add SSE-KMS support and use SSE-KMS for auto encryption (#12237)

This commit adds basic SSE-KMS support. Now, a client can specify the SSE-KMS headers (algorithm, optional key-id, optional context) such that the object gets encrypted using the SSE-KMS method. Further, auto-encryption now defaults to SSE-KMS. This commit does not try to do any refactoring and instead tries to implement SSE-KMS as a minimal change to the code base. However, refactoring the entire crypto-related code is planned - but needs a separate effort. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-07 21:02:58 -05:00 · 2021-05-07 00:24:01 +02:00
parent 989e394a32
commit af0c65be93
7 changed files with 229 additions and 94 deletions
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -1011,16 +1011,28 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
 				writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL, guessIsBrowserReq(r))
 				return
 			}
-			var reader io.Reader
-			var key []byte
-			if crypto.SSEC.IsRequested(formValues) {
+			var (
+				reader io.Reader
+				keyID  string
+				key    []byte
+				kmsCtx crypto.Context
+			)
+			kind, _ := crypto.IsRequested(formValues)
+			switch kind {
+			case crypto.SSEC:
 				key, err = ParseSSECustomerHeader(formValues)
 				if err != nil {
 					writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
 					return
 				}
+			case crypto.S3KMS:
+				keyID, kmsCtx, err = crypto.S3KMS.ParseHTTP(formValues)
+				if err != nil {
+					writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
+					return
+				}
 			}
-			reader, objectEncryptionKey, err = newEncryptReader(hashReader, key, bucket, object, metadata, crypto.S3.IsRequested(formValues))
+			reader, objectEncryptionKey, err = newEncryptReader(hashReader, kind, keyID, key, bucket, object, metadata, kmsCtx)
 			if err != nil {
 				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
 				return