1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
|
package s3api
import (
"context"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"io"
mathrand "math/rand"
"net/http"
"os"
"strings"
"sync"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/util"
)
// SSE-S3 uses AES-256 encryption with server-managed keys
const (
SSES3Algorithm = s3_constants.SSEAlgorithmAES256
SSES3KeySize = 32 // 256 bits
)
// SSES3Key represents a server-managed encryption key for SSE-S3
type SSES3Key struct {
Key []byte
KeyID string
Algorithm string
IV []byte // Initialization Vector for this key
}
// IsSSES3RequestInternal checks if the request specifies SSE-S3 encryption
func IsSSES3RequestInternal(r *http.Request) bool {
sseHeader := r.Header.Get(s3_constants.AmzServerSideEncryption)
result := sseHeader == SSES3Algorithm
// Debug: log header detection for SSE-S3 requests
if result {
glog.V(4).Infof("SSE-S3 detection: method=%s, header=%q, expected=%q, result=%t, copySource=%q", r.Method, sseHeader, SSES3Algorithm, result, r.Header.Get("X-Amz-Copy-Source"))
}
return result
}
// IsSSES3EncryptedInternal checks if the object metadata indicates SSE-S3 encryption
// An object is considered SSE-S3 encrypted only if it has BOTH the encryption header
// AND the actual encryption key metadata. This prevents false positives when an object
// has leftover headers from a previous encryption state (e.g., after being decrypted
// during a copy operation). Fixes GitHub issue #7562.
func IsSSES3EncryptedInternal(metadata map[string][]byte) bool {
// Check for SSE-S3 algorithm header
sseAlgorithm, hasHeader := metadata[s3_constants.AmzServerSideEncryption]
if !hasHeader || string(sseAlgorithm) != SSES3Algorithm {
return false
}
// Must also have the actual encryption key to be considered encrypted
// Without the key, the object cannot be decrypted and should be treated as unencrypted
_, hasKey := metadata[s3_constants.SeaweedFSSSES3Key]
return hasKey
}
// GenerateSSES3Key generates a new SSE-S3 encryption key
func GenerateSSES3Key() (*SSES3Key, error) {
key := make([]byte, SSES3KeySize)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
return nil, fmt.Errorf("failed to generate SSE-S3 key: %w", err)
}
// Generate a key ID for tracking
keyID := fmt.Sprintf("sse-s3-key-%d", mathrand.Int63())
return &SSES3Key{
Key: key,
KeyID: keyID,
Algorithm: SSES3Algorithm,
}, nil
}
// CreateSSES3EncryptedReader creates an encrypted reader for SSE-S3
// Returns the encrypted reader and the IV for metadata storage
func CreateSSES3EncryptedReader(reader io.Reader, key *SSES3Key) (io.Reader, []byte, error) {
// Create AES cipher
block, err := aes.NewCipher(key.Key)
if err != nil {
return nil, nil, fmt.Errorf("create AES cipher: %w", err)
}
// Generate random IV
iv := make([]byte, aes.BlockSize)
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, nil, fmt.Errorf("generate IV: %w", err)
}
// Create CTR mode cipher
stream := cipher.NewCTR(block, iv)
// Return encrypted reader and IV separately for metadata storage
encryptedReader := &cipher.StreamReader{S: stream, R: reader}
return encryptedReader, iv, nil
}
// CreateSSES3DecryptedReader creates a decrypted reader for SSE-S3 using IV from metadata
func CreateSSES3DecryptedReader(reader io.Reader, key *SSES3Key, iv []byte) (io.Reader, error) {
// Create AES cipher
block, err := aes.NewCipher(key.Key)
if err != nil {
return nil, fmt.Errorf("create AES cipher: %w", err)
}
// Create CTR mode cipher with the provided IV
stream := cipher.NewCTR(block, iv)
