Add encryption package

jenspinney · sykesm · commit 81cdd265ba47 · 2015-09-16T07:50:20.000-07:00
[#103024166]

Signed-off-by: Matthew Sykes &lt;matthew.sykes@gmail.com&gt;
diff --git a/encryption/crypt.go b/encryption/crypt.go
@@ -0,0 +1,74 @@
+package encryption
+
+import (
+	"crypto/cipher"
+	"errors"
+	"fmt"
+	"io"
+)
+
+type Encrypted struct {
+	Nonce      []byte
+	KeyLabel   string
+	CipherText []byte
+}
+
+type Encryptor interface {
+	Encrypt(plaintext []byte) (Encrypted, error)
+}
+
+type Decryptor interface {
+	Decrypt(encrypted Encrypted) ([]byte, error)
+}
+
+type Cryptor interface {
+	Encryptor
+	Decryptor
+}
+
+type cryptor struct {
+	keyManager KeyManager
+	prng       io.Reader
+}
+
+func NewCryptor(keyManager KeyManager, prng io.Reader) Cryptor {
+	return &cryptor{
+		keyManager: keyManager,
+		prng:       prng,
+	}
+}
+
+func (c *cryptor) Encrypt(plaintext []byte) (Encrypted, error) {
+	key := c.keyManager.EncryptionKey()
+
+	aead, err := cipher.NewGCM(key.Block())
+	if err != nil {
+		return Encrypted{}, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)
+	}
+
+	nonce := make([]byte, aead.NonceSize())
+	n, err := c.prng.Read(nonce)
+	if err != nil {
+		return Encrypted{}, fmt.Errorf("Unable to generate random nonce: %q", err)
+	}
+	if n != len(nonce) {
+		return Encrypted{}, errors.New("Unable to generate random nonce")
+	}
+
+	ciphertext := aead.Seal(nil, nonce, plaintext, nil)
+	return Encrypted{KeyLabel: key.Label(), Nonce: nonce, CipherText: ciphertext}, nil
+}
+
+func (d *cryptor) Decrypt(encrypted Encrypted) ([]byte, error) {
+	key := d.keyManager.DecryptionKey(encrypted.KeyLabel)
+	if key == nil {
+		return nil, fmt.Errorf("Key with label %q was not found", encrypted.KeyLabel)
+	}
+
+	aead, err := cipher.NewGCM(key.Block())
+	if err != nil {
+		return nil, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)
+	}
+
+	return aead.Open(nil, encrypted.Nonce, encrypted.CipherText, nil)
+}
diff --git a/encryption/crypt_test.go b/encryption/crypt_test.go
@@ -0,0 +1,140 @@
+package encryption_test
+
+import (
+	"bytes"
+	"crypto/des"
+	"crypto/rand"
+	"io"
+
+	"github.com/cloudfoundry-incubator/bbs/encryption"
+	"github.com/cloudfoundry-incubator/bbs/encryption/fakes"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Crypt", func() {
+	var cryptor encryption.Cryptor
+	var keyManager encryption.KeyManager
+	var prng io.Reader
+
+	BeforeEach(func() {
+		key, err := encryption.NewKey("label", "pass phrase")
+		Expect(err).NotTo(HaveOccurred())
+		keyManager, err = encryption.NewKeyManager(key, nil)
+		Expect(err).NotTo(HaveOccurred())
+		prng = rand.Reader
+	})
+
+	JustBeforeEach(func() {
+		cryptor = encryption.NewCryptor(keyManager, prng)
+	})
+
+	It("successfully encrypts and decrypts with a key", func() {
+		input := []byte("some plaintext data")
+
+		encrypted, err := cryptor.Encrypt(input)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(encrypted.CipherText).NotTo(HaveLen(0))
+		Expect(encrypted.CipherText).NotTo(Equal(input))
+
+		plaintext, err := cryptor.Decrypt(encrypted)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(plaintext).NotTo(HaveLen(0))
+		Expect(plaintext).To(Equal(input))
+	})
+
+	Context("when the nonce is incorrect", func() {
