[WIP] symmetric: Add symmetric crypto routines

Author: patzielinski

symmetric/aes.go

@@ -0,0 +1,97 @@
+package symmetric
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"errors"
+)
+
+var (
+	ErrInvalidKeyLength = errors.New("invalid key length")
+	ErrInvalidMode      = errors.New("invalid mode")
+)
+
+type AESMode uint8
+
+const (
+	GCM AESMode = iota
+)
+
+type AESEncrypterDecrypter struct {
+	keyID    string
+	keyBytes []byte
+	mode     AESMode
+}
+
+// NewAESEncrypterDecrypterFromSSLibSymmetricKey creates an
+// AESEncrypterDecrypter from an SSLibSymmetricKey.
+func NewAESEncrypterDecrypterFromSSLibSymmetricKey(key *SSLibSymmetricKey, mode AESMode) (*AESEncrypterDecrypter, error) {
+	switch mode {
+	case GCM:
+		break
+	default:
+		return nil, ErrInvalidMode
+	}
+
+	return &AESEncrypterDecrypter{
+		keyID:    key.KeyID,
+		keyBytes: key.KeyVal,
+		mode:     mode,
+	}, nil
+}
+
+func (ed *AESEncrypterDecrypter) Encrypt(data []byte) ([]byte, error) {
+	block, err := aes.NewCipher(ed.keyBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	var ciphertext []byte
+
+	switch ed.mode {
+	case GCM:
+		gcm, err := cipher.NewGCMWithRandomNonce(block)
+		if err != nil {
+			return nil, err
+		}
+
+		ciphertext = gcm.Seal(nil, nil, data, nil)
+	}
+	return ciphertext, nil
+}
+
+func (ed *AESEncrypterDecrypter) Decrypt(data []byte) ([]byte, error) {
+	block, err := aes.NewCipher(ed.keyBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	var plaintext []byte
+	switch ed.mode {
+	case GCM:
+		gcm, err := cipher.NewGCMWithRandomNonce(block)
+		if err != nil {
+			return nil, err
+		}
+
+		plaintext, err = gcm.Open(nil, nil, data, nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return plaintext, nil
+}
+
+func (ed *AESEncrypterDecrypter) KeyID() (string, error) {
+	return ed.keyID, nil
+}
+
+func validateAESKeySize(key []byte) (int, error) {
+	switch len(key) {
+	// AES-128, AES-192, AES-256
+	case 16, 24, 32:
+		return len(key) / 8, nil
+	default:
+		return 0, ErrInvalidKeyLength
+	}
+}

symmetric/aes_test.go

@@ -0,0 +1,53 @@
+package symmetric
+
+import (
+	"encoding/hex"
+	"fmt"
+	"testing"
+
+	"github.com/secure-systems-lab/go-securesystemslib/symmetric/testdata"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var plaintext = []byte("reallyimportant")
+
+func TestRoundtrip(t *testing.T) {
+	key, err := hex.DecodeString(string(testdata.AESKey))
+	require.Nil(t, err)
+
+	fmt.Println(key)
+
+	aesED := &AESEncrypterDecrypter{
+		keyID:    "super secret key",
+		keyBytes: key,
+		mode:     GCM,
+	}
+
+	ciphertext, err := aesED.Encrypt(plaintext)
+	assert.Nil(t, err)
+
+	decryptedPlaintext, err := aesED.Decrypt(ciphertext)
+	assert.Nil(t, err)
+
+	assert.Equal(t, plaintext, decryptedPlaintext)
+}
+
+func TestRoundtripCorrupted(t *testing.T) {
+	key, err := hex.DecodeString(string(testdata.AESKey))
+	require.Nil(t, err)
+
+	aesED := &AESEncrypterDecrypter{
+		keyID:    "super secret key",
+		keyBytes: key,
+		mode:     GCM,
+	}
+
+	ciphertext, err := aesED.Encrypt(plaintext)
+	assert.Nil(t, err)
+
+	ciphertext[0] = ^ciphertext[0]
+
+	_, err = aesED.Decrypt(ciphertext)
+	assert.ErrorContains(t, err, "message authentication failed")
+}

