From be34fc9134156caa59efbaa69ea7ca8dae102d56 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 6 Dec 2021 00:39:32 -0800 Subject: [PATCH] fix: kms-id header should have arn:aws:kms: prefix (#13833) arn:aws:kms: is a must for KMS keyID. --- cmd/encryption-v1.go | 15 +++++++++++++++ cmd/object-handlers.go | 8 ++++---- docs/logging/README.md | 2 +- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go index 317eea9f9..dc9a7c9ab 100644 --- a/cmd/encryption-v1.go +++ b/cmd/encryption-v1.go @@ -68,6 +68,21 @@ const ( ) +// KMSKeyID returns in AWS compatible KMS KeyID() format. +func (o ObjectInfo) KMSKeyID() string { + if len(o.UserDefined) == 0 { + return "" + } + kmsID, ok := o.UserDefined[crypto.MetaKeyID] + if !ok { + return "" + } + if strings.HasPrefix(kmsID, "arn:aws:kms:") { + return kmsID + } + return "arn:aws:kms:" + kmsID +} + // isMultipart returns true if the current object is // uploaded by the user using multipart mechanism: // initiate new multipart, upload part, complete upload diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go index 70e69eba9..11d093eba 100644 --- a/cmd/object-handlers.go +++ b/cmd/object-handlers.go @@ -282,7 +282,7 @@ func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES) case crypto.S3KMS: w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS) - w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID]) + w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID()) if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok { w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx) } 
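Review bot: KMSKeyID still prefixes an empty value: when crypto.MetaKeyID is present in UserDefined but holds "", the method returns the bare string `"arn:aws:kms:"` and the SSE-KMS header sites in object-handlers.go would advertise that as a key ID; folding the empty case into the existing guard, `if !ok || kmsID == "" { return "" }`, keeps the header value empty in that case as it was before the change. The leading `len(o.UserDefined) == 0` check is redundant, since indexing a nil or empty map already yields "" with ok == false, so the method reduces to the lookup plus the prefix check. The doc comment reads awkwardly; suggest `// KMSKeyID returns the object's SSE-KMS key ID in AWS-compatible "arn:aws:kms:" form, or "" when the object carries no KMS key ID.` The new code also relies on `strings` being imported in encryption-v1.go, which is outside the hunk.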
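Review bot: The SSE-KMS header block rewritten here is repeated verbatim at @@ -481, @@ -729 and @@ -1817 (the two `w.Header().Set` calls plus the MetaContext lookup), so the four sites must be kept in sync by hand; a small helper along the lines of `func setSSEKMSHeaders(w http.ResponseWriter, objInfo ObjectInfo)` holding the body of `case crypto.S3KMS:` would make the next KMS-header change a one-place edit. The key ID now goes through KMSKeyID() while the context on the following line is still read straight from objInfo.UserDefined; keeping both accessors together in such a helper would keep the metadata lookups in one place. SelectObjectContentHandler, like the three other enclosing handlers, starts and ends outside the hunk.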
@@ -481,7 +481,7 @@ func (api objectAPIHandlers) getObjectHandler(ctx context.Context, objectAPI Obj
 w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
 case crypto.S3KMS:
 w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
- w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
+ w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
 if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
 w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
 }
@@ -729,7 +729,7 @@ func (api objectAPIHandlers) headObjectHandler(ctx context.Context, objectAPI Ob
 w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
 case crypto.S3KMS:
 w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
- w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
+ w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
 if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
 w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
 }
@@ -1817,7 +1817,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
 objInfo.ETag, _ = DecryptETag(objectEncryptionKey, ObjectInfo{ETag: objInfo.ETag})
 case crypto.S3KMS:
 w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
- w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
+ w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
 if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
 w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
 }
diff --git a/docs/logging/README.md b/docs/logging/README.md
index 602e3fdf9..7ea63c859 100644
--- a/docs/logging/README.md
+++ b/docs/logging/README.md
@@ -108,7 +108,7 @@ NOTE:
 "Vary": "Origin,Accept-Encoding",
 "X-Amz-Request-Id": "16ABE7A785E7AC2C",
 "X-Amz-Server-Side-Encryption": "aws:kms",
- "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "my-minio-key",
+ "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "arn:aws:kms:my-minio-key",
 "X-Content-Type-Options": "nosniff",
 "X-Xss-Protection": "1; mode=block",
 "x-amz-version-id": "ac4639f6-c544-4f3f-af1e-b4c0736f67f9"