admin: new API for creating KMS master keys (#9982)

This commit adds a new admin API for creating master keys.
An admin client can send a POST request to:
```
/minio/admin/v3/kms/key/create?key-id=<keyID>
```

The name / ID of the new key is specified as request
query parameter `key-id=<ID>`.

Creating new master keys requires KES - it does not work with
the native Vault KMS (deprecated) nor with a static master key
(deprecated).

Further, this commit removes the `UpdateKey` method from the `KMS`
interface. This method is not needed and not used anymore.

cmd/crypto/kes.go

@@ -34,9 +34,9 @@ import (
 	xnet "github.com/minio/minio/pkg/net"
 )
 
-// ErrKESKeyNotFound is the error returned a KES server
-// when a master key does not exist.
-var ErrKESKeyNotFound = NewKESError(http.StatusNotFound, "key does not exist")
+// ErrKESKeyExists is the error returned a KES server
+// when a master key does exist.
+var ErrKESKeyExists = NewKESError(http.StatusBadRequest, "key does already exist")
 
 // KesConfig contains the configuration required
 // to initialize and connect to a kes server.
@@ -134,20 +134,27 @@ func NewKes(cfg KesConfig) (KMS, error) {
 	}, nil
 }
 
-// KeyID returns the default key ID.
-func (kes *kesService) KeyID() string {
+// DefaultKeyID returns the default key ID that should be
+// used for SSE-S3 or SSE-KMS when the S3 client does not
+// provide an explicit key ID.
+func (kes *kesService) DefaultKeyID() string {
 	return kes.defaultKeyID
 }
 
-// Info returns some status information about the KMS.
+// Info returns some information about the KES,
+// configuration - like the endpoint or authentication
+// method.
 func (kes *kesService) Info() KMSInfo {
 	return KMSInfo{
 		Endpoint: kes.endpoint,
-		Name:     kes.KeyID(),
+		Name:     kes.DefaultKeyID(),
 		AuthType: "TLS",
 	}
 }
 
+// CreateKey tries to create a new master key with the given keyID.
+func (kes *kesService) CreateKey(keyID string) error { return kes.client.CreateKey(keyID) }
+
 // GenerateKey returns a new plaintext key, generated by the KMS,
 // and a sealed version of this plaintext key encrypted using the
 // named key referenced by keyID. It also binds the generated key
@@ -158,12 +165,6 @@ func (kes *kesService) GenerateKey(keyID string, ctx Context) (key [32]byte, sea
 
 	var plainKey []byte
 	plainKey, sealedKey, err = kes.client.GenerateDataKey(keyID, context.Bytes())
-	if err == ErrKESKeyNotFound { // Try to create the key if it does not exist.
-		if err = kes.client.CreateKey(keyID); err != nil {
-			return key, nil, err
-		}
-		plainKey, sealedKey, err = kes.client.GenerateDataKey(keyID, context.Bytes())
-	}
 	if err != nil {
 		return key, nil, err
 	}
@@ -197,28 +198,11 @@ func (kes *kesService) UnsealKey(keyID string, sealedKey []byte, ctx Context) (k
 	return key, nil
 }
 
-// UpdateKey re-wraps the sealedKey if the master key referenced by the keyID
-// has been changed by the KMS operator - i.e. the master key has been rotated.
-// If the master key hasn't changed since the sealedKey has been created / updated
-// it may return the same sealedKey as rotatedKey.
-//
-// The context must be same context as the one provided while
-// generating the plaintext key / sealedKey.
-func (kes *kesService) UpdateKey(keyID string, sealedKey []byte, ctx Context) ([]byte, error) {
-	_, err := kes.UnsealKey(keyID, sealedKey, ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	// Currently a kes server does not support key rotation (of the same key)
-	// Therefore, we simply return the same sealedKey.
-	return sealedKey, nil
-}
-
 // kesClient implements the bare minimum functionality needed for
 // MinIO to talk to a KES server. In particular, it implements
-// GenerateDataKey (API: /v1/key/generate/) and
-// DecryptDataKey  (API: /v1/key/decrypt/).
+//   • CreateKey       (API: /v1/key/create/)
+//   • GenerateDataKey (API: /v1/key/generate/)
+//   • DecryptDataKey  (API: /v1/key/decrypt/)
 type kesClient struct {
 	addr       string
 	httpClient http.Client