aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/s3_validation_utils.go
diff options
context:
space:
mode:
Diffstat (limited to 'weed/s3api/s3_validation_utils.go')
-rw-r--r--weed/s3api/s3_validation_utils.go27
1 files changed, 26 insertions, 1 deletions
diff --git a/weed/s3api/s3_validation_utils.go b/weed/s3api/s3_validation_utils.go
index da53342b1..e0e80d0a8 100644
--- a/weed/s3api/s3_validation_utils.go
+++ b/weed/s3api/s3_validation_utils.go
@@ -66,10 +66,35 @@ func ValidateSSECKey(customerKey *SSECustomerKey) error {
return nil
}
-// ValidateSSES3Key validates that an SSE-S3 key is not nil
+// ValidateSSES3Key validates that an SSE-S3 key has valid structure and contents
func ValidateSSES3Key(sseKey *SSES3Key) error {
if sseKey == nil {
return fmt.Errorf("SSE-S3 key cannot be nil")
}
+
+ // Validate key bytes
+ if sseKey.Key == nil {
+ return fmt.Errorf("SSE-S3 key bytes cannot be nil")
+ }
+ if len(sseKey.Key) != SSES3KeySize {
+ return fmt.Errorf("invalid SSE-S3 key size: expected %d bytes, got %d", SSES3KeySize, len(sseKey.Key))
+ }
+
+ // Validate algorithm
+ if sseKey.Algorithm != SSES3Algorithm {
+ return fmt.Errorf("invalid SSE-S3 algorithm: expected %q, got %q", SSES3Algorithm, sseKey.Algorithm)
+ }
+
+ // Validate key ID (should not be empty)
+ if sseKey.KeyID == "" {
+ return fmt.Errorf("SSE-S3 key ID cannot be empty")
+ }
+
+ // IV validation is optional during key creation - it will be set during encryption
+ // If IV is set, validate its length
+ if len(sseKey.IV) > 0 && len(sseKey.IV) != s3_constants.AESBlockSize {
+ return fmt.Errorf("invalid SSE-S3 IV length: expected %d bytes, got %d", s3_constants.AESBlockSize, len(sseKey.IV))
+ }
+
return nil
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-21 11:46:01 +0000