From 427826abc5789e4436b529a5eb22bff0a5d361d2 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Thu, 24 Apr 2025 17:33:57 +0200
Subject: [PATCH] update `minio/kms-go/kms` SDK (#21233)

Signed-off-by: Andreas Auernhammer
---
 go.mod                 |  3 ++-
 go.sum                 |  6 ++++--
 internal/kms/config.go |  3 ++-
 internal/kms/kms.go    | 21 +++++++++------------
 4 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index ea893b7ec..6a92bce6e 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.24.0
 toolchain go1.24.2
 
 require (
+	aead.dev/mtls v0.2.1
 	cloud.google.com/go/storage v1.46.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
@@ -50,7 +51,7 @@ require (
 	github.com/minio/dperf v0.6.3
 	github.com/minio/highwayhash v1.0.3
 	github.com/minio/kms-go/kes v0.3.1
-	github.com/minio/kms-go/kms v0.4.0
+	github.com/minio/kms-go/kms v0.5.1-0.20250225090116-4e64ce8d0f35
 	github.com/minio/madmin-go/v3 v3.0.109
 	github.com/minio/minio-go/v7 v7.0.90
 	github.com/minio/mux v1.9.2
diff --git a/go.sum b/go.sum
index 6448ea5ff..9849d3525 100644
--- a/go.sum
+++ b/go.sum
@@ -3,6 +3,8 @@ aead.dev/mem v0.2.0/go.mod h1:4qj+sh8fjDhlvne9gm/ZaMRIX9EkmDrKOLwmyDtoMWM=
 aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ=
 aead.dev/minisign v0.3.0 h1:8Xafzy5PEVZqYDNP60yJHARlW1eOQtsKNp/Ph2c0vRA=
 aead.dev/minisign v0.3.0/go.mod h1:NLvG3Uoq3skkRMDuc3YHpWUTMTrSExqm+Ij73W13F6Y=
+aead.dev/mtls v0.2.1 h1:47NHWciMvrmEhlkpnis8/RGEa9HR9gcbDPfcArG+Yqs=
+aead.dev/mtls v0.2.1/go.mod h1:rZvRApIcPkCNu2AgpFoaMxKBee/XVkKs7wEuYgqLI3Q=
 cel.dev/expr v0.22.0 h1:+hFFhLPmquBImfs1BiN2PZmkr5ASse2ZOuaxIs9e4R8=
 cel.dev/expr v0.22.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go v0.118.0 h1:tvZe1mgqRxpiVa3XlIGMiPcEUbP1gNXELgD4y/IXmeQ=
@@ -434,8 +436,8 @@ github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD
 github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/minio/kms-go/kes v0.3.1 h1:K3sPFAvFbJx33XlCTUBnQo8JRmSZyDvT6T2/MQ2iC3A=
 github.com/minio/kms-go/kes v0.3.1/go.mod h1:Q9Ct0KUAuN9dH0hSVa0eva45Jg99cahbZpPxeqR9rOQ=
-github.com/minio/kms-go/kms v0.4.0 h1:cLPZceEp+05xHotVBaeFJrgL7JcXM4lBy6PU0idkE7I=
-github.com/minio/kms-go/kms v0.4.0/go.mod h1:q12CehiIy2qgBnDKq6Q7wmPi2PHSyRVug5DKp0HAVeE=
+github.com/minio/kms-go/kms v0.5.1-0.20250225090116-4e64ce8d0f35 h1:ISNz42SPD+heeHhpl9bwMRRusPTCsbYKd1YoED265E0=
+github.com/minio/kms-go/kms v0.5.1-0.20250225090116-4e64ce8d0f35/go.mod h1:JFQu2srrnWxMn6KcwS5347oTwNKW7nkewgBlrodjF9k=
 github.com/minio/madmin-go/v3 v3.0.109 h1:hRHlJ6yaIB3tlIj5mz9L9mGcyLC37S9qL1WtFrRtyQ0=
 github.com/minio/madmin-go/v3 v3.0.109/go.mod h1:WOe2kYmYl1OIlY2DSRHVQ8j1v4OItARQ6jGyQqcCud8=
 github.com/minio/mc v0.0.0-20250312172924-c1d5d4cbb4ca h1:Zeu+Gbsw/yoqJofAFaU3zbIVr51j9LULUrQqKFLQnGA=
diff --git a/internal/kms/config.go b/internal/kms/config.go
index 906e9ec1c..7de651704 100644
--- a/internal/kms/config.go
+++ b/internal/kms/config.go
@@ -33,6 +33,7 @@ import (
 	"syscall"
 	"time"
 
+	"aead.dev/mtls"
 	"github.com/minio/kms-go/kes"
 	"github.com/minio/kms-go/kms"
 	"github.com/minio/pkg/v3/certs"
@@ -131,7 +132,7 @@ func Connect(ctx context.Context, opts *ConnectionOptions) (*KMS, error) {
 		return nil, err
 	}
 
-	key, err := kms.ParseAPIKey(env.Get(EnvKMSAPIKey, ""))
+	key, err := mtls.ParsePrivateKey(env.Get(EnvKMSAPIKey, ""))
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/kms/kms.go b/internal/kms/kms.go
index bae60d69b..414d3795f 100644
--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
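Review bot: `mtls.ParsePrivateKey(env.Get(EnvKMSAPIKey, ""))` replaces the old `kms.ParseAPIKey` call, but the `return nil, err` right after it still passes the parser's error up without context, so a malformed key at startup gives the operator nothing that points at the setting, and whether the library's error text echoes the secret input is not visible here. I would wrap it with the variable name only, `return nil, fmt.Errorf("kms: parsing %s as a private key: %w", EnvKMSAPIKey, err)`, which names the setting without repeating its value (assuming `fmt` is imported in this file). It also looks like the accepted encoding may differ between the two parsers; if values that `kms.ParseAPIKey` accepted are no longer parsed, existing deployments fail at startup, which is worth a sentence in the commit description or a release note. `Connect` starts and ends outside the hunk.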
@@ -335,15 +335,14 @@ func (c *kmsConn) ListKeys(ctx context.Context, req *ListRequest) ([]madmin.KMSK
 	for i, v := range resp.Items {
 		keyInfos[i].Name = v.Name
 		keyInfos[i].CreatedAt = v.CreatedAt
-		keyInfos[i].CreatedBy = string(v.CreatedBy)
+		keyInfos[i].CreatedBy = v.CreatedBy.String()
 	}
 	return keyInfos, resp.ContinueAt, nil
 }
 
 func (c *kmsConn) CreateKey(ctx context.Context, req *CreateKeyRequest) error {
-	if err := c.client.CreateKey(ctx, &kms.CreateKeyRequest{
-		Enclave: c.enclave,
-		Name:    req.Name,
+	if err := c.client.CreateKey(ctx, c.enclave, &kms.CreateKeyRequest{
+		Name: req.Name,
 	}); err != nil {
 		if errors.Is(err, kms.ErrKeyExists) {
 			return ErrKeyExists
@@ -367,8 +366,7 @@ func (c *kmsConn) GenerateKey(ctx context.Context, req *GenerateKeyRequest) (DEK
 		name = c.defaultKey
 	}
 
-	resp, err := c.client.GenerateKey(ctx, &kms.GenerateKeyRequest{
-		Enclave:        c.enclave,
+	resp, err := c.client.GenerateKey(ctx, c.enclave, &kms.GenerateKeyRequest{
 		Name:           name,
 		AssociatedData: aad,
 		Length:         32,
@@ -385,9 +383,9 @@ func (c *kmsConn) GenerateKey(ctx context.Context, req *GenerateKeyRequest) (DEK
 
 	return DEK{
 		KeyID:      name,
-		Version:    resp.Version,
-		Plaintext:  resp.Plaintext,
-		Ciphertext: resp.Ciphertext,
+		Version:    resp[0].Version,
+		Plaintext:  resp[0].Plaintext,
+		Ciphertext: resp[0].Ciphertext,
 	}, nil
 }
 
@@ -398,8 +396,7 @@ func (c *kmsConn) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, err
 	}
 
 	ciphertext, _ := parseCiphertext(req.Ciphertext)
-	resp, err := c.client.Decrypt(ctx, &kms.DecryptRequest{
-		Enclave:        c.enclave,
+	resp, err := c.client.Decrypt(ctx, c.enclave, &kms.DecryptRequest{
 		Name:           req.Name,
 		Ciphertext:     ciphertext,
 		AssociatedData: aad,
@@ -413,7 +410,7 @@ func (c *kmsConn) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, err
 		}
 		return nil, errDecryptionFailed(err)
 	}
-	return resp.Plaintext, nil
+	return resp[0].Plaintext, nil
 }
 
 // MAC generates the checksum of the given req.Message using the key
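Review bot: `resp[0].Version`, `resp[0].Plaintext` and `resp[0].Ciphertext` in the GenerateKey hunk index the new response without checking its length, so a well-formed but empty reply from the KMS (or one with fewer items than requested) becomes an index-out-of-range panic rather than an error; the `return resp[0].Plaintext, nil` in the last Decrypt hunk has the same gap. The preceding `if err != nil` branches only cover a failed call, not an empty result, assuming `resp` is a slice as the indexing suggests. I would guard each before the index, e.g. in GenerateKey `if len(resp) == 0 { return DEK{}, errors.New("kms: empty generate-key response") }` and the equivalent returning `nil, ...` in Decrypt, using whichever error constructor this file already applies to its other failure paths (`errDecryptionFailed` is the one visible here). `GenerateKey` and `Decrypt` both start outside their hunks.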