symmetric/encrypterdecrypter.go

@@ -0,0 +1,22 @@
+package symmetric
+
+// Encrypter is the interface for an abstract symmetric block encryption
+// algorithm. The Encrypter interface is used to encrypt arbitrary byte
+// payloads, and returns the ciphertext, or an error. It is
+// cipher-agnostic.
+type Encrypter interface {
+	Encrypt([]byte) ([]byte, []byte, error)
+	KeyID() (string, error)
+}
+
+// Decrypter is the interface to decrypt ciphertext.
+type Decrypter interface {
+	Decrypt([]byte, []byte) ([]byte, error)
+	KeyID() (string, error)
+}
+
+// EncrypterDecrypter is the combined interface of Encrypter and Decrypter.
+type EncrypterDecrypter interface {
+	Encrypter
+	Decrypter
+}

symmetric/symmetric.go

@@ -0,0 +1,56 @@
+package symmetric
+
+import (
+	"encoding/hex"
+	"errors"
+)
+
+var ErrUnknownKeyType = errors.New("unknown key type")
+
+type SSLibSymmetricCipher uint8
+
+const (
+	AES SSLibSymmetricCipher = iota
+)
+
+type SSLibSymmetricKey struct {
+	KeyID   string               `json:"keyid"`
+	Cipher  SSLibSymmetricCipher `json:"scheme"`
+	KeySize int                  `json:"keysize"`
+	KeyVal  []byte               `json:"keyval"`
+}
+
+// LoadSymmetricKey returns an SSLibSymmetricKey object when provided a byte
+// array and cipher. Currently, AES-128/192/256 are supported.
+func LoadSymmetricKey(keyBytes []byte, cipher SSLibSymmetricCipher) (*SSLibSymmetricKey, error) {
+	var key *SSLibSymmetricKey
+
+	switch cipher {
+	case AES:
+		keyBytes, err := hex.DecodeString(string(keyBytes))
+		if err != nil {
+			return nil, err
+		}
+
+		keySize, err := validateAESKeySize(keyBytes)
+		if err != nil {
+			return nil, err
+		}
+
+		key = &SSLibSymmetricKey{
+			KeyID:   "",
+			Cipher:  cipher,
+			KeySize: keySize,
+			KeyVal:  keyBytes,
+		}
+	default:
+		return nil, ErrUnknownKeyType
+	}
+
+	keyID, err := calculateKeyID(key)
+	if err != nil {
+		return nil, err
+	}
+	key.KeyID = keyID
+	return key, nil
+}

symmetric/symmetric_test.go

@@ -0,0 +1,30 @@
+package symmetric
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/secure-systems-lab/go-securesystemslib/symmetric/testdata"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLoadSymmetricKey(t *testing.T) {
+	tests := map[string]struct {
+		keyBytes      []byte
+		cipher        SSLibSymmetricCipher
+		expectedKeyID string
+	}{
+		"AES key": {
+			keyBytes:      testdata.AESKey,
+			cipher:        AES,
+			expectedKeyID: "3365676914098a99b563b1d5b90822916e78d1109640bbdaf196208db3edf908",
+		},
+	}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			key, err := LoadSymmetricKey(test.keyBytes, test.cipher)
+			assert.Nil(t, err, fmt.Sprintf("unexpected error in test '%s'", name))
+			assert.Equal(t, test.expectedKeyID, key.KeyID)
+		})
+	}
+}

symmetric/testdata/aes-key

@@ -0,0 +1 @@
+6368616e676520746869732070617373776f726420746f206120736563726574

symmetric/testdata/testdata.go

@@ -0,0 +1,8 @@
+package testdata
+
+import (
+	_ "embed"
+)
+
+//go:embed aes-key
+var AESKey []byte

symmetric/utils.go

@@ -0,0 +1,22 @@
+package symmetric
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+
+	"github.com/secure-systems-lab/go-securesystemslib/cjson"
+)
+
+func calculateKeyID(k *SSLibSymmetricKey) (string, error) {
+	key := map[string]any{
+		"cipher":  k.Cipher,
+		"keysize": k.KeySize,
+		"keyval":  k.KeyVal,
+	}
+	canonical, err := cjson.EncodeCanonical(key)
+	if err != nil {
+		return "", err
+	}
+	digest := sha256.Sum256(canonical)
+	return hex.EncodeToString(digest[:]), nil
+}