UpdateMasterKeysWithKeyServices encrypts the data key with all master keys using the provided key services. With a single key group, every key in that group encrypts the whole data key; with several key groups, the data key is first split with Shamir Secret Sharing into one share per group (ShamirThreshold defaults to the number of groups when it is zero) and each key in a group encrypts only its group's share.
(dataKey []byte, svcs []keyservice.KeyServiceClient)
| 760 | |
| 761 | // UpdateMasterKeysWithKeyServices encrypts the data key with all master keys using the provided key services |
| 762 | func (m *Metadata) UpdateMasterKeysWithKeyServices(dataKey []byte, svcs []keyservice.KeyServiceClient) (errs []error) { |
| 763 | if len(svcs) == 0 { |
| 764 | return []error{ |
| 765 | fmt.Errorf("no key services provided, cannot update master keys"), |
| 766 | } |
| 767 | } |
| 768 | if len(m.KeyGroups) == 0 { |
| 769 | return []error{ |
| 770 | fmt.Errorf("no key groups provided"), |
| 771 | } |
| 772 | } |
| 773 | var parts [][]byte |
| 774 | if len(m.KeyGroups) == 1 { |
| 775 | // If there's only one key group, we can't do Shamir. All keys |
| 776 | // in the group encrypt the whole data key. |
| 777 | parts = append(parts, dataKey) |
| 778 | } else { |
| 779 | var err error |
| 780 | if m.ShamirThreshold == 0 { |
| 781 | m.ShamirThreshold = len(m.KeyGroups) |
| 782 | } |
| 783 | log.WithFields(logrus.Fields{ |
| 784 | "quorum": m.ShamirThreshold, |
| 785 | "parts": len(m.KeyGroups), |
| 786 | }).Info("Splitting data key with Shamir Secret Sharing") |
| 787 | parts, err = shamir.Split(dataKey, len(m.KeyGroups), int(m.ShamirThreshold)) |
| 788 | if err != nil { |
| 789 | errs = append(errs, fmt.Errorf("could not split data key into parts for Shamir: %s", err)) |
| 790 | return |
| 791 | } |
| 792 | if len(parts) != len(m.KeyGroups) { |
| 793 | errs = append(errs, fmt.Errorf("not enough parts obtained from Shamir: need %d, got %d", len(m.KeyGroups), len(parts))) |
| 794 | return |
| 795 | } |
| 796 | } |
| 797 | for i, group := range m.KeyGroups { |
| 798 | part := parts[i] |
| 799 | if len(group) == 0 { |
| 800 | return []error{ |
| 801 | fmt.Errorf("empty key group provided"), |
| 802 | } |
| 803 | } |
| 804 | for _, key := range group { |
| 805 | svcKey := keyservice.KeyFromMasterKey(key) |
| 806 | var keyErrs []error |
| 807 | encrypted := false |
| 808 | for _, svc := range svcs { |
| 809 | rsp, err := svc.Encrypt(context.Background(), &keyservice.EncryptRequest{ |
| 810 | Key: &svcKey, |
| 811 | Plaintext: part, |
| 812 | }) |
| 813 | if err != nil { |
| 814 | keyErrs = append(keyErrs, fmt.Errorf("failed to encrypt new data key with master key %q: %w", key.ToString(), err)) |
| 815 | continue |
| 816 | } |
| 817 | key.SetEncryptedDataKey(rsp.Ciphertext) |
| 818 | encrypted = true |
| 819 | // Only need to encrypt the key successfully with one service |