From 6a1a7ba49960f4d2b1b15172f162f1d3d3dd8a39 Mon Sep 17 00:00:00 2001 From: maze Date: Fri, 5 Sep 2025 08:41:03 +0200 Subject: [PATCH] More decryption functions and stub test cases for AWS --- aws_test.go | 31 ++++++++ decrypt.go | 191 ++++++++++++++++++++++++++++++++++++++++++++--- decrypt_test.go | 90 +++++++++++++++++----- provider_test.go | 9 +++ 4 files changed, 293 insertions(+), 28 deletions(-) create mode 100644 aws_test.go diff --git a/aws_test.go b/aws_test.go new file mode 100644 index 0000000..8d1ac84 --- /dev/null +++ b/aws_test.go @@ -0,0 +1,31 @@ +package secret + +import ( + "os" + "testing" +) + +func TestAWSKeyManagement(t *testing.T) { + if !testAWSAvailable(t) { + return + } +} + +func TestAWSParameterStorage(t *testing.T) { + if !testAWSAvailable(t) { + return + } +} + +func testAWSAvailable(t *testing.T) bool { + t.Helper() + if os.Getenv("AWS_ACCESS_KEY")+os.Getenv("AWS_ACCESS_KEY_ID") == "" { + t.Skip("AWS_ACCESS_KEY or AWS_ACCESS_KEY_ID not set, which should contain the access key for testing") + return false + } + if os.Getenv("AWS_SECRET_ACCESS_KEY")+os.Getenv("AWS_SECRET_KEY") == "" { + t.Skip("AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY not set, which should contain the secret key for testing") + return false + } + return true +} diff --git a/decrypt.go b/decrypt.go index ff4a0c6..ae97fa6 100644 --- a/decrypt.go +++ b/decrypt.go @@ -1,15 +1,27 @@ package secret import ( + "bytes" "crypto/aes" "crypto/cipher" + "crypto/ecdsa" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/hex" + "encoding/pem" "errors" + "fmt" + "hash" + "os" + "strings" "golang.org/x/crypto/chacha20poly1305" "golang.org/x/crypto/nacl/secretbox" ) -type aead struct { +type aeadProvider struct { Provider aead cipher.AEAD } @@ -22,7 +34,7 @@ func WithChaCha20Poly1305(p Provider, key []byte) (Provider, error) { if err != nil { return nil, err } - return aead{ + return aeadProvider{ Provider: p, aead: cipher, }, nil @@ -36,13 +48,13 @@ func WithChaCha20Poly1305X(p Provider, key []byte) (Provider, error) { if err != nil { return nil, err } - return aead{ + return aeadProvider{ Provider: p, aead: cipher, }, nil } -// WithAESGCM wraps the returned value and decrypts it using AES GCM AEAD. +// WithAESGCM wraps the returned value and decrypts it using AES-GCM AEAD. // // The accepted key sizes are 16 bytes for AES-128 and 32 bytes for AES-256. func WithAESGCM(p Provider, key []byte) (Provider, error) { @@ -56,13 +68,13 @@ func WithAESGCM(p Provider, key []byte) (Provider, error) { return nil, err } - return aead{ + return aeadProvider{ Provider: p, aead: gcm, }, nil } -func (p aead) GetSecret(key string) (value []byte, err error) { +func (p aeadProvider) GetSecret(key string) (value []byte, err error) { if value, err = p.Provider.GetSecret(key); err != nil { return } @@ -76,19 +88,70 @@ func (p aead) GetSecret(key string) (value []byte, err error) { return p.aead.Open(nil, nonce, ciphertext, nil) } -type secretBox struct { +type oaepProvider struct { Provider - key [32]byte + key *rsa.PrivateKey + hash func() hash.Hash } -func WithSecretBox(p Provider, key [32]byte) Provider { - return &secretBox{ +// WithOAEP transparently decrypts secrets returned from the provider using RSA-OAEP. +// +// Encryption and decryption of a given message must use the same hash function and sha256.New() +// is a reasonable choice. When hashFunc is