decryptReader := &cipher.StreamReader{S: stream, R: reader}
// Wrap with closer if the underlying reader implements io.Closer
if closer, ok := reader.(io.Closer); ok {
return &decryptReaderCloser{
Reader: decryptReader,
underlyingCloser: closer,
}, nil
}
return decryptReader, nil
}
// GetSSES3Headers returns the headers for SSE-S3 encrypted objects
func GetSSES3Headers() map[string]string {
return map[string]string{
s3_constants.AmzServerSideEncryption: SSES3Algorithm,
}
}
// SerializeSSES3Metadata serializes SSE-S3 metadata for storage using envelope encryption
func SerializeSSES3Metadata(key *SSES3Key) ([]byte, error) {
if err := ValidateSSES3Key(key); err != nil {
return nil, err
}
// Encrypt the DEK using the global key manager's super key
keyManager := GetSSES3KeyManager()
encryptedDEK, nonce, err := keyManager.encryptKeyWithSuperKey(key.Key)
if err != nil {
return nil, fmt.Errorf("failed to encrypt DEK: %w", err)
}
metadata := map[string]string{
"algorithm": key.Algorithm,
"keyId": key.KeyID,
"encryptedDEK": base64.StdEncoding.EncodeToString(encryptedDEK),
"nonce": base64.StdEncoding.EncodeToString(nonce),
}
// Include IV if present (needed for chunk-level decryption)
if key.IV != nil {
metadata["iv"] = base64.StdEncoding.EncodeToString(key.IV)
}
// Use JSON for proper serialization
data, err := json.Marshal(metadata)
if err != nil {
return nil, fmt.Errorf("marshal SSE-S3 metadata: %w", err)
}
return data, nil
}
// DeserializeSSES3Metadata deserializes SSE-S3 metadata from storage and decrypts the DEK
func DeserializeSSES3Metadata(data []byte, keyManager *SSES3KeyManager) (*SSES3Key, error) {
if len(data) == 0 {
return nil, fmt.Errorf("empty SSE-S3 metadata")
}
// Parse the JSON metadata
var metadata map[string]string
if err := json.Unmarshal(data, &metadata); err != nil {
return nil, fmt.Errorf("failed to parse SSE-S3 metadata: %w", err)
}
keyID, exists := metadata["keyId"]
if !exists {
return nil, fmt.Errorf("keyId not found in SSE-S3 metadata")
}
algorithm, exists := metadata["algorithm"]
if !exists {
algorithm = s3_constants.SSEAlgorithmAES256 // Default algorithm
}
// Decode the encrypted DEK and nonce
encryptedDEKStr, exists := metadata["encryptedDEK"]
if !exists {
return nil, fmt.Errorf("encryptedDEK not found in SSE-S3 metadata")
}
encryptedDEK, err := base64.StdEncoding.DecodeString(encryptedDEKStr)
if err != nil {
return nil, fmt.Errorf("failed to decode encrypted DEK: %w", err)
}
nonceStr, exists := metadata["nonce"]
if !exists {
return nil, fmt.Errorf("nonce not found in SSE-S3 metadata")
}
nonce, err := base64.StdEncoding.DecodeString(nonceStr)
if err != nil {
return nil, fmt.Errorf("failed to decode nonce: %w", err)
}
// Decrypt the DEK using the key manager
if keyManager == nil {
return nil, fmt.Errorf("key manager is required for SSE-S3 key retrieval")
}
dekBytes, err := keyManager.decryptKeyWithSuperKey(encryptedDEK, nonce)
if err != nil {
return nil, fmt.Errorf("failed to decrypt DEK: %w", err)
}
// Reconstruct the key
key := &SSES3Key{
Key: dekBytes,
KeyID: keyID,
Algorithm: algorithm,
}
// Restore IV if present in metadata (for chunk-level decryption)
if ivStr, exists := metadata["iv"]; exists {
iv, err := base64.StdEncoding.DecodeString(ivStr)
if err != nil {
return nil, fmt.Errorf("failed to decode IV: %w", err)
}
key.IV = iv
}
return key, nil
}
// SSES3KeyManager manages SSE-S3 encryption keys using envelope encryption
// Instead of storing keys in memory, it uses a super key (KEK) to encrypt/decrypt DEKs
type SSES3KeyManager struct {
