in server/server.go [599:660]
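// ConfidentialUnwrap serves an unwrap request that is tunnelled inside an
// already-established secure session.
//
// The handler proceeds in this order, failing closed at each step:
//  1. The caller's token is checked with s.verifyToken.
//  2. The session is looked up by the base64 encoding of req.SessionContext
//     and must be in ServerStateAttestationAccepted.
//  3. req.TlsRecords are queued on the session shim and the inner
//     UnwrapRequest is read from the session's TLS connection and unmarshalled.
//  4. The key is resolved from KeyUriPrefix+KeyPath and its KeyAccessFunction
//     is evaluated against the session before the wrapped blob is touched.
//  5. The wrapped blob is split, the additional authenticated data (AAD) is
//     compared, and the UnwrapResponse is written back through the TLS
//     connection; the resulting records are returned in TlsRecords.
//
// It returns a non-nil error, and no response, if any step fails.
func (s *SecureSessionService) ConfidentialUnwrap(ctx context.Context, req *cwpb.ConfidentialUnwrapRequest) (*cwpb.ConfidentialUnwrapResponse, error) {
	if err := s.verifyToken(ctx); err != nil {
		return nil, fmt.Errorf("failed to verify JWT: %w", err)
	}

	// NOTE(review): no lock is visible around this map read. If other RPC
	// handlers add or remove sessions concurrently this is a data race;
	// confirm how s.channels is guarded.
	connID := base64.StdEncoding.EncodeToString(req.SessionContext)
	ch, found := s.channels[connID]
	if !found {
		return nil, fmt.Errorf("session with id: %v not found", connID)
	}

	// Only a session whose attestation has been accepted may unwrap.
	if ch.state != ServerStateAttestationAccepted {
		return nil, fmt.Errorf("session with id: %v in unexpected state: %d. Expecting: %d", connID, ch.state, ServerStateAttestationAccepted)
	}

	// Feed the client's TLS records to the shim, then read the decrypted
	// payload. The buffer is sized to the record bytes, which bounds the
	// application data they can carry.
	// NOTE(review): this is a single Read. If ch.conn returns one record's
	// worth of data per call, a request spanning several records would be
	// truncated and rejected by Unmarshal below; confirm against the conn type.
	ch.shim.QueueReceiveBuf(req.TlsRecords)
	buf := make([]byte, len(req.TlsRecords))
	bufLen, err := ch.conn.Read(buf)
	if err != nil {
		return nil, fmt.Errorf("error reading UnwrapRequest from TLS Records %w", err)
	}

	unwrapRequest := &cwpb.UnwrapRequest{}
	if err := proto.Unmarshal(buf[:bufLen], unwrapRequest); err != nil {
		return nil, fmt.Errorf("failed to parse UnwrapRequest from TLS records: %w", err)
	}

	keyURI := fmt.Sprintf("%v%v", unwrapRequest.GetKeyUriPrefix(), unwrapRequest.GetKeyPath())
	key, found := s.keys[keyURI]
	if !found {
		return nil, fmt.Errorf("key URI unknown by this server: %v", keyURI)
	}

	// Per-key policy is enforced against the session before any key material
	// or blob content is used.
	if err := key.KeyAccessFunction(ch); err != nil {
		return nil, fmt.Errorf("attestation did not meet policy for key %v: %w", keyURI, err)
	}

	// No cryptographic operation happens in this function: the blob is split
	// on the first occurrence of key.EncryptionScheme, the prefix is treated
	// as the AAD and the suffix is returned as the plaintext.
	// NOTE(review): if a stored AAD can itself contain the scheme bytes, the
	// split point is ambiguous; confirm how the wrap side frames the blob.
	parts := bytes.SplitN(unwrapRequest.GetWrappedBlob(), []byte(key.EncryptionScheme), 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("failed to decrypt wrapped blob")
	}

	// NOTE(review): the AAD comparison is skipped when the request carries no
	// AAD, so a caller that omits it is not held to the AAD stored in the
	// blob. AEAD semantics would reject that case; kept as-is because the
	// wrap side is not visible here. Confirm whether this is intended.
	aad := unwrapRequest.GetAdditionalAuthenticatedData()
	if len(aad) != 0 && !bytes.Equal(parts[0], aad) {
		return nil, fmt.Errorf("failed to match additional authenticated data")
	}

	out, err := proto.Marshal(&cwpb.UnwrapResponse{Plaintext: parts[1]})
	if err != nil {
		return nil, fmt.Errorf("failed to marshal server's UnwrapResponse: %w", err)
	}

	// The response leaves only through the session's TLS connection; the shim
	// then hands back the encrypted records for the outer RPC reply.
	if _, err = ch.conn.Write(out); err != nil {
		return nil, fmt.Errorf("server failed to send UnwrapResponse via TLS connection: %w", err)
	}

	return &cwpb.ConfidentialUnwrapResponse{TlsRecords: ch.shim.DrainSendBuf()}, nil
}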