Add encryption package

[#103024166]

Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com>

Author: jenspinney

encryption/crypt.go

@@ -0,0 +1,74 @@
+package encryption
+
+import (
+	"crypto/cipher"
+	"errors"
+	"fmt"
+	"io"
+)
+
+type Encrypted struct {
+	Nonce      []byte
+	KeyLabel   string
+	CipherText []byte
+}
+
+type Encryptor interface {
+	Encrypt(plaintext []byte) (Encrypted, error)
+}
+
+type Decryptor interface {
+	Decrypt(encrypted Encrypted) ([]byte, error)
+}
+
+type Cryptor interface {
+	Encryptor
+	Decryptor
+}
+
+type cryptor struct {
+	keyManager KeyManager
+	prng       io.Reader
+}
+
+func NewCryptor(keyManager KeyManager, prng io.Reader) Cryptor {
+	return &cryptor{
+		keyManager: keyManager,
+		prng:       prng,
+	}
+}
+
+func (c *cryptor) Encrypt(plaintext []byte) (Encrypted, error) {
+	key := c.keyManager.EncryptionKey()
+
+	aead, err := cipher.NewGCM(key.Block())
+	if err != nil {
+		return Encrypted{}, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)
+	}
+
+	nonce := make([]byte, aead.NonceSize())
+	n, err := c.prng.Read(nonce)
+	if err != nil {
+		return Encrypted{}, fmt.Errorf("Unable to generate random nonce: %q", err)
+	}
+	if n != len(nonce) {
+		return Encrypted{}, errors.New("Unable to generate random nonce")
+	}
+
+	ciphertext := aead.Seal(nil, nonce, plaintext, nil)
+	return Encrypted{KeyLabel: key.Label(), Nonce: nonce, CipherText: ciphertext}, nil
+}
+
+func (d *cryptor) Decrypt(encrypted Encrypted) ([]byte, error) {
+	key := d.keyManager.DecryptionKey(encrypted.KeyLabel)
+	if key == nil {
+		return nil, fmt.Errorf("Key with label %q was not found", encrypted.KeyLabel)
+	}
+
+	aead, err := cipher.NewGCM(key.Block())
+	if err != nil {
+		return nil, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)
+	}
+
+	return aead.Open(nil, encrypted.Nonce, encrypted.CipherText, nil)
+}

