More decryption functions and stub test cases for AWS

2025-09-05 08:41:03 +02:00
parent deb3c67d80
commit 6a1a7ba499
4 changed files with 293 additions and 28 deletions
--- a/aws_test.go
+++ b/aws_test.go
@@ -0,0 +1,31 @@
+package secret
+
+import (
+	"os"
+	"testing"
+)
+
+func TestAWSKeyManagement(t *testing.T) {
+	if !testAWSAvailable(t) {
+		return
+	}
+}
+
+func TestAWSParameterStorage(t *testing.T) {
+	if !testAWSAvailable(t) {
+		return
+	}
+}
+
+func testAWSAvailable(t *testing.T) bool {
+	t.Helper()
+	if os.Getenv("AWS_ACCESS_KEY")+os.Getenv("AWS_ACCESS_KEY_ID") == "" {
+		t.Skip("AWS_ACCESS_KEY or AWS_ACCESS_KEY_ID not set, which should contain the access key for testing")
+		return false
+	}
+	if os.Getenv("AWS_SECRET_ACCESS_KEY")+os.Getenv("AWS_SECRET_KEY") == "" {
+		t.Skip("AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY not set, which should contain the secret key for testing")
+		return false
+	}
+	return true
+}
--- a/decrypt.go
+++ b/decrypt.go
@@ -1,15 +1,27 @@
 package secret

 import (
+	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/pem"
 	"errors"
+	"fmt"
+	"hash"
+	"os"
+	"strings"

 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/nacl/secretbox"
 )

-type aead struct {
+type aeadProvider struct {
 	Provider
 	aead cipher.AEAD
 }
@@ -22,7 +34,7 @@ func WithChaCha20Poly1305(p Provider, key []byte) (Provider, error) {
 	if err != nil {
 		return nil, err
 	}
-	return aead{
+	return aeadProvider{
 		Provider: p,
 		aead:     cipher,
 	}, nil
@@ -36,13 +48,13 @@ func WithChaCha20Poly1305X(p Provider, key []byte) (Provider, error) {
 	if err != nil {
 		return nil, err
 	}
-	return aead{
+	return aeadProvider{
 		Provider: p,
 		aead:     cipher,
 	}, nil
 }

-// WithAESGCM wraps the returned value and decrypts it using AES GCM AEAD.
+// WithAESGCM wraps the returned value and decrypts it using AES-GCM AEAD.
 //
 // The accepted key sizes are 16 bytes for AES-128 and 32 bytes for AES-256.
 func WithAESGCM(p Provider, key []byte) (Provider, error) {
@@ -56,13 +68,13 @@ func WithAESGCM(p Provider, key []byte) (Provider, error) {
 		return nil, err
 	}

-	return aead{
+	return aeadProvider{
 		Provider: p,
 		aead:     gcm,
 	}, nil
 }

-func (p aead) GetSecret(key string) (value []byte, err error) {
+func (p aeadProvider) GetSecret(key string) (value []byte, err error) {
 	if value, err = p.Provider.GetSecret(key); err != nil {
 		return
 	}
@@ -76,19 +88,70 @@ func (p aead) GetSecret(key string) (value []byte, err error) {
 	return p.aead.Open(nil, nonce, ciphertext, nil)
 }

-type secretBox struct {
+type oaepProvider struct {
 	Provider
-	key [32]byte
+	key  *rsa.PrivateKey
+	hash func() hash.Hash
 }

