// UnlockStaffKMS returns the staff KMS granted to this account.
//
// clientKey must decrypt the account's stored user key; the decrypted user
// key then opens the staff capability's encrypted payload, which carries the
// serialized KMS credential. The credential's concrete type is read from the
// capability's public payload.
//
// It returns proto.ErrAccessDenied when the account holds no staff
// capability, and otherwise any error from user-key decryption, payload
// decryption, JSON decoding or credential construction.
func (a *memAccount) UnlockStaffKMS(clientKey *security.ManagedKey) (security.KMS, error) {
	// Authorization first: with no staff capability there is nothing to
	// unlock, and we return before any key material is decrypted.
	if a.staffCapability == nil {
		return nil, proto.ErrAccessDenied
	}

	// Decrypt a clone so the stored user key itself is never modified.
	userKey := a.sec.UserKey.Clone()
	if err := userKey.Decrypt(clientKey); err != nil {
		return nil, err
	}

	// The staff grant is a shared-secret capability opened with the user
	// key; its encrypted payload is the JSON-encoded KMS credential.
	grant := &security.SharedSecretCapability{Capability: a.staffCapability}
	credJSON, err := grant.DecryptPayload(&userKey)
	if err != nil {
		return nil, err
	}

	// The KMS type comes from the public payload and only selects which
	// credential type parses credJSON.
	// NOTE(review): this assumes the public payload is integrity-protected
	// together with the encrypted payload — confirm in
	// security.SharedSecretCapability before relying on it.
	var kind security.KMSType
	if err = json.Unmarshal(grant.PublicPayload(), &kind); err != nil {
		return nil, err
	}

	cred, err := kind.KMSCredential()
	if err != nil {
		return nil, err
	}
	if err = cred.UnmarshalJSON(credJSON); err != nil {
		return nil, err
	}

	// NOTE(review): userKey and credJSON hold plaintext secrets until the
	// GC reclaims them; nothing here zeroizes them.
	return cred.KMS(), nil
}
// UnlockStaffKMS returns the staff KMS granted to the bound account.
//
// The account's user key is reconstructed from ab.Account.Nonce (as IV) and
// ab.Account.EncryptedUserKey, decrypted with clientKey, and then used to
// open the staff capability's encrypted payload, which carries the
// serialized KMS credential. The credential's concrete type is read from
// the capability's public payload.
//
// It returns proto.ErrAccessDenied when the binding holds no staff
// capability, and otherwise any error from user-key decryption, payload
// decryption, JSON decoding or credential construction.
func (ab *AccountBinding) UnlockStaffKMS(clientKey *security.ManagedKey) (security.KMS, error) {
	// Authorization first: with no staff capability there is nothing to
	// unlock, and we return before any key material is decrypted.
	if ab.StaffCapability == nil {
		return nil, proto.ErrAccessDenied
	}

	// Rebuild the encrypted user key from the stored account fields. Both
	// the IV and the ciphertext are copied so that Decrypt never writes
	// into the slices held by ab.Account.
	// NOTE(review): copy() zero-pads a Nonce shorter than the block size
	// and silently truncates a longer one, so the IV is only correct if
	// ab.Account.Nonce is exactly BlockSize() bytes — confirm where Nonce
	// is generated.
	iv := make([]byte, proto.ClientKeyType.BlockSize())
	copy(iv, ab.Account.Nonce)
	ciphertext := make([]byte, len(ab.Account.EncryptedUserKey))
	copy(ciphertext, ab.Account.EncryptedUserKey)
	userKey := &security.ManagedKey{
		KeyType:    proto.ClientKeyType,
		IV:         iv,
		Ciphertext: ciphertext,
	}
	if err := userKey.Decrypt(clientKey); err != nil {
		return nil, err
	}

	// The staff grant is a shared-secret capability opened with the user
	// key; its encrypted payload is the JSON-encoded KMS credential.
	grant := &security.SharedSecretCapability{Capability: ab.StaffCapability}
	credJSON, err := grant.DecryptPayload(userKey)
	if err != nil {
		return nil, err
	}

	// The KMS type comes from the public payload and only selects which
	// credential type parses credJSON.
	// NOTE(review): this assumes the public payload is integrity-protected
	// together with the encrypted payload — confirm in
	// security.SharedSecretCapability before relying on it.
	var kind security.KMSType
	if err = json.Unmarshal(grant.PublicPayload(), &kind); err != nil {
		return nil, err
	}

	cred, err := kind.KMSCredential()
	if err != nil {
		return nil, err
	}
	if err = cred.UnmarshalJSON(credJSON); err != nil {
		return nil, err
	}

	// NOTE(review): userKey and credJSON hold plaintext secrets until the
	// GC reclaims them; nothing here zeroizes them.
	return cred.KMS(), nil
}