in src/vtok_srv/src/worker.rs [291:324]
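/// Decrypts the envelope-encrypted private keys of a token into plaintext PEMs.
///
/// For every entry in `encrypted_keys`, `encrypted_pem_b64` is base64-decoded and
/// the ciphertext is handed to `aws_ne::kms_decrypt` together with the KMS
/// credentials carried by `envelope_key`; the plaintext must be valid UTF-8 and
/// becomes the `pem` of the resulting `config::PrivateKey`. The remaining fields
/// (`encrypted_pem_b64`, `id`, `label`, `cert_pem`) are carried over unchanged.
///
/// # Errors
///
/// The first failing key aborts the whole call, so callers never observe a
/// partially decrypted set:
/// * `ApiError::TokenKeyDecodingFailed` when `encrypted_pem_b64` is not valid base64,
/// * `ApiError::KmsDecryptFailed` when the KMS decrypt call fails,
/// * `ApiError::TokenProvisioningFailed` when the decrypted bytes are not UTF-8.
///
/// The underlying error values are dropped (`map_err(|_| ..)`), so the returned
/// `ApiError` carries no detail about the decode or KMS failure — presumably so
/// that nothing about the ciphertext or the KMS response reaches the API client.
fn decrypt_token_keys(
    encrypted_keys: Vec<schema::PrivateKey>,
    envelope_key: schema::EnvelopeKey,
) -> Result<Vec<config::PrivateKey>, schema::ApiError> {
    // The KMS credentials are identical for every key, so unpack them once
    // instead of re-matching on `envelope_key` inside the loop.
    let (region, access_key_id, secret_access_key, session_token) = match envelope_key {
        schema::EnvelopeKey::Kms {
            ref region,
            ref access_key_id,
            ref secret_access_key,
            ref session_token,
        } => (
            region.as_bytes(),
            access_key_id.as_bytes(),
            secret_access_key.as_bytes(),
            session_token.as_bytes(),
        ),
    };

    let mut private_keys = Vec::with_capacity(encrypted_keys.len());
    for key in encrypted_keys {
        let ciphertext = base64::decode(key.encrypted_pem_b64.as_str())
            .map_err(|_| ApiError::TokenKeyDecodingFailed)?;
        // `pem` holds plaintext private-key material from here on; it lives as
        // long as the returned `config::PrivateKey`, so callers should not keep
        // the result around longer than provisioning needs it.
        let pem = aws_ne::kms_decrypt(
            region,
            access_key_id,
            secret_access_key,
            session_token,
            &ciphertext,
        )
        .map_err(|_| ApiError::KmsDecryptFailed)
        .and_then(|plaintext| {
            String::from_utf8(plaintext).map_err(|_| ApiError::TokenProvisioningFailed)
        })?;

        private_keys.push(config::PrivateKey {
            pem,
            encrypted_pem_b64: key.encrypted_pem_b64,
            id: key.id,
            label: key.label,
            cert_pem: key.cert_pem,
        });
    }
    Ok(private_keys)
}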