diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go
index 77c462f5b..6967c8162 100644
--- a/cmd/encryption-v1.go
+++ b/cmd/encryption-v1.go
@@ -247,22 +247,6 @@ func EncryptRequest(content io.Reader, r *http.Request, bucket, object string, m
 return newEncryptReader(content, key, bucket, object, metadata, crypto.S3.IsRequested(r.Header))
 }
 
-// DecryptCopyRequest decrypts the object with the client provided key. It also removes
-// the client-side-encryption metadata from the object and sets the correct headers.
-func DecryptCopyRequest(client io.Writer, r *http.Request, bucket, object string, metadata map[string]string) (io.WriteCloser, error) {
- var (
- key []byte
- err error
- )
- if crypto.SSECopy.IsRequested(r.Header) {
- key, err = ParseSSECopyCustomerRequest(r.Header, metadata)
- if err != nil {
- return nil, err
- }
- }
- return newDecryptWriter(client, key, bucket, object, 0, metadata)
-}
-
 func decryptObjectInfo(key []byte, bucket, object string, metadata map[string]string) ([]byte, error) {
 switch {
 default:
@@ -317,14 +301,6 @@ func decryptObjectInfo(key []byte, bucket, object string, metadata map[string]st
 }
 }
 
-func newDecryptWriter(client io.Writer, key []byte, bucket, object string, seqNumber uint32, metadata map[string]string) (io.WriteCloser, error) {
- objectEncryptionKey, err := decryptObjectInfo(key, bucket, object, metadata)
- if err != nil {
- return nil, err
- }
- return newDecryptWriterWithObjectKey(client, objectEncryptionKey, seqNumber, metadata)
-}
-
 func newDecryptWriterWithObjectKey(client io.Writer, objectEncryptionKey []byte, seqNumber uint32, metadata map[string]string) (io.WriteCloser, error) {
 writer, err := sio.DecryptWriter(client, sio.Config{
 Key: objectEncryptionKey,
@@ -450,26 +426,6 @@ func DecryptBlocksRequestR(inputReader io.Reader, h http.Header, offset,
 return w, nil
 }
 
-// DecryptRequestWithSequenceNumber decrypts the object with the client provided key. It also removes
-// the client-side-encryption metadata from the object and sets the correct headers.
-func DecryptRequestWithSequenceNumber(client io.Writer, r *http.Request, bucket, object string, seqNumber uint32, metadata map[string]string) (io.WriteCloser, error) {
- if crypto.S3.IsEncrypted(metadata) {
- return newDecryptWriter(client, nil, bucket, object, seqNumber, metadata)
- }
-
- key, err := ParseSSECustomerRequest(r)
- if err != nil {
- return nil, err
- }
- return newDecryptWriter(client, key, bucket, object, seqNumber, metadata)
-}
-
-// DecryptRequest decrypts the object with client provided key for SSE-C and SSE-S3. It also removes
-// the encryption metadata from the object and sets the correct headers.
-func DecryptRequest(client io.Writer, r *http.Request, bucket, object string, metadata map[string]string) (io.WriteCloser, error) {
- return DecryptRequestWithSequenceNumber(client, r, bucket, object, 0, metadata)
-}
-
 // DecryptBlocksReader - decrypts multipart parts, while implementing
 // a io.Reader compatible interface.
 type DecryptBlocksReader struct {
diff --git a/cmd/encryption-v1_test.go b/cmd/encryption-v1_test.go
index 71843efdb..75ca56ac7 100644
--- a/cmd/encryption-v1_test.go
+++ b/cmd/encryption-v1_test.go
@@ -78,135 +78,6 @@ func TestEncryptRequest(t *testing.T) {
 }
 }
 