-func WithSecretBox(p Provider, key [32]byte) Provider {
-	return &secretBox{
+// WithOAEP transparently decrypts secrets returned from the provider using RSA-OAEP.
+//
+// Encryption and decryption of a given message must use the same hash function and sha256.New()
+// is a reasonable choice. When hashFunc is nil, then sha256 will be used.
+func WithOAEP(p Provider, key *rsa.PrivateKey, hashFunc func() hash.Hash) Provider {
+	if hashFunc == nil {
+		hashFunc = func() hash.Hash {
+			return sha256.New()
+		}
+	}
+	return oaepProvider{
+		Provider: p,
+		key:      key,
+		hash:     hashFunc,
+	}
+}
+
+func (p oaepProvider) GetSecret(key string) (value []byte, err error) {
+	if value, err = p.Provider.GetSecret(key); err != nil {
+		return
+	}
+	return rsa.DecryptOAEP(p.hash(), nil, p.key, value, nil)
+}
+
+type pkcs1v15Provider struct {
+	Provider
+	key *rsa.PrivateKey
+}
+
+// WithPKCS1v15 transparently decrypts secrets returned from the provider using RSA and the padding scheme from PKCS #1 v1.5.
+func WithPKCS1v15(p Provider, key *rsa.PrivateKey) Provider {
+	return pkcs1v15Provider{
 		Provider: p,
 		key:      key,
 	}
 }

-func (p secretBox) GetSecret(key string) (value []byte, err error) {
+func (p pkcs1v15Provider) GetSecret(key string) (value []byte, err error) {
+	if value, err = p.Provider.GetSecret(key); err != nil {
+		return
+	}
+	return rsa.DecryptPKCS1v15(nil, p.key, value)
+}
+
+type secretboxProvider struct {
+	Provider
+	key [32]byte
+}
+
+// WithSecretBox transparently decrypts secrets returned from the provider using NaCL secretbox.
+func WithSecretBox(p Provider, key [32]byte) Provider {
+	return &secretboxProvider{
+		Provider: p,
+		key:      key,
+	}
+}
+
+func (p secretboxProvider) GetSecret(key string) (value []byte, err error) {
 	if value, err = p.Provider.GetSecret(key); err != nil {
 		return
 	}
@@ -105,3 +168,109 @@ func (p secretBox) GetSecret(key string) (value []byte, err error) {

