diff --git a/client/client.go b/client/client.go index 0584450..ea5beb5 100644 --- a/client/client.go +++ b/client/client.go @@ -56,23 +56,28 @@ func (c *Connection) Close() error { func init() { gob.Register(crypto.SHA256) + gob.Register(crypto.SHA384) + gob.Register(crypto.SHA512) gob.Register(&rsa.PSSOptions{}) + gob.Register(&rsa.OAEPOptions{}) } -// SignArgs contains arguments to a crypto Signer.Sign method. +// SignArgs contains arguments for a Sign API call. type SignArgs struct { Digest []byte // The content to sign. - Opts crypto.SignerOpts // Options for signing, such as Hash identifier. + Opts crypto.SignerOpts // Options for signing. Must implement HashFunc(). } +// EncryptArgs contains arguments for an Encrypt API call. type EncryptArgs struct { - Plaintext []byte - Hash crypto.Hash + Plaintext []byte // The plaintext to encrypt. + Opts any // Options for encryption. Ex: an instance of crypto.Hash. } +// DecryptArgs contains arguments to for a Decrypt API call. type DecryptArgs struct { - Ciphertext []byte - Hash crypto.Hash + Ciphertext []byte // The ciphertext to decrypt. + Opts crypto.DecrypterOpts // Options for decryption. Ex: an instance of *rsa.OAEPOptions. } // Key implements credential.Credential by holding the executed signer subprocess. @@ -110,7 +115,7 @@ func (k *Key) Public() crypto.PublicKey { return k.publicKey } -// Sign signs a message digest, using the specified signer options. +// Sign signs a message digest, using the specified signer opts. Implements crypto.Signer interface. func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) { if opts != nil && opts.HashFunc() != 0 && len(digest) != opts.HashFunc().Size() { return nil, fmt.Errorf("Digest length of %v bytes does not match Hash function size of %v bytes", len(digest), opts.HashFunc().Size()) @@ -119,13 +124,15 @@ func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed [ return } -func (k *Key) Encrypt(plaintext []byte) (ciphertext []byte, err error) { - err = k.client.Call(encryptAPI, EncryptArgs{Plaintext: plaintext, Hash: crypto.SHA256}, &ciphertext) +// Encrypt encrypts a plaintext msg into ciphertext, using the specified encrypt opts. +func (k *Key) Encrypt(_ io.Reader, msg []byte, opts any) (ciphertext []byte, err error) { + err = k.client.Call(encryptAPI, EncryptArgs{Plaintext: msg, Opts: opts}, &ciphertext) return } -func (k *Key) Decrypt(ciphertext []byte) (plaintext []byte, err error) { - err = k.client.Call(decryptAPI, DecryptArgs{Ciphertext: ciphertext, Hash: crypto.SHA256}, &plaintext) +// Decrypt decrypts a ciphertext msg into plaintext, using the specified decrypter opts. Implements crypto.Decrypter interface. +func (k *Key) Decrypt(_ io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) { + err = k.client.Call(decryptAPI, DecryptArgs{Ciphertext: msg, Opts: opts}, &plaintext) return } diff --git a/client/client_test.go b/client/client_test.go index ef1d9fe..672642d 100644 --- a/client/client_test.go +++ b/client/client_test.go @@ -17,6 +17,7 @@ package client import ( "bytes" "crypto" + "crypto/rsa" "encoding/json" "errors" "os" @@ -103,7 +104,7 @@ func TestClientEncrypt(t *testing.T) { t.Fatal(err) } plaintext := []byte("Plain text to encrypt") - _, err = key.Encrypt(plaintext) + _, err = key.Encrypt(nil, plaintext, crypto.SHA256) if err != nil { t.Errorf("Universal Client API encryption: got %v, want nil err", err) return @@ -116,8 +117,8 @@ func TestClientDecrypt(t *testing.T) { t.Fatal(err) } byteSlice := []byte("Plain text to encrypt") - ciphertext, _ := key.Encrypt(byteSlice) - plaintext, err := key.Decrypt(ciphertext) + ciphertext, _ := key.Encrypt(nil, byteSlice, crypto.SHA256) + plaintext, err := key.Decrypt(nil, ciphertext, &rsa.OAEPOptions{Hash: crypto.SHA256}) if err != nil { t.Errorf("Universal Client API decryption: got %v, want nil err", err) return diff --git a/darwin/client.go b/darwin/client.go index 57c6a2f..8a124f2 100644 --- a/darwin/client.go +++ b/darwin/client.go @@ -40,17 +40,19 @@ func (sk *SecureKey) Public() crypto.PublicKey { return sk.key.Public() } -// Sign signs a message digest, using the specified signer options. +// Sign signs a message digest, using the specified signer opts. Implements crypto.Signer interface. func (sk *SecureKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) { return sk.key.Sign(nil, digest, opts) } -func (sk *SecureKey) Encrypt(plaintext []byte) ([]byte, error) { - return sk.key.Encrypt(plaintext) +// Encrypt encrypts a plaintext msg into ciphertext, using the specified encrypt opts. +func (sk *SecureKey) Encrypt(_ io.Reader, msg []byte, opts any) (ciphertext []byte, err error) { + return sk.key.Encrypt(msg, opts) } -func (sk *SecureKey) Decrypt(ciphertext []byte) ([]byte, error) { - return sk.key.Decrypt(ciphertext) +// Decrypt decrypts a ciphertext msg into plaintext, using the specified decrypter opts. Implements crypto.Decrypter interface. +func (sk *SecureKey) Decrypt(_ io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) { + return sk.key.Decrypt(msg, opts) } // Close frees up resources associated with the underlying key. diff --git a/darwin/client_test.go b/darwin/client_test.go index 50493b9..1246170 100644 --- a/darwin/client_test.go +++ b/darwin/client_test.go @@ -15,21 +15,21 @@ package darwin import ( "bytes" + "crypto" + "crypto/rsa" "testing" - - "github.com/googleapis/enterprise-certificate-proxy/internal/signer/darwin/keychain" ) const TEST_CREDENTIALS = "TestIssuer" func TestClientEncrypt(t *testing.T) { - secureKey, err := keychain.Cred(TEST_CREDENTIALS) + secureKey, err := NewSecureKey(TEST_CREDENTIALS) if err != nil { t.Errorf("Cred: got %v, want nil err", err) return } plaintext := []byte("Plain text to encrypt") - _, err = secureKey.Encrypt(plaintext) + _, err = secureKey.Encrypt(nil, plaintext, crypto.SHA256) if err != nil { t.Errorf("Client API encryption: got %v, want nil err", err) return @@ -37,14 +37,14 @@ func TestClientEncrypt(t *testing.T) { } func TestClientDecrypt(t *testing.T) { - secureKey, err := keychain.Cred(TEST_CREDENTIALS) + secureKey, err := NewSecureKey(TEST_CREDENTIALS) if err != nil { t.Errorf("Cred: got %v, want nil err", err) return } byteSlice := []byte("Plain text to encrypt") - ciphertext, _ := secureKey.Encrypt(byteSlice) - plaintext, err := secureKey.Decrypt(ciphertext) + ciphertext, _ := secureKey.Encrypt(nil, byteSlice, crypto.SHA256) + plaintext, err := secureKey.Decrypt(nil, ciphertext, &rsa.OAEPOptions{Hash:crypto.SHA256}) if err != nil { t.Errorf("Client API decryption: got %v, want nil err", err) return diff --git a/internal/signer/darwin/keychain/keychain.go b/internal/signer/darwin/keychain/keychain.go index c704807..1cf9016 100644 --- a/internal/signer/darwin/keychain/keychain.go +++ b/internal/signer/darwin/keychain/keychain.go @@ -533,7 +533,13 @@ func (k *Key) getDecryptAlgorithm() (C.SecKeyAlgorithm, error) { return k.getRSADecryptAlgorithm() } -func (k *Key) Encrypt(plaintext []byte) ([]byte, error) { +// Encrypt encrypts a plaintext message digest using the public key. Here, we pass off the encryption to Keychain library. +func (k *Key) Encrypt(plaintext []byte, opts any) ([]byte, error) { + if hash, ok := opts.