make the crypto error type a native go type (#8267)

This commit makes the `crypto.Error` type a native go (string)
type. That allows us to define error values as constants instead
of variables.

For reference see:
 - https://twitter.com/_aead_/status/1118170258215514115?s=20
 - https://dave.cheney.net/2016/04/07/constant-errors
master
Andreas Auernhammer 5 years ago committed by Harshavardhana
parent 1127293863
commit ffded5a930
  1. 6
      cmd/api-errors.go
  2. 16
      cmd/crypto/error.go
  3. 2
      cmd/crypto/key.go
  4. 14
      cmd/crypto/metadata.go
  5. 14
      cmd/crypto/metadata_test.go

@ -1723,6 +1723,12 @@ func toAPIError(ctx context.Context, err error) APIError {
// their internal error types. This code is only // their internal error types. This code is only
// useful with gateway implementations. // useful with gateway implementations.
switch e := err.(type) { switch e := err.(type) {
case crypto.Error:
apiErr = APIError{
Code: "XKMSInternalError",
Description: e.Error(),
HTTPStatusCode: http.StatusBadRequest,
}
case minio.ErrorResponse: case minio.ErrorResponse:
apiErr = APIError{ apiErr = APIError{
Code: e.Code, Code: e.Code,

@ -19,9 +19,9 @@ import "errors"
// Error is the generic type for any error happening during decrypting // Error is the generic type for any error happening during decrypting
// an object. It indicates that the object itself or its metadata was // an object. It indicates that the object itself or its metadata was
// modified accidentally or maliciously. // modified accidentally or maliciously.
type Error struct{ msg string } type Error string
func (e Error) Error() string { return e.msg } func (e Error) Error() string { return string(e) }
var ( var (
// ErrInvalidEncryptionMethod indicates that the specified SSE encryption method // ErrInvalidEncryptionMethod indicates that the specified SSE encryption method
@ -56,14 +56,14 @@ var (
ErrIncompatibleEncryptionMethod = errors.New("Server side encryption specified with both SSE-C and SSE-S3 headers") ErrIncompatibleEncryptionMethod = errors.New("Server side encryption specified with both SSE-C and SSE-S3 headers")
) )
var ( const (
errMissingInternalIV = Error{"The object metadata is missing the internal encryption IV"} errMissingInternalIV Error = "The object metadata is missing the internal encryption IV"
errMissingInternalSealAlgorithm = Error{"The object metadata is missing the internal seal algorithm"} errMissingInternalSealAlgorithm Error = "The object metadata is missing the internal seal algorithm"
errInvalidInternalIV = Error{"The internal encryption IV is malformed"} errInvalidInternalIV Error = "The internal encryption IV is malformed"
errInvalidInternalSealAlgorithm = Error{"The internal seal algorithm is invalid and not supported"} errInvalidInternalSealAlgorithm Error = "The internal seal algorithm is invalid and not supported"
errMissingUpdatedKey = Error{"The key update returned no error but also no sealed key"} errMissingUpdatedKey Error = "The key update returned no error but also no sealed key"
) )
var ( var (

@ -108,7 +108,7 @@ func (key *ObjectKey) Unseal(extKey [32]byte, sealedKey SealedKey, domain, bucke
) )
switch sealedKey.Algorithm { switch sealedKey.Algorithm {
default: default:
return Error{fmt.Sprintf("The sealing algorithm '%s' is not supported", sealedKey.Algorithm)} return Error(fmt.Sprintf("The sealing algorithm '%s' is not supported", sealedKey.Algorithm))
case SealAlgorithm: case SealAlgorithm:
mac := hmac.New(sha256.New, extKey[:]) mac := hmac.New(sha256.New, extKey[:])
mac.Write(sealedKey.IV[:]) mac.Write(sealedKey.IV[:])

