MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

rename all remaining packages to internal/ (#12418)

Browse Source 
This is to ensure that there are no projects
that try to import `minio/minio/pkg` into
their own repo. Any such common packages should
go to `https://github.com/minio/pkg`
This commit is contained in:
Harshavardhana
2021-06-01 14:59:40 -07:00
committed by GitHub
parent bf87c4b1e4
commit 1f262daf6f
540 changed files with 757 additions and 778 deletions
Download Patch File Download Diff File Expand all files Collapse all files

259
internal/kms/context.go Normal file
View File

@@ -0,0 +1,259 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"bytes"
"sort"
"unicode/utf8"
)
// Context is a set of key-value pairs that
// are associated with a generate data encryption
// key (DEK).
//
// A KMS implementation may bind the context to the
// generated DEK such that the same context must be
// provided when decrypting an encrypted DEK.
type Context map[string]string
// MarshalText returns a canonical text representation of
// the Context.
// MarshalText sorts the context keys and writes the sorted
// key-value pairs as canonical JSON object. The sort order
// is based on the un-escaped keys. It never returns an error.
func (c Context) MarshalText() ([]byte, error) {
if len(c) == 0 {
return []byte{'{', '}'}, nil
}
// Pre-allocate a buffer - 128 bytes is an arbitrary
// heuristic value that seems like a good starting size.
var b = bytes.NewBuffer(make([]byte, 0, 128))
if len(c) == 1 {
for k, v := range c {
b.WriteString(`{"`)
escapeStringJSON(b, k)
b.WriteString(`":"`)
escapeStringJSON(b, v)
b.WriteString(`"}`)
}
return b.Bytes(), nil
}
sortedKeys := make([]string, 0, len(c))
for k := range c {
sortedKeys = append(sortedKeys, k)
}
sort.Strings(sortedKeys)
b.WriteByte('{')
for i, k := range sortedKeys {
b.WriteByte('"')
escapeStringJSON(b, k)
b.WriteString(`":"`)
escapeStringJSON(b, c[k])
b.WriteByte('"')
if i < len(sortedKeys)-1 {
b.WriteByte(',')
}
}
b.WriteByte('}')
return b.Bytes(), nil
}
// Adapted from Go stdlib.
var hexTable = "0123456789abcdef"
// escapeStringJSON will escape a string for JSON and write it to dst.
func escapeStringJSON(dst *bytes.Buffer, s string) {
start := 0
for i := 0; i < len(s); {
if b := s[i]; b < utf8.RuneSelf {
if htmlSafeSet[b] {
i++
continue
}
if start < i {
dst.WriteString(s[start:i])
}
dst.WriteByte('\\')
switch b {
case '\\', '"':
dst.WriteByte(b)
case '\n':
dst.WriteByte('n')
case '\r':
dst.WriteByte('r')
case '\t':
dst.WriteByte('t')
default:
// This encodes bytes < 0x20 except for \t, \n and \r.
// If escapeHTML is set, it also escapes <, >, and &
// because they can lead to security holes when
// user-controlled strings are rendered into JSON
// and served to some browsers.
dst.WriteString(`u00`)
dst.WriteByte(hexTable[b>>4])
dst.WriteByte(hexTable[b&0xF])
}
i++
start = i
continue
}
c, size := utf8.DecodeRuneInString(s[i:])
if c == utf8.RuneError && size == 1 {
if start < i {
dst.WriteString(s[start:i])
}
dst.WriteString(`\ufffd`)
i += size
start = i
continue
}
// U+2028 is LINE SEPARATOR.
// U+2029 is PARAGRAPH SEPARATOR.
// They are both technically valid characters in JSON strings,
// but don't work in JSONP, which has to be evaluated as JavaScript,
// and can lead to security holes there. It is valid JSON to
// escape them, so we do so unconditionally.
// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
if c == '\u2028' || c == '\u2029' {
if start < i {
dst.WriteString(s[start:i])
}
dst.WriteString(`\u202`)
dst.WriteByte(hexTable[c&0xF])
i += size
start = i
continue
}
i += size
}
if start < len(s) {
dst.WriteString(s[start:])
}
}
// htmlSafeSet holds the value true if the ASCII character with the given
// array position can be safely represented inside a JSON string, embedded
// inside of HTML <script> tags, without any additional escaping.
//
// All values are true except for the ASCII control characters (0-31), the
// double quote ("), the backslash character ("\"), HTML opening and closing
// tags ("<" and ">"), and the ampersand ("&").
var htmlSafeSet = [utf8.RuneSelf]bool{
' ': true,
'!': true,
'"': false,
'#': true,
'$': true,
'%': true,
'&': false,
'\'': true,
'(': true,
')': true,
'*': true,
'+': true,
',': true,
'-': true,
'.': true,
'/': true,
'0': true,
'1': true,
'2': true,
'3': true,
'4': true,
'5': true,
'6': true,
'7': true,
'8': true,
'9': true,
':': true,
';': true,
'<': false,
'=': true,
'>': false,
'?': true,
'@': true,
'A': true,
'B': true,
'C': true,
'D': true,
'E': true,
'F': true,
'G': true,
'H': true,
'I': true,
'J': true,
'K': true,
'L': true,
'M': true,
'N': true,
'O': true,
'P': true,
'Q': true,
'R': true,
'S': true,
'T': true,
'U': true,
'V': true,
'W': true,
'X': true,
'Y': true,
'Z': true,
'[': true,
'\\': false,
']': true,
'^': true,
'_': true,
'`': true,
'a': true,
'b': true,
'c': true,
'd': true,
'e': true,
'f': true,
'g': true,
'h': true,
'i': true,
'j': true,
'k': true,
'l': true,
'm': true,
'n': true,
'o': true,
'p': true,
'q': true,
'r': true,
's': true,
't': true,
'u': true,
'v': true,
'w': true,
'x': true,
'y': true,
'z': true,
'{': true,
'|': true,
'}': true,
'~': true,
'\u007f': true,
}

