diff --git a/cmd/api-errors.go b/cmd/api-errors.go
index 9760495af..5bdc58034 100644
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -196,8 +196,9 @@ const (
ErrInvalidTagDirective
// Add new error codes here.
- // SSE-S3 related API errors
+ // SSE-S3/SSE-KMS related API errors
ErrInvalidEncryptionMethod
+ ErrInvalidEncryptionKeyID
// Server-Side-Encryption (with Customer provided key) related API errors.
ErrInsecureSSECustomerRequest
@@ -1072,6 +1073,11 @@ var errorCodes = errorCodeMap{
Description: "The encryption method specified is not supported",
HTTPStatusCode: http.StatusBadRequest,
},
+ ErrInvalidEncryptionKeyID: {
+ Code: "InvalidRequest",
+ Description: "The specified KMS KeyID contains unsupported characters",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
ErrInsecureSSECustomerRequest: {
Code: "InvalidRequest",
Description: "Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.",
@@ -1921,6 +1927,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
apiErr = ErrInvalidEncryptionParameters
case crypto.ErrInvalidEncryptionMethod:
apiErr = ErrInvalidEncryptionMethod
+ case crypto.ErrInvalidEncryptionKeyID:
+ apiErr = ErrInvalidEncryptionKeyID
case crypto.ErrInvalidCustomerAlgorithm:
apiErr = ErrInvalidSSECustomerAlgorithm
case crypto.ErrMissingCustomerKey:
diff --git a/cmd/apierrorcode_string.go b/cmd/apierrorcode_string.go
index 4552d751f..4dc6b888b 100644
--- a/cmd/apierrorcode_string.go
+++ b/cmd/apierrorcode_string.go
@@ -130,180 +130,181 @@ func _() {
_ = x[ErrObjectLockInvalidHeaders-119]
_ = x[ErrInvalidTagDirective-120]
_ = x[ErrInvalidEncryptionMethod-121]
- _ = x[ErrInsecureSSECustomerRequest-122]
- _ = x[ErrSSEMultipartEncrypted-123]
- _ = x[ErrSSEEncryptedObject-124]
- _ = x[ErrInvalidEncryptionParameters-125]
- _ = x[ErrInvalidSSECustomerAlgorithm-126]
- _ = x[ErrInvalidSSECustomerKey-127]
- _ = x[ErrMissingSSECustomerKey-128]
- _ = x[ErrMissingSSECustomerKeyMD5-129]
- _ = x[ErrSSECustomerKeyMD5Mismatch-130]
- _ = x[ErrInvalidSSECustomerParameters-131]
- _ = x[ErrIncompatibleEncryptionMethod-132]
- _ = x[ErrKMSNotConfigured-133]
- _ = x[ErrKMSKeyNotFoundException-134]
- _ = x[ErrNoAccessKey-135]
- _ = x[ErrInvalidToken-136]
- _ = x[ErrEventNotification-137]
- _ = x[ErrARNNotification-138]
- _ = x[ErrRegionNotification-139]
- _ = x[ErrOverlappingFilterNotification-140]
- _ = x[ErrFilterNameInvalid-141]
- _ = x[ErrFilterNamePrefix-142]
- _ = x[ErrFilterNameSuffix-143]
- _ = x[ErrFilterValueInvalid-144]
- _ = x[ErrOverlappingConfigs-145]
- _ = x[ErrUnsupportedNotification-146]
- _ = x[ErrContentSHA256Mismatch-147]
- _ = x[ErrReadQuorum-148]
- _ = x[ErrWriteQuorum-149]
- _ = x[ErrStorageFull-150]
- _ = x[ErrRequestBodyParse-151]
- _ = x[ErrObjectExistsAsDirectory-152]
- _ = x[ErrInvalidObjectName-153]
- _ = x[ErrInvalidObjectNamePrefixSlash-154]
- _ = x[ErrInvalidResourceName-155]
- _ = x[ErrServerNotInitialized-156]
- _ = x[ErrOperationTimedOut-157]
- _ = x[ErrClientDisconnected-158]
- _ = x[ErrOperationMaxedOut-159]
- _ = x[ErrInvalidRequest-160]
- _ = x[ErrTransitionStorageClassNotFoundError-161]
- _ = x[ErrInvalidStorageClass-162]
- _ = x[ErrBackendDown-163]
- _ = x[ErrMalformedJSON-164]
- _ = x[ErrAdminNoSuchUser-165]
- _ = x[ErrAdminNoSuchGroup-166]
- _ = x[ErrAdminGroupNotEmpty-167]
- _ = x[ErrAdminNoSuchPolicy-168]
- _ = x[ErrAdminInvalidArgument-169]
- _ = x[ErrAdminInvalidAccessKey-170]
- _ = x[ErrAdminInvalidSecretKey-171]
- _ = x[ErrAdminConfigNoQuorum-172]
- _ = x[ErrAdminConfigTooLarge-173]
- _ = x[ErrAdminConfigBadJSON-174]
- _ = x[ErrAdminNoSuchConfigTarget-175]
- _ = x[ErrAdminConfigEnvOverridden-176]
- _ = x[ErrAdminConfigDuplicateKeys-177]
- _ = x[ErrAdminCredentialsMismatch-178]
- _ = x[ErrInsecureClientRequest-179]
- _ = x[ErrObjectTampered-180]
- _ = x[ErrSiteReplicationInvalidRequest-181]
- _ = x[ErrSiteReplicationPeerResp-182]
- _ = x[ErrSiteReplicationBackendIssue-183]
- _ = x[ErrSiteReplicationServiceAccountError-184]
- _ = x[ErrSiteReplicationBucketConfigError-185]
- _ = x[ErrSiteReplicationBucketMetaError-186]
- _ = x[ErrSiteReplicationIAMError-187]
- _ = x[ErrSiteReplicationConfigMissing-188]
- _ = x[ErrAdminBucketQuotaExceeded-189]
- _ = x[ErrAdminNoSuchQuotaConfiguration-190]
- _ = x[ErrHealNotImplemented-191]
- _ = x[ErrHealNoSuchProcess-192]
- _ = x[ErrHealInvalidClientToken-193]
- _ = x[ErrHealMissingBucket-194]
- _ = x[ErrHealAlreadyRunning-195]
- _ = x[ErrHealOverlappingPaths-196]
- _ = x[ErrIncorrectContinuationToken-197]
- _ = x[ErrEmptyRequestBody-198]
- _ = x[ErrUnsupportedFunction-199]
- _ = x[ErrInvalidExpressionType-200]
- _ = x[ErrBusy-201]
- _ = x[ErrUnauthorizedAccess-202]
- _ = x[ErrExpressionTooLong-203]
- _ = x[ErrIllegalSQLFunctionArgument-204]
- _ = x[ErrInvalidKeyPath-205]
- _ = x[ErrInvalidCompressionFormat-206]
- _ = x[ErrInvalidFileHeaderInfo-207]
- _ = x[ErrInvalidJSONType-208]
- _ = x[ErrInvalidQuoteFields-209]
- _ = x[ErrInvalidRequestParameter-210]
- _ = x[ErrInvalidDataType-211]
- _ = x[ErrInvalidTextEncoding-212]
- _ = x[ErrInvalidDataSource-213]
- _ = x[ErrInvalidTableAlias-214]
- _ = x[ErrMissingRequiredParameter-215]
- _ = x[ErrObjectSerializationConflict-216]
- _ = x[ErrUnsupportedSQLOperation-217]
- _ = x[ErrUnsupportedSQLStructure-218]
- _ = x[ErrUnsupportedSyntax-219]
- _ = x[ErrUnsupportedRangeHeader-220]
- _ = x[ErrLexerInvalidChar-221]
- _ = x[ErrLexerInvalidOperator-222]
- _ = x[ErrLexerInvalidLiteral-223]
- _ = x[ErrLexerInvalidIONLiteral-224]
- _ = x[ErrParseExpectedDatePart-225]
- _ = x[ErrParseExpectedKeyword-226]
- _ = x[ErrParseExpectedTokenType-227]
- _ = x[ErrParseExpected2TokenTypes-228]
- _ = x[ErrParseExpectedNumber-229]
- _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-230]
- _ = x[ErrParseExpectedTypeName-231]
- _ = x[ErrParseExpectedWhenClause-232]
- _ = x[ErrParseUnsupportedToken-233]
- _ = x[ErrParseUnsupportedLiteralsGroupBy-234]
- _ = x[ErrParseExpectedMember-235]
- _ = x[ErrParseUnsupportedSelect-236]
- _ = x[ErrParseUnsupportedCase-237]
- _ = x[ErrParseUnsupportedCaseClause-238]
- _ = x[ErrParseUnsupportedAlias-239]
- _ = x[ErrParseUnsupportedSyntax-240]
- _ = x[ErrParseUnknownOperator-241]
- _ = x[ErrParseMissingIdentAfterAt-242]
- _ = x[ErrParseUnexpectedOperator-243]
- _ = x[ErrParseUnexpectedTerm-244]
- _ = x[ErrParseUnexpectedToken-245]
- _ = x[ErrParseUnexpectedKeyword-246]
- _ = x[ErrParseExpectedExpression-247]
- _ = x[ErrParseExpectedLeftParenAfterCast-248]
- _ = x[ErrParseExpectedLeftParenValueConstructor-249]
- _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-250]
- _ = x[ErrParseExpectedArgumentDelimiter-251]
- _ = x[ErrParseCastArity-252]
- _ = x[ErrParseInvalidTypeParam-253]
- _ = x[ErrParseEmptySelect-254]
- _ = x[ErrParseSelectMissingFrom-255]
- _ = x[ErrParseExpectedIdentForGroupName-256]
- _ = x[ErrParseExpectedIdentForAlias-257]
- _ = x[ErrParseUnsupportedCallWithStar-258]
- _ = x[ErrParseNonUnaryAgregateFunctionCall-259]
- _ = x[ErrParseMalformedJoin-260]
- _ = x[ErrParseExpectedIdentForAt-261]
- _ = x[ErrParseAsteriskIsNotAloneInSelectList-262]
- _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-263]
- _ = x[ErrParseInvalidContextForWildcardInSelectList-264]
- _ = x[ErrIncorrectSQLFunctionArgumentType-265]
- _ = x[ErrValueParseFailure-266]
- _ = x[ErrEvaluatorInvalidArguments-267]
- _ = x[ErrIntegerOverflow-268]
- _ = x[ErrLikeInvalidInputs-269]
- _ = x[ErrCastFailed-270]
- _ = x[ErrInvalidCast-271]
- _ = x[ErrEvaluatorInvalidTimestampFormatPattern-272]
- _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-273]
- _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-274]
- _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-275]
- _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-276]
- _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-277]
- _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-278]
- _ = x[ErrEvaluatorBindingDoesNotExist-279]
- _ = x[ErrMissingHeaders-280]
- _ = x[ErrInvalidColumnIndex-281]
- _ = x[ErrAdminConfigNotificationTargetsFailed-282]
- _ = x[ErrAdminProfilerNotEnabled-283]
- _ = x[ErrInvalidDecompressedSize-284]
- _ = x[ErrAddUserInvalidArgument-285]
- _ = x[ErrAdminResourceInvalidArgument-286]
- _ = x[ErrAdminAccountNotEligible-287]
- _ = x[ErrAccountNotEligible-288]
- _ = x[ErrAdminServiceAccountNotFound-289]
- _ = x[ErrPostPolicyConditionInvalidFormat-290]
+ _ = x[ErrInvalidEncryptionKeyID-122]
+ _ = x[ErrInsecureSSECustomerRequest-123]
+ _ = x[ErrSSEMultipartEncrypted-124]
+ _ = x[ErrSSEEncryptedObject-125]
+ _ = x[ErrInvalidEncryptionParameters-126]
+ _ = x[ErrInvalidSSECustomerAlgorithm-127]
+ _ = x[ErrInvalidSSECustomerKey-128]
+ _ = x[ErrMissingSSECustomerKey-129]
+ _ = x[ErrMissingSSECustomerKeyMD5-130]
+ _ = x[ErrSSECustomerKeyMD5Mismatch-131]
+ _ = x[ErrInvalidSSECustomerParameters-132]
+ _ = x[ErrIncompatibleEncryptionMethod-133]
+ _ = x[ErrKMSNotConfigured-134]
+ _ = x[ErrKMSKeyNotFoundException-135]
+ _ = x[ErrNoAccessKey-136]
+ _ = x[ErrInvalidToken-137]
+ _ = x[ErrEventNotification-138]
+ _ = x[ErrARNNotification-139]
+ _ = x[ErrRegionNotification-140]
+ _ = x[ErrOverlappingFilterNotification-141]
+ _ = x[ErrFilterNameInvalid-142]
+ _ = x[ErrFilterNamePrefix-143]
+ _ = x[ErrFilterNameSuffix-144]
+ _ = x[ErrFilterValueInvalid-145]
+ _ = x[ErrOverlappingConfigs-146]
+ _ = x[ErrUnsupportedNotification-147]
+ _ = x[ErrContentSHA256Mismatch-148]
+ _ = x[ErrReadQuorum-149]
+ _ = x[ErrWriteQuorum-150]
+ _ = x[ErrStorageFull-151]
+ _ = x[ErrRequestBodyParse-152]
+ _ = x[ErrObjectExistsAsDirectory-153]
+ _ = x[ErrInvalidObjectName-154]
+ _ = x[ErrInvalidObjectNamePrefixSlash-155]
+ _ = x[ErrInvalidResourceName-156]
+ _ = x[ErrServerNotInitialized-157]
+ _ = x[ErrOperationTimedOut-158]
+ _ = x[ErrClientDisconnected-159]
+ _ = x[ErrOperationMaxedOut-160]
+ _ = x[ErrInvalidRequest-161]
+ _ = x[ErrTransitionStorageClassNotFoundError-162]
+ _ = x[ErrInvalidStorageClass-163]
+ _ = x[ErrBackendDown-164]
+ _ = x[ErrMalformedJSON-165]
+ _ = x[ErrAdminNoSuchUser-166]
+ _ = x[ErrAdminNoSuchGroup-167]
+ _ = x[ErrAdminGroupNotEmpty-168]
+ _ = x[ErrAdminNoSuchPolicy-169]
+ _ = x[ErrAdminInvalidArgument-170]
+ _ = x[ErrAdminInvalidAccessKey-171]
+ _ = x[ErrAdminInvalidSecretKey-172]
+ _ = x[ErrAdminConfigNoQuorum-173]
+ _ = x[ErrAdminConfigTooLarge-174]
+ _ = x[ErrAdminConfigBadJSON-175]
+ _ = x[ErrAdminNoSuchConfigTarget-176]
+ _ = x[ErrAdminConfigEnvOverridden-177]
+ _ = x[ErrAdminConfigDuplicateKeys-178]
+ _ = x[ErrAdminCredentialsMismatch-179]
+ _ = x[ErrInsecureClientRequest-180]
+ _ = x[ErrObjectTampered-181]
+ _ = x[ErrSiteReplicationInvalidRequest-182]
+ _ = x[ErrSiteReplicationPeerResp-183]
+ _ = x[ErrSiteReplicationBackendIssue-184]
+ _ = x[ErrSiteReplicationServiceAccountError-185]
+ _ = x[ErrSiteReplicationBucketConfigError-186]
+ _ = x[ErrSiteReplicationBucketMetaError-187]
+ _ = x[ErrSiteReplicationIAMError-188]
+ _ = x[ErrSiteReplicationConfigMissing-189]
+ _ = x[ErrAdminBucketQuotaExceeded-190]
+ _ = x[ErrAdminNoSuchQuotaConfiguration-191]
+ _ = x[ErrHealNotImplemented-192]
+ _ = x[ErrHealNoSuchProcess-193]
+ _ = x[ErrHealInvalidClientToken-194]
+ _ = x[ErrHealMissingBucket-195]
+ _ = x[ErrHealAlreadyRunning-196]
+ _ = x[ErrHealOverlappingPaths-197]
+ _ = x[ErrIncorrectContinuationToken-198]
+ _ = x[ErrEmptyRequestBody-199]
+ _ = x[ErrUnsupportedFunction-200]
+ _ = x[ErrInvalidExpressionType-201]
+ _ = x[ErrBusy-202]
+ _ = x[ErrUnauthorizedAccess-203]
+ _ = x[ErrExpressionTooLong-204]
+ _ = x[ErrIllegalSQLFunctionArgument-205]
+ _ = x[ErrInvalidKeyPath-206]
+ _ = x[ErrInvalidCompressionFormat-207]
+ _ = x[ErrInvalidFileHeaderInfo-208]
+ _ = x[ErrInvalidJSONType-209]
+ _ = x[ErrInvalidQuoteFields-210]
+ _ = x[ErrInvalidRequestParameter-211]
+ _ = x[ErrInvalidDataType-212]
+ _ = x[ErrInvalidTextEncoding-213]
+ _ = x[ErrInvalidDataSource-214]
+ _ = x[ErrInvalidTableAlias-215]
+ _ = x[ErrMissingRequiredParameter-216]
+ _ = x[ErrObjectSerializationConflict-217]
+ _ = x[ErrUnsupportedSQLOperation-218]
+ _ = x[ErrUnsupportedSQLStructure-219]
+ _ = x[ErrUnsupportedSyntax-220]
+ _ = x[ErrUnsupportedRangeHeader-221]
+ _ = x[ErrLexerInvalidChar-222]
+ _ = x[ErrLexerInvalidOperator-223]
+ _ = x[ErrLexerInvalidLiteral-224]
+ _ = x[ErrLexerInvalidIONLiteral-225]
+ _ = x[ErrParseExpectedDatePart-226]
+ _ = x[ErrParseExpectedKeyword-227]
+ _ = x[ErrParseExpectedTokenType-228]
+ _ = x[ErrParseExpected2TokenTypes-229]
+ _ = x[ErrParseExpectedNumber-230]
+ _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-231]
+ _ = x[ErrParseExpectedTypeName-232]
+ _ = x[ErrParseExpectedWhenClause-233]
+ _ = x[ErrParseUnsupportedToken-234]
+ _ = x[ErrParseUnsupportedLiteralsGroupBy-235]
+ _ = x[ErrParseExpectedMember-236]
+ _ = x[ErrParseUnsupportedSelect-237]
+ _ = x[ErrParseUnsupportedCase-238]
+ _ = x[ErrParseUnsupportedCaseClause-239]
+ _ = x[ErrParseUnsupportedAlias-240]
+ _ = x[ErrParseUnsupportedSyntax-241]
+ _ = x[ErrParseUnknownOperator-242]
+ _ = x[ErrParseMissingIdentAfterAt-243]
+ _ = x[ErrParseUnexpectedOperator-244]
+ _ = x[ErrParseUnexpectedTerm-245]
+ _ = x[ErrParseUnexpectedToken-246]
+ _ = x[ErrParseUnexpectedKeyword-247]
+ _ = x[ErrParseExpectedExpression-248]
+ _ = x[ErrParseExpectedLeftParenAfterCast-249]
+ _ = x[ErrParseExpectedLeftParenValueConstructor-250]
+ _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-251]
+ _ = x[ErrParseExpectedArgumentDelimiter-252]
+ _ = x[ErrParseCastArity-253]
+ _ = x[ErrParseInvalidTypeParam-254]
+ _ = x[ErrParseEmptySelect-255]
+ _ = x[ErrParseSelectMissingFrom-256]
+ _ = x[ErrParseExpectedIdentForGroupName-257]
+ _ = x[ErrParseExpectedIdentForAlias-258]
+ _ = x[ErrParseUnsupportedCallWithStar-259]
+ _ = x[ErrParseNonUnaryAgregateFunctionCall-260]
+ _ = x[ErrParseMalformedJoin-261]
+ _ = x[ErrParseExpectedIdentForAt-262]
+ _ = x[ErrParseAsteriskIsNotAloneInSelectList-263]
+ _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-264]
+ _ = x[ErrParseInvalidContextForWildcardInSelectList-265]
+ _ = x[ErrIncorrectSQLFunctionArgumentType-266]
+ _ = x[ErrValueParseFailure-267]
+ _ = x[ErrEvaluatorInvalidArguments-268]
+ _ = x[ErrIntegerOverflow-269]
+ _ = x[ErrLikeInvalidInputs-270]
+ _ = x[ErrCastFailed-271]
+ _ = x[ErrInvalidCast-272]
+ _ = x[ErrEvaluatorInvalidTimestampFormatPattern-273]
+ _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-274]
+ _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-275]
+ _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-276]
+ _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-277]
+ _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-278]
+ _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-279]
+ _ = x[ErrEvaluatorBindingDoesNotExist-280]
+ _ = x[ErrMissingHeaders-281]
+ _ = x[ErrInvalidColumnIndex-282]
+ _ = x[ErrAdminConfigNotificationTargetsFailed-283]
+ _ = x[ErrAdminProfilerNotEnabled-284]
+ _ = x[ErrInvalidDecompressedSize-285]
+ _ = x[ErrAddUserInvalidArgument-286]
+ _ = x[ErrAdminResourceInvalidArgument-287]
+ _ = x[ErrAdminAccountNotEligible-288]
+ _ = x[ErrAccountNotEligible-289]
+ _ = x[ErrAdminServiceAccountNotFound-290]
+ _ = x[ErrPostPolicyConditionInvalidFormat-291]
}
-const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledMalformedPolicyMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParam
sBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectiveInvalidEncryptionMethodInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchPolicyAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncor
rectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSym
bolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormat"
+const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledMalformedPolicyMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParam
sBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectiveInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchPolicyAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHea
lOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTim
estampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormat"
-var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1253, 1283, 1292, 1304, 1320, 1333, 1347, 1365, 1385, 1406, 1422, 1433, 1449, 1477, 1497, 1513, 1541, 1555, 1572, 1587, 1600, 1614, 1627, 1640, 1656, 1673, 1694, 1708, 1729, 1742, 1764, 1787, 1812, 1828, 1843, 1858, 1879, 1897, 1912, 1929, 1954, 1972, 1995, 2010, 2029, 2045, 2064, 2078, 2086, 2105, 2115, 2130, 2166, 2197, 2230, 2259, 2271, 2291, 2315, 2339, 2360, 2384, 2403, 2426, 2452, 2473, 2491, 2518, 2545, 2566, 2587, 2611, 2636, 2664, 2692, 2708, 2731, 2742, 2754, 2771, 2786, 2804, 2833, 2850, 2866, 2882, 2900, 2918, 2941, 2962, 2972, 2983, 2994, 3010, 3033, 3050, 3078, 3097, 3117, 3134, 3152, 3169, 3183, 3218, 3237, 3248, 3261, 3276, 3292, 3310, 3327, 3347, 3368, 3389, 3408, 3427, 3445, 3468, 3492, 3516, 3540, 3561, 3575, 3604, 3627, 3654, 3688, 3720, 3750, 3773, 3801, 3825, 3854, 3872, 3889, 3911, 3928, 3946, 3966, 3992, 4008, 4027, 4048, 4052, 4070, 4087, 4113, 4127, 4151, 4172, 4187, 4205, 4228, 4243, 4262, 4279, 4296, 4320, 4347, 4370, 4393, 4410, 4432, 4448, 4468, 4487, 4509, 4530, 4550, 4572, 4596, 4615, 4657, 4678, 4701, 4722, 4753, 4772, 4794, 4814, 4840, 4861, 4883, 4903, 4927, 4950, 4969, 4989, 5011, 5034, 5065, 5103, 5144, 5174, 5188, 5209, 5225, 5247, 5277, 5303, 5331, 5364, 5382, 5405, 5440, 5480, 5522, 5554, 5571, 5596, 5611, 5628, 5638, 5649, 5687, 5741, 5787, 5839, 5887, 5930, 5974, 6002, 6016, 6034, 6070, 6093, 6116, 6138, 6166, 6189, 6207, 6234, 6266}
+var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1253, 1283, 1292, 1304, 1320, 1333, 1347, 1365, 1385, 1406, 1422, 1433, 1449, 1477, 1497, 1513, 1541, 1555, 1572, 1587, 1600, 1614, 1627, 1640, 1656, 1673, 1694, 1708, 1729, 1742, 1764, 1787, 1812, 1828, 1843, 1858, 1879, 1897, 1912, 1929, 1954, 1972, 1995, 2010, 2029, 2045, 2064, 2078, 2086, 2105, 2115, 2130, 2166, 2197, 2230, 2259, 2271, 2291, 2315, 2339, 2360, 2384, 2403, 2426, 2448, 2474, 2495, 2513, 2540, 2567, 2588, 2609, 2633, 2658, 2686, 2714, 2730, 2753, 2764, 2776, 2793, 2808, 2826, 2855, 2872, 2888, 2904, 2922, 2940, 2963, 2984, 2994, 3005, 3016, 3032, 3055, 3072, 3100, 3119, 3139, 3156, 3174, 3191, 3205, 3240, 3259, 3270, 3283, 3298, 3314, 3332, 3349, 3369, 3390, 3411, 3430, 3449, 3467, 3490, 3514, 3538, 3562, 3583, 3597, 3626, 3649, 3676, 3710, 3742, 3772, 3795, 3823, 3847, 3876, 3894, 3911, 3933, 3950, 3968, 3988, 4014, 4030, 4049, 4070, 4074, 4092, 4109, 4135, 4149, 4173, 4194, 4209, 4227, 4250, 4265, 4284, 4301, 4318, 4342, 4369, 4392, 4415, 4432, 4454, 4470, 4490, 4509, 4531, 4552, 4572, 4594, 4618, 4637, 4679, 4700, 4723, 4744, 4775, 4794, 4816, 4836, 4862, 4883, 4905, 4925, 4949, 4972, 4991, 5011, 5033, 5056, 5087, 5125, 5166, 5196, 5210, 5231, 5247, 5269, 5299, 5325, 5353, 5386, 5404, 5427, 5462, 5502, 5544, 5576, 5593, 5618, 5633, 5650, 5660, 5671, 5709, 5763, 5809, 5861, 5909, 5952, 5996, 6024, 6038, 6056, 6092, 6115, 6138, 6160, 6188, 6211, 6229, 6256, 6288}
func (i APIErrorCode) String() string {
if i < 0 || i >= APIErrorCode(len(_APIErrorCode_index)-1) {
diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go
index 925ed1bcc..9a947905a 100644
--- a/cmd/encryption-v1.go
+++ b/cmd/encryption-v1.go
@@ -82,7 +82,7 @@ func (o *MultipartInfo) KMSKeyID() string { return kmsKeyIDFromMetadata(o.UserDe
// metadata, if any. It returns an empty ID if no key ID is
// present.
func kmsKeyIDFromMetadata(metadata map[string]string) string {
- const ARNPrefix = "arn:aws:kms:"
+ const ARNPrefix = crypto.ARNPrefix
if len(metadata) == 0 {
return ""
}
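Review bot: The local `const ARNPrefix = crypto.ARNPrefix` in kmsKeyIDFromMetadata is now only an alias for the package constant. Referring to `crypto.ARNPrefix` directly at the use sites would remove the extra name and make it clear there is one shared definition. Those use sites sit further down the function, outside this hunk. A single definition matters here because `BucketSSEConfig.KeyID()` in this commit strips the same prefix, and the two code paths need to agree on it.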
diff --git a/internal/bucket/encryption/bucket-sse-config.go b/internal/bucket/encryption/bucket-sse-config.go
index 13e6114f6..dbf65dc57 100644
--- a/internal/bucket/encryption/bucket-sse-config.go
+++ b/internal/bucket/encryption/bucket-sse-config.go
@@ -22,6 +22,7 @@ import (
"errors"
"io"
"net/http"
+ "strings"
"github.com/minio/minio/internal/crypto"
xhttp "github.com/minio/minio/internal/http"
@@ -102,9 +103,14 @@ func ParseBucketSSEConfig(r io.Reader) (*BucketSSEConfig, error) {
return nil, errors.New("MasterKeyID is allowed with aws:kms only")
}
case AWSKms:
- if rule.DefaultEncryptionAction.MasterKeyID == "" {
+ keyID := rule.DefaultEncryptionAction.MasterKeyID
+ if keyID == "" {
return nil, errors.New("MasterKeyID is missing with aws:kms")
}
+ spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
+ if spaces {
+ return nil, errors.New("MasterKeyID contains unsupported characters")
+ }
}
}
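Review bot: The new whitespace check in the `AWSKms` case only looks for an ASCII space at the very start or end of the raw `MasterKeyID`, and it runs before the `arn:aws:kms:` prefix is stripped. A value such as `arn:aws:kms: my-key` therefore passes, and `KeyID()` then returns ` my-key` with the leading space; tabs and newlines at either end pass as well. Validating the stripped value would close both gaps: `keyID := strings.TrimPrefix(rule.DefaultEncryptionAction.MasterKeyID, crypto.ARNPrefix)` followed by `if strings.TrimSpace(keyID) != keyID {`. The same check appears in the `ParseHTTP` hunk in internal/crypto/sse-kms.go, where the value comes straight from a request header, and it has the same gap. `ParseBucketSSEConfig` starts and ends outside this hunk.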
@@ -164,7 +170,7 @@ func (b *BucketSSEConfig) Algo() Algorithm {
// empty key ID.
func (b *BucketSSEConfig) KeyID() string {
for _, rule := range b.Rules {
- return rule.DefaultEncryptionAction.MasterKeyID
+ return strings.TrimPrefix(rule.DefaultEncryptionAction.MasterKeyID, crypto.ARNPrefix)
}
return ""
}
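Review bot: `KeyID` can now return an empty string for an `aws:kms` rule, because `ParseBucketSSEConfig` tests the raw `MasterKeyID` for emptiness and a value of exactly `arn:aws:kms:` is accepted there and stripped to `""` here. What callers do with an empty key ID is not visible in this diff; if it selects a default key, a malformed configuration would silently encrypt under a different key than the operator named, so this is worth confirming. The doc comment, which begins above the hunk, should also say that the prefix is removed, for example `// The "arn:aws:kms:" prefix, if present, is stripped from the returned ID.`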
diff --git a/internal/bucket/encryption/bucket-sse-config_test.go b/internal/bucket/encryption/bucket-sse-config_test.go
index d1f6c6b42..5918e22a7 100644
--- a/internal/bucket/encryption/bucket-sse-config_test.go
+++ b/internal/bucket/encryption/bucket-sse-config_test.go
@@ -62,7 +62,7 @@ func TestParseBucketSSEConfig(t *testing.T) {
{
DefaultEncryptionAction: EncryptionAction{
Algorithm: AWSKms,
- MasterKeyID: "arn:aws:kms:us-east-1:1234/5678example",
+ MasterKeyID: "arn:aws:kms:my-minio-key",
},
},
},
@@ -70,6 +70,7 @@ func TestParseBucketSSEConfig(t *testing.T) {
testCases := []struct {
inputXML string
+ keyID string
expectedErr error
shouldPass bool
expectedConfig *BucketSSEConfig
@@ -83,10 +84,11 @@ func TestParseBucketSSEConfig(t *testing.T) {
},
// 2. Valid XML SSE-KMS
{
- inputXML: `aws:kmsarn:aws:kms:us-east-1:1234/5678example`,
+ inputXML: `aws:kmsarn:aws:kms:my-minio-key`,
expectedErr: nil,
shouldPass: true,
expectedConfig: actualKMSConfig,
+ keyID: "my-minio-key",
},
// 3. Invalid - more than one rule
{
@@ -119,23 +121,33 @@ func TestParseBucketSSEConfig(t *testing.T) {
shouldPass: true,
expectedConfig: actualAES256NoNSConfig,
},
+ // 8. Space characters in MasterKeyID
+ {
+ inputXML: `aws:kms arn:aws:kms:my-minio-key `,
+ expectedErr: errors.New("MasterKeyID contains unsupported characters"),
+ shouldPass: false,
+ },
}
for i, tc := range testCases {
- _, err := ParseBucketSSEConfig(bytes.NewReader([]byte(tc.inputXML)))
+ ssec, err := ParseBucketSSEConfig(bytes.NewReader([]byte(tc.inputXML)))
if tc.shouldPass && err != nil {
- t.Fatalf("Test case %d: Expected to succeed but got %s", i+1, err)
+ t.Errorf("Test case %d: Expected to succeed but got %s", i+1, err)
}
if !tc.shouldPass {
if err == nil || err != nil && err.Error() != tc.expectedErr.Error() {
- t.Fatalf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err)
+ t.Errorf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err)
}
continue
}
+ if tc.keyID != "" && tc.keyID != ssec.KeyID() {
+ t.Errorf("Test case %d: Expected bucket encryption KeyID %s but got %s", i+1, tc.keyID, ssec.KeyID())
+ }
+
if expectedXML, err := xml.Marshal(tc.expectedConfig); err != nil || !bytes.Equal(expectedXML, []byte(tc.inputXML)) {
- t.Fatalf("Test case %d: Expected bucket encryption XML %s but got %s", i+1, string(expectedXML), tc.inputXML)
+ t.Errorf("Test case %d: Expected bucket encryption XML %s but got %s", i+1, string(expectedXML), tc.inputXML)
}
}
}
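Review bot: With `t.Fatalf` replaced by `t.Errorf`, a case that has `shouldPass: true` but fails to parse no longer stops, and execution reaches `ssec.KeyID()` with `ssec` nil. `ParseBucketSSEConfig` returns `nil, err` on its visible error paths and `KeyID` ranges over `b.Rules`, so a case with a non-empty `keyID` would panic with a nil-pointer dereference instead of reporting the parse failure. Adding `continue` after the first `t.Errorf` keeps the loop running across cases without that. The test function starts outside this hunk.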
diff --git a/internal/crypto/error.go b/internal/crypto/error.go
index 7711a05a8..702063431 100644
--- a/internal/crypto/error.go
+++ b/internal/crypto/error.go
@@ -76,6 +76,9 @@ var (
// ErrIncompatibleEncryptionMethod indicates that both SSE-C headers and SSE-S3 headers were specified, and are incompatible
// The client needs to remove the SSE-S3 header or the SSE-C headers
ErrIncompatibleEncryptionMethod = Errorf("Server side encryption specified with both SSE-C and SSE-S3 headers")
+
+ // ErrInvalidEncryptionKeyID returns error when KMS key id contains invalid characters
+ ErrInvalidEncryptionKeyID = Errorf("KMS KeyID contains unsupported characters")
)
var (
diff --git a/internal/crypto/metadata.go b/internal/crypto/metadata.go
index 68867fcc3..d9dd2415e 100644
--- a/internal/crypto/metadata.go
+++ b/internal/crypto/metadata.go
@@ -56,6 +56,9 @@ const (
// be part of the object. Therefore, the bucket/object name must be added
// to the context, if not present, whenever a decryption is performed.
MetaContext = "X-Minio-Internal-Server-Side-Encryption-Context"
+
+ // ARNPrefix prefix for "arn:aws:kms"
+ ARNPrefix = "arn:aws:kms:"
)
// IsMultiPart returns true if the object metadata indicates
diff --git a/internal/crypto/sse-kms.go b/internal/crypto/sse-kms.go
index 588ccdb34..9d554792b 100644
--- a/internal/crypto/sse-kms.go
+++ b/internal/crypto/sse-kms.go
@@ -55,7 +55,8 @@ func (ssekms) IsRequested(h http.Header) bool {
return true
}
if _, ok := h[xhttp.AmzServerSideEncryption]; ok {
- return strings.ToUpper(h.Get(xhttp.AmzServerSideEncryption)) != xhttp.AmzEncryptionAES // Return only true if the SSE header is specified and does not contain the SSE-S3 value
+ // Return only true if the SSE header is specified and does not contain the SSE-S3 value
+ return strings.ToUpper(h.Get(xhttp.AmzServerSideEncryption)) != xhttp.AmzEncryptionAES
}
return false
}
@@ -63,6 +64,10 @@ func (ssekms) IsRequested(h http.Header) bool {
// ParseHTTP parses the SSE-KMS headers and returns the SSE-KMS key ID
// and the KMS context on success.
func (ssekms) ParseHTTP(h http.Header) (string, kms.Context, error) {
+ if h == nil {
+ return "", nil, ErrInvalidEncryptionMethod
+ }
+
algorithm := h.Get(xhttp.AmzServerSideEncryption)
if algorithm != xhttp.AmzEncryptionKMS {
return "", nil, ErrInvalidEncryptionMethod
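Review bot: The added `h == nil` guard in `ParseHTTP` duplicates what the following lines already do: `http.Header.Get` on a nil header returns `""`, which fails the `algorithm != xhttp.AmzEncryptionKMS` comparison and returns the same `ErrInvalidEncryptionMethod`. If the guard is kept for readability, a short comment such as `// A nil header carries no SSE-KMS request.` would say why it is there. The function body continues outside this hunk.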
@@ -80,7 +85,13 @@ func (ssekms) ParseHTTP(h http.Header) (string, kms.Context, error) {
return "", nil, err
}
}
- return h.Get(xhttp.AmzServerSideEncryptionKmsID), ctx, nil
+
+ keyID := h.Get(xhttp.AmzServerSideEncryptionKmsID)
+ spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
+ if spaces {
+ return "", nil, ErrInvalidEncryptionKeyID
+ }
+ return strings.TrimPrefix(keyID, ARNPrefix), ctx, nil
}
// IsEncrypted returns true if the object metadata indicates