@ -172,7 +172,7 @@ func (s3) ParseMetadata(metadata map[string]string) (keyID string, kmsKey []byte
} }
b64SealedKey, ok := metadata[S3SealedKey] b64SealedKey, ok := metadata[S3SealedKey]
if !ok { if !ok {
return keyID, kmsKey, sealedKey, Error{"The object metadata is missing the internal sealed key for SSE-S3"} return keyID, kmsKey, sealedKey, Error("The object metadata is missing the internal sealed key for SSE-S3")
} }
// There are two possibilites: // There are two possibilites:
@ -182,10 +182,10 @@ func (s3) ParseMetadata(metadata map[string]string) (keyID string, kmsKey []byte
keyID, idPresent := metadata[S3KMSKeyID] keyID, idPresent := metadata[S3KMSKeyID]
b64KMSSealedKey, kmsKeyPresent := metadata[S3KMSSealedKey] b64KMSSealedKey, kmsKeyPresent := metadata[S3KMSSealedKey]
if !idPresent && kmsKeyPresent { if !idPresent && kmsKeyPresent {
return keyID, kmsKey, sealedKey, Error{"The object metadata is missing the internal KMS key-ID for SSE-S3"} return keyID, kmsKey, sealedKey, Error("The object metadata is missing the internal KMS key-ID for SSE-S3")
} }
if idPresent && !kmsKeyPresent { if idPresent && !kmsKeyPresent {
return keyID, kmsKey, sealedKey, Error{"The object metadata is missing the internal sealed KMS data key for SSE-S3"} return keyID, kmsKey, sealedKey, Error("The object metadata is missing the internal sealed KMS data key for SSE-S3")
} }
// Check whether all extracted values are well-formed // Check whether all extracted values are well-formed
@ -198,12 +198,12 @@ func (s3) ParseMetadata(metadata map[string]string) (keyID string, kmsKey []byte
} }
encryptedKey, err := base64.StdEncoding.DecodeString(b64SealedKey) encryptedKey, err := base64.StdEncoding.DecodeString(b64SealedKey)
if err != nil || len(encryptedKey) != 64 { if err != nil || len(encryptedKey) != 64 {
return keyID, kmsKey, sealedKey, Error{"The internal sealed key for SSE-S3 is invalid"} return keyID, kmsKey, sealedKey, Error("The internal sealed key for SSE-S3 is invalid")
} }
if idPresent && kmsKeyPresent { // We are using a KMS -> parse the sealed KMS data key. if idPresent && kmsKeyPresent { // We are using a KMS -> parse the sealed KMS data key.
kmsKey, err = base64.StdEncoding.DecodeString(b64KMSSealedKey) kmsKey, err = base64.StdEncoding.DecodeString(b64KMSSealedKey)
if err != nil { if err != nil {
return keyID, kmsKey, sealedKey, Error{"The internal sealed KMS data key for SSE-S3 is invalid"} return keyID, kmsKey, sealedKey, Error("The internal sealed KMS data key for SSE-S3 is invalid")
} }
} }
@ -244,7 +244,7 @@ func (ssec) ParseMetadata(metadata map[string]string) (sealedKey SealedKey, err
} }
b64SealedKey, ok := metadata[SSECSealedKey] b64SealedKey, ok := metadata[SSECSealedKey]
if !ok { if !ok {
return sealedKey, Error{"The object metadata is missing the internal sealed key for SSE-C"} return sealedKey, Error("The object metadata is missing the internal sealed key for SSE-C")
} }
// Check whether all extracted values are well-formed // Check whether all extracted values are well-formed
@ -257,7 +257,7 @@ func (ssec) ParseMetadata(metadata map[string]string) (sealedKey SealedKey, err
} }
encryptedKey, err := base64.StdEncoding.DecodeString(b64SealedKey) encryptedKey, err := base64.StdEncoding.DecodeString(b64SealedKey)
if err != nil || len(encryptedKey) != 64 { if err != nil || len(encryptedKey) != 64 {
return sealedKey, Error{"The internal sealed key for SSE-C is invalid"} return sealedKey, Error("The internal sealed key for SSE-C is invalid")
} }
sealedKey.Algorithm = algorithm sealedKey.Algorithm = algorithm

