feat: datakey support exportable

2024-11-15 01:26:09 +08:00
parent 82b38a2cf1
commit 655f9f5ede
2 changed files with 19 additions and 14 deletions
--- a/src/serve_datakey.rs
+++ b/src/serve_datakey.rs
@@ -20,6 +20,7 @@ struct DataKeyRequest {
    key_type: String,
    key_spec: String,
    key_name: Option<String>,
+    exportable: Option<bool>,
    return_plaintext: Option<bool>,
 }

@@ -36,12 +37,13 @@ async fn inner_generate(req: Request<Body>) -> XResult<(StatusCode, Value)> {
        None => return serve_common::error("status_not_ready"),
        Some(key) => key,
    };
-    let ret_key_plaintext = request.return_plaintext.unwrap_or(false);
+    let exportable = request.exportable.unwrap_or(true);
+    let ret_key_plaintext = iff!(exportable, false, request.return_plaintext.unwrap_or(false));

    let response_result = match (request.key_type.as_str(), request.key_spec.as_str()) {
-        ("aes", "128") => generate_aes("datakey:aes-128", key, 16, ret_key_plaintext),
-        ("aes", "192") => generate_aes("datakey:aes-192", key, 24, ret_key_plaintext),
-        ("aes", "256") => generate_aes("datakey:aes-256", key, 32, ret_key_plaintext),
+        ("aes", "128") => generate_aes("datakey:aes-128", exportable, key, 16, ret_key_plaintext),
+        ("aes", "192") => generate_aes("datakey:aes-192", exportable, key, 24, ret_key_plaintext),
+        ("aes", "256") => generate_aes("datakey:aes-256", exportable, key, 32, ret_key_plaintext),
        // TODO rsa 2048, rsa 3072, rsa 4096
        // TODO ec p256, p384, p521, ed25519, cv25519
        _ => return serve_common::error("invalid key_type or key_spec"),
@@ -68,10 +70,10 @@ async fn inner_generate(req: Request<Body>) -> XResult<(StatusCode, Value)> {
    }
 }

-fn generate_aes(data_key_type: &str, key: SecBytes, len: i32, ret_key_plaintext: bool) -> XResult<(Option<Vec<u8>>, String)> {
+fn generate_aes(data_key_type: &str, exportable: bool, key: SecBytes, len: i32, ret_key_plaintext: bool) -> XResult<(Option<Vec<u8>>, String)> {
    let bytes: [u8; 32] = random();
    let value = &bytes[0..len as usize];
    let key_plaintext = iff!(ret_key_plaintext, Some(value.to_vec()), None);
-    let key_ciphertext = jose::serialize_jwe_aes_with_data_type(data_key_type, value, &key.read())?;
+    let key_ciphertext = jose::serialize_jwe_aes_with_data_type(data_key_type, exportable, value, &key.read())?;
    Ok((key_plaintext, key_ciphertext))
 }