Transport: cfg.Transport,
			},
		},
		endpoints:    cfg.Endpoint,
		defaultKeyID: cfg.DefaultKeyID,
	}, nil
}

// DefaultKeyID returns the default key ID that should be
// used for SSE-S3 or SSE-KMS when the S3 client does not
// provide an explicit key ID.
func (kes *kesService) DefaultKeyID() string {
	return kes.defaultKeyID
}

// Info returns some information about the KES,
// configuration - like the endpoint or authentication
// method.
func (kes *kesService) Info() KMSInfo {
	return KMSInfo{
		Endpoints: kes.endpoints,
		Name:      kes.DefaultKeyID(),
		AuthType:  "TLS",
	}
}

// CreateKey tries to create a new master key with the given keyID.
func (kes *kesService) CreateKey(keyID string) error { return kes.client.CreateKey(keyID) }

// GenerateKey returns a new plaintext key, generated by the KMS,
// and a sealed version of this plaintext key encrypted using the
// named key referenced by keyID. It also binds the generated key
// cryptographically to the provided context.
func (kes *kesService) GenerateKey(keyID string, ctx Context) (key [32]byte, sealedKey []byte, err error) {
	context := ctx.AppendTo(make([]byte, 0, 128))

	var plainKey []byte
	plainKey, sealedKey, err = kes.client.GenerateDataKey(keyID, context)
	if err != nil {
		return key, nil, err
	}
	if len(plainKey) != len(key) {
		return key, nil, Errorf("crypto: received invalid plaintext key size from KMS")
	}
	copy(key[:], plainKey)
	return key, sealedKey, nil
}

// UnsealKey returns the decrypted sealedKey as plaintext key.
// Therefore it sends the sealedKey to the KMS which decrypts
// it using the named key referenced by keyID and responses with
// the plaintext key.
//
// The context must be same context as the one provided while
// generating the plaintext key / sealedKey.
func (kes *kesService) UnsealKey(keyID string, sealedKey []byte, ctx Context) (key [32]byte, err error) {
	context := ctx.AppendTo(make([]byte, 0, 128))

	var plainKey []byte
	plainKey, err = kes.client.DecryptDataKey(keyID, sealedKey, context)
	if err != nil {
		return key, err
	}
	if len(plainKey) != len(key) {
		return key, Errorf("crypto: received invalid plaintext key size from KMS")
	}
	copy(key[:], plainKey)
	return key, nil
}

// kesClient implements the bare minimum functionality needed for
// MinIO to talk to a KES server. In particular, it implements
//   • CreateKey       (API: /v1/key/create/)
//   • GenerateDataKey (API: /v1/key/generate/)
//   • DecryptDataKey  (API: /v1/key/decrypt/)
type kesClient struct {
	endpoints  []string
	httpClient http.Client
}

// CreateKey tries to create a new cryptographic key with
// the specified name.
//
// The key will be generated by the server. The client
// application does not have the cryptographic key at
// any point in time.
func (c *kesClient) CreateKey(name string) error {
	path := fmt.Sprintf("/v1/key/create/%s", url.PathEscape(name))
	_, err := c.postRetry(path, nil, 0) // No request body and no response expected
	if err != nil {
		return err
	}
	return nil
}

// GenerateDataKey requests a new data key from the KES server.
// On success, the KES server will respond with the plaintext key
// and the ciphertext key as the plaintext key encrypted with
// the key specified by name.
//
// The optional context is crytpo. bound to the generated data key
// such that you have to provide the same context when decrypting
// the data key.
func (c *kesClient) GenerateDataKey(name string, context []byte) ([]byte, []byte, error) {
	type Request struct {
		Context []byte `json:"context"`
	}
	type Response struct {
		Plaintext  []byte `json:"plaintext"`
		Ciphertext []byte `json:"ciphertext"`
	}

	body, err := json.Marshal(Request{
		Context: context,
	})
	if err != nil {
		return nil, nil, err
	}

	const limit = 1 << 20 // A plaintext/ciphertext key pair will never be larger than 1 MB
	path := fmt.Sprintf("/v1/key/generate/%s", url.PathEscape(name))
	resp, err := c.postRetry(path, bytes.NewReader(body), limit)
	if err != nil {
		return nil, nil, err
	}

	var response Response
	if err = json.NewDecoder(resp).Decode(&response); err != nil {
		return nil, nil, err
	}
	return response.Plaintext, response.Ciphertext, nil
}

// GenerateDataKey decrypts an encrypted data key with the key
// specified by name by talking to the KES server.
// On success, the KES server will respond with the plaintext key.
//
// The optional context must match the value you provided when
// generating the data key.
func (c *kesClient) DecryptDataKey(name string, ciphertext, context []byte) ([]byte, error) {
	type Request struct {
		Ciphertext []byte `json:"ciphertext"`
		Context    []byte `json:"context,omitempty"`
	}
	type Response struct {
		Plaintext []byte `json:"plaintext"`
	}

	body, err := json.Marshal(Request{
		Ciphertext: ciphertext,
		Context:    context,
	})
	if err != nil {
		return nil, err
	}

	const limit = 1 << 20 // A data key will never be larger than 1 MiB
	path := fmt.Sprintf("/v1/key/decrypt/%s", url.PathEscape(name))
	resp, err := c.postRetry(path, bytes.NewReader(body), limit)
	if err != nil {
		return nil, err
	}

	var response Response
	if err = json.NewDecoder(resp).Decode(&response); err != nil {
		return nil, err
	}
	return response.Plaintext, nil
}

