
in fakekms/symmetric_rpcs.go [348:423]


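// MacVerify fakes the Cloud KMS MacVerify RPC.
//
// The request is validated in the same order the real service would reject
// it: unknown fields, an unparsable key-version name, an unknown version, a
// version that is not ENABLED, and a key whose algorithm is not a MAC
// algorithm. The data must be present and at most 64 KiB; when the optional
// CRC32C fields are set they are checked against the supplied data and mac.
// The supplied mac must be exactly the digest size of the key's hash.
//
// The response reports Success from a constant-time comparison of the
// supplied mac against an HMAC computed over data with the version's key
// material. A key version whose material is not a byte slice is reported as
// an internal error rather than a verification failure.
//
// Errors are returned as gRPC status errors built by the errXxx helpers.
func (f *fakeKMS) MacVerify(ctx context.Context, req *kmspb.MacVerifyRequest) (*kmspb.MacVerifyResponse, error) {
	if err := allowlist("name", "data", "data_crc32c", "mac", "mac_crc32c").check(req); err != nil {
		return nil, err
	}

	name, err := parseCryptoKeyVersionName(req.Name)
	if err != nil {
		return nil, err
	}

	ckv, err := f.cryptoKeyVersion(name)
	if err != nil {
		return nil, err
	}

	if ckv.pb.State != kmspb.CryptoKeyVersion_ENABLED {
		return nil, errFailedPrecondition("key version %s is not enabled", name)
	}

	// An unknown algorithm yields the zero definition, whose Purpose is not
	// MAC, so it is rejected by the purpose check below.
	def, _ := algorithmDef(ckv.pb.Algorithm)
	if def.Purpose != kmspb.CryptoKey_MAC {
		return nil, errFailedPrecondition("keys with algorithm %s may not be used for MAC verification",
			nameForValue(kmspb.CryptoKeyVersion_CryptoKeyVersionAlgorithm_name, int32(ckv.pb.Algorithm)))
	}

	if req.Data == nil {
		return nil, errInvalidArgument("data is empty")
	}
	data := req.Data

	// Same input bound as MacSign: 64 KiB of data.
	const maxDataLen = 64 * 1024
	if len(data) > maxDataLen {
		return nil, errInvalidArgument("len(data)=%d, want len(data)<=%d", len(data), maxDataLen)
	}

	// Client-supplied checksums are optional; when present they guard
	// against corruption in transit and are echoed in the Verified* fields.
	dataChecksum := crc32c(data)
	if req.DataCrc32C != nil && dataChecksum.Value != req.DataCrc32C.Value {
		return nil, errInvalidArgument("invalid data checksum")
	}

	// For MAC algorithms Opts carries the underlying hash function.
	hash := def.Opts.(crypto.Hash)

	if req.Mac == nil {
		return nil, errInvalidArgument("mac is empty")
	}

	// Reject a tag of the wrong size up front so a truncated or padded tag
	// surfaces as a request error rather than as Success=false.
	if len(req.Mac) != hash.Size() {
		return nil, errInvalidArgument("len(mac)=%d, want %d", len(req.Mac), hash.Size())
	}

	macChecksum := crc32c(req.Mac)
	if req.MacCrc32C != nil && macChecksum.Value != req.MacCrc32C.Value {
		return nil, errInvalidArgument("invalid mac checksum")
	}

	// The original returned (nil, nil) here because err was already nil;
	// a key version without byte-slice material is a server-side invariant
	// violation and must be reported as an error.
	key, ok := ckv.keyMaterial.([]byte)
	if !ok {
		return nil, errInternal("key material for %s is not a symmetric key", name)
	}

	mac := hmac.New(hash.New, key)
	if _, err := mac.Write(data); err != nil {
		return nil, errInternal("MAC signing failed: %v", err)
	}
	macTag := mac.Sum(nil)

	// hmac.Equal is a constant-time comparison; never use bytes.Equal here.
	verified := hmac.Equal(req.Mac, macTag)

	return &kmspb.MacVerifyResponse{
		Name:                     req.Name,
		Success:                  verified,
		VerifiedSuccessIntegrity: verified,
		VerifiedDataCrc32C:       req.DataCrc32C != nil,
		VerifiedMacCrc32C:        req.MacCrc32C != nil,
		ProtectionLevel:          ckv.pb.ProtectionLevel,
	}, nil
}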