Add sha512 hmac check for file upload/download, and encrypt metadata
Closed this issue · 1 comments
braydonf commented
For compatibility with decryption checks with libstorj:
Scheme for generating hmac:
The hmac is a hash of all shard hashes sequentially, as all that is necessary is all shard hashes, and to update the create bucket entry JSON body with the hmac.
{
"hmac": {
"type": "sha512",
"value": "<hex-string-of-hmac-value>"
}
}
- Use hmac to verify decryption was successful on download
References:
- https://github.com/Storj/libstorj-c/blob/master/src/uploader.c
- https://github.com/Storj/libstorj-c/blob/master/src/downloader.c
Scheme for encrypting metadata:
- Generate the deterministic bucket key
- Take the left half of a sha512 hmac with bucket key of a known constant
- Take the left half of a sha512 hmac with bucket key of the bucket id and filename for the iv
- Encrypt with AES-256-GCM
- Digest (GCM_DIGEST_SIZE) is concatenated with iv (SHA512_DIGEST_SIZE/2) and ciphertext (variable length)
References:
braydonf commented
As BridgeClient is deprecated, closing.