 	return
 }
+
+const (
+	pemECPrivateKey  = "EC PRIVATE KEY"
+	pemRSAPrivateKey = "RSA PRIVATE KEY"
+	pemPrivateKey    = "PRIVATE KEY"
+)
+
+func loadPrivateKey(name string, blockType string) (any, error) {
+	b, err := os.ReadFile(name)
+	if err != nil {
+		return nil, err
+	}
+	return ParsePrivateKey(b, blockType)
+}
+
+func LoadECPrivateKey(name string) (*ecdsa.PrivateKey, error) {
+	k, err := loadPrivateKey(name, pemECPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	return k.(*ecdsa.PrivateKey), nil
+}
+
+func LoadRSAPrivateKey(name string) (*rsa.PrivateKey, error) {
+	k, err := loadPrivateKey(name, pemRSAPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	return k.(*rsa.PrivateKey), nil
+}
+
+func ParseECPrivateKey(b []byte) (*ecdsa.PrivateKey, error) {
+	k, err := ParsePrivateKey(b, pemECPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	return k.(*ecdsa.PrivateKey), nil
+}
+
+func ParseRSAPrivateKey(b []byte) (*rsa.PrivateKey, error) {
+	k, err := ParsePrivateKey(b, pemRSAPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	return k.(*rsa.PrivateKey), nil
+}
+
+const (
+	secretBoxHexEncodedLen       = 64 // hex.EncodedLen(32)
+	secretBoxRawBase64EncodedLen = 43 // base64.RawStdEncoding.EncodedLen(32)
+	secretBoxStdBase64EncodedLen = 44 // base64.StdEncoding.EncodedLen(32)
+)
+
+// ParseSecretBoxKey decodes a hex or base64 encoded SecretBox key.
+func ParseSecretBoxKey(b []byte) ([32]byte, error) {
+	var key [32]byte
+	b = bytes.TrimRight(b, "\r\n")
+	switch len(b) {
+	case secretBoxHexEncodedLen:
+		if _, err := hex.Decode(key[:], b); err != nil {
+			return key, err
+		}
+	case secretBoxRawBase64EncodedLen:
+		if _, err := base64.RawStdEncoding.Decode(key[:], b); err != nil {
+			return key, err
+		}
+	case secretBoxStdBase64EncodedLen:
+		if _, err := base64.StdEncoding.Decode(key[:], b); err != nil {
+			return key, err
+		}
+	default:
+		return key, fmt.Errorf("secret: secretbox expected %d hex bytes, or %d/%d base64 bytes, got %d",
+			secretBoxHexEncodedLen, secretBoxRawBase64EncodedLen, secretBoxStdBase64EncodedLen, len(b))
+	}
+	return key, nil
+}
+
+func ParsePrivateKey(b []byte, blockType string) (any, error) {
+	var (
+		rest  = b
+		block *pem.Block
+	)
+	for {
+		if block, rest = pem.Decode(rest); block == nil {
+			return nil, errors.New("secret: no PEM encoded data remains")
+		}
+		if block.Type == blockType || block.Type == pemPrivateKey || blockType == "" {
+			break
+		}
+	}
+
+	if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") {
+		return nil, fmt.Errorf("secret: can't decrypt encrypted %s PEM block", block.Type)
+	}
+
+	switch block.Type {
+	case pemECPrivateKey:
+		return x509.ParseECPrivateKey(block.Bytes)
+	case pemRSAPrivateKey:
+		return x509.ParsePKCS1PrivateKey(block.Bytes)
+	case pemPrivateKey:
+		return x509.ParsePKCS8PrivateKey(block.Bytes)
+	default:
+		return nil, fmt.Errorf("secret: don't know how to decode a %s PEM block", block.Type)
+	}
+}
--- a/decrypt_test.go
+++ b/decrypt_test.go
@@ -11,7 +11,8 @@ func TestWithAES128GCM(t *testing.T) {
 		0x37, 0xe4, 0x62, 0x59, 0xa6, 0xef, 0xe9, 0x96,
 		0xb8, 0x5d, 0x2c, 0x35, 0xb5, 0x33, 0x3e, 0xff,
 	}
-	env := environment{"test": []byte{
+
+	p, err := WithAESGCM(mockProvider{[]byte{
 		0x1c, 0x74, 0x37, 0xe9, 0x9e, 0x37, 0xb8, 0x9e,
 		0xf0, 0x21, 0xc0, 0xec, 0xad, 0x9d, 0xdf, 0x67,
 		0x75, 0xfd, 0x00, 0x48, 0x20, 0x46, 0x2e, 0x14,
@@ -21,9 +22,7 @@ func TestWithAES128GCM(t *testing.T) {
 		0x62, 0x55, 0x2b, 0x3b, 0x5e, 0xb5, 0x67, 0xb4,
 		0x32, 0x92, 0x68, 0xcc, 0x55, 0x8e, 0xd3, 0xc7,
 		0xce,
-	}}
-
-	p, err := WithAESGCM(env, key)
+	}, nil}, key)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -47,7 +46,8 @@ func TestWithAES256GCM(t *testing.T) {
 		0x12, 0xbf, 0x7a, 0x47, 0x4d, 0x21, 0x09, 0xa0,
 		0x3e, 0x3f, 0x65, 0xc7, 0xae, 0x94, 0x6c, 0xe3,
 	}
-	env := environment{"test": []byte{
+
+	p, err := WithAESGCM(mockProvider{[]byte{
 		0x62, 0x97, 0x6b, 0xc1, 0x78, 0xef, 0x41, 0xa0,
 		0xd4, 0xdc, 0x05, 0x05, 0x66, 0xf6, 0x5f, 0x62,
 		0xca, 0x91, 0xae, 0xd7, 0x7c, 0xff, 0xad, 0xc1,
@@ -57,9 +57,7 @@ func TestWithAES256GCM(t *testing.T) {
 		0xc7, 0x82, 0x24, 0xb4, 0x9e, 0x9e, 0xdc, 0x10,
 		0x96, 0x60, 0xa2, 0x92, 0x2a, 0x94, 0x9c, 0x3a,
 		0xd8,
-	}}
-
-	p, err := WithAESGCM(env, key)
+	}, nil}, key)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -84,7 +82,7 @@ func TestWithChaCha20Poly1305(t *testing.T) {
 		0x12, 0x46, 0x2f, 0xae, 0x9e, 0xa7, 0x17, 0x09,
 	}

