mirror of
https://github.com/minio/minio.git
synced 2025-01-25 21:53:16 -05:00
ListObjectParts: simplify ETag decryption and size adjustment (#14653)
This commit simplifies the ETag decryption and size adjustment when listing object parts. When listing object parts, MinIO has to decrypt the ETag of all parts if and only if the object resp. the parts is encrypted using SSE-S3. In case of SSE-KMS and SSE-C, MinIO returns a pseudo-random ETag. This is inline with AWS S3 behavior. Further, MinIO has to adjust the size of all encrypted parts due to the encryption overhead. The ListObjectParts does specifically not use the KMS bulk decryption API (4d2fc530d0a953e9957b8cc670ccdbdb568b3894) since the ETags of all parts are encrypted using the same object encryption key. Therefore, MinIO only has to connect to the KMS once, even if there are multiple parts resp. ETags. It can simply reuse the same object encryption key. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
parent
54a4f93854
commit
ba17d46f15
@ -3025,34 +3025,29 @@ func (api objectAPIHandlers) ListObjectPartsHandler(w http.ResponseWriter, r *ht
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var ssec bool
|
// We have to adjust the size of encrypted parts since encrypted parts
|
||||||
if _, ok := crypto.IsEncrypted(listPartsInfo.UserDefined); ok && objectAPI.IsEncryptionSupported() {
|
// are slightly larger due to encryption overhead.
|
||||||
var key []byte
|
// Further, we have to adjust the ETags of parts when using SSE-S3.
|
||||||
if crypto.SSEC.IsEncrypted(listPartsInfo.UserDefined) {
|
// Due to AWS S3, SSE-S3 encrypted parts return the plaintext ETag
|
||||||
ssec = true
|
// being the content MD5 of that particular part. This is not the
|
||||||
}
|
// case for SSE-C and SSE-KMS objects.
|
||||||
|
if kind, ok := crypto.IsEncrypted(listPartsInfo.UserDefined); ok && objectAPI.IsEncryptionSupported() {
|
||||||
var objectEncryptionKey []byte
|
var objectEncryptionKey []byte
|
||||||
if crypto.S3.IsEncrypted(listPartsInfo.UserDefined) {
|
if kind == crypto.S3 {
|
||||||
// Calculating object encryption key
|
objectEncryptionKey, err = decryptObjectInfo(nil, bucket, object, listPartsInfo.UserDefined)
|
||||||
objectEncryptionKey, err = decryptObjectInfo(key, bucket, object, listPartsInfo.UserDefined)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for i := range listPartsInfo.Parts {
|
for i, p := range listPartsInfo.Parts {
|
||||||
curp := listPartsInfo.Parts[i]
|
listPartsInfo.Parts[i].ETag = tryDecryptETag(objectEncryptionKey, p.ETag, kind != crypto.S3)
|
||||||
curp.ETag = tryDecryptETag(objectEncryptionKey, curp.ETag, ssec)
|
size, err := sio.DecryptedSize(uint64(p.Size))
|
||||||
if !ssec {
|
|
||||||
var partSize uint64
|
|
||||||
partSize, err = sio.DecryptedSize(uint64(curp.Size))
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
curp.Size = int64(partSize)
|
listPartsInfo.Parts[i].Size = int64(size)
|
||||||
}
|
|
||||||
listPartsInfo.Parts[i] = curp
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user