MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-03-31 09:43:43 -04:00
Code Issues Packages Projects Releases Wiki Activity

avoid parsing MINIO_KMS_MASTER_KEY as base64 (#12149)

Browse Source 
This commit reverts a change that added support for
parsing base64-encoded keys set via `MINIO_KMS_MASTER_KEY`.

The env. variable `MINIO_KMS_MASTER_KEY` is deprecated and
should ONLY support parsing existing keys - not the new format.

Any new deployment should use `MINIO_KMS_SECRET_KEY`. The legacy
env. variable `MINIO_KMS_MASTER_KEY` will be removed at some point
in time.

Signed-off-by: Andreas Auernhammer <aead@mail.de>
This commit is contained in:
Andreas Auernhammer 2021-04-25 20:04:31 +02:00 committed by GitHub
parent 4eb9b6eaf8
commit f7feff8665
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
cmd/common-main.go
View File

@ -332,9 +332,6 @@ func handleCommonEnvVars() {
globalActiveCred = cred globalActiveCred = cred
} }
if env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint) {
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
}
switch { switch {
case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint): case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint):
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint)) logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
@ -342,34 +339,24 @@ func handleCommonEnvVars() {
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSMasterKey, config.EnvKESEndpoint)) logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSMasterKey, config.EnvKESEndpoint))
} }
parseMasterKey := func(key string) error {
KMS, err := kms.Parse(env.Get(key, ""))
if err != nil {
v := strings.SplitN(env.Get(key, ""), ":", 2)
if len(v) != 2 {
return errors.New("invalid " + key)
}
secretKey, err := hex.DecodeString(v[1])
if err != nil {
return err
}
KMS, err = kms.New(v[0], secretKey)
if err != nil {
return err
}
}
GlobalKMS = KMS
return nil
}
if env.IsSet(config.EnvKMSSecretKey) { if env.IsSet(config.EnvKMSSecretKey) {
if err = parseMasterKey(config.EnvKMSSecretKey); err != nil { GlobalKMS, err = kms.Parse(config.EnvKMSSecretKey)
if err != nil {
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment") logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
} }
} else if env.IsSet(config.EnvKMSMasterKey) { } else if env.IsSet(config.EnvKMSMasterKey) {
logger.LogIf(GlobalContext, errors.New("legacy KMS configuration"), logger.LogIf(GlobalContext, errors.New("legacy KMS configuration"), fmt.Sprintf("The environment variable %q is deprecated and will be removed in the future", config.EnvKMSMasterKey))
fmt.Sprintf("The environment variable %q is deprecated and will be removed in the future", config.EnvKMSMasterKey))
if err = parseMasterKey(config.EnvKMSMasterKey); err != nil { v := strings.SplitN(env.Get(config.EnvKMSMasterKey, ""), ":", 2)
if len(v) != 2 {
logger.Fatal(errors.New("invalid "+config.EnvKMSMasterKey), "Unable to parse the KMS secret key inherited from the shell environment")
}
secretKey, err := hex.DecodeString(v[1])
if err != nil {
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
}
GlobalKMS, err = kms.New(v[0], secretKey)
if err != nil {
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment") logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
} }
} }

30
pkg/kms/single-key.go
View File

@ -28,9 +28,7 @@ import (
"fmt" "fmt"
"strconv" "strconv"
"strings" "strings"
"unicode/utf8"
"github.com/minio/sio"
"github.com/secure-io/sio-go/sioutil" "github.com/secure-io/sio-go/sioutil"
"golang.org/x/crypto/chacha20" "golang.org/x/crypto/chacha20"
"golang.org/x/crypto/chacha20poly1305" "golang.org/x/crypto/chacha20poly1305"
@ -170,39 +168,11 @@ func (kms secretKey) GenerateKey(keyID string, context Context) (DEK, error) {
}, nil }, nil
} }
func (kms secretKey) legacyDecryptKey(keyID string, sealedKey []byte, ctx Context) ([]byte, error) {
var derivedKey = kms.deriveKey(keyID, ctx)
var key [32]byte
out, err := sio.DecryptBuffer(key[:0], sealedKey, sio.Config{Key: derivedKey[:]})
if err != nil || len(out) != 32 {
return nil, err // TODO(aead): upgrade sio to use sio.Error
}
return key[:], nil
}
func (kms secretKey) deriveKey(keyID string, context Context) (key [32]byte) {
if context == nil {
context = Context{}
}
ctxBytes, _ := context.MarshalText()
mac := hmac.New(sha256.New, kms.key[:])
mac.Write([]byte(keyID))
mac.Write(ctxBytes)
mac.Sum(key[:0])
return key
}
func (kms secretKey) DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) { func (kms secretKey) DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) {
if keyID != kms.keyID { if keyID != kms.keyID {
return nil, fmt.Errorf("kms: key %q does not exist", keyID) return nil, fmt.Errorf("kms: key %q does not exist", keyID)
} }
if !utf8.Valid(ciphertext) {
return kms.legacyDecryptKey(keyID, ciphertext, context)
}
var encryptedKey encryptedKey var encryptedKey encryptedKey
if err := json.Unmarshal(ciphertext, &encryptedKey); err != nil { if err := json.Unmarshal(ciphertext, &encryptedKey); err != nil {
return nil, err return nil, err