mirror of https://github.com/minio/minio.git
avoid parsing MINIO_KMS_MASTER_KEY as base64 (#12149)
This commit reverts a change that added support for parsing base64-encoded keys set via `MINIO_KMS_MASTER_KEY`. The env. variable `MINIO_KMS_MASTER_KEY` is deprecated and should ONLY support parsing existing keys - not the new format. Any new deployment should use `MINIO_KMS_SECRET_KEY`. The legacy env. variable `MINIO_KMS_MASTER_KEY` will be removed at some point in time. Signed-off-by: Andreas Auernhammer <aead@mail.de>
This commit is contained in:
Andreas Auernhammer
GitHub
parent
4eb9b6eaf8
commit
f7feff8665
|
|
@ -332,9 +332,6 @@ func handleCommonEnvVars() {
|
|||
globalActiveCred = cred
|
||||
}
|
||||
|
||||
if env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint) {
|
||||
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
|
||||
}
|
||||
switch {
|
||||
case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint):
|
||||
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
|
||||
|
|
@ -342,34 +339,24 @@ func handleCommonEnvVars() {
|
|||
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSMasterKey, config.EnvKESEndpoint))
|
||||
}
|
||||
|
||||
parseMasterKey := func(key string) error {
|
||||
KMS, err := kms.Parse(env.Get(key, ""))
|
||||
if err != nil {
|
||||
v := strings.SplitN(env.Get(key, ""), ":", 2)
|
||||
if len(v) != 2 {
|
||||
return errors.New("invalid " + key)
|
||||
}
|
||||
secretKey, err := hex.DecodeString(v[1])
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
KMS, err = kms.New(v[0], secretKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
GlobalKMS = KMS
|
||||
return nil
|
||||
}
|
||||
|
||||
if env.IsSet(config.EnvKMSSecretKey) {
|
||||
if err = parseMasterKey(config.EnvKMSSecretKey); err != nil {
|
||||
GlobalKMS, err = kms.Parse(config.EnvKMSSecretKey)
|
||||
if err != nil {
|
||||
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
|
||||
}
|
||||
} else if env.IsSet(config.EnvKMSMasterKey) {
|
||||
logger.LogIf(GlobalContext, errors.New("legacy KMS configuration"),
|
||||
fmt.Sprintf("The environment variable %q is deprecated and will be removed in the future", config.EnvKMSMasterKey))
|
||||
if err = parseMasterKey(config.EnvKMSMasterKey); err != nil {
|
||||
logger.LogIf(GlobalContext, errors.New("legacy KMS configuration"), fmt.Sprintf("The environment variable %q is deprecated and will be removed in the future", config.EnvKMSMasterKey))
|
||||
|
||||
v := strings.SplitN(env.Get(config.EnvKMSMasterKey, ""), ":", 2)
|
||||
if len(v) != 2 {
|
||||
logger.Fatal(errors.New("invalid "+config.EnvKMSMasterKey), "Unable to parse the KMS secret key inherited from the shell environment")
|
||||
}
|
||||
secretKey, err := hex.DecodeString(v[1])
|
||||
if err != nil {
|
||||
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
|
||||
}
|
||||
GlobalKMS, err = kms.New(v[0], secretKey)
|
||||
if err != nil {
|
||||
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,9 +28,7 @@ import (
|
|||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
"unicode/utf8"
|
||||
|
||||
"github.com/minio/sio"
|
||||
"github.com/secure-io/sio-go/sioutil"
|
||||
"golang.org/x/crypto/chacha20"
|
||||
"golang.org/x/crypto/chacha20poly1305"
|
||||
|
|
@ -170,39 +168,11 @@ func (kms secretKey) GenerateKey(keyID string, context Context) (DEK, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
func (kms secretKey) legacyDecryptKey(keyID string, sealedKey []byte, ctx Context) ([]byte, error) {
|
||||
var derivedKey = kms.deriveKey(keyID, ctx)
|
||||
|
||||
var key [32]byte
|
||||
out, err := sio.DecryptBuffer(key[:0], sealedKey, sio.Config{Key: derivedKey[:]})
|
||||
if err != nil || len(out) != 32 {
|
||||
return nil, err // TODO(aead): upgrade sio to use sio.Error
|
||||
}
|
||||
return key[:], nil
|
||||
}
|
||||
|
||||
func (kms secretKey) deriveKey(keyID string, context Context) (key [32]byte) {
|
||||
if context == nil {
|
||||
context = Context{}
|
||||
}
|
||||
ctxBytes, _ := context.MarshalText()
|
||||
|
||||
mac := hmac.New(sha256.New, kms.key[:])
|
||||
mac.Write([]byte(keyID))
|
||||
mac.Write(ctxBytes)
|
||||
mac.Sum(key[:0])
|
||||
return key
|
||||
}
|
||||
|
||||
func (kms secretKey) DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) {
|
||||
if keyID != kms.keyID {
|
||||
return nil, fmt.Errorf("kms: key %q does not exist", keyID)
|
||||
}
|
||||
|
||||
if !utf8.Valid(ciphertext) {
|
||||
return kms.legacyDecryptKey(keyID, ciphertext, context)
|
||||
}
|
||||
|
||||
var encryptedKey encryptedKey
|
||||
if err := json.Unmarshal(ciphertext, &encryptedKey); err != nil {
|
||||
return nil, err
|
||||
|
|
|
|||
Loading…
Reference in New Issue