Don't export key from subtle primitives.

Some primitives in tink-go subtle export a field "Key". This is not intentional, and should not be used. Using this might be a bug. So it is better to remove it directly. PiperOrigin-RevId: 617098822 Change-Id: Ieda3ef9e15f58f7662b5d7e2825b4f795db43161
tink-crypto · Mar 19, 2024 · 12f5f9e · 12f5f9e
1 parent 54a096c
commit 12f5f9e
Show file tree

Hide file tree

Showing 15 changed files with 45 additions and 73 deletions.
diff --git a/aead/aes_gcm_key_manager_test.go b/aead/aes_gcm_key_manager_test.go
@@ -445,9 +445,6 @@ func validateAESGCMKey(key *gcmpb.AesGcmKey, format *gcmpb.AesGcmKeyFormat) erro
 
 func validateAESGCMPrimitive(p any, key *gcmpb.AesGcmKey) error {
 	cipher := p.(*subtle.AESGCM)
-	if !bytes.Equal(cipher.Key(), key.KeyValue) {
-		return fmt.Errorf("key and primitive don't match")
-	}
 	// try to encrypt and decrypt
 	pt := random.GetRandomBytes(32)
 	aad := random.GetRandomBytes(32)

diff --git a/aead/aes_gcm_siv_key_manager_test.go b/aead/aes_gcm_siv_key_manager_test.go
@@ -299,9 +299,6 @@ func validateAESGCMSIVKey(key *gcmsivpb.AesGcmSivKey, format *gcmsivpb.AesGcmSiv
 
 func validateAESGCMSIVPrimitive(p any, key *gcmsivpb.AesGcmSivKey) error {
 	cipher := p.(*subtle.AESGCMSIV)
-	if !bytes.Equal(cipher.Key, key.KeyValue) {
-		return fmt.Errorf("Inputted key and primitive key don't match; input=%v, primitive=%v", key.KeyValue, cipher.Key)
-	}
 	// Try to encrypt and decrypt random data.
 	pt := random.GetRandomBytes(32)
 	aad := random.GetRandomBytes(32)

diff --git a/aead/subtle/aes_ctr.go b/aead/subtle/aes_ctr.go
@@ -32,7 +32,7 @@ const (
 
 // AESCTR is an implementation of AEAD interface.
 type AESCTR struct {
-	Key    []byte
+	key    []byte
 	IVSize int
 }
 
@@ -48,7 +48,7 @@ func NewAESCTR(key []byte, ivSize int) (*AESCTR, error) {
 	if ivSize < AESCTRMinIVSize || ivSize > aes.BlockSize {
 		return nil, fmt.Errorf("aes_ctr: invalid IV size: %d", ivSize)
 	}
-	return &AESCTR{Key: key, IVSize: ivSize}, nil
+	return &AESCTR{key: key, IVSize: ivSize}, nil
 }
 
 // Encrypt encrypts plaintext using AES in CTR mode.
@@ -59,7 +59,7 @@ func (a *AESCTR) Encrypt(plaintext []byte) ([]byte, error) {
 		return nil, fmt.Errorf("aes_ctr: plaintext too long")
 	}
 	iv := a.newIV()
-	stream, err := newCipher(a.Key, iv)
+	stream, err := newCipher(a.key, iv)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (a *AESCTR) Decrypt(ciphertext []byte) ([]byte, error) {
 	}
 
 	iv := ciphertext[:a.IVSize]
-	stream, err := newCipher(a.Key, iv)
+	stream, err := newCipher(a.key, iv)
 	if err != nil {
 		return nil, err
 	}

diff --git a/aead/subtle/aes_ctr_test.go b/aead/subtle/aes_ctr_test.go
@@ -43,10 +43,6 @@ func TestNewAESCTR(t *testing.T) {
 			if err != nil {
 				t.Errorf("want: valid cipher (key size=%d), got: error %v", len(k), err)
 			}
-			// Verify that the struct contents are correctly set.
-			if len(c.Key) != len(k) {
-				t.Errorf("want: key size=%d, got: key size=%d", len(k), len(c.Key))
-			}
 			if c.IVSize != subtle.AESCTRMinIVSize {
 				t.Errorf("want: IV size=%d, got: IV size=%d", subtle.AESCTRMinIVSize, c.IVSize)
 			}
@@ -66,9 +62,6 @@ func TestNewAESCTR(t *testing.T) {
 			if err != nil {
 				t.Errorf("want: valid cipher (IV size=%d), got: error %v", i, err)
 			}
-			if len(c.Key) != len(k) {
-				t.Errorf("want: key size=%d, got: key size=%d", len(k), len(c.Key))
-			}
 			if c.IVSize != i {
 				t.Errorf("want: IV size=%d, got: IV size=%d", i, c.IVSize)
 			}