72
internal/kms/dek_test.go Normal file
View File

@@ -0,0 +1,72 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"bytes"
"encoding/base64"
"testing"
)
var dekEncodeDecodeTests = []struct {
Key DEK
}{
{
Key: DEK{},
},
{
Key: DEK{
Plaintext: nil,
Ciphertext: mustDecodeB64("eyJhZWFkIjoiQUVTLTI1Ni1HQ00tSE1BQy1TSEEtMjU2IiwiaXYiOiJ3NmhLUFVNZXVtejZ5UlVZL29pTFVBPT0iLCJub25jZSI6IktMSEU3UE1jRGo2N2UweHkiLCJieXRlcyI6Ik1wUkhjQWJaTzZ1Sm5lUGJGcnpKTkxZOG9pdkxwTmlUcTNLZ0hWdWNGYkR2Y0RlbEh1c1lYT29zblJWVTZoSXIifQ=="),
},
},
{
Key: DEK{
Plaintext: mustDecodeB64("GM2UvLXp/X8lzqq0mibFC0LayDCGlmTHQhYLj7qAy7Q="),
Ciphertext: mustDecodeB64("eyJhZWFkIjoiQUVTLTI1Ni1HQ00tSE1BQy1TSEEtMjU2IiwiaXYiOiJ3NmhLUFVNZXVtejZ5UlVZL29pTFVBPT0iLCJub25jZSI6IktMSEU3UE1jRGo2N2UweHkiLCJieXRlcyI6Ik1wUkhjQWJaTzZ1Sm5lUGJGcnpKTkxZOG9pdkxwTmlUcTNLZ0hWdWNGYkR2Y0RlbEh1c1lYT29zblJWVTZoSXIifQ=="),
},
},
}
func TestEncodeDecodeDEK(t *testing.T) {
for i, test := range dekEncodeDecodeTests {
text, err := test.Key.MarshalText()
if err != nil {
t.Fatalf("Test %d: failed to marshal DEK: %v", i, err)
}
var key DEK
if err = key.UnmarshalText(text); err != nil {
t.Fatalf("Test %d: failed to unmarshal DEK: %v", i, err)
}
if key.Plaintext != nil {
t.Fatalf("Test %d: unmarshaled DEK contains non-nil plaintext", i)
}
if !bytes.Equal(key.Ciphertext, test.Key.Ciphertext) {
t.Fatalf("Test %d: ciphertext mismatch: got %x - want %x", i, key.Ciphertext, test.Key.Ciphertext)
}
}
}
func mustDecodeB64(s string) []byte {
b, err := base64.StdEncoding.DecodeString(s)
if err != nil {
panic(err)
}
return b
}