mu sync.RWMutex
superKey []byte // 256-bit master key (KEK - Key Encryption Key)
filerClient filer_pb.FilerClient // Filer client for KEK persistence
kekPath string // Path in filer where KEK is stored (e.g., /etc/s3/sse_kek)
}
const (
// KEK storage directory and file name in filer
SSES3KEKDirectory = "/etc/s3"
SSES3KEKParentDir = "/etc"
SSES3KEKDirName = "s3"
SSES3KEKFileName = "sse_kek"
// Full KEK path in filer
defaultKEKPath = SSES3KEKDirectory + "/" + SSES3KEKFileName
)
// NewSSES3KeyManager creates a new SSE-S3 key manager with envelope encryption
func NewSSES3KeyManager() *SSES3KeyManager {
// This will be initialized properly when attached to an S3ApiServer
return &SSES3KeyManager{
kekPath: defaultKEKPath,
}
}
// InitializeWithFiler initializes the key manager with a filer client
func (km *SSES3KeyManager) InitializeWithFiler(filerClient filer_pb.FilerClient) error {
km.mu.Lock()
defer km.mu.Unlock()
km.filerClient = filerClient
// Try to load existing KEK from filer
if err := km.loadSuperKeyFromFiler(); err != nil {
// Only generate a new key if it does not exist.
// For other errors (e.g. connectivity), we should fail fast to prevent creating a new key
// and making existing data undecryptable.
if errors.Is(err, filer_pb.ErrNotFound) {
glog.V(1).Infof("SSE-S3 KeyManager: KEK not found, generating new KEK (load from filer %s: %v)", km.kekPath, err)
if genErr := km.generateAndSaveSuperKeyToFiler(); genErr != nil {
return fmt.Errorf("failed to generate and save SSE-S3 super key: %w", genErr)
}
} else {
// A different error occurred (e.g., network issue, permission denied).
// Return the error to prevent starting with a broken state.
return fmt.Errorf("failed to load SSE-S3 super key from %s: %w", km.kekPath, err)
}
} else {
glog.V(1).Infof("SSE-S3 KeyManager: Loaded KEK from filer %s", km.kekPath)
}
return nil
}
// loadSuperKeyFromFiler loads the KEK from the filer
func (km *SSES3KeyManager) loadSuperKeyFromFiler() error {
if km.filerClient == nil {
return fmt.Errorf("filer client not initialized")
}
// Get the entry from filer
entry, err := filer_pb.GetEntry(context.Background(), km.filerClient, util.FullPath(km.kekPath))
if err != nil {
return fmt.Errorf("failed to get KEK entry from filer: %w", err)
}
// Read the content
if len(entry.Content) == 0 {
return fmt.Errorf("KEK entry is empty")
}
// Decode hex-encoded key
key, err := hex.DecodeString(string(entry.Content))
if err != nil {
return fmt.Errorf("failed to decode KEK: %w", err)
}
if len(key) != SSES3KeySize {
return fmt.Errorf("invalid KEK size: expected %d bytes, got %d", SSES3KeySize, len(key))
}
km.superKey = key
return nil
}
// generateAndSaveSuperKeyToFiler generates a new KEK and saves it to the filer
func (km *SSES3KeyManager) generateAndSaveSuperKeyToFiler() error {
if km.filerClient == nil {
return fmt.Errorf("filer client not initialized")
}
// Generate a random 256-bit super key (KEK)
superKey := make([]byte, SSES3KeySize)
if _, err := io.ReadFull(rand.Reader, superKey); err != nil {
return fmt.Errorf("failed to generate KEK: %w", err)
}
// Encode as hex for storage
encodedKey := []byte(hex.EncodeToString(superKey))
// Create the entry in filer
// First ensure the parent directory exists
if err := filer_pb.Mkdir(context.Background(), km.filerClient, SSES3KEKParentDir, SSES3KEKDirName, func(entry *filer_pb.Entry) {
// Set appropriate permissions for the directory
entry.Attributes.FileMode = uint32(0700 | os.ModeDir)
}); err != nil {
// Only ignore "file exists" errors.
