diff --git a/.github/workflows/python_and_docker.yml b/.github/workflows/python_and_docker.yml index a3f5640e3..6bfefca61 100644 --- a/.github/workflows/python_and_docker.yml +++ b/.github/workflows/python_and_docker.yml @@ -74,7 +74,7 @@ jobs: - pyo3 uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_js.yml@develop with: - branch: ser_server_side + branch: develop target: wasm32-unknown-unknown kms-version: ${{ needs.build-and-push-image.outputs.image-tag }} findex-cloud-version: 0.3.1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f9ed02f6..7e15c906f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. +## [4.8.1] - 2023-10-12 + +### Bug Fixes + +Fix for [#64](https://github.com/Cosmian/kms/issues/64) + ## [4.8.0] - 2023-10-07 ### Bug Fixes diff --git a/Cargo.lock b/Cargo.lock index 6d52c87e0..6e07f0377 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1118,7 +1118,7 @@ dependencies = [ [[package]] name = "cosmian_kmip" -version = "4.8.0" +version = "4.8.1" dependencies = [ "bitflags 2.3.2", "cloudproof", @@ -1135,7 +1135,7 @@ dependencies = [ [[package]] name = "cosmian_kms_cli" -version = "4.8.0" +version = "4.8.1" dependencies = [ "actix-rt", "actix-server", @@ -1171,7 +1171,7 @@ dependencies = [ [[package]] name = "cosmian_kms_client" -version = "4.8.0" +version = "4.8.1" dependencies = [ "base64 0.21.4", "cosmian_kmip", @@ -1194,7 +1194,7 @@ dependencies = [ [[package]] name = "cosmian_kms_python" -version = "4.8.0" +version = "4.8.1" dependencies = [ "cloudproof", "cosmian_kmip", @@ -1208,7 +1208,7 @@ dependencies = [ [[package]] name = "cosmian_kms_server" -version = "4.8.0" +version = "4.8.1" dependencies = [ "acme-lib", "actix-cors", @@ -1259,7 +1259,7 @@ dependencies = [ [[package]] name = "cosmian_kms_utils" -version = "4.8.0" +version = "4.8.1" dependencies = [ "argon2", "cloudproof", @@ -1275,7 +1275,7 @@ dependencies = [ [[package]] name = "cosmian_logger" -version = "4.8.0" +version = "4.8.1" dependencies = [ "tracing", "tracing-subscriber", diff --git a/crate/cli/Cargo.toml b/crate/cli/Cargo.toml index 7b3b7e18b..c3c4b4250 100644 --- a/crate/cli/Cargo.toml +++ b/crate/cli/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_kms_cli" -version = "4.8.0" +version = "4.8.1" edition = "2021" license-file = "../../LICENSE.md" description = "CLI used to manage the Cosmian KMS." diff --git a/crate/client/Cargo.toml b/crate/client/Cargo.toml index 7c6306be7..04536dded 100644 --- a/crate/client/Cargo.toml +++ b/crate/client/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_kms_client" -version = "4.8.0" +version = "4.8.1" authors = ["Bruno Grieder "] edition = "2021" license-file = "../../LICENSE.md" diff --git a/crate/kmip/Cargo.toml b/crate/kmip/Cargo.toml index 4b6ea017b..22de33574 100644 --- a/crate/kmip/Cargo.toml +++ b/crate/kmip/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_kmip" -version = "4.8.0" +version = "4.8.1" edition = "2021" license-file = "../../LICENSE.md" diff --git a/crate/logger/Cargo.toml b/crate/logger/Cargo.toml index c7e96b883..c07d7b62c 100644 --- a/crate/logger/Cargo.toml +++ b/crate/logger/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_logger" -version = "4.8.0" +version = "4.8.1" authors = ["Emmanuel Coste "] edition = "2021" license-file = "../../LICENSE.md" diff --git a/crate/pyo3/Cargo.toml b/crate/pyo3/Cargo.toml index f600e86d2..4f0d43e8e 100644 --- a/crate/pyo3/Cargo.toml +++ b/crate/pyo3/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_kms_python" -version = "4.8.0" +version = "4.8.1" authors = ["Hugo Rosenkranz-Costa "] edition = "2021" license-file = "../../LICENSE.md" diff --git a/crate/server/Cargo.toml b/crate/server/Cargo.toml index 43c7f7381..d77b5cabc 100644 --- a/crate/server/Cargo.toml +++ b/crate/server/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_kms_server" -version = "4.8.0" +version = "4.8.1" authors = ["Bruno Grieder "] edition = "2021" license-file = "../../LICENSE.md" diff --git a/crate/server/src/database/redis/objects_db.rs b/crate/server/src/database/redis/objects_db.rs index a81279f87..8d130a282 100644 --- a/crate/server/src/database/redis/objects_db.rs +++ b/crate/server/src/database/redis/objects_db.rs @@ -1,8 +1,14 @@ -use std::collections::{HashMap, HashSet}; +use std::{ + collections::{HashMap, HashSet}, + sync::Mutex, +}; use async_trait::async_trait; use cloudproof::reexport::{ - crypto_core::{kdf256, Aes256Gcm, Dem, Instantiable, Nonce, SymmetricKey}, + crypto_core::{ + reexport::rand_core::SeedableRng, Aes256Gcm, CsRng, Dem, Instantiable, Nonce, + RandomFixedSizeCBytes, SymmetricKey, + }, findex::{ implementations::redis::{FindexRedisError, RemovedLocationsFinder}, Keyword, Location, @@ -15,7 +21,7 @@ use cosmian_kmip::kmip::{ use redis::{aio::ConnectionManager, pipe, AsyncCommands}; use serde::{Deserialize, Serialize}; -use crate::result::KResult; +use crate::{error::KmsError, result::KResult}; /// Extract the keywords from the attributes pub(crate) fn keywords_from_attributes(attributes: &Attributes) -> HashSet { @@ -93,6 +99,7 @@ pub const DB_KEY_LENGTH: usize = 32; pub(crate) struct ObjectsDB { mgr: ConnectionManager, dem: Aes256Gcm, + rng: Mutex, } impl ObjectsDB { @@ -100,6 +107,7 @@ impl ObjectsDB { Ok(Self { mgr, dem: Aes256Gcm::new(&db_key), + rng: Mutex::new(CsRng::from_entropy()), }) } @@ -108,22 +116,33 @@ impl ObjectsDB { } fn encrypt_object(&self, uid: &str, redis_db_object: &RedisDbObject) -> KResult> { - let mut nonce_bytes = [0; Aes256Gcm::NONCE_LENGTH]; - kdf256!(&mut nonce_bytes, uid.as_bytes()); - let ciphertext = self.dem.encrypt( - &Nonce::from(nonce_bytes), + let nonce = { + let mut rng = self.rng.lock().expect("failed acquiring a lock on the RNG"); + Nonce::new(&mut *rng) + }; + let ct = self.dem.encrypt( + &nonce, &serde_json::to_vec(redis_db_object)?, - None, + Some(uid.as_bytes()), )?; + let mut ciphertext = Vec::with_capacity(Aes256Gcm::NONCE_LENGTH + ct.len()); + ciphertext.extend_from_slice(nonce.as_bytes()); + ciphertext.extend(ct); Ok(ciphertext) } fn decrypt_object(&self, uid: &str, ciphertext: &[u8]) -> KResult { - let mut nonce_bytes = [0; Aes256Gcm::NONCE_LENGTH]; - kdf256!(&mut nonce_bytes, uid.as_bytes()); - let plaintext = self - .dem - .decrypt(&Nonce::from(nonce_bytes), ciphertext, None)?; + if ciphertext.len() <= Aes256Gcm::NONCE_LENGTH { + return Err(KmsError::CryptographicError( + "invalid ciphertext".to_string(), + )) + } + let nonce_bytes = &ciphertext[..Aes256Gcm::NONCE_LENGTH]; + let plaintext = self.dem.decrypt( + &Nonce::try_from(nonce_bytes)?, + &ciphertext[Aes256Gcm::NONCE_LENGTH..], + Some(uid.as_bytes()), + )?; let redis_db_object: RedisDbObject = serde_json::from_slice(&plaintext)?; Ok(redis_db_object) } @@ -141,6 +160,9 @@ impl ObjectsDB { pub async fn object_get(&self, uid: &str) -> KResult { let ciphertext: Vec = self.mgr.clone().get(ObjectsDB::object_key(uid)).await?; + if ciphertext.is_empty() { + return Err(KmsError::ItemNotFound(uid.to_string())) + } let mut dbo: RedisDbObject = self.decrypt_object(uid, &ciphertext)?; dbo.object = Object::post_fix(dbo.object_type, dbo.object); Ok(dbo) diff --git a/crate/utils/Cargo.toml b/crate/utils/Cargo.toml index 85c6295fe..822550310 100644 --- a/crate/utils/Cargo.toml +++ b/crate/utils/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "cosmian_kms_utils" -version = "4.8.0" +version = "4.8.1" authors = ["Bruno Grieder "] edition = "2021" license-file = "../../LICENSE.md" diff --git a/delivery/Dockerfile.standalone b/delivery/Dockerfile.standalone index f77990828..25e11321f 100644 --- a/delivery/Dockerfile.standalone +++ b/delivery/Dockerfile.standalone @@ -1,6 +1,6 @@ FROM ubuntu:22.04 as builder -LABEL version="4.8.0" +LABEL version="4.8.1" LABEL name="Cosmian KMS docker container" ENV DEBIAN_FRONTEND=noninteractive