142
internal/kms/kes.go Normal file
View File

@@ -0,0 +1,142 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"time"
"github.com/minio/kes"
)
// Config contains various KMS-related configuration
// parameters - like KMS endpoints or authentication
// credentials.
type Config struct {
// Endpoints contains a list of KMS server
// HTTP endpoints.
Endpoints []string
// DefaultKeyID is the key ID used when
// no explicit key ID is specified for
// a cryptographic operation.
DefaultKeyID string
// Certificate is the client TLS certificate
// to authenticate to KMS via mTLS.
Certificate tls.Certificate
// RootCAs is a set of root CA certificates
// to verify the KMS server TLS certificate.
RootCAs *x509.CertPool
}
// NewWithConfig returns a new KMS using the given
// configuration.
func NewWithConfig(config Config) (KMS, error) {
if len(config.Endpoints) == 0 {
return nil, errors.New("kms: no server endpoints")
}
var endpoints = make([]string, len(config.Endpoints)) // Copy => avoid being affect by any changes to the original slice
copy(endpoints, config.Endpoints)
client := kes.NewClientWithConfig("", &tls.Config{
MinVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{config.Certificate},
RootCAs: config.RootCAs,
})
client.Endpoints = endpoints
return &kesClient{
client: client,
defaultKeyID: config.DefaultKeyID,
}, nil
}
type kesClient struct {
defaultKeyID string
client *kes.Client
}
var _ KMS = (*kesClient)(nil) // compiler check
// Stat returns the current KES status containing a
// list of KES endpoints and the default key ID.
func (c *kesClient) Stat() (Status, error) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
if _, err := c.client.Version(ctx); err != nil {
return Status{}, err
}
var endpoints = make([]string, len(c.client.Endpoints))
copy(endpoints, c.client.Endpoints)
return Status{
Name: "KES",
Endpoints: endpoints,
DefaultKey: c.defaultKeyID,
}, nil
}
// CreateKey tries to create a new key at the KMS with the
// given key ID.
//
// If the a key with the same keyID already exists then
// CreateKey returns kes.ErrKeyExists.
func (c *kesClient) CreateKey(keyID string) error {
return c.client.CreateKey(context.Background(), keyID)
}
// GenerateKey generates a new data encryption key using
// the key at the KES server referenced by the key ID.
//
// The default key ID will be used if keyID is empty.
//
// The context is associated and tied to the generated DEK.
// The same context must be provided when the generated
// key should be decrypted.
func (c *kesClient) GenerateKey(keyID string, ctx Context) (DEK, error) {
if keyID == "" {
keyID = c.defaultKeyID
}
ctxBytes, err := ctx.MarshalText()
if err != nil {
return DEK{}, err
}
dek, err := c.client.GenerateKey(context.Background(), keyID, ctxBytes)
if err != nil {
return DEK{}, err
}
return DEK{
KeyID: keyID,
Plaintext: dek.Plaintext,
Ciphertext: dek.Ciphertext,
}, nil
}
// DecryptKey decrypts the ciphertext with the key at the KES
// server referenced by the key ID. The context must match the
// context value used to generate the ciphertext.
func (c *kesClient) DecryptKey(keyID string, ciphertext []byte, ctx Context) ([]byte, error) {
ctxBytes, err := ctx.MarshalText()
if err != nil {
return nil, err
}
return c.client.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)
}

