From f7feff8665dfeaf5847523b45a653b85f433e9f2 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer <aead@mail.de>
Date: Sun, 25 Apr 2021 20:04:31 +0200
Subject: [PATCH] avoid parsing MINIO_KMS_MASTER_KEY as base64 (#12149)

This commit reverts a change that added support for
parsing base64-encoded keys set via `MINIO_KMS_MASTER_KEY`.

The env. variable `MINIO_KMS_MASTER_KEY` is deprecated and
should ONLY support parsing existing keys - not the new format.

Any new deployment should use `MINIO_KMS_SECRET_KEY`. The legacy
env. variable `MINIO_KMS_MASTER_KEY` will be removed at some point
in time.

Signed-off-by: Andreas Auernhammer <aead@mail.de>
---
 cmd/common-main.go    | 41 ++++++++++++++---------------------------
 pkg/kms/single-key.go | 30 ------------------------------
 2 files changed, 14 insertions(+), 57 deletions(-)

diff --git a/cmd/common-main.go b/cmd/common-main.go
index 3322a9bca..cb52aa41f 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -332,9 +332,6 @@ func handleCommonEnvVars() {
 		globalActiveCred = cred
 	}
 
-	if env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint) {
-		logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
-	}
 	switch {
 	case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint):
 		logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
@@ -342,34 +339,24 @@ func handleCommonEnvVars() {
 		logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSMasterKey, config.EnvKESEndpoint))
 	}
 
-	parseMasterKey := func(key string) error {
-		KMS, err := kms.Parse(env.Get(key, ""))
-		if err != nil {
-			v := strings.SplitN(env.Get(key, ""), ":", 2)
-			if len(v) != 2 {
-				return errors.New("invalid " + key)
-			}
-			secretKey, err := hex.DecodeString(v[1])
-			if err != nil {
-				return err
-			}
-			KMS, err = kms.New(v[0], secretKey)
-			if err != nil {
-				return err
-			}
-		}
-		GlobalKMS = KMS
-		return nil
-	}
-
 	if env.IsSet(config.EnvKMSSecretKey) {
-		if err = parseMasterKey(config.EnvKMSSecretKey); err != nil {
+		GlobalKMS, err = kms.Parse(config.EnvKMSSecretKey)
+		if err != nil {
 			logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
 		}
 	} else if env.IsSet(config.EnvKMSMasterKey) {
-		logger.LogIf(GlobalContext, errors.New("legacy KMS configuration"),
-			fmt.Sprintf("The environment variable %q is deprecated and will be removed in the future", config.EnvKMSMasterKey))
-		if err = parseMasterKey(config.EnvKMSMasterKey); err != nil {
+		logger.LogIf(GlobalContext, errors.New("legacy KMS configuration"), fmt.Sprintf("The environment variable %q is deprecated and will be removed in the future", config.EnvKMSMasterKey))
+
+		v := strings.SplitN(env.Get(config.EnvKMSMasterKey, ""), ":", 2)
+		if len(v) != 2 {
+			logger.Fatal(errors.New("invalid "+config.EnvKMSMasterKey), "Unable to parse the KMS secret key inherited from the shell environment")
+		}
+		secretKey, err := hex.DecodeString(v[1])
+		if err != nil {
+			logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
+		}
+		GlobalKMS, err = kms.New(v[0], secretKey)
+		if err != nil {
 			logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
 		}
 	}
diff --git a/pkg/kms/single-key.go b/pkg/kms/single-key.go
index 6354f1947..4ede66a82 100644
--- a/pkg/kms/single-key.go
+++ b/pkg/kms/single-key.go
@@ -28,9 +28,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"unicode/utf8"
 
-	"github.com/minio/sio"
 	"github.com/secure-io/sio-go/sioutil"
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/chacha20poly1305"
@@ -170,39 +168,11 @@ func (kms secretKey) GenerateKey(keyID string, context Context) (DEK, error) {
 	}, nil
 }
 
-func (kms secretKey) legacyDecryptKey(keyID string, sealedKey []byte, ctx Context) ([]byte, error) {
-	var derivedKey = kms.deriveKey(keyID, ctx)
-
-	var key [32]byte
-	out, err := sio.DecryptBuffer(key[:0], sealedKey, sio.Config{Key: derivedKey[:]})
-	if err != nil || len(out) != 32 {
-		return nil, err // TODO(aead): upgrade sio to use sio.Error
-	}
-	return key[:], nil
-}
-
-func (kms secretKey) deriveKey(keyID string, context Context) (key [32]byte) {
-	if context == nil {
-		context = Context{}
-	}
-	ctxBytes, _ := context.MarshalText()
-
-	mac := hmac.New(sha256.New, kms.key[:])
-	mac.Write([]byte(keyID))
-	mac.Write(ctxBytes)
-	mac.Sum(key[:0])
-	return key
-}
-
 func (kms secretKey) DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) {
 	if keyID != kms.keyID {
 		return nil, fmt.Errorf("kms: key %q does not exist", keyID)
 	}
 
-	if !utf8.Valid(ciphertext) {
-		return kms.legacyDecryptKey(keyID, ciphertext, context)
-	}
-
 	var encryptedKey encryptedKey
 	if err := json.Unmarshal(ciphertext, &encryptedKey); err != nil {
 		return nil, err