GetDataKeyWithKeyServices retrieves the data key, asking KeyServices to decrypt it with each MasterKey in the Metadata's KeySources until one of them succeeds.
(svcs []keyservice.KeyServiceClient, decryptionOrder []string)
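// GetDataKeyWithKeyServices retrieves the data key, asking KeyServices to decrypt it with each
// MasterKey in the Metadata's KeySources until one of them succeeds.
//
// If m.DataKey is already set it is returned unchanged and no key service is
// contacted. Otherwise every KeyGroup is handed to decryptKeyGroup. With more
// than one KeyGroup, the recovered parts are combined with shamir.Combine once
// at least m.ShamirThreshold groups have succeeded; otherwise exactly one part
// must have been recovered and that part is the data key.
//
// On success the plaintext data key is cached in m.DataKey and the same slice
// is returned, so a caller that modifies the returned slice also modifies the
// cached key. When too few groups succeed, the error is a *getDataKeyError
// holding the required group count and the per-group results.
func (m *Metadata) GetDataKeyWithKeyServices(svcs []keyservice.KeyServiceClient, decryptionOrder []string) ([]byte, error) {
	if m.DataKey != nil {
		return m.DataKey, nil
	}
	getDataKeyErr := getDataKeyError{
		RequiredSuccessfulKeyGroups: m.ShamirThreshold,
		GroupResults:                make([]error, len(m.KeyGroups)),
	}
	var parts [][]byte
	for i, group := range m.KeyGroups {
		part, err := decryptKeyGroup(group, svcs, decryptionOrder)
		if err == nil {
			parts = append(parts, part)
		}
		// Record the outcome of every group, nil on success, so a failure
		// report can show which groups could not be decrypted.
		getDataKeyErr.GroupResults[i] = err
	}
	var dataKey []byte
	if len(m.KeyGroups) > 1 {
		// NOTE(review): a ShamirThreshold of zero or less can never fail this
		// check; presumably the threshold is validated where the metadata is
		// loaded — confirm.
		if len(parts) < m.ShamirThreshold {
			return nil, &getDataKeyErr
		}
		var err error
		dataKey, err = shamir.Combine(parts)
		if err != nil {
			// %w keeps the message text unchanged and lets callers inspect
			// the underlying error with errors.Is / errors.As.
			return nil, fmt.Errorf("could not get data key from shamir parts: %w", err)
		}
	} else {
		if len(parts) != 1 {
			return nil, &getDataKeyErr
		}
		dataKey = parts[0]
	}
	// The log line reports success only; no key material is written to it.
	log.Info("Data key recovered successfully")
	m.DataKey = dataKey
	return dataKey, nil
}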
| 876 | |
| 877 | // decryptKeyGroup tries to decrypt the contents of the provided KeyGroup with |
| 878 | // any of the MasterKeys in the KeyGroup with any of the provided key services, |