117
internal/kms/kms.go Normal file
View File

@@ -0,0 +1,117 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"encoding"
"encoding/json"
jsoniter "github.com/json-iterator/go"
)
// KMS is the generic interface that abstracts over
// different KMS implementations.
type KMS interface {
// Stat returns the current KMS status.
Stat() (Status, error)
// CreateKey creates a new key at the KMS with the given key ID.
CreateKey(keyID string) error
// GenerateKey generates a new data encryption key using the
// key referenced by the key ID.
//
// The KMS may use a default key if the key ID is empty.
// GenerateKey returns an error if the referenced key does
// not exist.
//
// The context is associated and tied to the generated DEK.
// The same context must be provided when the generated key
// should be decrypted. Therefore, it is the callers
// responsibility to remember the corresponding context for
// a particular DEK. The context may be nil.
GenerateKey(keyID string, context Context) (DEK, error)
// DecryptKey decrypts the ciphertext with the key referenced
// by the key ID. The context must match the context value
// used to generate the ciphertext.
DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error)
}
// Status describes the current state of a KMS.
type Status struct {
Name string // The name of the KMS
Endpoints []string // A set of the KMS endpoints
// DefaultKey is the key used when no explicit key ID
// is specified. It is empty if the KMS does not support
// a default key.
DefaultKey string
}
// DEK is a data encryption key. It consists of a
// plaintext-ciphertext pair and the ID of the key
// used to generate the ciphertext.
//
// The plaintext can be used for cryptographic
// operations - like encrypting some data. The
// ciphertext is the encrypted version of the
// plaintext data and can be stored on untrusted
// storage.
type DEK struct {
KeyID string
Plaintext []byte
Ciphertext []byte
}
var (
_ encoding.TextMarshaler = (*DEK)(nil)
_ encoding.TextUnmarshaler = (*DEK)(nil)
)
// MarshalText encodes the DEK's key ID and ciphertext
// as JSON.
func (d DEK) MarshalText() ([]byte, error) {
type JSON struct {
KeyID string `json:"keyid"`
Ciphertext []byte `json:"ciphertext"`
}
return json.Marshal(JSON{
KeyID: d.KeyID,
Ciphertext: d.Ciphertext,
})
}
// UnmarshalText tries to decode text as JSON representation
// of a DEK and sets DEK's key ID and ciphertext to the
// decoded values.
//
// It sets DEK's plaintext to nil.
func (d *DEK) UnmarshalText(text []byte) error {
type JSON struct {
KeyID string `json:"keyid"`
Ciphertext []byte `json:"ciphertext"`
}
var v JSON
var json = jsoniter.ConfigCompatibleWithStandardLibrary
if err := json.Unmarshal(text, &v); err != nil {
return err
}
d.KeyID, d.Plaintext, d.Ciphertext = v.KeyID, nil, v.Ciphertext
return nil
}