(crypto.Hash); ok { + k.hash = hash + } else { + return nil, fmt.Errorf("Unsupported encrypt opts: %v", opts) + } pub := k.publicKeyRef algorithm, err := k.getEncryptAlgorithm() if err != nil { @@ -554,7 +560,14 @@ func (k *Key) Encrypt(plaintext []byte) ([]byte, error) { return ciphertext, cfErrorFromRef(cfErr) } -func (k *Key) Decrypt(ciphertext []byte) ([]byte, error) { +// Decrypt decrypts a ciphertext message digest using the private key. Here, we pass off the decryption to Keychain library. +// Currently, only *rsa.OAEPOptions is supported for opts. +func (k *Key) Decrypt(ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) { + if oaepOpts, ok := opts.(*rsa.OAEPOptions); ok { + k.hash = oaepOpts.Hash + } else { + return nil, fmt.Errorf("Unsupported DecrypterOpts: %v", opts) + } priv := k.privateKeyRef algorithm, err := k.getDecryptAlgorithm() if err != nil { diff --git a/internal/signer/darwin/keychain/keychain_test.go b/internal/signer/darwin/keychain/keychain_test.go index 9e00080..a0f32f4 100644 --- a/internal/signer/darwin/keychain/keychain_test.go +++ b/internal/signer/darwin/keychain/keychain_test.go @@ -18,6 +18,8 @@ package keychain import ( "bytes" + "crypto" + "crypto/rsa" "testing" "unsafe" ) @@ -56,7 +58,7 @@ func TestEncrypt(t *testing.T) { return } plaintext := []byte("Plain text to encrypt") - _, err = key.Encrypt(plaintext) + _, err = key.Encrypt(plaintext, crypto.SHA256) if err != nil { t.Errorf("Encrypt: got %v, want nil err", err) return @@ -71,7 +73,7 @@ func BenchmarkEncrypt(b *testing.B) { } plaintext := []byte("Plain text to encrypt") for i := 0; i < b.N; i++ { - _, err := key.Encrypt(plaintext) + _, err := key.Encrypt(plaintext, crypto.SHA256) if err != nil { b.Errorf("Encrypt: got %v, want nil err", err) } @@ -85,8 +87,8 @@ func TestDecrypt(t *testing.T) { return } byteSlice := []byte("Plain text to encrypt") - ciphertext, _ := key.Encrypt(byteSlice) - plaintext, err := key.Decrypt(ciphertext) + ciphertext, _ := key.Encrypt(byteSlice, crypto.SHA256) + plaintext, err := key.Decrypt(ciphertext, &rsa.OAEPOptions{Hash: crypto.SHA256}) if err != nil { t.Errorf("Decrypt: got %v, want nil err", err) return @@ -103,9 +105,9 @@ func BenchmarkDecrypt(b *testing.B) { return } byteSlice := []byte("Plain text to encrypt") - ciphertext, _ := key.Encrypt(byteSlice) + ciphertext, _ := key.Encrypt(byteSlice, crypto.SHA256) for i := 0; i < b.N; i++ { - _, err := key.Decrypt(ciphertext) + _, err := key.Decrypt(ciphertext, &rsa.OAEPOptions{Hash: crypto.SHA256}) if err != nil { b.Errorf("Decrypt: got %v, want nil err", err) } diff --git a/internal/signer/darwin/signer.go b/internal/signer/darwin/signer.go index 6938ae8..bf34174 100644 --- a/internal/signer/darwin/signer.go +++ b/internal/signer/darwin/signer.go @@ -48,22 +48,25 @@ func init() { gob.Register(crypto.SHA384) gob.Register(crypto.SHA512) gob.Register(&rsa.PSSOptions{}) + gob.Register(&rsa.OAEPOptions{}) } -// SignArgs contains arguments to a crypto Signer.Sign method. +// SignArgs contains