nil, then sha256 will be used. +func WithOAEP(p Provider, key *rsa.PrivateKey, hashFunc func() hash.Hash) Provider { + if hashFunc == nil { + hashFunc = func() hash.Hash { + return sha256.New() + } + } + return oaepProvider{ + Provider: p, + key: key, + hash: hashFunc, + } +} + +func (p oaepProvider) GetSecret(key string) (value []byte, err error) { + if value, err = p.Provider.GetSecret(key); err != nil { + return + } + return rsa.DecryptOAEP(p.hash(), nil, p.key, value, nil) +} + +type pkcs1v15Provider struct { + Provider + key *rsa.PrivateKey +} + +// WithPKCS1v15 transparently decrypts secrets returned from the provider using RSA and the padding scheme from PKCS #1 v1.5. +func WithPKCS1v15(p Provider, key *rsa.PrivateKey) Provider { + return pkcs1v15Provider{ Provider: p, key: key, } } -func (p secretBox) GetSecret(key string) (value []byte, err error) { +func (p pkcs1v15Provider) GetSecret(key string) (value []byte, err error) { + if value, err = p.Provider.GetSecret(key); err != nil { + return + } + return rsa.DecryptPKCS1v15(nil, p.key, value) +} + +type secretboxProvider struct { + Provider + key [32]byte +} + +// WithSecretBox transparently decrypts secrets returned from the provider using NaCL secretbox. +func WithSecretBox(p Provider, key [32]byte) Provider { + return &secretboxProvider{ + Provider: p, + key: key, + } +} + +func (p secretboxProvider) GetSecret(key string) (value []byte, err error) { if value, err = p.Provider.GetSecret(key); err != nil { return } @@ -105,3 +168,109 @@ func (p secretBox) GetSecret(key string) (value []byte, err error) { return } + +const ( + pemECPrivateKey = "EC PRIVATE KEY" + pemRSAPrivateKey = "RSA PRIVATE KEY" + pemPrivateKey = "PRIVATE KEY" +) + +func loadPrivateKey(name string, blockType string) (any, error) { + b, err := os.ReadFile(name) + if err != nil { + return nil, err + } + return ParsePrivateKey(b, blockType) +} + +func LoadECPrivateKey(name string) (*ecdsa.PrivateKey, error) { + k, err := loadPrivateKey(name, pemECPrivateKey) + if err != nil { + return nil, err + } + return k.(*ecdsa.PrivateKey), nil +} + +func LoadRSAPrivateKey(name string) (*rsa.PrivateKey, error) { + k, err := loadPrivateKey(name, pemRSAPrivateKey) + if err != nil { + return nil, err + } + return k.(*rsa.PrivateKey), nil +} + +func ParseECPrivateKey(b []byte) (*ecdsa.PrivateKey, error) { + k, err := ParsePrivateKey(b, pemECPrivateKey) + if err != nil { + return nil, err + } + return k.(*ecdsa.PrivateKey), nil +} + +func ParseRSAPrivateKey(b []byte) (*rsa.PrivateKey, error) { + k, err := ParsePrivateKey(b, pemRSAPrivateKey) + if err != nil { + return nil, err + } + return k.(*rsa.PrivateKey), nil +} + +const ( + secretBoxHexEncodedLen = 64 // hex.EncodedLen(32) + secretBoxRawBase64EncodedLen = 43 // base64.RawStdEncoding.EncodedLen(32) + secretBoxStdBase64EncodedLen = 44 // base64.StdEncoding.EncodedLen(32) +) + +// ParseSecretBoxKey decodes a hex or base64 encoded SecretBox key. +func ParseSecretBoxKey(b []byte) ([32]byte, error) { + var key [32]byte + b = bytes.TrimRight(b, "\r\n") + switch len(b) { + case secretBoxHexEncodedLen: + if _, err := hex.Decode(key[:], b); err != nil { + return key, err + } + case secretBoxRawBase64EncodedLen: + if _, err := base64.RawStdEncoding.Decode(key[:], b); err != nil { + return key, err + } + case secretBoxStdBase64EncodedLen: + if _, err := base64.StdEncoding.Decode(key[:], b); err != nil { + return key, err + } + default: + return key, fmt.Errorf("secret: secretbox expected %d hex bytes, or %d/%d base64 bytes, got %d", + secretBoxHexEncodedLen, secretBoxRawBase64EncodedLen, secretBoxStdBase64EncodedLen, len(b)) + } + return key, nil +} + +func ParsePrivateKey(b []byte, blockType string) (any, error) { + var ( + rest = b + block *pem.Block + ) + for { + if block, rest = pem.Decode(rest); block == nil { + return nil, errors.New("secret: no PEM encoded data remains") + } + if block.Type == blockType || block.Type == pemPrivateKey || blockType == "" { + break + } + } + + if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") { + return nil, fmt.Errorf("secret: can't decrypt encrypted %s PEM block", block.Type) + } + + switch block.Type { + case pemECPrivateKey: + return x509.ParseECPrivateKey(block.Bytes) + case pemRSAPrivateKey: + return x509.ParsePKCS1PrivateKey(block.Bytes) + case pemPrivateKey: + return x509.ParsePKCS8PrivateKey(block.Bytes) + default: + return nil, fmt.Errorf("secret: don't know how to decode a %s PEM block", block.Type) + } +} diff --git a/decrypt_test.go b/decrypt_test.go index d80bb1c..1b60047 100644 --- a/decrypt_test.go +++ b/decrypt_test.go @@ -11,7 +11,8 @@ func TestWithAES128GCM(t *testing.T) { 0x37, 0xe4, 0x62, 0x59, 0xa6, 0xef, 0xe9, 0x96, 0xb8, 0x5d, 0x2c, 0x35, 0xb5, 0x33, 0x3e, 0xff, } - env := environment{"test": []byte{ + + p, err := WithAESGCM(mockProvider{[]byte{ 0x1c, 0x74, 0x37, 0xe9, 0x9e, 0x37, 0xb8, 0x9e, 0xf0, 0x21, 0xc0, 0xec, 0xad, 0x9d, 0xdf, 0x67, 0x75, 0xfd, 0x00, 0x48, 0x20, 0x46, 0x2e, 0x14, @@ -21,9 +22,7 @@ func TestWithAES128GCM(t *testing.T) { 0x62, 0x55, 0x2b, 0x3b, 0x5e, 0xb5, 0x67, 0xb4, 0x32, 0x92, 0x68, 0xcc, 0x55, 0x8e, 0xd3, 0xc7, 0xce, - }} - - p, err := WithAESGCM(env, key) + }, nil}, key) if err != nil { t.Fatal(err) return @@ -47,7 +46,8 @@ func TestWithAES256GCM(t *testing.T) { 0x12, 0xbf, 0x7a, 0x47, 0x4d, 0x21, 0x09, 0xa0, 0x3e, 0x3f, 0x65, 0xc7, 0xae, 0x94, 0x6c, 0xe3, } - env := environment{"test": []byte{ + + p, err := WithAESGCM(mockProvider{[]byte{ 0x62, 0x97, 0x6b, 0xc1, 0x78, 0xef, 0x41, 0xa0, 0xd4, 0xdc, 0x05, 0x05, 0x66, 0xf6, 0x5f, 0x62, 0xca, 0x91, 0xae, 0xd7, 0x7c, 0xff, 0xad, 0xc1, @@ -57,9 +57,7 @@ func TestWithAES256GCM(t *testing.T) { 0xc7, 0x82, 0x24, 0xb4, 0x9e, 0x9e, 0xdc, 0x10, 0x96, 0x60, 0xa2, 0x92, 0x2a, 0x94, 0x9c, 0x3a, 0xd8, - }} - - p, err := WithAESGCM(env, key) + }, nil}, key) if err != nil { t.Fatal(err) return @@ -84,7 +82,7 @@ func TestWithChaCha20Poly1305(t *testing.T) { 0x12, 0x46, 0x2f, 0xae, 0x9e, 0xa7, 0x17, 0x09, } - env := environment{"test": []byte{ + p, err := WithChaCha20Poly1305(mockProvider{[]byte{ 0x76, 0x7c, 0x7d, 0x5d, 0x36, 0xd1, 0x27, 0xca, 0x0b, 0x64, 0x28, 0x82, 0xc3, 0x3a, 0xd3, 0x24, 0x30, 0x77, 0x8f, 0xef, 0xf1, 0x3a, 0x9f, 0xa7, @@ -94,9 +92,7 @@ func TestWithChaCha20Poly1305(t *testing.T) { 0x4c, 0x71, 0x6b, 0x24, 0x01, 0xd0, 0xf9, 0x88, 0xcf, 0x88, 0xbe, 0xee, 0xe2, 0x77, 0x07, 0x18, 0xf1, - }} - - p, err := WithChaCha20Poly1305(env, key) + }, nil}, key) if err != nil { t.Fatal(err) return @@ -121,7 +117,7 @@ func TestWithChaCha20Poly1305X(t *testing.T) { 0xa1, 0x92, 0xd1, 0xa0, 0x08, 0x3e, 0xf5, 0xfd, } - env := environment{"test": []byte{ + p, err := WithChaCha20Poly1305X(mockProvider{[]byte{ 0x59, 0xaf, 0xc4, 0x65, 0x60, 0x3f, 0x02, 0xd3, 0x87, 0xd3, 0x15, 0xac, 