Adds an option to perform encryption operations with no HMAC required. (

#170) * Adds an option to perform encryption operations with no HMAC required. Certain AES mechanisms require an HMAC when used as a seal, but this behavior is not desired when used as a managed key. * Change option name from WithNoHMAC to WithoutHMAC.
hashicorp · Jun 21, 2023 · 7f7cee7 · 7f7cee7
1 parent 08d524b
commit 7f7cee7
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 51 deletions.
diff --git a/git.luolix.top.hashicorp.go.kms.wrapping.v2.types.pb.go b/git.luolix.top.hashicorp.go.kms.wrapping.v2.types.pb.go
diff --git a/git.luolix.top.hashicorp.go.kms.wrapping.v2.types.proto b/git.luolix.top.hashicorp.go.kms.wrapping.v2.types.proto
@@ -143,6 +143,9 @@ message Options {
   KeyEncoding with_wrapped_key_encoding = 80;
 
   bool with_disallow_env_vars = 90;
+
+  // WithoutHmac specifies that an HMAC is not necessary for the mechanism, even if marked as "required"
+  bool without_hmac = 100;
 }
 
 // SigInfo contains information about a cryptographic signature

diff --git a/options.go b/options.go
@@ -144,3 +144,13 @@ func WithDisallowEnvVars(disallowEnvVars bool) Option {
 		})
 	}
 }
+
+// WithoutHMAC disables the requirement for an HMAC to be included with the mechanism.
+func WithoutHMAC() Option {
+	return func() interface{} {
+		return OptionFunc(func(o *Options) error {
+			o.WithoutHmac = true
+			return nil
+		})
+	}
+}