arguments for a Sign API call. type SignArgs struct { Digest []byte // The content to sign. - Opts crypto.SignerOpts // Options for signing, such as Hash identifier. + Opts crypto.SignerOpts // Options for signing. Must implement HashFunc(). } +// EncryptArgs contains arguments for an Encrypt API call. type EncryptArgs struct { - Plaintext []byte - Hash crypto.Hash + Plaintext []byte // The plaintext to encrypt. + Opts any // Options for encryption. Ex: an instance of crypto.Hash. } +// DecryptArgs contains arguments to for a Decrypt API call. type DecryptArgs struct { - Ciphertext []byte - Hash crypto.Hash + Ciphertext []byte // The ciphertext to decrypt. + Opts crypto.DecrypterOpts // Options for decryption. Ex: an instance of *rsa.OAEPOptions. } // A EnterpriseCertSigner exports RPC methods for signing. @@ -100,21 +103,21 @@ func (k *EnterpriseCertSigner) Public(ignored struct{}, publicKey *[]byte) (err return } -// Sign signs a message digest. +// Sign signs a message digest. Stores result in "resp". func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) { *resp, err = k.key.Sign(nil, args.Digest, args.Opts) return } -func (k *EnterpriseCertSigner) Encrypt(args EncryptArgs, plaintext *[]byte) (err error) { - k.key.WithHash(args.Hash) - *plaintext, err = k.key.Encrypt(args.Plaintext) +// Encrypt encrypts a plaintext message digest. Stores result in "resp". +func (k *EnterpriseCertSigner) Encrypt(args EncryptArgs, resp *[]byte) (err error) { + *resp, err = k.key.Encrypt(args.Plaintext, args.Opts) return } -func (k *EnterpriseCertSigner) Decrypt(args DecryptArgs, ciphertext *[]byte) (err error) { - k.key.WithHash(args.Hash) - *ciphertext, err = k.key.Decrypt(args.Ciphertext) +// Decrypt decrypts a ciphertext message digest. Stores result in "resp". +func (k *EnterpriseCertSigner) Decrypt(args DecryptArgs, resp *[]byte) (err error) { + *resp, err = k.key.Decrypt(args.Ciphertext, args.Opts) return } diff --git a/internal/signer/linux/pkcs11/pkcs11.go b/internal/signer/linux/pkcs11/pkcs11.go index f4d0e60..4afa875 100644 --- a/internal/signer/linux/pkcs11/pkcs11.go +++ b/internal/signer/linux/pkcs11/pkcs11.go @@ -161,11 +161,17 @@ func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, return k.signer.Sign(nil, digest, opts) } -func (k *Key) Encrypt(data []byte) ([]byte, error) { +// Encrypt encrypts a plaintext message digest using the public key. Here, we use standard golang API. +func (k *Key) Encrypt(plaintext []byte, opts any) ([]byte, error) { + if hash, ok := opts.(crypto.Hash); ok { + k.hash = hash + } else { + return nil, fmt.Errorf("Unsupported encrypt opts: %v", opts) + } publicKey := k.Public() _, ok := publicKey.(*rsa.PublicKey) if ok { - return k.encryptRSA(data) + return k.encryptRSA(plaintext) } _, ok = publicKey.(*ecdsa.PublicKey) if ok { @@ -175,11 +181,17 @@ func (k *Key) Encrypt(data []byte) ([]byte, error) { return nil, errors.New("encrypt error: Unsupported key type") } -func (k *Key) Decrypt(encryptedData []byte) ([]byte, error) { +// Decrypt decrypts a ciphertext message digest using the private key. Here, we pass off the decryption to pkcs11 library. +func (k *Key) Decrypt(msg []byte, opts crypto.DecrypterOpts) ([]byte, error) { + if oaepOpts, ok := opts.(*rsa.OAEPOptions); ok { + k.hash = oaepOpts.Hash + } else { + return nil, fmt.Errorf("Unsupported DecrypterOpts: %v", opts) + } publicKey := k.Public() _, ok := publicKey.