@ -125,15 +125,15 @@ var s3ParseMetadataTests = []struct {
DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{},
}, // 1 }, // 1
{ {
ExpectedErr: Error{"The object metadata is missing the internal sealed key for SSE-S3"}, ExpectedErr: Error("The object metadata is missing the internal sealed key for SSE-S3"),
Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: ""}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{}, Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: ""}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{},
}, // 2 }, // 2
{ {
ExpectedErr: Error{"The object metadata is missing the internal KMS key-ID for SSE-S3"}, ExpectedErr: Error("The object metadata is missing the internal KMS key-ID for SSE-S3"),
Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: "", S3SealedKey: "", S3KMSSealedKey: "IAAF0b=="}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{}, Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: "", S3SealedKey: "", S3KMSSealedKey: "IAAF0b=="}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{},
}, // 3 }, // 3
{ {
ExpectedErr: Error{"The object metadata is missing the internal sealed KMS data key for SSE-S3"}, ExpectedErr: Error("The object metadata is missing the internal sealed KMS data key for SSE-S3"),
Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: "", S3SealedKey: "", S3KMSKeyID: ""}, Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: "", S3SealedKey: "", S3KMSKeyID: ""},
DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{},
}, // 4 }, // 4
@ -150,7 +150,7 @@ var s3ParseMetadataTests = []struct {
DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{},
}, // 6 }, // 6
{ {
ExpectedErr: Error{"The internal sealed key for SSE-S3 is invalid"}, ExpectedErr: Error("The internal sealed key for SSE-S3 is invalid"),
Metadata: map[string]string{ Metadata: map[string]string{
SSEIV: base64.StdEncoding.EncodeToString(make([]byte, 32)), SSESealAlgorithm: SealAlgorithm, S3SealedKey: "", SSEIV: base64.StdEncoding.EncodeToString(make([]byte, 32)), SSESealAlgorithm: SealAlgorithm, S3SealedKey: "",
S3KMSKeyID: "", S3KMSSealedKey: "", S3KMSKeyID: "", S3KMSSealedKey: "",
@ -158,7 +158,7 @@ var s3ParseMetadataTests = []struct {
DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{}, DataKey: []byte{}, KeyID: "", SealedKey: SealedKey{},
}, // 7 }, // 7
{ {
ExpectedErr: Error{"The internal sealed KMS data key for SSE-S3 is invalid"}, ExpectedErr: Error("The internal sealed KMS data key for SSE-S3 is invalid"),
Metadata: map[string]string{ Metadata: map[string]string{
SSEIV: base64.StdEncoding.EncodeToString(make([]byte, 32)), SSESealAlgorithm: SealAlgorithm, SSEIV: base64.StdEncoding.EncodeToString(make([]byte, 32)), SSESealAlgorithm: SealAlgorithm,
S3SealedKey: base64.StdEncoding.EncodeToString(make([]byte, 64)), S3KMSKeyID: "key-1", S3SealedKey: base64.StdEncoding.EncodeToString(make([]byte, 64)), S3KMSKeyID: "key-1",
@ -218,7 +218,7 @@ var ssecParseMetadataTests = []struct {
{ExpectedErr: errMissingInternalIV, Metadata: map[string]string{}, SealedKey: SealedKey{}}, // 0 {ExpectedErr: errMissingInternalIV, Metadata: map[string]string{}, SealedKey: SealedKey{}}, // 0
{ExpectedErr: errMissingInternalSealAlgorithm, Metadata: map[string]string{SSEIV: ""}, SealedKey: SealedKey{}}, // 1 {ExpectedErr: errMissingInternalSealAlgorithm, Metadata: map[string]string{SSEIV: ""}, SealedKey: SealedKey{}}, // 1
{ {
ExpectedErr: Error{"The object metadata is missing the internal sealed key for SSE-C"}, ExpectedErr: Error("The object metadata is missing the internal sealed key for SSE-C"),
Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: ""}, SealedKey: SealedKey{}, Metadata: map[string]string{SSEIV: "", SSESealAlgorithm: ""}, SealedKey: SealedKey{},
}, // 2 }, // 2
{ {
@ -233,7 +233,7 @@ var ssecParseMetadataTests = []struct {
SealedKey: SealedKey{}, SealedKey: SealedKey{},
}, // 4 }, // 4
{ {
ExpectedErr: Error{"The internal sealed key for SSE-C is invalid"}, ExpectedErr: Error("The internal sealed key for SSE-C is invalid"),
Metadata: map[string]string{ Metadata: map[string]string{
SSEIV: base64.StdEncoding.EncodeToString(make([]byte, 32)), SSESealAlgorithm: SealAlgorithm, SSECSealedKey: "", SSEIV: base64.StdEncoding.EncodeToString(make([]byte, 32)), SSESealAlgorithm: SealAlgorithm, SSECSealedKey: "",
}, },

Loading…
Cancel
Save