encryption/crypt_test.go

@@ -0,0 +1,140 @@
+package encryption_test
+
+import (
+	"bytes"
+	"crypto/des"
+	"crypto/rand"
+	"io"
+
+	"github.com/cloudfoundry-incubator/bbs/encryption"
+	"github.com/cloudfoundry-incubator/bbs/encryption/fakes"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Crypt", func() {
+	var cryptor encryption.Cryptor
+	var keyManager encryption.KeyManager
+	var prng io.Reader
+
+	BeforeEach(func() {
+		key, err := encryption.NewKey("label", "pass phrase")
+		Expect(err).NotTo(HaveOccurred())
+		keyManager, err = encryption.NewKeyManager(key, nil)
+		Expect(err).NotTo(HaveOccurred())
+		prng = rand.Reader
+	})
+
+	JustBeforeEach(func() {
+		cryptor = encryption.NewCryptor(keyManager, prng)
+	})
+
+	It("successfully encrypts and decrypts with a key", func() {
+		input := []byte("some plaintext data")
+
+		encrypted, err := cryptor.Encrypt(input)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(encrypted.CipherText).NotTo(HaveLen(0))
+		Expect(encrypted.CipherText).NotTo(Equal(input))
+
+		plaintext, err := cryptor.Decrypt(encrypted)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(plaintext).NotTo(HaveLen(0))
+		Expect(plaintext).To(Equal(input))
+	})
+
+	Context("when the nonce is incorrect", func() {
+		It("fails to decrypt", func() {
+			input := []byte("some plaintext data")
+
+			encrypted, err := cryptor.Encrypt(input)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(encrypted.CipherText).NotTo(HaveLen(0))
+			Expect(encrypted.CipherText).NotTo(Equal(input))
+
+			encrypted.Nonce = []byte("123456789012")
+
+			_, err = cryptor.Decrypt(encrypted)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError("cipher: message authentication failed"))
+		})
+	})
+
+	Context("when the key is not found", func() {
+		It("fails to decrypt", func() {
+			encrypted := encryption.Encrypted{
+				KeyLabel: "doesnt-exist",
+				Nonce:    []byte("123456789012"),
+			}
+
+			_, err := cryptor.Decrypt(encrypted)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError(`Key with label "doesnt-exist" was not found`))
+		})
+	})
+
+	Context("when the ciphertext is modified", func() {
+		It("fails to decrypt", func() {
+			input := []byte("some plaintext data")
+
+			encrypted, err := cryptor.Encrypt(input)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(encrypted.CipherText).NotTo(HaveLen(0))
+			Expect(encrypted.CipherText).NotTo(Equal(input))
+
+			encrypted.CipherText[0] ^= 1
+
+			_, err = cryptor.Decrypt(encrypted)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError("cipher: message authentication failed"))
+		})
+	})
+
+	Context("when the random number generator fails", func() {
+		BeforeEach(func() {
+			prng = bytes.NewBuffer([]byte{})
+		})
+
+		It("fails to encrypt", func() {
+			input := []byte("some plaintext data")
+
+			_, err := cryptor.Encrypt(input)
+			Expect(err).To(MatchError(`Unable to generate random nonce: "EOF"`))
+		})
+	})
+
+	Context("when the random number generator fails to generate enough data", func() {
+		BeforeEach(func() {
+			prng = bytes.NewBufferString("goo")
+		})
+
+		It("fails to encrypt", func() {
+			input := []byte("some plaintext data")
+
+			_, err := cryptor.Encrypt(input)
+			Expect(err).To(MatchError("Unable to generate random nonce"))
+		})
+	})
+
+	Context("when the encryption key is invalid", func() {
+		var key *fakes.FakeKey
+
+		BeforeEach(func() {
+			desCipher, err := des.NewCipher([]byte("12345678"))
+			Expect(err).NotTo(HaveOccurred())
+
+			key = &fakes.FakeKey{}
+			key.BlockReturns(desCipher)
+			keyManager, err = encryption.NewKeyManager(key, nil)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("returns an error", func() {
+			input := []byte("some plaintext data")
+
+			_, err := cryptor.Encrypt(input)
+			Expect(err).To(MatchError(HavePrefix("Unable to create GCM-wrapped cipher:")))
+		})
+	})
+})

encryption/encryption_suite_test.go

@@ -0,0 +1,13 @@
+package encryption_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestEncryption(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Encryption Suite")
+}

encryption/fakes/fake_key.go

@@ -0,0 +1,74 @@
+// This file was generated by counterfeiter
+package fakes
+
+import (
+	"crypto/cipher"
+	"sync"
+
+	"github.com/cloudfoundry-incubator/bbs/encryption"
+)
+
+type FakeKey struct {
+	LabelStub        func() string
+	labelMutex       sync.RWMutex
+	labelArgsForCall []struct{}
+	labelReturns struct {
+		result1 string
+	}
+	BlockStub        func() cipher.Block
+	blockMutex       sync.RWMutex
+	blockArgsForCall []struct{}
+	blockReturns struct {
+		result1 cipher.Block
+	}
+}
+
+func (fake *FakeKey) Label() string {
+	fake.labelMutex.Lock()
+	fake.labelArgsForCall = append(fake.labelArgsForCall, struct{}{})
+	fake.labelMutex.Unlock()
+	if fake.LabelStub != nil {
+		return fake.LabelStub()
+	} else {
+		return fake.labelReturns.result1
+	}
+}
+
+func (fake *FakeKey) LabelCallCount() int {
+	fake.labelMutex.RLock()
+	defer fake.labelMutex.RUnlock()
+	return len(fake.labelArgsForCall)
+}
+
+func (fake *FakeKey) LabelReturns(result1 string) {
+	fake.LabelStub = nil
+	fake.labelReturns = struct {
+		result1 string
+	}{result1}
+}
+
+func (fake *FakeKey) Block() cipher.Block {
+	fake.blockMutex.Lock()
+	fake.blockArgsForCall = append(fake.blockArgsForCall, struct{}{})
+	fake.blockMutex.Unlock()
+	if fake.BlockStub != nil {
+		return fake.BlockStub()
+	} else {
+		return fake.blockReturns.result1
+	}
+}
+
+func (fake *FakeKey) BlockCallCount() int {
+	fake.blockMutex.RLock()
+	defer fake.blockMutex.RUnlock()
+	return len(fake.blockArgsForCall)
+}
+
+func (fake *FakeKey) BlockReturns(result1 cipher.Block) {
+	fake.BlockStub = nil
+	fake.blockReturns = struct {
+		result1 cipher.Block
+	}{result1}
+}
+
+var _ encryption.Key = new(FakeKey)