if !strings.Contains(err.Error(), "file exists") {
return fmt.Errorf("failed to create KEK directory %s: %w", SSES3KEKDirectory, err)
}
glog.V(3).Infof("Parent directory %s already exists, continuing.", SSES3KEKDirectory)
}
// Create the KEK file
if err := filer_pb.MkFile(context.Background(), km.filerClient, SSES3KEKDirectory, SSES3KEKFileName, nil, func(entry *filer_pb.Entry) {
entry.Content = encodedKey
entry.Attributes.FileMode = 0600 // Read/write for owner only
entry.Attributes.FileSize = uint64(len(encodedKey))
}); err != nil {
return fmt.Errorf("failed to create KEK file in filer: %w", err)
}
km.superKey = superKey
glog.Infof("SSE-S3 KeyManager: Generated and saved new KEK to filer %s", km.kekPath)
return nil
}
// GetOrCreateKey gets an existing key or creates a new one
// With envelope encryption, we always generate a new DEK since we don't store them
func (km *SSES3KeyManager) GetOrCreateKey(keyID string) (*SSES3Key, error) {
// Always generate a new key - we use envelope encryption so no need to cache DEKs
return GenerateSSES3Key()
}
// encryptKeyWithSuperKey encrypts a DEK using the super key (KEK) with AES-GCM
func (km *SSES3KeyManager) encryptKeyWithSuperKey(dek []byte) ([]byte, []byte, error) {
km.mu.RLock()
defer km.mu.RUnlock()
block, err := aes.NewCipher(km.superKey)
if err != nil {
return nil, nil, fmt.Errorf("failed to create cipher: %w", err)
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return nil, nil, fmt.Errorf("failed to create GCM: %w", err)
}
// Generate random nonce
nonce := make([]byte, gcm.NonceSize())
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return nil, nil, fmt.Errorf("failed to generate nonce: %w", err)
}
// Encrypt the DEK
encryptedDEK := gcm.Seal(nil, nonce, dek, nil)
return encryptedDEK, nonce, nil
}
// decryptKeyWithSuperKey decrypts a DEK using the super key (KEK) with AES-GCM
func (km *SSES3KeyManager) decryptKeyWithSuperKey(encryptedDEK, nonce []byte) ([]byte, error) {
km.mu.RLock()
defer km.mu.RUnlock()
block, err := aes.NewCipher(km.superKey)
if err != nil {
return nil, fmt.Errorf("failed to create cipher: %w", err)
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return nil, fmt.Errorf("failed to create GCM: %w", err)
}
if len(nonce) != gcm.NonceSize() {
return nil, fmt.Errorf("invalid nonce size: expected %d, got %d", gcm.NonceSize(), len(nonce))
}
// Decrypt the DEK
dek, err := gcm.Open(nil, nonce, encryptedDEK, nil)
if err != nil {
return nil, fmt.Errorf("failed to decrypt DEK: %w", err)
}
return dek, nil
}
// StoreKey is now a no-op since we use envelope encryption and don't cache DEKs
// The encrypted DEK is stored in the object metadata, not in the key manager
func (km *SSES3KeyManager) StoreKey(key *SSES3Key) {
// No-op: With envelope encryption, we don't need to store keys in memory
// The DEK is encrypted with the super key and stored in object metadata
}
// GetKey is now a no-op since we don't cache keys
// Keys are retrieved by decrypting the encrypted DEK from object metadata
func (km *SSES3KeyManager) GetKey(keyID string) (*SSES3Key, bool) {
// No-op: With envelope encryption, keys are not cached
// Each object's metadata contains the encrypted DEK
return nil, false
}
// Global SSE-S3 key manager instance
var globalSSES3KeyManager = NewSSES3KeyManager()
// GetSSES3KeyManager returns the global SSE-S3 key manager
func GetSSES3KeyManager() *SSES3KeyManager {
return globalSSES3KeyManager
}
