hatter/local-mini-kms
1
1
Fork 0
Code Issues 2 Pull Requests Projects Releases Wiki Activity

feat: v0.2.1 add seckey support

Browse Source
This commit is contained in:
Hatter Jiang
2022-07-27 23:52:25 +08:00
parent 77591990ad
commit 4bab656dfb
3 changed files with 73 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/serve.rs
View File

@@ -1,4 +1,4 @@
use std::sync::RwLock;
use std::sync::Mutex;
use clap::{App, Arg, ArgMatches, SubCommand};
use hyper::{Body, Client, Method, Request, Response, Server, StatusCode};
@@ -9,6 +9,7 @@ use josekit::jwk::alg::rsa::RsaKeyPair;
use josekit::jwk::KeyPair;
use rust_util::{debugging, failure_and_exit, information, opt_result, simple_error, success, XResult};
use rust_util::util_clap::{Command, CommandError};
use seckey::SecBytes;
use serde::{Deserialize, Serialize};
use serde_json::{json, Map, Value};
use zeroize::Zeroize;
@@ -97,18 +98,18 @@ macro_rules! do_response {
struct MemoryKey {
database_file: String,
instance_rsa_key_pair: RsaKeyPair,
master_key: Option<Vec<u8>>,
master_key: Option<SecBytes>,
}
lazy_static::lazy_static! {
static ref STATUP_RW_LOCK: RwLock<Option<MemoryKey>> = RwLock::new(None);
static ref STATUP_RW_LOCK: Mutex<Option<MemoryKey>> = Mutex::new(None);
}
fn init_instance(db: &str) -> XResult<bool> {
let conn = db::open_db(db)?;
db::init_db(&conn)?;
let mut startup_rw_lock = STATUP_RW_LOCK.write().expect("Lock write startup rw lock error");
let mut startup_rw_lock = STATUP_RW_LOCK.lock().expect("Lock write startup rw lock error");
match &*startup_rw_lock {
Some(_) => Ok(false),
None => {
@@ -124,7 +125,7 @@ fn init_instance(db: &str) -> XResult<bool> {
}
fn update_instance_rsa_key_pair() -> XResult<bool> {
let mut startup_rw_lock = STATUP_RW_LOCK.write().expect("Lock write startup rw lock error");
let mut startup_rw_lock = STATUP_RW_LOCK.lock().expect("Lock write startup rw lock error");
match &mut *startup_rw_lock {
Some(k) => {
k.instance_rsa_key_pair = jose::generate_rsa_key(4096)?;
@@ -180,12 +181,12 @@ async fn inner_decrypt(req: Request<Body>) -> XResult<(StatusCode, Value)> {
let data: DecryptRequest = serde_json::from_reader(whole_body.reader())?;
debugging!("To be decrypted value: {}", &data.encrypted_value);
let mut key = match get_master_key() {
let key = match get_master_key() {
None => return Ok((StatusCode::BAD_REQUEST, json!({ "error": "status_not_ready" }))),
Some(key) => key,
};
let decrypted_value = jose::deserialize_jwe_aes(&data.encrypted_value, &key);
key.zeroize();
let decrypted_value = jose::deserialize_jwe_aes(&data.encrypted_value, &*key.read());
drop(key);
decrypted_value.map(|v| {
let v = MultipleViewValue::from(&v.0);
@@ -211,12 +212,12 @@ async fn inner_encrypt(req: Request<Body>) -> XResult<(StatusCode, Value)> {
let whole_body = hyper::body::aggregate(req).await?;
let data: MultipleViewValue = serde_json::from_reader(whole_body.reader())?;
let value = data.to_bytes()?;
let mut key = match get_master_key() {
let key = match get_master_key() {
None => return Ok((StatusCode::BAD_REQUEST, json!({ "error": "status_not_ready" }))),
Some(key) => key,
};
let encrypt_result = jose::serialize_jwe_aes(&value, &key);
key.zeroize();
let encrypt_result = jose::serialize_jwe_aes(&value, &*key.read());
drop(key);
encrypt_result.map(|e| {
(StatusCode::OK, json!({
@@ -251,7 +252,7 @@ async fn inner_init(req: Request<Body>) -> XResult<(StatusCode, Value)> {
let whole_body = hyper::body::aggregate(req).await?;
let init_request: InitRequest = serde_json::from_reader(whole_body.reader())?;
let mut startup_rw_lock = STATUP_RW_LOCK.write().expect("Lock read startup rw lock error");
let mut startup_rw_lock = STATUP_RW_LOCK.lock().expect("Lock read startup rw lock error");
match &*startup_rw_lock {
None => return Ok((StatusCode::INTERNAL_SERVER_ERROR, json!({ "error": "internal_error", "error_message": "not init " }))),
Some(memory_key) => match memory_key.master_key {
@@ -297,7 +298,10 @@ async fn inner_init(req: Request<Body>) -> XResult<(StatusCode, Value)> {
}
}
information!("Set master key success");
k.master_key = Some(clear_master_key);
let sec_bytes = SecBytes::with(clear_master_key.len(), |buf| buf.copy_from_slice(&clear_master_key.as_slice()[..]));
let mut clear_master_key = clear_master_key;
clear_master_key.zeroize();
k.master_key = Some(sec_bytes);
k.instance_rsa_key_pair = jose::generate_rsa_key(4096)?;
}
Ok((StatusCode::OK, json!({})))
@@ -308,7 +312,7 @@ async fn status() -> Result<Response<Body>> {
}
async fn inner_status() -> XResult<(StatusCode, Value)> {
let startup_rw_lock = STATUP_RW_LOCK.read().expect("Lock read startup rw lock error");
let startup_rw_lock = STATUP_RW_LOCK.lock().expect("Lock read startup rw lock error");
let body = match &*startup_rw_lock {
None => json!({ "status": "n/a" }),
Some(memory_key) => match memory_key.master_key {
@@ -331,10 +335,16 @@ async fn get_version() -> Result<Response<Body>> {
).into())?)
}
fn get_master_key() -> Option<Vec<u8>> {
let startup_rw_lock = STATUP_RW_LOCK.read().expect("Lock read startup rw lock error");
fn get_master_key() -> Option<SecBytes> {
let startup_rw_lock = STATUP_RW_LOCK.lock().expect("Lock read startup rw lock error");
match &*startup_rw_lock {
None => None,
Some(k) => k.master_key.clone(),
Some(k) => match &k.master_key {
None => None,
Some(k) => {
let k = &*k.read();
Some(SecBytes::with(k.len(), |buf| buf.copy_from_slice(k)))
}
},
}
}