s3proxy: add keyservice integration

Encrypt each object with a random DEK and attach the encrypted DEK as object metadata. Encrpt the DEK with a key from the keyservice. All objects use the same KEK until a keyrotation takes place.
2025-05-02 06:16:08 -04:00 · 2023-10-02 09:00:38 +02:00 · 2023-10-02 09:00:38 +02:00 · 887dcda78b
commit 887dcda78b
parent a7ceda37ea
15 changed files with 414 additions and 71 deletions
--- a/s3proxy/internal/crypto/crypto_test.go
+++ b/s3proxy/internal/crypto/crypto_test.go
@ -0,0 +1,48 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package crypto
+
+import (
+	"crypto/rand"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEncryptDecrypt(t *testing.T) {
+	tests := map[string]struct {
+		plaintext []byte
+	}{
+		"simple": {
+			plaintext: []byte("hello, world"),
+		},
+		"long": {
+			plaintext: []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed non risus. Suspendisse lectus tortor, dignissim sit amet, adipiscing nec, ultricies sed, dolor."),
+		},
+	}
+
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			kek := [32]byte{}
+			_, err := rand.Read(kek[:])
+			require.NoError(t, err)
+
+			ciphertext, encryptedDEK, err := Encrypt(tt.plaintext, kek)
+			require.NoError(t, err)
+
+			assert.NotContains(t, ciphertext, tt.plaintext)
+
+			// Decrypt the ciphertext using the KEK and encrypted DEK
+			decrypted, err := Decrypt(ciphertext, encryptedDEK, kek)
+			require.NoError(t, err)
+
+			// Verify that the decrypted plaintext matches the original plaintext
+			assert.Equal(t, tt.plaintext, decrypted, fmt.Sprintf("expected plaintext %s, got %s", tt.plaintext, decrypted))
+		})
+	}
+}