// NewKESError returns a new KES API error with the given
// HTTP status code and error message.
//
// Two errors with the same status code and
// error message are equal:
//   e1 == e2 // true.
func NewKESError(code int, text string) error {
	return kesError{
		code:    code,
		message: text,
	}
}

type kesError struct {
	code    int
	message string
}

// Status returns the HTTP status code of the error.
func (e kesError) Status() int { return e.code }

// Status returns the error message of the error.
func (e kesError) Error() string { return e.message }

func parseErrorResponse(resp *http.Response) error {
	if resp == nil || resp.StatusCode < 400 {
		return nil
	}
	if resp.Body == nil {
		return NewKESError(resp.StatusCode, "")
	}
	defer resp.Body.Close()

	const MaxBodySize = 1 << 20
	var size = resp.ContentLength
	if size < 0 || size > MaxBodySize {
		size = MaxBodySize
	}

	contentType := strings.TrimSpace(resp.Header.Get("Content-Type"))
	if strings.HasPrefix(contentType, "application/json") {
		type Response struct {
			Message string `json:"message"`
		}
		var response Response
		if err := json.NewDecoder(io.LimitReader(resp.Body, size)).Decode(&response); err != nil {
			return err
		}
		return NewKESError(resp.StatusCode, response.Message)
	}

	var sb strings.Builder
	if _, err := io.Copy(&sb, io.LimitReader(resp.Body, size)); err != nil {
		return err
	}
	return NewKESError(resp.StatusCode, sb.String())
}

func (c *kesClient) post(url string, body io.Reader, limit int64) (io.Reader, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()

	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")

	resp, err := c.httpClient.Do(req)
	if err != nil {
		return nil, err
	}
	// Drain the entire body to make sure we have re-use connections
	defer xhttp.DrainBody(resp.Body)

	if resp.StatusCode != http.StatusOK {
		return nil, parseErrorResponse(resp)
	}

	// We have to copy the response body due to draining.
	var respBody bytes.Buffer
	if _, err = io.Copy(&respBody, io.LimitReader(resp.Body, limit)); err != nil {
		return nil, err
	}
	return &respBody, nil
}

func (c *kesClient) postRetry(path string, body io.ReadSeeker, limit int64) (io.Reader, error) {
	retryMax := 1 + len(c.endpoints)
	for i := 0; ; i++ {
		if body != nil {
			body.Seek(0, io.SeekStart) // seek to the beginning of the body.
		}

		response, err := c.post(c.endpoints[i%len(c.endpoints)]+path, body, limit)
		if err == nil {
			return response, nil
		}

		// If the error is not temp. / retryable => fail the request immediately.
		if !xnet.IsNetworkOrHostDown(err, false) &&
			!errors.Is(err, io.EOF) &&
			!errors.Is(err, io.ErrUnexpectedEOF) &&
			!errors.Is(err, context.DeadlineExceeded) {
			return nil, err
		}
		if remain := retryMax - i; remain <= 0 { // Fail if we exceeded our retry limit.
			return response, err
		}

		// If there are more KES instances then skip waiting and
		// try the next endpoint directly.
		if i < len(c.endpoints) {
			continue
		}
		<-time.After(LinearJitterBackoff(retryWaitMin, retryWaitMax, i))
	}
}

// loadCACertificates returns a new CertPool
// that contains all system root CA certificates
// and any PEM-encoded certificate(s) found at
// path.
//
// If path is a file, loadCACertificates will
// try to parse it as PEM-encoded certificate.
// If this fails, it returns an error.
//
// If path is a directory it tries to parse each
// file as PEM-encoded certificate and add it to
// the CertPool. If a file is not a PEM certificate
// it will be ignored.
func loadCACertificates(path string, rootCAs *x509.CertPool) error {
	if path == "" {
		return nil
	}

	stat, err := os.Stat(path)
	if err != nil {
		if os.IsNotExist(err) || os.IsPermission(err) {
			return nil
		}
		return Errorf("crypto: cannot open '%s': %v", path, err)
	}

	// If path is a file, parse as PEM-encoded certifcate
	// and try to add it to the CertPool. If this fails
	// return an error.
	if !stat.IsDir() {
		cert, err := ioutil.ReadFile(path)
		if err != nil {
			return err
		}
		if !rootCAs.AppendCertsFromPEM(cert) {
			return Errorf("crypto: '%s' is not a valid PEM-encoded certificate", path)
		}
		return nil
	}

	// If path is a directory then try
	// to parse each file as PEM-encoded
	// certificate and add it to the CertPool.
	// If a file is not a PEM-encoded certificate
	// we ignore it.
	files, err := ioutil.ReadDir(path)
	if err != nil {
		return err
	}
	for _, file := range files {
		cert, err := ioutil.ReadFile(filepath.Join(path, file.Name()))
		if err != nil {
			continue // ignore files which are not readable
		}
		rootCAs.AppendCertsFromPEM(cert) // ignore files which are not PEM certtificates
	}
	return nil

}