// MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package crypto

import (
	"bytes"
	"crypto/md5"
	"encoding/base64"
	"net/http"

	xhttp "storj.io/minio/cmd/http"
)

// RemoveSensitiveHeaders strips confidential encryption information
// - e.g. the SSE-C key - from the HTTP headers. It has the same
// semantics as RemoveSensitiveEntries.
//
// The header map is modified in place. Only the four headers listed
// below are deleted; the SSE-C algorithm and key-MD5 headers are left
// untouched. http.Header.Del canonicalizes the name it is given, so the
// deletion does not depend on how the constants are cased.
//
// NOTE(review): nothing in this file calls this function; callers are
// presumably expected to invoke it before the headers are logged,
// traced or persisted - confirm at the call sites.
func RemoveSensitiveHeaders(h http.Header) {
	sensitive := [...]string{
		xhttp.AmzServerSideEncryptionCustomerKey,     // raw SSE-C client key
		xhttp.AmzServerSideEncryptionCopyCustomerKey, // raw SSE-C key of the copy source
		xhttp.AmzMetaUnencryptedContentLength,
		xhttp.AmzMetaUnencryptedContentMD5,
	}
	for _, name := range sensitive {
		h.Del(name)
	}
}

// SSECopy represents AWS SSE-C for copy requests. It provides
// functionality to handle SSE-C copy requests.
var SSECopy = ssecCopy{}

// ssecCopy is the empty receiver type behind SSECopy; it carries no state.
type ssecCopy struct{}

// IsRequested reports whether the HTTP headers contain
// at least one SSE-C copy header. Regular SSE-C headers
// are ignored.
func (ssecCopy) IsRequested(h http.Header) bool {
	// Presence is tested by indexing the map directly, which - unlike
	// http.Header.Get - does not canonicalize the name. A header therefore
	// counts as present even when its value is empty.
	// NOTE(review): this assumes the xhttp constants are already in
	// canonical MIME form and that h was populated with canonical keys -
	// confirm.
	copyHeaders := [...]string{
		xhttp.AmzServerSideEncryptionCopyCustomerAlgorithm,
		xhttp.AmzServerSideEncryptionCopyCustomerKey,
		xhttp.AmzServerSideEncryptionCopyCustomerKeyMD5,
	}
	for _, name := range copyHeaders {
		if _, present := h[name]; present {
			return true
		}
	}
	return false
}

// ParseHTTP parses the SSE-C copy headers and returns the SSE-C client key
// on success. Regular SSE-C headers are ignored.
//
// Validation runs in a fixed order and stops at the first failure:
//
//  1. the algorithm header must equal xhttp.AmzEncryptionAES
//     (ErrInvalidCustomerAlgorithm),
//  2. the key header must be non-empty (ErrMissingCustomerKey),
//  3. the key-MD5 header must be non-empty (ErrMissingCustomerKeyMD5),
//  4. the key must be valid standard base64 and decode to exactly 32 bytes
//     (ErrInvalidCustomerKey),
//  5. the key-MD5 must be valid standard base64 and equal the MD5 of the
//     decoded key (ErrCustomerKeyMD5Mismatch).
//
// On any failure the returned key is the zero value. The errors returned
// here are the package's Err* values; no header content is formatted into
// them in this function.
//
// h is not modified: the encoded key stays in the header map after the
// call, so stripping it (see RemoveSensitiveHeaders in this file) is left
// to the caller.
func (ssecCopy) ParseHTTP(h http.Header) (key [32]byte, err error) {
	// Get returns only the first value of each header; repeated headers
	// beyond the first are not inspected.
	algorithm := h.Get(xhttp.AmzServerSideEncryptionCopyCustomerAlgorithm)
	encodedKey := h.Get(xhttp.AmzServerSideEncryptionCopyCustomerKey)
	encodedMD5 := h.Get(xhttp.AmzServerSideEncryptionCopyCustomerKeyMD5)

	switch {
	case algorithm != xhttp.AmzEncryptionAES:
		return key, ErrInvalidCustomerAlgorithm
	case encodedKey == "":
		return key, ErrMissingCustomerKey
	case encodedMD5 == "":
		return key, ErrMissingCustomerKeyMD5
	}

	rawKey, decodeErr := base64.StdEncoding.DecodeString(encodedKey)
	if decodeErr != nil || len(rawKey) != len(key) { // The client key must be 256 bits long
		return key, ErrInvalidCustomerKey
	}

	// The MD5 digest is the key checksum the S3 SSE-C interface defines.
	// The key and its digest arrive together in the same request, so the
	// comparison guards against a corrupted or mismatched key; it does not
	// authenticate the sender.
	// NOTE(review): bytes.Equal is not constant-time. That looks harmless
	// while both operands come from the caller - confirm before reusing
	// this pattern where one side is a server-held secret.
	claimedSum, decodeErr := base64.StdEncoding.DecodeString(encodedMD5)
	if decodeErr != nil {
		return key, ErrCustomerKeyMD5Mismatch
	}
	actualSum := md5.Sum(rawKey)
	if !bytes.Equal(actualSum[:], claimedSum) {
		return key, ErrCustomerKeyMD5Mismatch
	}

	copy(key[:], rawKey)
	return key, nil
}