kms: remember if a secret was saved without a master key

So we will be able to decrypt a secret that was stored without a master key
if such a key is provided later
This commit is contained in:
Nicola Murino
2020-12-01 22:18:16 +01:00
parent 940836b25b
commit 87b51a6fd5
6 changed files with 144 additions and 5 deletions


@@ -46,7 +46,7 @@ func (s *localSecret) Encrypt() error {
if err != nil {
return err
}
key, err := s.deriveKey(secretKey[:])
key, err := s.deriveKey(secretKey[:], false)
if err != nil {
return err
}
@@ -60,6 +60,7 @@ func (s *localSecret) Encrypt() error {
s.Key = hex.EncodeToString(secretKey[:])
s.Payload = base64.StdEncoding.EncodeToString(ciphertext)
s.Status = SecretStatusSecretBox
s.Mode = s.getEncryptionMode()
return nil
}
@@ -75,7 +76,7 @@ func (s *localSecret) Decrypt() error {
if err != nil {
return err
}
key, err := s.deriveKey(secretKey[:])
key, err := s.deriveKey(secretKey[:], true)
if err != nil {
return err
}
@@ -90,12 +91,13 @@ func (s *localSecret) Decrypt() error {
s.Payload = string(plaintext)
s.Key = ""
s.AdditionalData = ""
s.Mode = 0
return nil
}
func (s *localSecret) deriveKey(key []byte) ([32]byte, error) {
func (s *localSecret) deriveKey(key []byte, isForDecryption bool) ([32]byte, error) {
var masterKey []byte
if s.masterKey == "" {
if s.masterKey == "" || (isForDecryption && s.Mode == 0) {
var combined []byte
combined = append(combined, key...)
if s.AdditionalData != "" {
@@ -118,3 +120,10 @@ func (s *localSecret) deriveKey(key []byte) ([32]byte, error) {
}
return derivedKey, nil
}
func (s *localSecret) getEncryptionMode() int {
if s.masterKey == "" {
return 0
}
return 1
}
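Review bot: The new fallback in deriveKey, `if s.masterKey == "" || (isForDecryption && s.Mode == 0)`, lets each stored record opt out of the master key through its own persisted Mode field: with a master key configured, a record carrying Mode 0 and a Payload sealed only under the plaintext hex Key stored next to it (see `s.Key = hex.EncodeToString(secretKey[:])` in Encrypt) now decrypts and is trusted, whereas before this change it would have failed to open. If the datastore is ever writable by someone without the master key, that is a downgrade path for substituting forged secrets, so the migration intent should be explicit and observable — e.g. log or count a decryption that takes the Mode 0 branch while `s.masterKey != ""`, and document that this fallback is meant to be removed once existing secrets have been re-encrypted. The bare 0/1 in getEncryptionMode and the `s.Mode == 0` comparison would also read better as named constants, for instance `const (modeNoMasterKey = 0; modeMasterKey = 1)` with `return modeMasterKey` and `s.Mode == modeNoMasterKey`. deriveKey starts in the previous hunk and its body continues outside this one.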