-	env := environment{"test": []byte{
+	p, err := WithChaCha20Poly1305(mockProvider{[]byte{
 		0x76, 0x7c, 0x7d, 0x5d, 0x36, 0xd1, 0x27, 0xca,
 		0x0b, 0x64, 0x28, 0x82, 0xc3, 0x3a, 0xd3, 0x24,
 		0x30, 0x77, 0x8f, 0xef, 0xf1, 0x3a, 0x9f, 0xa7,
@@ -94,9 +92,7 @@ func TestWithChaCha20Poly1305(t *testing.T) {
 		0x4c, 0x71, 0x6b, 0x24, 0x01, 0xd0, 0xf9, 0x88,
 		0xcf, 0x88, 0xbe, 0xee, 0xe2, 0x77, 0x07, 0x18,
 		0xf1,
-	}}
-
-	p, err := WithChaCha20Poly1305(env, key)
+	}, nil}, key)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -121,7 +117,7 @@ func TestWithChaCha20Poly1305X(t *testing.T) {
 		0xa1, 0x92, 0xd1, 0xa0, 0x08, 0x3e, 0xf5, 0xfd,
 	}

-	env := environment{"test": []byte{
+	p, err := WithChaCha20Poly1305X(mockProvider{[]byte{
 		0x59, 0xaf, 0xc4, 0x65, 0x60, 0x3f, 0x02, 0xd3,
 		0x87, 0xd3, 0x15, 0xac, 0xf3, 0x6b, 0x4a, 0x4f,
 		0xe8, 0x40, 0xe5, 0x4d, 0x80, 0x30, 0x7b, 0x3d,
@@ -132,9 +128,7 @@ func TestWithChaCha20Poly1305X(t *testing.T) {
 		0x3c, 0x2b, 0x59, 0x6f, 0xc7, 0x92, 0x3b, 0x40,
 		0x89, 0x13, 0x93, 0x6b, 0xa0, 0x35, 0x4e, 0x6f,
 		0xd8, 0x31, 0x67, 0xee, 0xa2,
-	}}
-
-	p, err := WithChaCha20Poly1305X(env, key)
+	}, nil}, key)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -175,7 +169,7 @@ func TestWithSecretBox(t *testing.T) {
 		0xe1, 0xbd, 0xfe, 0xd3, 0x86, 0x12, 0x8d, 0x09,
 		0x85, 0x34, 0xae, 0xa3, 0xfd)