(*rsa.PublicKey) if ok { - return k.decryptRSAWithPKCS11(encryptedData) + return k.decryptRSAWithPKCS11(msg) } _, ok = publicKey.(*ecdsa.PublicKey) if ok { diff --git a/internal/signer/linux/pkcs11/pkcs11_test.go b/internal/signer/linux/pkcs11/pkcs11_test.go index 04e7c65..ccadea8 100644 --- a/internal/signer/linux/pkcs11/pkcs11_test.go +++ b/internal/signer/linux/pkcs11/pkcs11_test.go @@ -16,6 +16,7 @@ package pkcs11 import ( "bytes" "crypto" + "crypto/rsa" "flag" "testing" ) @@ -88,7 +89,7 @@ func TestEncrypt(t *testing.T) { defer key.Close() msg := "Plain text to encrypt" bMsg := []byte(msg) - _, err := key.Encrypt(bMsg) + _, err := key.Encrypt(bMsg, crypto.SHA1) if err != nil { t.Errorf("Encrypt error: %q", err) } @@ -104,12 +105,11 @@ func TestDecrypt(t *testing.T) { msg := "Plain text to encrypt" bMsg := []byte(msg) // Softhsm only supports SHA1 - key = key.WithHash(crypto.SHA1) - ciphertext, err := key.Encrypt(bMsg) + ciphertext, err := key.Encrypt(bMsg, crypto.SHA1) if err != nil { t.Errorf("Encrypt error: %q", err) } - decrypted, err := key.Decrypt(ciphertext) + decrypted, err := key.Decrypt(ciphertext, &rsa.OAEPOptions{Hash: crypto.SHA1}) if err != nil { t.Fatalf("Decrypt error: %v", err) } diff --git a/internal/signer/linux/signer.go b/internal/signer/linux/signer.go index 4e07a78..d234182 100644 --- a/internal/signer/linux/signer.go +++ b/internal/signer/linux/signer.go @@ -49,22 +49,25 @@ func init() { gob.Register(crypto.SHA384) gob.Register(crypto.SHA512) gob.Register(&rsa.PSSOptions{}) + gob.Register(&rsa.OAEPOptions{}) } -// SignArgs contains arguments to a crypto Signer.Sign method. +// SignArgs contains arguments for a Sign API call. type SignArgs struct { Digest []byte // The content to sign. - Opts crypto.SignerOpts // Options for signing, such as Hash identifier. + Opts crypto.SignerOpts // Options for signing. Must implement HashFunc(). } +// EncryptArgs contains arguments for an Encrypt API call. type EncryptArgs struct { - Plaintext []byte - Hash crypto.Hash + Plaintext []byte // The plaintext to encrypt. + Opts any // Options for encryption. Ex: an instance of crypto.Hash. } +// DecryptArgs contains arguments to for a Decrypt API call. type DecryptArgs struct { - Ciphertext []byte - Hash crypto.Hash + Ciphertext []byte // The ciphertext to decrypt. + Opts crypto.DecrypterOpts // Options for decryption. Ex: an instance of *rsa.OAEPOptions. } // A EnterpriseCertSigner exports RPC methods for signing. @@ -101,21 +104,21 @@ func (k *EnterpriseCertSigner) Public(ignored struct{}, publicKey *[]byte) (err return } -// Sign signs a message digest. +// Sign signs a message digest. Stores result in "resp". func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) { *resp, err = k.key.Sign(nil, args.Digest, args.Opts) return } -func (k *EnterpriseCertSigner) Encrypt(args EncryptArgs, encryptedData *[]byte) (err error) { - k.key = k.key.WithHash(args.Hash) - *encryptedData, err = k.key.Encrypt(args.Plaintext) +// Encrypt encrypts a plaintext msg. Stores result in "resp". +func (k *EnterpriseCertSigner) Encrypt(args EncryptArgs, resp *[]byte) (err error) { + *resp, err = k.key.Encrypt(args.Plaintext, args.Opts) return } -func (k *EnterpriseCertSigner) Decrypt(args DecryptArgs, decryptedData *[]byte) (err error) { - k.key = k.key.WithHash(args.Hash) - *decryptedData, err = k.key.Decrypt(args.Ciphertext) +// Decrypt