in server/server.go [537:592]
func (s *SecureSessionService) ConfidentialWrap(ctx context.Context, req *cwpb.ConfidentialWrapRequest) (*cwpb.ConfidentialWrapResponse, error) {
if err := s.verifyToken(ctx); err != nil {
return nil, fmt.Errorf("failed to verify JWT: %w", err)
}
connID := base64.StdEncoding.EncodeToString(req.SessionContext)
ch, found := s.channels[connID]
if !found {
return nil, fmt.Errorf("session with id: %v not found", connID)
}
if ch.state != ServerStateAttestationAccepted {
return nil, fmt.Errorf("session with id: %v in unexpected state for ConfidentialWrap: %d. Expecting: %d", connID, ch.state, ServerStateAttestationAccepted)
}
ch.shim.QueueReceiveBuf(req.TlsRecords)
buf := make([]byte, len(req.TlsRecords))
bufLen, err := ch.conn.Read(buf)
if err != nil {
return nil, fmt.Errorf("error reading WrapRequest from TLS records: %w", err)
}
wrapRequest := cwpb.WrapRequest{}
if err := proto.Unmarshal(buf[:bufLen], &wrapRequest); err != nil {
return nil, fmt.Errorf("failed to parse WrapRequest from TLS records: %w", err)
}
keyURI := fmt.Sprintf("%v%v", wrapRequest.GetKeyUriPrefix(), wrapRequest.GetKeyPath())
key, found := s.keys[keyURI]
if !found {
return nil, fmt.Errorf("key URI unknown by this server: %v", keyURI)
}
if err := key.KeyAccessFunction(ch); err != nil {
return nil, fmt.Errorf("attestation did not meet policy for key %v: %w", keyURI, err)
}
wrapResponse := cwpb.WrapResponse{}
wrapResponse.WrappedBlob = s.Wrap(keyURI, wrapRequest.GetAdditionalAuthenticatedData(), wrapRequest.GetPlaintext())
buf, err = proto.Marshal(&wrapResponse)
if err != nil {
return nil, fmt.Errorf("failed to marshal server's WrapResponse: %w", err)
}
if _, err = ch.conn.Write(buf); err != nil {
return nil, fmt.Errorf("server failed to send WrapResponse via TLS connection: %w", err)
}
rep := &cwpb.ConfidentialWrapResponse{}
rep.TlsRecords = ch.shim.DrainSendBuf()
return rep, nil
}