refine the KMS admin API (#8943)

This commit removes the `Update` functionality
from the admin API. While this is technically
a breaking change I think this will not cause
any harm because:
 - The KMS admin API is not complete, yet.
   At the moment only the status can be fetched.
 - The `mc` integration hasn't been merged yet.
   So no `mc` client could have used this API
   in the past.

The `Update`/`Rewrap` status is not useful anymore.
It provided a way to migrate from one master key version
to another. However, KES does not support the concept of
key versions. Instead, key migration should be implemented
as migration from one master key to another.

Basically, the `Update` functionality has been implemented just
for Vault.
This commit is contained in:
Andreas Auernhammer 2020-02-05 18:17:35 +01:00 committed by GitHub
parent 026265f8f7
commit 4f37c8ccf2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 16 deletions

View File

@ -1270,20 +1270,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
return return
} }
// 2. Check whether we can update / re-wrap the sealed key. // 2. Verify that we can indeed decrypt the (encrypted) key
sealedKey, err = GlobalKMS.UpdateKey(keyID, sealedKey, kmsContext)
if err != nil {
response.UpdateErr = err.Error()
resp, err := json.Marshal(response)
if err != nil {
writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL)
return
}
writeSuccessResponseJSON(w, resp)
return
}
// 3. Verify that we can indeed decrypt the (encrypted) key
decryptedKey, err := GlobalKMS.UnsealKey(keyID, sealedKey, kmsContext) decryptedKey, err := GlobalKMS.UnsealKey(keyID, sealedKey, kmsContext)
if err != nil { if err != nil {
response.DecryptionErr = err.Error() response.DecryptionErr = err.Error()
@ -1296,7 +1283,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
return return
} }
// 4. Compare generated key with decrypted key // 3. Compare generated key with decrypted key
if subtle.ConstantTimeCompare(key[:], decryptedKey[:]) != 1 { if subtle.ConstantTimeCompare(key[:], decryptedKey[:]) != 1 {
response.DecryptionErr = "The generated and the decrypted data key do not match" response.DecryptionErr = "The generated and the decrypted data key do not match"
resp, err := json.Marshal(response) resp, err := json.Marshal(response)

View File

@ -57,6 +57,5 @@ func (adm *AdminClient) GetKeyStatus(keyID string) (*KMSKeyStatus, error) {
type KMSKeyStatus struct { type KMSKeyStatus struct {
KeyID string `json:"key-id"` KeyID string `json:"key-id"`
EncryptionErr string `json:"encryption-error,omitempty"` // An empty error == success EncryptionErr string `json:"encryption-error,omitempty"` // An empty error == success
UpdateErr string `json:"update-error,omitempty"` // An empty error == success
DecryptionErr string `json:"decryption-error,omitempty"` // An empty error == success DecryptionErr string `json:"decryption-error,omitempty"` // An empty error == success
} }