move kms definitions to the sdk package

This is the first step to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 14:50:55 +03:00 · 2022-01-04 12:49:30 +01:00
parent ad483b7581
commit a6fe802370
38 changed files with 520 additions and 502 deletions
--- a/kms/builtin.go
+++ b/kms/builtin.go
@@ -6,18 +6,25 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"io"
+
+	sdkkms "github.com/drakkan/sftpgo/v2/sdk/kms"
+)
+
+var (
+	errMalformedCiphertext = errors.New("malformed ciphertext")
 )

 type builtinSecret struct {
-	BaseSecret
+	sdkkms.BaseSecret
 }

 func init() {
-	RegisterSecretProvider(SchemeBuiltin, SecretStatusAES256GCM, newBuiltinSecret)
+	sdkkms.RegisterSecretProvider(sdkkms.SchemeBuiltin, sdkkms.SecretStatusAES256GCM, newBuiltinSecret)
 }

-func newBuiltinSecret(base BaseSecret, url, masterKey string) SecretProvider {
+func newBuiltinSecret(base sdkkms.BaseSecret, url, masterKey string) sdkkms.SecretProvider {
 	return &builtinSecret{
 		BaseSecret: base,
 	}
@@ -28,7 +35,7 @@ func (s *builtinSecret) Name() string {
 }

 func (s *builtinSecret) IsEncrypted() bool {
-	return s.Status == SecretStatusAES256GCM
+	return s.Status == sdkkms.SecretStatusAES256GCM
 }

 func (s *builtinSecret) deriveKey(key []byte) []byte {
@@ -44,10 +51,10 @@ func (s *builtinSecret) deriveKey(key []byte) []byte {

 func (s *builtinSecret) Encrypt() error {
 	if s.Payload == "" {
-		return ErrInvalidSecret
+		return sdkkms.ErrInvalidSecret
 	}
 	switch s.Status {
-	case SecretStatusPlain:
+	case sdkkms.SecretStatusPlain:
 		key := make([]byte, 32)
 		if _, err := io.ReadFull(rand.Reader, key); err != nil {
 			return err
@@ -71,16 +78,16 @@ func (s *builtinSecret) Encrypt() error {
 		ciphertext := gcm.Seal(nonce, nonce, []byte(s.Payload), aad)
 		s.Key = hex.EncodeToString(key)
 		s.Payload = hex.EncodeToString(ciphertext)
-		s.Status = SecretStatusAES256GCM
+		s.Status = sdkkms.SecretStatusAES256GCM
 		return nil
 	default:
-		return ErrWrongSecretStatus
+		return sdkkms.ErrWrongSecretStatus
 	}
 }

 func (s *builtinSecret) Decrypt() error {
 	switch s.Status {
-	case SecretStatusAES256GCM:
+	case sdkkms.SecretStatusAES256GCM:
 		encrypted, err := hex.DecodeString(s.Payload)
 		if err != nil {
 			return err
@@ -110,18 +117,18 @@ func (s *builtinSecret) Decrypt() error {
 		if err != nil {
 			return err
 		}
-		s.Status = SecretStatusPlain
+		s.Status = sdkkms.SecretStatusPlain
 		s.Payload = string(plaintext)
 		s.Key = ""
 		s.AdditionalData = ""
 		return nil
 	default:
-		return ErrWrongSecretStatus
+		return sdkkms.ErrWrongSecretStatus
 	}
 }

-func (s *builtinSecret) Clone() SecretProvider {
-	baseSecret := BaseSecret{
+func (s *builtinSecret) Clone() sdkkms.SecretProvider {
+	baseSecret := sdkkms.BaseSecret{
 		Status:         s.Status,
 		Payload:        s.Payload,
 		Key:            s.Key,