func()

in client/securesession/securesession.go [580:638]

• 47 lines of code
• 7 McCabe index (conditional complexity)

func (c *SecureSessionClient) ConfidentialWrap(ctx context.Context, keyPath, resourceName string, plaintext []byte) ([]byte, error) {
	if c.state != clientStateAttestationAccepted {
		return nil, errors.New("Called ConfidentialWrap with unestablished secure session")
	}

	// Create a WrapRequest, marshal, then session-encrypt it.
	wrapReq := &cwpb.WrapRequest{
		KeyPath:   keyPath,
		Plaintext: plaintext,
		AdditionalContext: &cwpb.RequestContext{
			RelativeResourceName: resourceName,
			AccessReasonContext:  &cwpb.AccessReasonContext{Reason: cwpb.AccessReasonContext_CUSTOMER_INITIATED_ACCESS},
		},
		AdditionalAuthenticatedData: nil,
		KeyUriPrefix:                "",
	}

	marshaledWrapReq, err := proto.Marshal(wrapReq)
	if err != nil {
		return nil, fmt.Errorf("error marshalling the WrapRequest to proto: %v", err)
	}

	if _, err := c.tls.Write(marshaledWrapReq); err != nil {
		return nil, fmt.Errorf("error writing the WrapRequest to the TLS session: %v", err)
	}

	req := &cwpb.ConfidentialWrapRequest{
		SessionContext: c.ctx,
		TlsRecords:     c.shim.DrainSendBuf(),
		RequestMetadata: &cwpb.RequestMetadata{
			KeyPath:           wrapReq.GetKeyPath(),
			KeyUriPrefix:      wrapReq.GetKeyUriPrefix(),
			AdditionalContext: wrapReq.GetAdditionalContext(),
		},
	}

	// Make RPC, session-encrypt the records, and unmarshal the inner WrapResponse.
	resp, err := c.client.ConfidentialWrap(ctx, req)
	if err != nil {
		return nil, fmt.Errorf("error session-encrypting the records: %v", err)
	}

	records := resp.GetTlsRecords()
	c.shim.QueueReceiveBuf(records)

	readBuf := make([]byte, recordBufferSize)
	n, err := c.tls.Read(readBuf)

	if err != nil {
		return nil, fmt.Errorf("error reading WrapResponse from TLS session: %v", err)
	}

	var wrapResp cwpb.WrapResponse
	if err = proto.Unmarshal(readBuf[:n], &wrapResp); err != nil {
		return nil, fmt.Errorf("error parsing WrapResponse to proto: %v", err)
	}

	return wrapResp.GetWrappedBlob(), nil
}