MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-02-28 13:59:15 -05:00
Code Issues Packages Projects Releases Wiki Activity

kms: add support for KES enclaves (#16139)

Browse Source 
Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
Andreas Auernhammer 2022-12-04 11:34:24 +01:00 committed by GitHub
parent 90e37a8745
commit d882ba2cb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 44 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/common-main.go
View File

@ -854,6 +854,7 @@ func handleKMSConfig() {
defaultKeyID := env.Get(config.EnvKESKeyName, "") defaultKeyID := env.Get(config.EnvKESKeyName, "")
KMS, err := kms.NewWithConfig(kms.Config{ KMS, err := kms.NewWithConfig(kms.Config{
Endpoints: endpoints, Endpoints: endpoints,
Enclave: env.Get(config.EnvKESEnclave, ""),
DefaultKeyID: defaultKeyID, DefaultKeyID: defaultKeyID,
Certificate: certificate, Certificate: certificate,
ReloadCertEvents: reloadCertEvents, ReloadCertEvents: reloadCertEvents,

1
internal/config/constants.go
View File

@ -70,6 +70,7 @@ const (
EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY" EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY"
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT"
EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE"
EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME"
EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE"
EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD"

61
internal/kms/kes.go
View File

@ -42,6 +42,11 @@ type Config struct {
// HTTP endpoints. // HTTP endpoints.
Endpoints []string Endpoints []string
// Enclave is the KES server enclave. If empty,
// none resp. the default KES server enclave
// will be used.
Enclave string
// DefaultKeyID is the key ID used when // DefaultKeyID is the key ID used when
// no explicit key ID is specified for // no explicit key ID is specified for
// a cryptographic operation. // a cryptographic operation.
@ -91,6 +96,7 @@ func NewWithConfig(config Config) (KMS, error) {
c := &kesClient{ c := &kesClient{
client: client, client: client,
enclave: client.Enclave(config.Enclave),
defaultKeyID: config.DefaultKeyID, defaultKeyID: config.DefaultKeyID,
bulkAvailable: bulkAvailable, bulkAvailable: bulkAvailable,
} }
@ -121,6 +127,7 @@ func NewWithConfig(config Config) (KMS, error) {
c.lock.Lock() c.lock.Lock()
c.client = client c.client = client
c.enclave = c.client.Enclave(config.Enclave)
c.lock.Unlock() c.lock.Unlock()
prevCertificate = certificate prevCertificate = certificate
@ -135,6 +142,7 @@ type kesClient struct {
lock sync.RWMutex lock sync.RWMutex
defaultKeyID string defaultKeyID string
client *kes.Client client *kes.Client
enclave *kes.Enclave
bulkAvailable bool bulkAvailable bool
} }
@ -189,7 +197,7 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.CreateKey(ctx, keyID) return c.enclave.CreateKey(ctx, keyID)
} }
// DeleteKey deletes a key at the KMS with the given key ID. // DeleteKey deletes a key at the KMS with the given key ID.
@ -199,7 +207,8 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error { func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.DeleteKey(ctx, keyID)
return c.enclave.DeleteKey(ctx, keyID)
} }
// ListKeys List all key names that match the specified pattern. In particular, // ListKeys List all key names that match the specified pattern. In particular,
@ -207,7 +216,8 @@ func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) { func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.ListKeys(ctx, pattern)
return c.enclave.ListKeys(ctx, pattern)
} }
// GenerateKey generates a new data encryption key using // GenerateKey generates a new data encryption key using
@ -229,7 +239,8 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
if err != nil { if err != nil {
return DEK{}, err return DEK{}, err
} }
dek, err := c.client.GenerateKey(ctx, keyID, ctxBytes)
dek, err := c.enclave.GenerateKey(ctx, keyID, ctxBytes)
if err != nil { if err != nil {
return DEK{}, err return DEK{}, err
} }
@ -244,7 +255,8 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) error { func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.ImportKey(ctx, keyID, bytes)
return c.enclave.ImportKey(ctx, keyID, bytes)
} }
// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key // EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
@ -257,7 +269,7 @@ func (c *kesClient) EncryptKey(keyID string, plaintext []byte, ctx Context) ([]b
if err != nil { if err != nil {
return nil, err return nil, err
} }
return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes) return c.enclave.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
} }
// DecryptKey decrypts the ciphertext with the key at the KES // DecryptKey decrypts the ciphertext with the key at the KES
@ -271,7 +283,7 @@ func (c *kesClient) DecryptKey(keyID string, ciphertext []byte, ctx Context) ([]
if err != nil { if err != nil {
return nil, err return nil, err
} }
return c.client.Decrypt(context.Background(), keyID, ciphertext, ctxBytes) return c.enclave.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)
} }
func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) { func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
@ -290,7 +302,8 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
Context: bCtx, Context: bCtx,
}) })
} }
PCPs, err := c.client.DecryptAll(ctx, keyID, CCPs...)
PCPs, err := c.enclave.DecryptAll(ctx, keyID, CCPs...)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -307,7 +320,7 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
if err != nil { if err != nil {
return nil, err return nil, err
} }
plaintext, err := c.client.Decrypt(ctx, keyID, ciphertexts[i], ctxBytes) plaintext, err := c.enclave.Decrypt(ctx, keyID, ciphertexts[i], ctxBytes)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -321,7 +334,8 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) { func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.DescribePolicy(ctx, policy)
return c.enclave.DescribePolicy(ctx, policy)
} }
// AssignPolicy assigns a policy to an identity. // AssignPolicy assigns a policy to an identity.
@ -332,7 +346,8 @@ func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.Pol
func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) error { func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.AssignPolicy(ctx, policy, kes.Identity(identity))
return c.enclave.AssignPolicy(ctx, policy, kes.Identity(identity))
} }
// DeletePolicy deletes a policy from KMS. // DeletePolicy deletes a policy from KMS.
@ -340,7 +355,8 @@ func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) e
func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error { func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.DeletePolicy(ctx, policy)
return c.enclave.DeletePolicy(ctx, policy)
} }
// ListPolicies list all policy metadata that match the specified pattern. // ListPolicies list all policy metadata that match the specified pattern.
@ -348,21 +364,24 @@ func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) { func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.ListPolicies(ctx, pattern)
return c.enclave.ListPolicies(ctx, pattern)
} }
// SetPolicy creates or updates a policy. // SetPolicy creates or updates a policy.
func (c *kesClient) SetPolicy(ctx context.Context, policy string, policyItem *kes.Policy) error { func (c *kesClient) SetPolicy(ctx context.Context, policy string, policyItem *kes.Policy) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.SetPolicy(ctx, policy, policyItem)
return c.enclave.SetPolicy(ctx, policy, policyItem)
} }
// GetPolicy gets a policy from KMS. // GetPolicy gets a policy from KMS.
func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) { func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.GetPolicy(ctx, policy)
return c.enclave.GetPolicy(ctx, policy)
} }
// DescribeIdentity describes an identity by returning its metadata. // DescribeIdentity describes an identity by returning its metadata.
@ -370,7 +389,8 @@ func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy,
func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) { func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.DescribeIdentity(ctx, kes.Identity(identity))
return c.enclave.DescribeIdentity(ctx, kes.Identity(identity))
} }
// DescribeSelfIdentity describes the identity issuing the request. // DescribeSelfIdentity describes the identity issuing the request.
@ -379,7 +399,8 @@ func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes
func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) { func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.DescribeSelf(ctx)
return c.enclave.DescribeSelf(ctx)
} }
// DeleteIdentity deletes an identity from KMS. // DeleteIdentity deletes an identity from KMS.
@ -388,7 +409,8 @@ func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo
func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error { func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.DeleteIdentity(ctx, kes.Identity(identity))
return c.enclave.DeleteIdentity(ctx, kes.Identity(identity))
} }
// ListIdentities list all identity metadata that match the specified pattern. // ListIdentities list all identity metadata that match the specified pattern.
@ -396,5 +418,6 @@ func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) { func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
return c.client.ListIdentities(ctx, pattern)
return c.enclave.ListIdentities(ctx, pattern)
} }