+		It("fails to decrypt", func() {
+			input := []byte("some plaintext data")
+
+			encrypted, err := cryptor.Encrypt(input)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(encrypted.CipherText).NotTo(HaveLen(0))
+			Expect(encrypted.CipherText).NotTo(Equal(input))
+
+			encrypted.Nonce = []byte("123456789012")
+
+			_, err = cryptor.Decrypt(encrypted)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError("cipher: message authentication failed"))
+		})
+	})
+
+	Context("when the key is not found", func() {
+		It("fails to decrypt", func() {
+			encrypted := encryption.Encrypted{
+				KeyLabel: "doesnt-exist",
+				Nonce:    []byte("123456789012"),
+			}
+
+			_, err := cryptor.Decrypt(encrypted)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError(`Key with label "doesnt-exist" was not found`))
+		})
+	})
+
+	Context("when the ciphertext is modified", func() {
+		It("fails to decrypt", func() {
+			input := []byte("some plaintext data")
+
+			encrypted, err := cryptor.Encrypt(input)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(encrypted.CipherText).NotTo(HaveLen(0))
+			Expect(encrypted.CipherText).NotTo(Equal(input))
+
+			encrypted.CipherText[0] ^= 1
+
+			_, err = cryptor.Decrypt(encrypted)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError("cipher: message authentication failed"))
+		})
+	})
+
+	Context("when the random number generator fails", func() {
+		BeforeEach(func() {
+			prng = bytes.NewBuffer([]byte{})
+		})
+
+		It("fails to encrypt", func() {
+			input := []byte("some plaintext data")
+
+			_, err := cryptor.Encrypt(input)
+			Expect(err).To(MatchError(`Unable to generate random nonce: "EOF"`))
+		})
+	})
+
+	Context("when the random number generator fails to generate enough data", func() {
+		BeforeEach(func() {
+			prng = bytes.NewBufferString("goo")
+		})
+
+		It("fails to encrypt", func() {
+			input := []byte("some plaintext data")
+
+			_, err := cryptor.Encrypt(input)
+			Expect(err).To(MatchError("Unable to generate random nonce"))
+		})
+	})
+
+	Context("when the encryption key is invalid", func() {
+		var key *fakes.FakeKey
+
+		BeforeEach(func() {
+			desCipher, err := des.NewCipher([]byte("12345678"))
+			Expect(err).NotTo(HaveOccurred())
+
+			key = &fakes.FakeKey{}
+			key.BlockReturns(desCipher)
+			keyManager, err = encryption.NewKeyManager(key, nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("returns an error", func() {
+			input := []byte("some plaintext data")
+
+			_, err := cryptor.Encrypt(input)
+			Expect(err).To(MatchError(HavePrefix("Unable to create GCM-wrapped cipher:")))
+		})
+	})
+})
diff --git a/encryption/encryption_suite_test.go b/encryption/encryption_suite_test.go
@@ -0,0 +1,13 @@
+package encryption_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestEncryption(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Encryption Suite")
+}
diff --git a/encryption/fakes/fake_key.go b/encryption/fakes/fake_key.go
@@ -0,0 +1,74 @@
+// This file was generated by counterfeiter
+package fakes
+
+import (
+	"crypto/cipher"
+	"sync"
+
+	"github.com/cloudfoundry-incubator/bbs/encryption"
+)
+
+type FakeKey struct {
+	LabelStub        func() string
+	labelMutex       sync.RWMutex
+	labelArgsForCall []struct{}
