Merge pull request #225 from gschei/gschei/fix-ssec-base64-md5

fix ssec: missing base64 encoding and md5 hash
vmware-tanzu · Dec 16, 2024 · e5b0f0d · e5b0f0d
2 parents 2dd6bcb + 3e1572f
commit e5b0f0d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/backupstoragelocation.md b/backupstoragelocation.md
@@ -74,12 +74,13 @@ spec:
     kmsKeyId: "502b409c-4da1-419f-a16e-eif453b3i49f"
 
     # Specify the file that contains the SSE-C customer key to enable customer key encryption of the backups
-    # stored in S3. The referenced file should contain a 32-byte string.
+    # stored in S3. The referenced file should exist within the velero container and
+    # should contain a 32-byte string. It is typically mounted from a secret.
     #  
-    # The customerKeyEncryptionFile points to a mounted secret within the velero container.
-    # Add the below values to the velero cloud-credentials secret:
+    # Eg. add to the velero "cloud-credentials" secret this entry with the base64 encoded key
+    # (will be decoded when the secret is mounted)
     # customer-key: <your_b64_encoded_32byte_string>
-    # The default value below points to the already mounted secret.
+    # The value below points to the already mounted secret. 
     # 
     # Cannot be used in conjunction with kmsKeyId.
     #

diff --git a/velero-plugin-for-aws/object_store.go b/velero-plugin-for-aws/object_store.go
@@ -18,6 +18,8 @@ package main
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
@@ -74,6 +76,7 @@ type ObjectStore struct {
 	s3Uploader           *manager.Uploader
 	kmsKeyID             string
 	sseCustomerKey       string
+	sseCustomerKeyMd5    string
 	signatureVersion     string
 	serverSideEncryption string
 	tagging              string
@@ -186,7 +189,9 @@ func (o *ObjectStore) Init(config map[string]string) error {
 		if err != nil {
 			return err
 		}
-		o.sseCustomerKey = customerKey
+		o.sseCustomerKey = base64.StdEncoding.EncodeToString([]byte(customerKey))
+		hash := md5.Sum([]byte(customerKey))
+		o.sseCustomerKeyMd5 = base64.StdEncoding.EncodeToString(hash[:])
 	}
 
 	if publicURL != "" {
@@ -242,7 +247,7 @@ func readCustomerKey(customerKeyEncryptionFile string) (string, error) {
 	fileHandle.Close()
 
 	if nBytes != 32 {
-		return "", errors.Wrapf(err, "contents of %s (%s) are not exactly 32 bytes", customerKeyEncryptionFileKey, customerKeyEncryptionFile)
+		return "", errors.Errorf("contents of %s (%s) are not exactly 32 bytes", customerKeyEncryptionFileKey, customerKeyEncryptionFile)
 	}
 
 	key := string(keyBytes)
@@ -267,6 +272,7 @@ func (o *ObjectStore) PutObject(bucket, key string, body io.Reader) error {
 	case o.sseCustomerKey != "":
 		input.SSECustomerAlgorithm = aws.String("AES256")
 		input.SSECustomerKey = &o.sseCustomerKey
+		input.SSECustomerKeyMD5 = &o.sseCustomerKeyMd5
 	// otherwise, use the SSE algorithm specified, if any
 	case o.serverSideEncryption != "":
 		input.ServerSideEncryption = types.ServerSideEncryption(o.serverSideEncryption)
@@ -298,6 +304,7 @@ func (o *ObjectStore) ObjectExists(bucket, key string) (bool, error) {
 	if o.sseCustomerKey != "" {
 		input.SSECustomerAlgorithm = aws.String("AES256")
 		input.SSECustomerKey = &o.sseCustomerKey
+		input.SSECustomerKeyMD5 = &o.sseCustomerKeyMd5
 	}
 
 	log.Debug("Checking if object exists")
@@ -329,6 +336,7 @@ func (o *ObjectStore) GetObject(bucket, key string) (io.ReadCloser, error) {
 	if o.sseCustomerKey != "" {
 		input.SSECustomerAlgorithm = aws.String("AES256")
 		input.SSECustomerKey = &o.sseCustomerKey
+		input.SSECustomerKeyMD5 = &o.sseCustomerKeyMd5
 	}
 
 	output, err := o.s3.GetObject(context.Background(), input)