sse-kms: fix assignment to potential nil map (#12250)

This commit fixes a bug introduced by af0c65b. When there is no / an empty client-provided SSE-KMS context the `ParseMetadata` may return a nil map (`kms.Context`). When unsealing the object key we must check that the context is nil before assigning a key-value pair. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-01-23 12:43:16 -05:00 · 2021-05-07 18:16:49 +02:00 · 2021-05-07 18:16:49 +02:00 · 0ba8c0a19b
commit 0ba8c0a19b
parent cb0b36f8c2
1 changed files with 6 additions and 3 deletions
--- a/cmd/crypto/sse-kms.go
+++ b/cmd/crypto/sse-kms.go
@ -28,6 +28,7 @@ import (
 	jsoniter "github.com/json-iterator/go"
 	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
+	"github.com/minio/minio/pkg/kms"
 )

 type ssekms struct{}
@ -94,15 +95,17 @@ func (ssekms) IsEncrypted(metadata map[string]string) bool {
 // UnsealObjectKey extracts and decrypts the sealed object key
 // from the metadata using KMS and returns the decrypted object
 // key.
-func (s3 ssekms) UnsealObjectKey(kms KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
+func (s3 ssekms) UnsealObjectKey(KMS kms.KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
 	keyID, kmsKey, sealedKey, ctx, err := s3.ParseMetadata(metadata)
 	if err != nil {
 		return key, err
 	}
-	if _, ok := ctx[bucket]; !ok {
+	if ctx == nil {
+		ctx = kms.Context{bucket: path.Join(bucket, object)}
+	} else if _, ok := ctx[bucket]; !ok {
 		ctx[bucket] = path.Join(bucket, object)
 	}
-	unsealKey, err := kms.DecryptKey(keyID, kmsKey, ctx)
+	unsealKey, err := KMS.DecryptKey(keyID, kmsKey, ctx)
 	if err != nil {
 		return key, err
 	}