Hi Denis,
I have produced 2 test images for you:
image: osimis/orthanc:s3test-b64-decoder
and
image: osimis/orthanc:s3test-hex-decoder
The ‘hex’ one is identical to the current one with more logs. The ‘b64’ has a fix and logs.
Both these images display the master key at startup:
orthanc_1 | I0830 08:05:49.722095 PluginsManager.cpp:161] (plugins) AWS S3 storage initialized
orthanc_1 | ReadKey CFACC2B6A12FDFA086799352C4C5EFBF0529C315F82AFC84BB6C769CE777E966
With the ‘hex’ version, the master key may have 2 values while the “b64” version always display the same value (at least on my machine)
Only change in the code is here:
void EncryptionHelpers::ReadKey(CryptoPP::SecByteBlock& key, const std::string& path)
{
try
{
FileSource fs(path.c_str(), true,
// new HexDecoder(
new Base64Decoder(
new ArraySink(key.begin(), key.size())
)
);
std::cout << "ReadKey " << ToHexString(key) << std::endl;
The documentation of the s3 plugin states that you should feed it with a master key encoded in base64 so, the current code with the HexDecoder is clearly wrong. According to the Crypto++ doc, the HexDecoder should ignore any character that is not Hex → that is bad wrt the key entropy of course but that should make it deterministic (which does not seem to happen).
I have also converted the key from base64 to hex with this command:
cat test.key | base64 -d -i | hexdump -v -e '/1 “%02x” ’ >> test.hex.key
And it seems that the output is deterministic even with the “hex” image (which is expected of course !)
Could you give it a try on your side ?
Then, we’ll decide if we upgrade the documentation or the code but, anyway, that will trigger a breaking change. I don’t think that there are many users of this client-side encryption feature and I would favor b64 keys (generating hex keys is a bit tricky)
Best regards,
Alain.