In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management.
/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/
package cluster
import (
"context"
"errors"
"github.com/edgelesssys/constellation/v2/internal/crypto"
)
// KMS implements the kms.CloudKMS interface for in cluster key management.
//
// Unlike the external KMS backends, this type never contacts a remote
// service: every DEK is derived locally from a single master key (the KEK)
// that must first be installed with CreateKEK.
type KMS struct {
	// masterKey is the key-encryption key all DEKs are derived from.
	// It stays empty until CreateKEK has been called; GetDEK refuses to
	// derive anything while it is empty.
	masterKey []byte
	// salt is passed to the key derivation together with the DEK ID,
	// so the same master key yields different DEKs per salt.
	salt []byte
}
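// New creates a new cluster KMS that derives keys with the given salt.
//
// The salt is copied, so later modifications of the caller's slice do not
// change the derivation inputs. The master key is not set yet; CreateKEK
// must be called before GetDEK can succeed.
func New(salt []byte) *KMS {
	// Detach from the caller's backing array: the salt feeds every key
	// derivation and must not be mutable from outside this type.
	return &KMS{salt: append([]byte(nil), salt...)}
}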
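// CreateKEK sets the master key (KEK) of the cluster KMS.
//
// keyID is ignored because the cluster KMS holds exactly one master key;
// ctx is unused as no remote call is made. Calling CreateKEK again replaces
// the previous master key, which changes every DEK that GetDEK derives from
// then on. An empty kek is accepted but leaves GetDEK failing until a
// non-empty key is set. The method always returns nil.
func (c *KMS) CreateKEK(ctx context.Context, keyID string, kek []byte) error {
	// Copy the key material instead of aliasing the caller's slice: the
	// caller must not be able to alter (or accidentally zeroize) the KMS's
	// master key through its own buffer after this call returns.
	c.masterKey = append([]byte(nil), kek...)
	return nil
}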
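// GetDEK derives a data-encryption key of dekSize bytes from the master key.
//
// kekID is ignored because the cluster KMS holds exactly one master key;
// ctx is unused as no remote call is made. The derivation inputs are the
// master key, the salt given to New and dekID. An error is returned if no
// master key has been set via CreateKEK, if dekSize is not positive, or if
// the underlying derivation fails.
func (c *KMS) GetDEK(ctx context.Context, kekID string, dekID string, dekSize int) ([]byte, error) {
	if len(c.masterKey) == 0 {
		return nil, errors.New("master key not set for Constellation KMS")
	}
	// Guard the int -> uint conversion below: a negative size would wrap to
	// a huge value instead of being rejected, and zero yields a useless key.
	if dekSize <= 0 {
		return nil, errors.New("DEK size must be positive")
	}
	return crypto.DeriveKey(c.masterKey, c.salt, []byte(dekID), uint(dekSize))
}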