Implement secure key via KDF for transparent data encryption/decryption #60

2025-08-30 14:59:39 -05:00
parent ee3fb40171
commit 76906b04ee
1 changed files with 17 additions and 1 deletions
--- a/repertory/librepertory/src/providers/s3/s3_provider.cpp
+++ b/repertory/librepertory/src/providers/s3/s3_provider.cpp
@@ -1359,6 +1359,8 @@ auto s3_provider::read_file_bytes(const std::string &api_path, std::size_t size,
      return ret;
    }

+    auto total_size{utils::string::to_uint64(size_str)};
+
    utils::hash::hash_256_t data_key;
    if (legacy_bucket_) {
      data_key = utils::encryption::generate_key<utils::hash::hash_256_t>(
@@ -1366,6 +1368,21 @@ auto s3_provider::read_file_bytes(const std::string &api_path, std::size_t size,
    } else {
      utils::encryption::kdf_config data_cfg;
      ret = get_kdf_config_from_meta(api_path, data_cfg);
+      if (ret == api_error::item_not_found) {
+        data_buffer header_buffer;
+        ret = read_bytes(utils::encryption::kdf_config::size(), 0U,
+                         header_buffer);
+        if (ret == api_error::success) {
+          if (utils::encryption::kdf_config::from_header(header_buffer,
+                                                         data_cfg)) {
+            ret = set_item_meta(api_path, META_KDF,
+                                nlohmann::json(data_cfg).dump());
+          } else {
+            ret = api_error::decryption_error;
+          }
+        }
+      }
+
      if (ret != api_error::success) {
        return ret;
      }
@@ -1374,7 +1391,6 @@ auto s3_provider::read_file_bytes(const std::string &api_path, std::size_t size,
                                          master_key_);
    }

-    auto total_size{utils::string::to_uint64(size_str)};
    return utils::encryption::read_encrypted_range(
               {
                   .begin = offset,