2018-09-18 03:03:00 +00:00
|
|
|
package seal
|
|
|
|
|
2018-10-19 21:43:57 +00:00
|
|
|
import (
|
|
|
|
"context"
|
2020-01-11 01:39:52 +00:00
|
|
|
"time"
|
2018-10-19 21:43:57 +00:00
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
metrics "github.com/armon/go-metrics"
|
|
|
|
wrapping "github.com/hashicorp/go-kms-wrapping"
|
2018-10-19 21:43:57 +00:00
|
|
|
)
|
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
type StoredKeysSupport int
|
|
|
|
|
2018-09-18 03:03:00 +00:00
|
|
|
const (
|
2020-01-11 01:39:52 +00:00
|
|
|
// The 0 value of StoredKeysSupport is an invalid option
|
|
|
|
StoredKeysInvalid StoredKeysSupport = iota
|
|
|
|
StoredKeysNotSupported
|
|
|
|
StoredKeysSupportedGeneric
|
2021-12-07 01:12:20 +00:00
|
|
|
StoredKeysSupportedShamirRoot
|
2018-09-18 03:03:00 +00:00
|
|
|
)
|
2018-10-19 21:43:57 +00:00
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
func (s StoredKeysSupport) String() string {
|
|
|
|
switch s {
|
|
|
|
case StoredKeysNotSupported:
|
|
|
|
return "Old-style Shamir"
|
|
|
|
case StoredKeysSupportedGeneric:
|
|
|
|
return "AutoUnseal"
|
2021-12-07 01:12:20 +00:00
|
|
|
case StoredKeysSupportedShamirRoot:
|
2020-01-11 01:39:52 +00:00
|
|
|
return "New-style Shamir"
|
|
|
|
default:
|
|
|
|
return "Invalid StoredKeys type"
|
|
|
|
}
|
2019-10-18 18:46:00 +00:00
|
|
|
}
|
|
|
|
|
2019-10-17 17:33:00 +00:00
|
|
|
// Access is the embedded implementation of autoSeal that contains logic
|
2018-10-19 21:43:57 +00:00
|
|
|
// specific to encrypting and decrypting data, or in this case keys.
|
2020-01-11 01:39:52 +00:00
|
|
|
type Access struct {
|
|
|
|
wrapping.Wrapper
|
|
|
|
OverriddenType string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *Access) SetType(t string) {
|
|
|
|
a.OverriddenType = t
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *Access) Type() string {
|
|
|
|
if a.OverriddenType != "" {
|
|
|
|
return a.OverriddenType
|
|
|
|
}
|
|
|
|
return a.Wrapper.Type()
|
|
|
|
}
|
|
|
|
|
2020-10-23 18:16:04 +00:00
|
|
|
// Encrypt uses the underlying seal to encrypt the plaintext and returns it.
|
2020-01-11 01:39:52 +00:00
|
|
|
func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.EncryptedBlobInfo, err error) {
|
|
|
|
defer func(now time.Time) {
|
|
|
|
metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
|
|
|
|
metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "encrypt", "time"}, now)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
|
|
|
|
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt", "error"}, 1)
|
|
|
|
}
|
|
|
|
}(time.Now())
|
|
|
|
|
|
|
|
metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
|
|
|
|
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt"}, 1)
|
|
|
|
|
|
|
|
return a.Wrapper.Encrypt(ctx, plaintext, aad)
|
|
|
|
}
|
|
|
|
|
2020-10-23 18:16:04 +00:00
|
|
|
// Decrypt uses the underlying seal to decrypt the cryptotext and returns it.
|
|
|
|
// Note that it is possible depending on the wrapper used that both pt and err
|
|
|
|
// are populated.
|
2020-01-11 01:39:52 +00:00
|
|
|
func (a *Access) Decrypt(ctx context.Context, data *wrapping.EncryptedBlobInfo, aad []byte) (pt []byte, err error) {
|
|
|
|
defer func(now time.Time) {
|
|
|
|
metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
|
|
|
|
metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "decrypt", "time"}, now)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
|
|
|
|
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt", "error"}, 1)
|
|
|
|
}
|
|
|
|
}(time.Now())
|
2018-10-19 21:43:57 +00:00
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
|
|
|
|
metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt"}, 1)
|
2018-10-19 21:43:57 +00:00
|
|
|
|
2020-01-11 01:39:52 +00:00
|
|
|
return a.Wrapper.Decrypt(ctx, data, aad)
|
2018-10-19 21:43:57 +00:00
|
|
|
}
|