decrypts a ciphertext msg. Stores result in "resp". +func (k *EnterpriseCertSigner) Decrypt(args DecryptArgs, resp *[]byte) (err error) { + *resp, err = k.key.Decrypt(args.Ciphertext, args.Opts) return } diff --git a/internal/signer/test/signer.go b/internal/signer/test/signer.go index b153173..4d2f77d 100644 --- a/internal/signer/test/signer.go +++ b/internal/signer/test/signer.go @@ -17,8 +17,10 @@ package main import ( "crypto" + "crypto/rsa" "crypto/tls" "crypto/x509" + "encoding/gob" "io" "log" "net/rpc" @@ -26,6 +28,14 @@ import ( "time" ) +func init() { + gob.Register(crypto.SHA256) + gob.Register(crypto.SHA384) + gob.Register(crypto.SHA512) + gob.Register(&rsa.PSSOptions{}) + gob.Register(&rsa.OAEPOptions{}) +} + // SignArgs encapsulate the parameters for the Sign method. type SignArgs struct { Digest []byte diff --git a/linux/client.go b/linux/client.go index 35acf87..aed42d7 100644 --- a/linux/client.go +++ b/linux/client.go @@ -37,11 +37,21 @@ func (sk *SecureKey) Public() crypto.PublicKey { return sk.key.Public() } -// Sign signs a message digest, using the specified signer options. +// Sign signs a message digest, using the specified signer opts. Implements crypto.Signer interface. func (sk *SecureKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) { return sk.key.Sign(nil, digest, opts) } +// Encrypt encrypts a plaintext msg into ciphertext, using the specified encrypt opts. +func (sk *SecureKey) Encrypt(_ io.Reader, msg []byte, opts any) (ciphertext []byte, err error) { + return sk.key.Encrypt(msg, opts) +} + +// Decrypt decrypts a ciphertext msg into plaintext, using the specified decrypter opts. Implements crypto.Decrypter interface. +func (sk *SecureKey) Decrypt(_ io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) { + return sk.key.Decrypt(msg, opts) +} + // Close frees up resources associated with the underlying key. func (sk *SecureKey) Close() { sk.key.Close() @@ -56,11 +66,3 @@ func NewSecureKey(pkcs11Module string, slotUint32Str string, label string, userP } return &SecureKey{key: k}, nil } - -func (sk *SecureKey) Encrypt(data []byte) ([]byte, error) { - return sk.key.Encrypt(data) -} - -func (sk *SecureKey) Decrypt(encryptedData []byte) ([]byte, error) { - return sk.key.Decrypt(encryptedData) -} \ No newline at end of file diff --git a/linux/client_test.go b/linux/client_test.go index 0545eb9..060ee1c 100644 --- a/linux/client_test.go +++ b/linux/client_test.go @@ -16,6 +16,7 @@ package linux import ( "bytes" "crypto" + "crypto/rsa" "flag" "testing" ) @@ -36,9 +37,7 @@ func TestEncrypt(t *testing.T) { message := "Plain text to encrypt" bMessage := []byte(message) //Softhsm only supports SHA1 - res := (sk.key).WithHash(crypto.SHA1) - sk.key = res - _, err = sk.Encrypt(bMessage) + _, err = sk.Encrypt(nil, bMessage, crypto.SHA1) if err != nil { t.Errorf("Client Encrypt error: %q", err) } @@ -52,13 +51,11 @@ func TestDecrypt(t *testing.T) { message := "Plain text to encrypt" bMessage := []byte(message) //Softhsm only supports SHA1 - res := (sk.key).WithHash(crypto.SHA1) - sk.key = res - cipher, err := sk.Encrypt(bMessage) + cipher, err := sk.Encrypt(nil, bMessage, crypto.SHA1) if err != nil { t.Errorf("Client Encrypt error: %q", err) } - decrypted, err := sk.Decrypt(cipher) + decrypted, err := sk.Decrypt(nil, cipher, &rsa.OAEPOptions{Hash: crypto.SHA1}) if err != nil { t.Fatalf("Client Decrypt error: %v", err) }