-
Notifications
You must be signed in to change notification settings - Fork 128
/
kms_loader.go
91 lines (76 loc) · 2.65 KB
/
kms_loader.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package kms
import (
"context"
"crypto/subtle"
"github.com/cossacklabs/acra/keystore"
keystoreCE "github.com/cossacklabs/acra/keystore"
"github.com/cossacklabs/acra/keystore/kms/base"
keystoreV2CE "github.com/cossacklabs/acra/keystore/v2/keystore"
"github.com/cossacklabs/acra/network"
log "github.com/sirupsen/logrus"
)
// Loader is implementation of MasterKeyLoader for kms
type Loader struct {
encryptor base.Encryptor
}
// NewLoader create new kms MasterKeyLoader
func NewLoader(encryptor base.Encryptor) *Loader {
return &Loader{
encryptor: encryptor,
}
}
// LoadMasterKey implementation kms MasterKeyLoader for loading AcraMasterKey for keystore v1
func (loader *Loader) LoadMasterKey() ([]byte, error) {
rawKey, err := loader.decryptWithKMSKey([]byte(AcraMasterKeyKEKID))
if err != nil {
log.WithError(err).Warnf("Failed to decrypt ACRA_MASTER_KEY with KMS keyID %s", AcraMasterKeyKEKID)
return nil, err
}
if err := keystoreCE.ValidateMasterKey(rawKey); err != nil {
log.WithError(err).Warn("Decrypted key is invalid")
return nil, err
}
log.Infoln("Using KMS for ACRA_MASTER_KEY loading...")
return rawKey, nil
}
// LoadMasterKeys implementation kms MasterKeyLoader for loading AcraMasterKey for keystore v2
func (loader *Loader) LoadMasterKeys() (encryption []byte, signature []byte, err error) {
rawKey, err := loader.decryptWithKMSKey([]byte(AcraMasterKeyKEKID))
if err != nil {
log.WithError(err).Warnf("Failed to decrypt ACRA_MASTER_KEY with KMS keyID %s", AcraMasterKeyKEKID)
return nil, nil, err
}
keys := &keystoreV2CE.SerializedKeys{}
err = keys.Unmarshal(rawKey)
if err != nil {
log.WithError(err).Warn("Failed to parse KMS decrypted key as SerializedKeys")
return nil, nil, err
}
if subtle.ConstantTimeCompare(keys.Encryption, keys.Signature) == 1 {
log.Warn("ACRA_MASTER_KEYs must not be the same")
return nil, nil, keystoreV2CE.ErrEqualMasterKeys
}
err = keystoreCE.ValidateMasterKey(keys.Encryption)
if err != nil {
log.WithError(err).Warn("Invalid encryption key")
return nil, nil, err
}
err = keystoreCE.ValidateMasterKey(keys.Signature)
if err != nil {
log.WithError(err).Warn("Invalid signature key")
return nil, nil, err
}
return keys.Encryption, keys.Signature, nil
}
func (loader *Loader) decryptWithKMSKey(keyID []byte) ([]byte, error) {
cipherMasterKey, err := keystore.GetMasterKeyFromEnvironmentVariable(keystore.AcraMasterKeyVarName)
if err != nil {
return nil, err
}
ctx, _ := context.WithTimeout(context.Background(), network.DefaultNetworkTimeout)
masterKey, err := loader.encryptor.Decrypt(ctx, keyID, cipherMasterKey, nil)
if err != nil {
return nil, err
}
return masterKey, nil
}