encryption/key.go

@@ -0,0 +1,44 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"errors"
+)
+
+//go:generate counterfeiter . Key
+type Key interface {
+	Label() string
+	Block() cipher.Block
+}
+
+type key struct {
+	block cipher.Block
+	label string
+}
+
+func NewKey(label, phrase string) (Key, error) {
+	if label == "" {
+		return nil, errors.New("A key label is required")
+	}
+
+	hash := sha256.Sum256([]byte(phrase))
+	block, err := aes.NewCipher(hash[:])
+	if err != nil {
+		return nil, err
+	}
+
+	return &key{
+		label: label,
+		block: block,
+	}, nil
+}
+
+func (k *key) Label() string {
+	return k.label
+}
+
+func (k *key) Block() cipher.Block {
+	return k.block
+}

encryption/key_manager.go

@@ -0,0 +1,39 @@
+package encryption
+
+import "fmt"
+
+type keyManager struct {
+	encryptionKey  Key
+	decryptionKeys map[string]Key
+}
+
+type KeyManager interface {
+	EncryptionKey() Key
+	DecryptionKey(label string) Key
+}
+
+func NewKeyManager(encryptionKey Key, decryptionKeys []Key) (KeyManager, error) {
+	decryptionKeyMap := map[string]Key{
+		encryptionKey.Label(): encryptionKey,
+	}
+
+	for _, key := range decryptionKeys {
+		if existingKey, ok := decryptionKeyMap[key.Label()]; ok && key != existingKey {
+			return nil, fmt.Errorf("Multiple keys with the same label: %q", key.Label())
+		}
+		decryptionKeyMap[key.Label()] = key
+	}
+
+	return &keyManager{
+		encryptionKey:  encryptionKey,
+		decryptionKeys: decryptionKeyMap,
+	}, nil
+}
+
+func (m *keyManager) EncryptionKey() Key {
+	return m.encryptionKey
+}
+
+func (m *keyManager) DecryptionKey(label string) Key {
+	return m.decryptionKeys[label]
+}