232
internal/kms/single-key.go Normal file
View File

@@ -0,0 +1,232 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"crypto/aes"
"crypto/cipher"
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"strconv"
"strings"
jsoniter "github.com/json-iterator/go"
"github.com/secure-io/sio-go/sioutil"
"golang.org/x/crypto/chacha20"
"golang.org/x/crypto/chacha20poly1305"
)
// Parse parses s as single-key KMS. The given string
// is expected to have the following format:
// <key-id>:<base64-key>
//
// The returned KMS implementation uses the parsed
// key ID and key to derive new DEKs and decrypt ciphertext.
func Parse(s string) (KMS, error) {
v := strings.SplitN(s, ":", 2)
if len(v) != 2 {
return nil, errors.New("kms: invalid master key format")
}
var keyID, b64Key = v[0], v[1]
key, err := base64.StdEncoding.DecodeString(b64Key)
if err != nil {
return nil, err
}
return New(keyID, key)
}
// New returns a single-key KMS that derives new DEKs from the
// given key.
func New(keyID string, key []byte) (KMS, error) {
if len(key) != 32 {
return nil, errors.New("kms: invalid key length " + strconv.Itoa(len(key)))
}
return secretKey{
keyID: keyID,
key: key,
}, nil
}
// secretKey is a KMS implementation that derives new DEKs
// from a single key.
type secretKey struct {
keyID string
key []byte
}
var _ KMS = secretKey{} // compiler check
const ( // algorithms used to derive and encrypt DEKs
algorithmAESGCM = "AES-256-GCM-HMAC-SHA-256"
algorithmChaCha20Poly1305 = "ChaCha20Poly1305"
)
func (kms secretKey) Stat() (Status, error) {
return Status{
Name: "SecretKey",
DefaultKey: kms.keyID,
}, nil
}
func (secretKey) CreateKey(string) error {
return errors.New("kms: creating keys is not supported")
}
func (kms secretKey) GenerateKey(keyID string, context Context) (DEK, error) {
if keyID == "" {
keyID = kms.keyID
}
if keyID != kms.keyID {
return DEK{}, fmt.Errorf("kms: key %q does not exist", keyID)
}
iv, err := sioutil.Random(16)
if err != nil {
return DEK{}, err
}
var algorithm string
if sioutil.NativeAES() {
algorithm = algorithmAESGCM
} else {
algorithm = algorithmChaCha20Poly1305
}
var aead cipher.AEAD
switch algorithm {
case algorithmAESGCM:
mac := hmac.New(sha256.New, kms.key)
mac.Write(iv)
sealingKey := mac.Sum(nil)
var block cipher.Block
block, err = aes.NewCipher(sealingKey)
if err != nil {
return DEK{}, err
}
aead, err = cipher.NewGCM(block)
if err != nil {
return DEK{}, err
}
case algorithmChaCha20Poly1305:
var sealingKey []byte
sealingKey, err = chacha20.HChaCha20(kms.key, iv)
if err != nil {
return DEK{}, err
}
aead, err = chacha20poly1305.New(sealingKey)
if err != nil {
return DEK{}, err
}
default:
return DEK{}, errors.New("invalid algorithm: " + algorithm)
}
nonce, err := sioutil.Random(aead.NonceSize())
if err != nil {
return DEK{}, err
}
plaintext, err := sioutil.Random(32)
if err != nil {
return DEK{}, err
}
associatedData, _ := context.MarshalText()
ciphertext := aead.Seal(nil, nonce, plaintext, associatedData)
var json = jsoniter.ConfigCompatibleWithStandardLibrary
ciphertext, err = json.Marshal(encryptedKey{
Algorithm: algorithm,
IV: iv,
Nonce: nonce,
Bytes: ciphertext,
})
if err != nil {
return DEK{}, err
}
return DEK{
KeyID: keyID,
Plaintext: plaintext,
Ciphertext: ciphertext,
}, nil
}
func (kms secretKey) DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) {
if keyID != kms.keyID {
return nil, fmt.Errorf("kms: key %q does not exist", keyID)
}
var encryptedKey encryptedKey
var json = jsoniter.ConfigCompatibleWithStandardLibrary
if err := json.Unmarshal(ciphertext, &encryptedKey); err != nil {
return nil, err
}
if n := len(encryptedKey.IV); n != 16 {
return nil, fmt.Errorf("kms: invalid iv size")
}
var aead cipher.AEAD
switch encryptedKey.Algorithm {
case algorithmAESGCM:
mac := hmac.New(sha256.New, kms.key)
mac.Write(encryptedKey.IV)
sealingKey := mac.Sum(nil)
block, err := aes.NewCipher(sealingKey[:])
if err != nil {
return nil, err
}
aead, err = cipher.NewGCM(block)
if err != nil {
return nil, err
}
case algorithmChaCha20Poly1305:
sealingKey, err := chacha20.HChaCha20(kms.key, encryptedKey.IV)
if err != nil {
return nil, err
}
aead, err = chacha20poly1305.New(sealingKey)
if err != nil {
return nil, err
}
default:
return nil, fmt.Errorf("kms: invalid algorithm: %q", encryptedKey.Algorithm)
}
if n := len(encryptedKey.Nonce); n != aead.NonceSize() {
return nil, fmt.Errorf("kms: invalid nonce size %d", n)
}
associatedData, _ := context.MarshalText()
plaintext, err := aead.Open(nil, encryptedKey.Nonce, encryptedKey.Bytes, associatedData)
if err != nil {
return nil, fmt.Errorf("kms: encrypted key is not authentic")
}
return plaintext, nil
}
type encryptedKey struct {
Algorithm string `json:"aead"`
IV []byte `json:"iv"`
Nonce []byte `json:"nonce"`
Bytes []byte `json:"bytes"`
}