-var decryptRequestTests = []struct {
- bucket, object string
- header map[string]string
- metadata map[string]string
- shouldFail bool
-}{
- {
- bucket: "bucket",
- object: "object",
- header: map[string]string{
- crypto.SSECAlgorithm: "AES256",
- crypto.SSECKey: "MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ=",
- crypto.SSECKeyMD5: "7PpPLAK26ONlVUGOWlusfg==",
- },
- metadata: map[string]string{
- crypto.SSESealAlgorithm: crypto.InsecureSealAlgorithm,
- crypto.SSEIV: "7nQqotA8xgrPx6QK7Ap3GCfjKitqJSrGP7xzgErSJlw=",
- crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA==",
- },
- shouldFail: false,
- },
- {
- bucket: "bucket",
- object: "object",
- header: map[string]string{
- crypto.SSECAlgorithm: "AES256",
- crypto.SSECKey: "MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ=",
- crypto.SSECKeyMD5: "7PpPLAK26ONlVUGOWlusfg==",
- },
- metadata: map[string]string{
- crypto.SSESealAlgorithm: crypto.SealAlgorithm,
- crypto.SSEIV: "qEqmsONcorqlcZXJxaw32H04eyXyXwUgjHzlhkaIYrU=",
- crypto.SSECSealedKey: "IAAfAIM14ugTGcM/dIrn4iQMrkl1sjKyeBQ8FBEvRebYj8vWvxG+0cJRpC6NXRU1wJN50JaUOATjO7kz0wZ2mA==",
- },
- shouldFail: false,
- },
- {
- bucket: "bucket",
- object: "object",
- header: map[string]string{
- crypto.SSECAlgorithm: "AES256",
- crypto.SSECKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
- crypto.SSECKeyMD5: "bY4wkxQejw9mUJfo72k53A==",
- },
- metadata: map[string]string{
- crypto.SSESealAlgorithm: "HMAC-SHA3",
- crypto.SSEIV: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
- crypto.SSECSealedKey: "SY5E9AvI2tI7/nUrUAssIGE32Hcs4rR9z/CUuPqu5N4=",
- },
- shouldFail: true,
- },
- {
- bucket: "bucket",
- object: "object",
- header: map[string]string{
- crypto.SSECAlgorithm: "AES256",
- crypto.SSECKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
- crypto.SSECKeyMD5: "bY4wkxQejw9mUJfo72k53A==",
- },
- metadata: map[string]string{
- crypto.SSESealAlgorithm: crypto.InsecureSealAlgorithm,
- crypto.SSEIV: "RrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
- crypto.SSECSealedKey: "SY5E9AvI2tI7/nUrUAssIGE32Hcs4rR9z/CUuPqu5N4=",
- },
- shouldFail: true,
- },
- {
- bucket: "bucket",
- object: "object",
- header: map[string]string{
- crypto.SSECAlgorithm: "AES256",
- crypto.SSECKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=",
- crypto.SSECKeyMD5: "bY4wkxQejw9mUJfo72k53A==",
- },
- metadata: map[string]string{
- crypto.SSESealAlgorithm: crypto.InsecureSealAlgorithm,
- crypto.SSEIV: "XAm0dRrJsEsyPb1UuFNezv1bl9ehxuYsgUVC/MUctE2k=",
- crypto.SSECSealedKey: "SY5E9AvI2tI7/nUrUAssIGE32Hds4rR9z/CUuPqu5N4=",
- },
- shouldFail: true,
- },
- {
- bucket: "bucket",
- object: "object-2",
- header: map[string]string{
- crypto.SSECAlgorithm: "AES256",
- crypto.SSECKey: "MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ=",
- crypto.SSECKeyMD5: "7PpPLAK26ONlVUGOWlusfg==",
- },
- metadata: map[string]string{
- crypto.SSESealAlgorithm: crypto.SealAlgorithm,
- crypto.SSEIV: "qEqmsONcorqlcZXJxaw32H04eyXyXwUgjHzlhkaIYrU=",
- crypto.SSECSealedKey: "IAAfAIM14ugTGcM/dIrn4iQMrkl1sjKyeBQ8FBEvRebYj8vWvxG+0cJRpC6NXRU1wJN50JaUOATjO7kz0wZ2mA==",
- },
- shouldFail: true,
- },
-}
-
-func TestDecryptRequest(t *testing.T) {
- defer func(flag bool) { globalIsSSL = flag }(globalIsSSL)
- globalIsSSL = true
- for i, test := range decryptRequestTests[1:] {
- client := bytes.NewBuffer(nil)
- req := &http.Request{Header: http.Header{}}
- for k, v := range test.header {
- req.Header.Set(k, v)
- }
- _, err := DecryptRequest(client, req, test.bucket, test.object, test.metadata)
- if err != nil && !test.shouldFail {
- t.Fatalf("Test %d: Failed to encrypt request: %v", i, err)
- }
- if err == nil && test.shouldFail {
- t.Fatalf("Test %d: should fail but passed", i)
- }
- if key, ok := test.metadata[crypto.SSECKey]; ok {
- t.Errorf("Test %d: Client provided key survived in metadata - key: %s", i, key)
- }
- if kdf, ok := test.metadata[crypto.SSESealAlgorithm]; ok && !test.shouldFail {
- t.Errorf("Test %d: ServerSideEncryptionKDF should not be part of metadata: %v", i, kdf)
- }
- if iv, ok := test.metadata[crypto.SSEIV]; ok && !test.shouldFail {
- t.Errorf("Test %d: crypto.SSEIV should not be part of metadata: %v", i, iv)
- }
- if mac, ok := test.metadata[crypto.SSECSealedKey]; ok && !test.shouldFail {
- t.Errorf("Test %d: ServerSideEncryptionKeyMAC should not be part of metadata: %v", i, mac)
- }
- }
-}
-
 var decryptObjectInfoTests = []struct {
 info ObjectInfo
 headers http.Header