encryption/key_manager_test.go

@@ -0,0 +1,110 @@
+package encryption_test
+
+import (
+	"github.com/cloudfoundry-incubator/bbs/encryption"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("KeyManager", func() {
+	var (
+		encryptionKey  encryption.Key
+		decryptionKeys []encryption.Key
+		manager        encryption.KeyManager
+		cerr           error
+	)
+
+	BeforeEach(func() {
+		var err error
+		encryptionKey, err = encryption.NewKey("key label", "pass phrase")
+		Expect(err).NotTo(HaveOccurred())
+		decryptionKeys = []encryption.Key{}
+		cerr = nil
+	})
+
+	JustBeforeEach(func() {
+		manager, cerr = encryption.NewKeyManager(encryptionKey, decryptionKeys)
+	})
+
+	It("stores the correct encryption key", func() {
+		Expect(cerr).NotTo(HaveOccurred())
+		Expect(manager.EncryptionKey()).To(Equal(encryptionKey))
+	})
+
+	It("adds the encryption key as a decryption key", func() {
+		Expect(manager.DecryptionKey(encryptionKey.Label())).To(Equal(manager.EncryptionKey()))
+	})
+
+	Context("when decryption keys are provided", func() {
+		BeforeEach(func() {
+			key1, err := encryption.NewKey("label1", "some pass phrase")
+			Expect(err).NotTo(HaveOccurred())
+
+			key2, err := encryption.NewKey("label2", "some other pass phrase")
+			Expect(err).NotTo(HaveOccurred())
+
+			key3, err := encryption.NewKey("label3", "")
+			Expect(err).NotTo(HaveOccurred())
+
+			decryptionKeys = []encryption.Key{key1, key2, key3}
+		})
+
+		It("stores the decryption keys", func() {
+			for _, decryptionKey := range decryptionKeys {
+				key := manager.DecryptionKey(decryptionKey.Label())
+				Expect(key).To(Equal(decryptionKey))
+			}
+		})
+
+		It("includes the encryption key", func() {
+			key := manager.DecryptionKey(encryptionKey.Label())
+			Expect(key).To(Equal(manager.EncryptionKey()))
+		})
+	})
+
+	Context("when the encryption key and a decryption key have the same label but different blocks", func() {
+		BeforeEach(func() {
+			decryptKey, err := encryption.NewKey("key label", "a different pass phrase")
+			Expect(err).NotTo(HaveOccurred())
+
+			decryptionKeys = []encryption.Key{decryptKey}
+		})
+
+		It("returns a multiple key error", func() {
+			Expect(cerr).To(MatchError(`Multiple keys with the same label: "key label"`))
+		})
+	})
+
+	Context("when different keys with the same label are provided in decryption keys", func() {
+		BeforeEach(func() {
+			duplicateLabelKey1, err := encryption.NewKey("label", "a pass phrase")
+			duplicateLabelKey2, err := encryption.NewKey("label", "a different pass phrase")
+			Expect(err).NotTo(HaveOccurred())
+
+			decryptionKeys = []encryption.Key{duplicateLabelKey1, duplicateLabelKey2}
+		})
+
+		It("returns a multiple key error", func() {
+			Expect(cerr).To(MatchError(`Multiple keys with the same label: "label"`))
+		})
+	})
+
+	Context("when attempting to retrieve a key that does not exist", func() {
+		It("returns nil", func() {
+			key := manager.DecryptionKey("bogus")
+			Expect(key).To(BeNil())
+		})
+	})
+
+	Context("when no decryption keys are provided", func() {
+		BeforeEach(func() {
+			decryptionKeys = nil
+		})
+
+		It("still includes the encryption key", func() {
+			key := manager.DecryptionKey(encryptionKey.Label())
+			Expect(key).To(Equal(encryptionKey))
+		})
+	})
+})

encryption/key_test.go

@@ -0,0 +1,46 @@
+package encryption_test
+
+import (
+	"crypto/aes"
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/cloudfoundry-incubator/bbs/encryption"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Key", func() {
+	Describe("NewKey", func() {
+		It("generates a 256 bit key from a string that can be used as aes keys", func() {
+			phrases := []string{
+				"",
+				"a",
+				"a short phrase",
+				"12345678901234567890123456789012",
+				"1234567890123456789012345678901234567890123456789012345678901234567890",
+			}
+
+			for i, phrase := range phrases {
+				label := fmt.Sprintf("%d", i)
+				key, err := encryption.NewKey(label, phrase)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(key.Label()).To(Equal(label))
+				Expect(key.Block().BlockSize()).To(Equal(aes.BlockSize))
+
+				phraseHash := sha256.Sum256([]byte(phrase))
+				block, err := aes.NewCipher(phraseHash[:])
+				Expect(err).NotTo(HaveOccurred())
+				Expect(key.Block()).To(Equal(block))
+			}
+		})
+
+		Context("when a key label is not specified", func() {
+			It("returns a meaningful error", func() {
+				_, err := encryption.NewKey("", "phrase")
+				Expect(err).To(MatchError("A key label is required"))
+			})
+		})
+	})
+})