update minio/kms-go/kms SDK (#21233)

Signed-off-by: Andreas Auernhammer <github@aead.dev>
2025-10-29 15:55:00 -04:00 · 2025-04-24 17:33:57 +02:00 · 2025-04-24 17:33:57 +02:00 · 427826abc5
commit 427826abc5
parent 2780778c10
4 changed files with 17 additions and 16 deletions
--- a/go.mod
+++ b/go.mod
@ -5,6 +5,7 @@ go 1.24.0
 toolchain go1.24.2

 require (
+	aead.dev/mtls v0.2.1
 	cloud.google.com/go/storage v1.46.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
@ -50,7 +51,7 @@ require (
 	github.com/minio/dperf v0.6.3
 	github.com/minio/highwayhash v1.0.3
 	github.com/minio/kms-go/kes v0.3.1
-	github.com/minio/kms-go/kms v0.4.0
+	github.com/minio/kms-go/kms v0.5.1-0.20250225090116-4e64ce8d0f35
 	github.com/minio/madmin-go/v3 v3.0.109
 	github.com/minio/minio-go/v7 v7.0.90
 	github.com/minio/mux v1.9.2
--- a/go.sum
+++ b/go.sum
@ -3,6 +3,8 @@ aead.dev/mem v0.2.0/go.mod h1:4qj+sh8fjDhlvne9gm/ZaMRIX9EkmDrKOLwmyDtoMWM=
 aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ=
 aead.dev/minisign v0.3.0 h1:8Xafzy5PEVZqYDNP60yJHARlW1eOQtsKNp/Ph2c0vRA=
 aead.dev/minisign v0.3.0/go.mod h1:NLvG3Uoq3skkRMDuc3YHpWUTMTrSExqm+Ij73W13F6Y=
+aead.dev/mtls v0.2.1 h1:47NHWciMvrmEhlkpnis8/RGEa9HR9gcbDPfcArG+Yqs=
+aead.dev/mtls v0.2.1/go.mod h1:rZvRApIcPkCNu2AgpFoaMxKBee/XVkKs7wEuYgqLI3Q=
 cel.dev/expr v0.22.0 h1:+hFFhLPmquBImfs1BiN2PZmkr5ASse2ZOuaxIs9e4R8=
 cel.dev/expr v0.22.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go v0.118.0 h1:tvZe1mgqRxpiVa3XlIGMiPcEUbP1gNXELgD4y/IXmeQ=
@ -434,8 +436,8 @@ github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD
 github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/minio/kms-go/kes v0.3.1 h1:K3sPFAvFbJx33XlCTUBnQo8JRmSZyDvT6T2/MQ2iC3A=
 github.com/minio/kms-go/kes v0.3.1/go.mod h1:Q9Ct0KUAuN9dH0hSVa0eva45Jg99cahbZpPxeqR9rOQ=
-github.com/minio/kms-go/kms v0.4.0 h1:cLPZceEp+05xHotVBaeFJrgL7JcXM4lBy6PU0idkE7I=
-github.com/minio/kms-go/kms v0.4.0/go.mod h1:q12CehiIy2qgBnDKq6Q7wmPi2PHSyRVug5DKp0HAVeE=
+github.com/minio/kms-go/kms v0.5.1-0.20250225090116-4e64ce8d0f35 h1:ISNz42SPD+heeHhpl9bwMRRusPTCsbYKd1YoED265E0=
+github.com/minio/kms-go/kms v0.5.1-0.20250225090116-4e64ce8d0f35/go.mod h1:JFQu2srrnWxMn6KcwS5347oTwNKW7nkewgBlrodjF9k=
 github.com/minio/madmin-go/v3 v3.0.109 h1:hRHlJ6yaIB3tlIj5mz9L9mGcyLC37S9qL1WtFrRtyQ0=
 github.com/minio/madmin-go/v3 v3.0.109/go.mod h1:WOe2kYmYl1OIlY2DSRHVQ8j1v4OItARQ6jGyQqcCud8=
 github.com/minio/mc v0.0.0-20250312172924-c1d5d4cbb4ca h1:Zeu+Gbsw/yoqJofAFaU3zbIVr51j9LULUrQqKFLQnGA=
--- a/internal/kms/config.go
+++ b/internal/kms/config.go
@ -33,6 +33,7 @@ import (
 	"syscall"
 	"time"

+	"aead.dev/mtls"
 	"github.com/minio/kms-go/kes"
 	"github.com/minio/kms-go/kms"
 	"github.com/minio/pkg/v3/certs"
@ -131,7 +132,7 @@ func Connect(ctx context.Context, opts *ConnectionOptions) (*KMS, error) {
 			return nil, err
 		}

-		key, err := kms.ParseAPIKey(env.Get(EnvKMSAPIKey, ""))
+		key, err := mtls.ParsePrivateKey(env.Get(EnvKMSAPIKey, ""))
 		if err != nil {
 			return nil, err
 		}
--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
@ -335,15 +335,14 @@ func (c *kmsConn) ListKeys(ctx context.Context, req *ListRequest) ([]madmin.KMSK
 	for i, v := range resp.Items {
 		keyInfos[i].Name = v.Name
 		keyInfos[i].CreatedAt = v.CreatedAt
-		keyInfos[i].CreatedBy = string(v.CreatedBy)
+		keyInfos[i].CreatedBy = v.CreatedBy.String()
 	}
 	return keyInfos, resp.ContinueAt, nil
 }

 func (c *kmsConn) CreateKey(ctx context.Context, req *CreateKeyRequest) error {
-	if err := c.client.CreateKey(ctx, &kms.CreateKeyRequest{
-		Enclave: c.enclave,
-		Name:    req.Name,
+	if err := c.client.CreateKey(ctx, c.enclave, &kms.CreateKeyRequest{
+		Name: req.Name,
 	}); err != nil {
 		if errors.Is(err, kms.ErrKeyExists) {
 			return ErrKeyExists
@ -367,8 +366,7 @@ func (c *kmsConn) GenerateKey(ctx context.Context, req *GenerateKeyRequest) (DEK
 		name = c.defaultKey
 	}

-	resp, err := c.client.GenerateKey(ctx, &kms.GenerateKeyRequest{
-		Enclave:        c.enclave,
+	resp, err := c.client.GenerateKey(ctx, c.enclave, &kms.GenerateKeyRequest{
 		Name:           name,
 		AssociatedData: aad,
 		Length:         32,
@ -385,9 +383,9 @@ func (c *kmsConn) GenerateKey(ctx context.Context, req *GenerateKeyRequest) (DEK

 	return DEK{
 		KeyID:      name,
-		Version:    resp.Version,
-		Plaintext:  resp.Plaintext,
-		Ciphertext: resp.Ciphertext,
+		Version:    resp[0].Version,
+		Plaintext:  resp[0].Plaintext,
+		Ciphertext: resp[0].Ciphertext,
 	}, nil
 }

@ -398,8 +396,7 @@ func (c *kmsConn) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, err
 	}

 	ciphertext, _ := parseCiphertext(req.Ciphertext)
-	resp, err := c.client.Decrypt(ctx, &kms.DecryptRequest{
-		Enclave:        c.enclave,
+	resp, err := c.client.Decrypt(ctx, c.enclave, &kms.DecryptRequest{
 		Name:           req.Name,
 		Ciphertext:     ciphertext,
 		AssociatedData: aad,
@ -413,7 +410,7 @@ func (c *kmsConn) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, err
 		}
 		return nil, errDecryptionFailed(err)
 	}
-	return resp.Plaintext, nil
+	return resp[0].Plaintext, nil
 }

 // MAC generates the checksum of the given req.Message using the key