// InitializeGlobalSSES3KeyManager initializes the global key manager with filer access
func InitializeGlobalSSES3KeyManager(s3ApiServer *S3ApiServer) error {
return globalSSES3KeyManager.InitializeWithFiler(s3ApiServer)
}
// ProcessSSES3Request processes an SSE-S3 request and returns encryption metadata
func ProcessSSES3Request(r *http.Request) (map[string][]byte, error) {
if !IsSSES3RequestInternal(r) {
return nil, nil
}
// Generate or retrieve encryption key
keyManager := GetSSES3KeyManager()
key, err := keyManager.GetOrCreateKey("")
if err != nil {
return nil, fmt.Errorf("get SSE-S3 key: %w", err)
}
// Serialize key metadata
keyData, err := SerializeSSES3Metadata(key)
if err != nil {
return nil, fmt.Errorf("serialize SSE-S3 metadata: %w", err)
}
// Store key in manager
keyManager.StoreKey(key)
// Return metadata
metadata := map[string][]byte{
s3_constants.AmzServerSideEncryption: []byte(SSES3Algorithm),
s3_constants.SeaweedFSSSES3Key: keyData,
}
return metadata, nil
}
// GetSSES3KeyFromMetadata extracts SSE-S3 key from object metadata
func GetSSES3KeyFromMetadata(metadata map[string][]byte, keyManager *SSES3KeyManager) (*SSES3Key, error) {
keyData, exists := metadata[s3_constants.SeaweedFSSSES3Key]
if !exists {
return nil, fmt.Errorf("SSE-S3 key not found in metadata")
}
return DeserializeSSES3Metadata(keyData, keyManager)
}
// GetSSES3IV extracts the IV for single-part SSE-S3 objects
// Priority: 1) object-level metadata (for inline/small files), 2) first chunk metadata
func GetSSES3IV(entry *filer_pb.Entry, sseS3Key *SSES3Key, keyManager *SSES3KeyManager) ([]byte, error) {
// First check if IV is in the object-level key (for small/inline files)
if len(sseS3Key.IV) > 0 {
return sseS3Key.IV, nil
}
// Fallback: Get IV from first chunk's metadata (for chunked files)
if len(entry.GetChunks()) > 0 {
chunk := entry.GetChunks()[0]
if len(chunk.GetSseMetadata()) > 0 {
chunkKey, err := DeserializeSSES3Metadata(chunk.GetSseMetadata(), keyManager)
if err != nil {
return nil, fmt.Errorf("failed to deserialize chunk SSE-S3 metadata: %w", err)
}
if len(chunkKey.IV) > 0 {
return chunkKey.IV, nil
}
}
}
return nil, fmt.Errorf("SSE-S3 IV not found in object or chunk metadata")
}
// CreateSSES3EncryptedReaderWithBaseIV creates an encrypted reader using a base IV for multipart upload consistency.
// The returned IV is the offset-derived IV, calculated from the input baseIV and offset.
func CreateSSES3EncryptedReaderWithBaseIV(reader io.Reader, key *SSES3Key, baseIV []byte, offset int64) (io.Reader, []byte /* derivedIV */, error) {
// Validate key to prevent panics and security issues
if key == nil {
return nil, nil, fmt.Errorf("SSES3Key is nil")
}
if key.Key == nil || len(key.Key) != SSES3KeySize {
return nil, nil, fmt.Errorf("invalid SSES3Key: must be %d bytes, got %d", SSES3KeySize, len(key.Key))
}
if err := ValidateSSES3Key(key); err != nil {
return nil, nil, err
}
block, err := aes.NewCipher(key.Key)
if err != nil {
return nil, nil, fmt.Errorf("create AES cipher: %w", err)
}
// Calculate the proper IV with offset to ensure unique IV per chunk/part
// This prevents the severe security vulnerability of IV reuse in CTR mode
// Skip is not used here because we're encrypting from the start (not reading a range)
iv, _ := calculateIVWithOffset(baseIV, offset)
stream := cipher.NewCTR(block, iv)
encryptedReader := &cipher.StreamReader{S: stream, R: reader}
return encryptedReader, iv, nil
}
|