-	p := WithSecretBox(environment{"test": box}, key)
+	p := WithSecretBox(mockProvider{box, nil}, key)
 	v, err := p.GetSecret("test")
 	if err != nil {
 		t.Fatal(err)
@@ -185,3 +179,65 @@ func TestWithSecretBox(t *testing.T) {
 		t.Errorf(`expected "Hello, boxed Gophers!", got %q`, v)
 	}
 }
+
+func TestParseECPrivateKey(t *testing.T) {
+	b := []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFsSWzsfH0GiukSATicV/N69C3q0VQQySIItoeBo/73NoAoGCCqGSM49
+AwEHoUQDQgAE5fgRgzJYEunuVV4560q+Ddt6Sj1fJR3EETgjmJTqVn3z3cf9VEmF
+37+SIL2vagDV9paD1L9l3+E9New89oHxxw==
+-----END EC PRIVATE KEY-----
+`)
+	k, err := ParseECPrivateKey(b)
+	if err != nil {
+		t.Error(err)
+		return
+	} else if k == nil {
+		t.Error("key is nil")
+	}
+}
+
+func TestParseRSAPrivateKey(t *testing.T) {
+	b := []byte(`-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALzubkr6QNzwgmHQ
+XbYnHEtisSAkQItPTODYhUiUStTF8RauT7iTFBNb7UP1dprAl3aBIsB/aFQUmSJr
+9SaCxmqrwihygxNWzPQnhTRculy12HqRsPmJ0F6hlnrc6CppPY731/5Wpq1epUBE
+V75z0tYSaoQ058XvF7m5rELkbwkbAgMBAAECgYBEcx4CjChz469ZQOSy2fimV1tV
+Cc1Yq6Ju1AN2CEQUUqLGVOENPjxHx0ZvGL+f0acOiDrPA1oJHG1eyz5GdZrs6uJA
+mY/CriRgwXFbg268/ET9jzBlE5GuWMbHlo3rPmAV/KQ3TCdmtLP0VvkHpZcPPFja
+7GfO88FbYQetllF6AQJBAO8qR54LBrz0s601jjmIjB2iwdhLUPdYN+fPJFZUG0Vb
+CJ0c6L6QvvetP3nuiuyIGvJGz7Swqnux97m5T7Z5FQUCQQDKOvIgMg1QR+AoAKx3
+9RaDfNxjVpq6ly6MWqeh8pLNgmQ7vfl4tBbPkL8ey4uFlK8vk+23Y1GqbH6ySbxY
+D/+fAkA7+Qwwc29jHrGXs6BQiQ8pt1CInopVHAgY1vazty+HesZ0L3Wlo8JfdVA/
+kTPBEHhBXMRk+RAnKH+IURHOHhrJAkAnLTQquIeLveDW3wqKUpiB8HZhaC2haBhE
+aGuBHBUEavYv/KWPlJO2sjvUI2pr/lnRxb6PgFYZxdrlfxNVnAPRAkEAp7c2iWTq
+h0/8YIAw1J95m9WCkQ1/7U6SiJQRzPhYR4EJuDSVbYtgTb1WkDpriySKQ1CL2q8Q
+H41cEKgY5m+lDA==
+-----END PRIVATE KEY-----
+`)
+	k, err := ParseRSAPrivateKey(b)
+	if err != nil {
+		t.Error(err)
+		return
+	} else if k == nil {
+		t.Error("key is nil")
+	}
+}
+
+func TestParseSecretBoxKey(t *testing.T) {
+	var validKeys = [][]byte{
+		[]byte("0000000000000000000000000000000000000000000000000000000000000000"), // nil hex
+		[]byte("079cdef09061cc8ee120b069cde548da0b829bf51a560c45bcfa4de53f16e0d4"), // hex
+		[]byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),                      // nil raw base64
+		[]byte("6WpELgf5/agd0/IB+vZrw57S6TPMl9ruFcRUgRJk/lc"),                      // raw base64
+		[]byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="),                     // nil std base64
+		[]byte("Ra5SbhE9KYxcPMxKp8AAZsw35B5rWLkMv9d2+NjkV/o="),                     // std base64
+	}
+
+	for _, b := range validKeys {
+		t.Run("", func(it *testing.T) {
+			if _, err := ParseSecretBoxKey(b); err != nil {
+				it.Error(err)
+			}
+		})
+	}
+}
--- a/provider_test.go
+++ b/provider_test.go
@@ -8,6 +8,15 @@ import (
 	"testing"
 )

+type mockProvider struct {
+	out []byte
+	err error
+}
+
+func (p mockProvider) GetSecret(_ string) ([]byte, error) {
+	return p.out, p.err
+}
+
 type testProviderCase struct {
 	Name string
 	Key  string