Add support for SSE-S3 server side encryption with vault (#6192)

Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2025-11-21 02:09:08 -05:00 · 2018-08-17 12:52:14 -07:00
parent 3d197c1449
commit e71ef905f9
236 changed files with 23463 additions and 608 deletions
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -145,6 +145,9 @@ const (
 	ErrMissingSSECustomerKeyMD5
 	ErrSSECustomerKeyMD5Mismatch
 	ErrInvalidSSECustomerParameters
+	ErrIncompatibleEncryptionMethod
+	ErrKMSNotConfigured
+	ErrKMSAuthFailure

 	// Bucket notification related errors.
 	ErrEventNotification
@@ -777,6 +780,21 @@ var errorCodeResponse = map[APIErrorCode]APIError{
 		Description:    "The provided encryption parameters did not match the ones used originally.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrIncompatibleEncryptionMethod: {
+		Code:           "InvalidArgument",
+		Description:    "Server side encryption specified with both SSE-C and SSE-S3 headers",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrKMSNotConfigured: {
+		Code:           "InvalidArgument",
+		Description:    "Server side encryption specified but KMS is not configured",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrKMSAuthFailure: {
+		Code:           "InvalidArgument",
+		Description:    "Server side encryption specified but KMS authorization failed",
+		HTTPStatusCode: http.StatusBadRequest,
+	},

 	/// S3 extensions.
 	ErrContentSHA256Mismatch: {
@@ -1395,15 +1413,15 @@ func toAPIErrorCode(err error) (apiErr APIErrorCode) {
 		apiErr = ErrInvalidEncryptionMethod
 	case errInsecureSSERequest:
 		apiErr = ErrInsecureSSECustomerRequest
-	case errInvalidSSEAlgorithm, crypto.ErrInvalidCustomerAlgorithm:
+	case crypto.ErrInvalidCustomerAlgorithm:
 		apiErr = ErrInvalidSSECustomerAlgorithm
-	case errInvalidSSEKey, crypto.ErrInvalidCustomerKey:
+	case crypto.ErrInvalidCustomerKey:
 		apiErr = ErrInvalidSSECustomerKey
-	case errMissingSSEKey, crypto.ErrMissingCustomerKey:
+	case crypto.ErrMissingCustomerKey:
 		apiErr = ErrMissingSSECustomerKey
-	case errMissingSSEKeyMD5, crypto.ErrMissingCustomerKeyMD5:
+	case crypto.ErrMissingCustomerKeyMD5:
 		apiErr = ErrMissingSSECustomerKeyMD5
-	case errSSEKeyMD5Mismatch, crypto.ErrCustomerKeyMD5Mismatch:
+	case crypto.ErrCustomerKeyMD5Mismatch:
 		apiErr = ErrSSECustomerKeyMD5Mismatch
 	case errObjectTampered:
 		apiErr = ErrObjectTampered
@@ -1411,8 +1429,14 @@ func toAPIErrorCode(err error) (apiErr APIErrorCode) {
 		apiErr = ErrSSEEncryptedObject
 	case errInvalidSSEParameters:
 		apiErr = ErrInvalidSSECustomerParameters
-	case errSSEKeyMismatch:
+	case crypto.ErrInvalidCustomerKey:
 		apiErr = ErrAccessDenied // no access without correct key
+	case crypto.ErrIncompatibleEncryptionMethod:
+		apiErr = ErrIncompatibleEncryptionMethod
+	case errKMSNotConfigured:
+		apiErr = ErrKMSNotConfigured
+	case crypto.ErrKMSAuthLogin:
+		apiErr = ErrKMSAuthFailure
 	case context.Canceled, context.DeadlineExceeded:
 		apiErr = ErrOperationTimedOut
 	}