+	labelReturns struct {
+		result1 string
+	}
+	BlockStub        func() cipher.Block
+	blockMutex       sync.RWMutex
+	blockArgsForCall []struct{}
+	blockReturns struct {
+		result1 cipher.Block
+	}
+}
+
+func (fake *FakeKey) Label() string {
+	fake.labelMutex.Lock()
+	fake.labelArgsForCall = append(fake.labelArgsForCall, struct{}{})
+	fake.labelMutex.Unlock()
+	if fake.LabelStub != nil {
+		return fake.LabelStub()
+	} else {
+		return fake.labelReturns.result1
+	}
+}
+
+func (fake *FakeKey) LabelCallCount() int {
+	fake.labelMutex.RLock()
+	defer fake.labelMutex.RUnlock()
+	return len(fake.labelArgsForCall)
+}
+
+func (fake *FakeKey) LabelReturns(result1 string) {
+	fake.LabelStub = nil
+	fake.labelReturns = struct {
+		result1 string
+	}{result1}
+}
+
+func (fake *FakeKey) Block() cipher.Block {
+	fake.blockMutex.Lock()
+	fake.blockArgsForCall = append(fake.blockArgsForCall, struct{}{})
+	fake.blockMutex.Unlock()
+	if fake.BlockStub != nil {
+		return fake.BlockStub()
+	} else {
+		return fake.blockReturns.result1
+	}
+}
+
+func (fake *FakeKey) BlockCallCount() int {
+	fake.blockMutex.RLock()
+	defer fake.blockMutex.RUnlock()
+	return len(fake.blockArgsForCall)
+}
+
+func (fake *FakeKey) BlockReturns(result1 cipher.Block) {
+	fake.BlockStub = nil
+	fake.blockReturns = struct {
+		result1 cipher.Block
+	}{result1}
+}
+
+var _ encryption.Key = new(FakeKey)
diff --git a/encryption/key.go b/encryption/key.go
@@ -0,0 +1,44 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"errors"
+)
+
+//go:generate counterfeiter . Key
+type Key interface {
+	Label() string
+	Block() cipher.Block
+}
+
+type key struct {
+	block cipher.Block
+	label string
+}
+
+func NewKey(label, phrase string) (Key, error) {
+	if label == "" {
+		return nil, errors.New("A key label is required")
+	}
+
+	hash := sha256.Sum256([]byte(phrase))
+	block, err := aes.NewCipher(hash[:])
+	if err != nil {
+		return nil, err
+	}
+
+	return &key{
+		label: label,
+		block: block,
+	}, nil
+}
+
+func (k *key) Label() string {
+	return k.label
+}
+
+func (k *key) Block() cipher.Block {
+	return k.block
+}
diff --git a/encryption/key_manager.go b/encryption/key_manager.go
@@ -0,0 +1,39 @@
+package encryption
+
+import "fmt"
+
+type keyManager struct {
+	encryptionKey  Key
+	decryptionKeys map[string]Key
+}
+
+type KeyManager interface {
+	EncryptionKey() Key
+	DecryptionKey(label string) Key
+}
+
+func NewKeyManager(encryptionKey Key, decryptionKeys []Key) (KeyManager, error) {
+	decryptionKeyMap := map[string]Key{
+		encryptionKey.Label(): encryptionKey,
+	}
+
+	for _, key := range decryptionKeys {
+		if existingKey, ok := decryptionKeyMap[key.Label()]; ok && key != existingKey {
+			return nil, fmt.Errorf("Multiple keys with the same label: %q", key.Label())
+		}
+		decryptionKeyMap[key.Label()] = key
+	}
+
+	return &keyManager{
+		encryptionKey:  encryptionKey,
+		decryptionKeys: decryptionKeyMap,
+	}, nil
+}
+
+func (m *keyManager) EncryptionKey() Key {
+	return m.encryptionKey
+}
+
+func (m *keyManager) DecryptionKey(label string) Key {
+	return m.decryptionKeys[label]
+}
diff --git a/encryption/key_manager_test.go b/encryption/key_manager_test.go
diff --git a/encryption/key_test.go b/encryption/key_test.go