87
internal/kms/single-key_test.go Normal file
View File

@@ -0,0 +1,87 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package kms
import (
"bytes"
"encoding/base64"
"testing"
)
func TestSingleKeyRoundtrip(t *testing.T) {
KMS, err := Parse("my-key:eEm+JI9/q4JhH8QwKvf3LKo4DEBl6QbfvAl1CAbMIv8=")
if err != nil {
t.Fatalf("Failed to initialize KMS: %v", err)
}
key, err := KMS.GenerateKey("my-key", Context{})
if err != nil {
t.Fatalf("Failed to generate key: %v", err)
}
plaintext, err := KMS.DecryptKey(key.KeyID, key.Ciphertext, Context{})
if err != nil {
t.Fatalf("Failed to decrypt key: %v", err)
}
if !bytes.Equal(key.Plaintext, plaintext) {
t.Fatalf("Decrypted key does not match generated one: got %x - want %x", key.Plaintext, plaintext)
}
}
func TestDecryptKey(t *testing.T) {
KMS, err := Parse("my-key:eEm+JI9/q4JhH8QwKvf3LKo4DEBl6QbfvAl1CAbMIv8=")
if err != nil {
t.Fatalf("Failed to initialize KMS: %v", err)
}
for i, test := range decryptKeyTests {
dataKey, err := base64.StdEncoding.DecodeString(test.Plaintext)
if err != nil {
t.Fatalf("Test %d: failed to decode plaintext key: %v", i, err)
}
ciphertext, err := base64.StdEncoding.DecodeString(test.Ciphertext)
if err != nil {
t.Fatalf("Test %d: failed to decode ciphertext key: %v", i, err)
}
plaintext, err := KMS.DecryptKey(test.KeyID, ciphertext, test.Context)
if err != nil {
t.Fatalf("Test %d: failed to decrypt key: %v", i, err)
}
if !bytes.Equal(plaintext, dataKey) {
t.Fatalf("Test %d: decrypted key does not generated one: got %x - want %x", i, plaintext, dataKey)
}
}
}
var decryptKeyTests = []struct {
KeyID string
Plaintext string
Ciphertext string
Context Context
}{
{
KeyID: "my-key",
Plaintext: "zmS7NrG765UZ0ZN85oPjybelxqVvpz01vxsSpOISy2M=",
Ciphertext: "eyJhZWFkIjoiQ2hhQ2hhMjBQb2x5MTMwNSIsIml2IjoiSmJJK3Z3dll3dzFsQ2I1VnBrQUZ1UT09Iiwibm9uY2UiOiJBUmpJakp4QlNENTQxR3o4IiwiYnl0ZXMiOiJLQ2JFYzJzQTBUTHZBN2FXVFdhMjNBZGNjVmZKTXBPeHdnRzhobSs0UGFOcnhZZnkxeEZXWmcyZ0VlblZyT2d2In0=",
},
{
KeyID: "my-key",
Plaintext: "UnPWsZgVI+T4L9WGNzFlP1PsP1Z6hn2Fx8ISeZfDGnA=",
Ciphertext: "eyJhZWFkIjoiQ2hhQ2hhMjBQb2x5MTMwNSIsIml2IjoicjQreWZpVmJWSVlSMFoySTlGcSs2Zz09Iiwibm9uY2UiOiIyWXB3R3dFNTlHY1ZyYUkzIiwiYnl0ZXMiOiJrL3N2TWdsT1U3L0tnd3Y3M2hlRzM4TldXNTc1WExjRnAzU2F4UUhETWpKR1l5UkkzRml5Z3UyT2V1dEdQWE5MIn0=",
Context: Context{"key": "value"},
},
}