0xf3, 0x6b, 0x4a, 0x4f, 0xe8, 0x40, 0xe5, 0x4d, 0x80, 0x30, 0x7b, 0x3d, @@ -132,9 +128,7 @@ func TestWithChaCha20Poly1305X(t *testing.T) { 0x3c, 0x2b, 0x59, 0x6f, 0xc7, 0x92, 0x3b, 0x40, 0x89, 0x13, 0x93, 0x6b, 0xa0, 0x35, 0x4e, 0x6f, 0xd8, 0x31, 0x67, 0xee, 0xa2, - }} - - p, err := WithChaCha20Poly1305X(env, key) + }, nil}, key) if err != nil { t.Fatal(err) return @@ -175,7 +169,7 @@ func TestWithSecretBox(t *testing.T) { 0xe1, 0xbd, 0xfe, 0xd3, 0x86, 0x12, 0x8d, 0x09, 0x85, 0x34, 0xae, 0xa3, 0xfd) - p := WithSecretBox(environment{"test": box}, key) + p := WithSecretBox(mockProvider{box, nil}, key) v, err := p.GetSecret("test") if err != nil { t.Fatal(err) @@ -185,3 +179,65 @@ func TestWithSecretBox(t *testing.T) { t.Errorf(`expected "Hello, boxed Gophers!", got %q`, v) } } + +func TestParseECPrivateKey(t *testing.T) { + b := []byte(`-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIFsSWzsfH0GiukSATicV/N69C3q0VQQySIItoeBo/73NoAoGCCqGSM49 +AwEHoUQDQgAE5fgRgzJYEunuVV4560q+Ddt6Sj1fJR3EETgjmJTqVn3z3cf9VEmF +37+SIL2vagDV9paD1L9l3+E9New89oHxxw== +-----END EC PRIVATE KEY----- +`) + k, err := ParseECPrivateKey(b) + if err != nil { + t.Error(err) + return + } else if k == nil { + t.Error("key is nil") + } +} + +func TestParseRSAPrivateKey(t *testing.T) { + b := []byte(`-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALzubkr6QNzwgmHQ +XbYnHEtisSAkQItPTODYhUiUStTF8RauT7iTFBNb7UP1dprAl3aBIsB/aFQUmSJr +9SaCxmqrwihygxNWzPQnhTRculy12HqRsPmJ0F6hlnrc6CppPY731/5Wpq1epUBE +V75z0tYSaoQ058XvF7m5rELkbwkbAgMBAAECgYBEcx4CjChz469ZQOSy2fimV1tV +Cc1Yq6Ju1AN2CEQUUqLGVOENPjxHx0ZvGL+f0acOiDrPA1oJHG1eyz5GdZrs6uJA +mY/CriRgwXFbg268/ET9jzBlE5GuWMbHlo3rPmAV/KQ3TCdmtLP0VvkHpZcPPFja +7GfO88FbYQetllF6AQJBAO8qR54LBrz0s601jjmIjB2iwdhLUPdYN+fPJFZUG0Vb +CJ0c6L6QvvetP3nuiuyIGvJGz7Swqnux97m5T7Z5FQUCQQDKOvIgMg1QR+AoAKx3 +9RaDfNxjVpq6ly6MWqeh8pLNgmQ7vfl4tBbPkL8ey4uFlK8vk+23Y1GqbH6ySbxY +D/+fAkA7+Qwwc29jHrGXs6BQiQ8pt1CInopVHAgY1vazty+HesZ0L3Wlo8JfdVA/ +kTPBEHhBXMRk+RAnKH+IURHOHhrJAkAnLTQquIeLveDW3wqKUpiB8HZhaC2haBhE +aGuBHBUEavYv/KWPlJO2sjvUI2pr/lnRxb6PgFYZxdrlfxNVnAPRAkEAp7c2iWTq +h0/8YIAw1J95m9WCkQ1/7U6SiJQRzPhYR4EJuDSVbYtgTb1WkDpriySKQ1CL2q8Q +H41cEKgY5m+lDA== +-----END PRIVATE KEY----- +`) + k, err := ParseRSAPrivateKey(b) + if err != nil { + t.Error(err) + return + } else if k == nil { + t.Error("key is nil") + } +} + +func TestParseSecretBoxKey(t *testing.T) { + var validKeys = [][]byte{ + []byte("0000000000000000000000000000000000000000000000000000000000000000"), // nil hex + []byte("079cdef09061cc8ee120b069cde548da0b829bf51a560c45bcfa4de53f16e0d4"), // hex + []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"), // nil raw base64 + []byte("6WpELgf5/agd0/IB+vZrw57S6TPMl9ruFcRUgRJk/lc"), // raw base64 + []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="), // nil std base64 + []byte("Ra5SbhE9KYxcPMxKp8AAZsw35B5rWLkMv9d2+NjkV/o="), // std base64 + } + + for _, b := range validKeys { + t.Run("", func(it *testing.T) { + if _, err := ParseSecretBoxKey(b); err != nil { + it.Error(err) + } + }) + } +} diff --git a/provider_test.go b/provider_test.go index 9c464b7..03d923c 100644 --- a/provider_test.go +++ b/provider_test.go @@ -8,6 +8,15 @@ import ( "testing" ) +type mockProvider struct { + out []byte + err error +} + +func (p mockProvider) GetSecret(_ string) ([]byte, error) { + return p.out, p.err +} + type testProviderCase struct { Name string Key string