fix: use key.Ciphertext for DecryptKey in KeyStatus (#12313)

enhance GlobalKMS.Stat() for kes to actually perform a network call to check Version() of kes and also implicitly that its reachable.
2025-11-10 05:59:43 -05:00 · 2021-05-18 07:22:31 -07:00
parent 267f12a2a1
commit c6b7dc012a
2 changed files with 8 additions and 5 deletions
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -1304,6 +1304,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
 		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
 		return
 	}
+
 	stat, err := GlobalKMS.Stat()
 	if err != nil {
 		writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL)
@@ -1333,7 +1334,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
 	}

 	// 2. Verify that we can indeed decrypt the (encrypted) key
-	decryptedKey, err := GlobalKMS.DecryptKey(key.KeyID, key.Plaintext, kmsContext)
+	decryptedKey, err := GlobalKMS.DecryptKey(key.KeyID, key.Ciphertext, kmsContext)
 	if err != nil {
 		response.DecryptionErr = err.Error()
 		resp, err := json.Marshal(response)
@@ -1800,10 +1801,6 @@ func fetchKMSStatus() madmin.KMS {
 		kmsStat.Status = stat.Name
 		return kmsStat
 	}
-	if err := checkConnection(stat.Endpoints[0], 15*time.Second); err != nil {
-		kmsStat.Status = string(madmin.ItemOffline)
-		return kmsStat
-	}
 	kmsStat.Status = string(madmin.ItemOnline)

 	kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation