mirror of
https://github.com/minio/minio.git
synced 2025-02-28 05:49:16 -05:00
kms: add support for KES enclaves (#16139)
Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
Andreas Auernhammer
GitHub
parent
90e37a8745
commit
d882ba2cb4
@ -854,6 +854,7 @@ func handleKMSConfig() {
|
||||
defaultKeyID := env.Get(config.EnvKESKeyName, "")
|
||||
KMS, err := kms.NewWithConfig(kms.Config{
|
||||
Endpoints: endpoints,
|
||||
Enclave: env.Get(config.EnvKESEnclave, ""),
|
||||
DefaultKeyID: defaultKeyID,
|
||||
Certificate: certificate,
|
||||
ReloadCertEvents: reloadCertEvents,
|
||||
|
||||
@ -70,6 +70,7 @@ const (
|
||||
EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY"
|
||||
EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE"
|
||||
EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT"
|
||||
EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE"
|
||||
EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME"
|
||||
EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE"
|
||||
EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD"
|
||||
|
||||
@ -42,6 +42,11 @@ type Config struct {
|
||||
// HTTP endpoints.
|
||||
Endpoints []string
|
||||
|
||||
// Enclave is the KES server enclave. If empty,
|
||||
// none resp. the default KES server enclave
|
||||
// will be used.
|
||||
Enclave string
|
||||
|
||||
// DefaultKeyID is the key ID used when
|
||||
// no explicit key ID is specified for
|
||||
// a cryptographic operation.
|
||||
@ -91,6 +96,7 @@ func NewWithConfig(config Config) (KMS, error) {
|
||||
|
||||
c := &kesClient{
|
||||
client: client,
|
||||
enclave: client.Enclave(config.Enclave),
|
||||
defaultKeyID: config.DefaultKeyID,
|
||||
bulkAvailable: bulkAvailable,
|
||||
}
|
||||
@ -121,6 +127,7 @@ func NewWithConfig(config Config) (KMS, error) {
|
||||
|
||||
c.lock.Lock()
|
||||
c.client = client
|
||||
c.enclave = c.client.Enclave(config.Enclave)
|
||||
c.lock.Unlock()
|
||||
|
||||
prevCertificate = certificate
|
||||
@ -135,6 +142,7 @@ type kesClient struct {
|
||||
lock sync.RWMutex
|
||||
defaultKeyID string
|
||||
client *kes.Client
|
||||
enclave *kes.Enclave
|
||||
|
||||
bulkAvailable bool
|
||||
}
|
||||
@ -189,7 +197,7 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
|
||||
return c.client.CreateKey(ctx, keyID)
|
||||
return c.enclave.CreateKey(ctx, keyID)
|
||||
}
|
||||
|
||||
// DeleteKey deletes a key at the KMS with the given key ID.
|
||||
@ -199,7 +207,8 @@ func (c *kesClient) CreateKey(ctx context.Context, keyID string) error {
|
||||
func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DeleteKey(ctx, keyID)
|
||||
|
||||
return c.enclave.DeleteKey(ctx, keyID)
|
||||
}
|
||||
|
||||
// ListKeys List all key names that match the specified pattern. In particular,
|
||||
@ -207,7 +216,8 @@ func (c *kesClient) DeleteKey(ctx context.Context, keyID string) error {
|
||||
func (c *kesClient) ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ListKeys(ctx, pattern)
|
||||
|
||||
return c.enclave.ListKeys(ctx, pattern)
|
||||
}
|
||||
|
||||
// GenerateKey generates a new data encryption key using
|
||||
@ -229,7 +239,8 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
|
||||
if err != nil {
|
||||
return DEK{}, err
|
||||
}
|
||||
dek, err := c.client.GenerateKey(ctx, keyID, ctxBytes)
|
||||
|
||||
dek, err := c.enclave.GenerateKey(ctx, keyID, ctxBytes)
|
||||
if err != nil {
|
||||
return DEK{}, err
|
||||
}
|
||||
@ -244,7 +255,8 @@ func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Con
|
||||
func (c *kesClient) ImportKey(ctx context.Context, keyID string, bytes []byte) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ImportKey(ctx, keyID, bytes)
|
||||
|
||||
return c.enclave.ImportKey(ctx, keyID, bytes)
|
||||
}
|
||||
|
||||
// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
|
||||
@ -257,7 +269,7 @@ func (c *kesClient) EncryptKey(keyID string, plaintext []byte, ctx Context) ([]b
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return c.client.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
|
||||
return c.enclave.Encrypt(context.Background(), keyID, plaintext, ctxBytes)
|
||||
}
|
||||
|
||||
// DecryptKey decrypts the ciphertext with the key at the KES
|
||||
@ -271,7 +283,7 @@ func (c *kesClient) DecryptKey(keyID string, ciphertext []byte, ctx Context) ([]
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return c.client.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)
|
||||
return c.enclave.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)
|
||||
}
|
||||
|
||||
func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
|
||||
@ -290,7 +302,8 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
|
||||
Context: bCtx,
|
||||
})
|
||||
}
|
||||
PCPs, err := c.client.DecryptAll(ctx, keyID, CCPs...)
|
||||
|
||||
PCPs, err := c.enclave.DecryptAll(ctx, keyID, CCPs...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -307,7 +320,7 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
plaintext, err := c.client.Decrypt(ctx, keyID, ciphertexts[i], ctxBytes)
|
||||
plaintext, err := c.enclave.Decrypt(ctx, keyID, ciphertexts[i], ctxBytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -321,7 +334,8 @@ func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts []
|
||||
func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DescribePolicy(ctx, policy)
|
||||
|
||||
return c.enclave.DescribePolicy(ctx, policy)
|
||||
}
|
||||
|
||||
// AssignPolicy assigns a policy to an identity.
|
||||
@ -332,7 +346,8 @@ func (c *kesClient) DescribePolicy(ctx context.Context, policy string) (*kes.Pol
|
||||
func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.AssignPolicy(ctx, policy, kes.Identity(identity))
|
||||
|
||||
return c.enclave.AssignPolicy(ctx, policy, kes.Identity(identity))
|
||||
}
|
||||
|
||||
// DeletePolicy deletes a policy from KMS.
|
||||
@ -340,7 +355,8 @@ func (c *kesClient) AssignPolicy(ctx context.Context, policy, identity string) e
|
||||
func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DeletePolicy(ctx, policy)
|
||||
|
||||
return c.enclave.DeletePolicy(ctx, policy)
|
||||
}
|
||||
|
||||
// ListPolicies list all policy metadata that match the specified pattern.
|
||||
@ -348,21 +364,24 @@ func (c *kesClient) DeletePolicy(ctx context.Context, policy string) error {
|
||||
func (c *kesClient) ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ListPolicies(ctx, pattern)
|
||||
|
||||
return c.enclave.ListPolicies(ctx, pattern)
|
||||
}
|
||||
|
||||
// SetPolicy creates or updates a policy.
|
||||
func (c *kesClient) SetPolicy(ctx context.Context, policy string, policyItem *kes.Policy) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.SetPolicy(ctx, policy, policyItem)
|
||||
|
||||
return c.enclave.SetPolicy(ctx, policy, policyItem)
|
||||
}
|
||||
|
||||
// GetPolicy gets a policy from KMS.
|
||||
func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.GetPolicy(ctx, policy)
|
||||
|
||||
return c.enclave.GetPolicy(ctx, policy)
|
||||
}
|
||||
|
||||
// DescribeIdentity describes an identity by returning its metadata.
|
||||
@ -370,7 +389,8 @@ func (c *kesClient) GetPolicy(ctx context.Context, policy string) (*kes.Policy,
|
||||
func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DescribeIdentity(ctx, kes.Identity(identity))
|
||||
|
||||
return c.enclave.DescribeIdentity(ctx, kes.Identity(identity))
|
||||
}
|
||||
|
||||
// DescribeSelfIdentity describes the identity issuing the request.
|
||||
@ -379,7 +399,8 @@ func (c *kesClient) DescribeIdentity(ctx context.Context, identity string) (*kes
|
||||
func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DescribeSelf(ctx)
|
||||
|
||||
return c.enclave.DescribeSelf(ctx)
|
||||
}
|
||||
|
||||
// DeleteIdentity deletes an identity from KMS.
|
||||
@ -388,7 +409,8 @@ func (c *kesClient) DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo
|
||||
func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.DeleteIdentity(ctx, kes.Identity(identity))
|
||||
|
||||
return c.enclave.DeleteIdentity(ctx, kes.Identity(identity))
|
||||
}
|
||||
|
||||
// ListIdentities list all identity metadata that match the specified pattern.
|
||||
@ -396,5 +418,6 @@ func (c *kesClient) DeleteIdentity(ctx context.Context, identity string) error {
|
||||
func (c *kesClient) ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.client.ListIdentities(ctx, pattern)
|
||||
|
||||
return c.enclave.ListIdentities(ctx, pattern)
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user