diff --git a/aead/subtle/aes_gcm.go b/aead/subtle/aes_gcm.go
@@ -64,8 +64,3 @@ func (a *AESGCM) Decrypt(ciphertext, associatedData []byte) ([]byte, error) {
 	iv := ciphertext[:AESGCMIVSize]
 	return a.aesGCMInsecureIV.Decrypt(iv, ciphertext, associatedData)
 }
-
-// Key returns the AES key.
-func (a *AESGCM) Key() []byte {
-	return a.aesGCMInsecureIV.Key
-}
diff --git a/aead/subtle/aes_gcm_siv.go b/aead/subtle/aes_gcm_siv.go
@@ -48,7 +48,7 @@ const (
 
 // AESGCMSIV is an implementation of AEAD interface.
 type AESGCMSIV struct {
-	Key []byte
+	key []byte
 }
 
 // NewAESGCMSIV returns an AESGCMSIV instance.
@@ -59,7 +59,7 @@ func NewAESGCMSIV(key []byte) (*AESGCMSIV, error) {
 	if err := ValidateAESKeySize(keySize); err != nil {
 		return nil, fmt.Errorf("aes_gcm_siv: %s", err)
 	}
-	return &AESGCMSIV{Key: key}, nil
+	return &AESGCMSIV{key: key}, nil
 }
 
 // Encrypt encrypts plaintext with associatedData.
@@ -155,7 +155,7 @@ func (a *AESGCMSIV) deriveKeys(nonce []byte) ([]byte, []byte, error) {
 	}
 	nonceBlock := make([]byte, aesgcmsivBlockSize)
 	copy(nonceBlock[aesgcmsivBlockSize-AESGCMSIVNonceSize:], nonce)
-	block, err := aes.NewCipher(a.Key)
+	block, err := aes.NewCipher(a.key)
 	if err != nil {
 		return nil, nil, fmt.Errorf("aes_gcm_siv: failed to create block cipher, error: %v", err)
 	}
@@ -171,11 +171,11 @@ func (a *AESGCMSIV) deriveKeys(nonce []byte) ([]byte, []byte, error) {
 	kdfAes(0, authKey[0:8])
 	kdfAes(1, authKey[8:16])
 
-	encKey := make([]byte, len(a.Key))
+	encKey := make([]byte, len(a.key))
 	kdfAes(2, encKey[0:8])
 	kdfAes(3, encKey[8:16])
 
-	if len(a.Key) == 32 {
+	if len(a.key) == 32 {
 		kdfAes(4, encKey[16:24])
 		kdfAes(5, encKey[24:32])
 	}

diff --git a/aead/subtle/xchacha20poly1305.go b/aead/subtle/xchacha20poly1305.go
@@ -27,7 +27,7 @@ import (
 
 // XChaCha20Poly1305 is an implementation of AEAD interface.
 type XChaCha20Poly1305 struct {
-	Key []byte
+	key []byte
 }
 
 // Assert that XChaCha20Poly1305 implements the AEAD interface.
@@ -40,7 +40,7 @@ func NewXChaCha20Poly1305(key []byte) (*XChaCha20Poly1305, error) {
 		return nil, errors.New("xchacha20poly1305: bad key length")
 	}
 
-	return &XChaCha20Poly1305{Key: key}, nil
+	return &XChaCha20Poly1305{key: key}, nil
 }
 
 // Encrypt encrypts plaintext with associatedData.
@@ -52,7 +52,7 @@ func (x *XChaCha20Poly1305) Encrypt(plaintext []byte, associatedData []byte) ([]
 	if len(plaintext) > maxInt-chacha20poly1305.NonceSizeX-poly1305TagSize {
 		return nil, fmt.Errorf("xchacha20poly1305: plaintext too long")
 	}
-	c, err := chacha20poly1305.NewX(x.Key)
+	c, err := chacha20poly1305.NewX(x.key)
 	if err != nil {
 		return nil, err
 	}
@@ -75,7 +75,7 @@ func (x *XChaCha20Poly1305) Decrypt(ciphertext []byte, associatedData []byte) ([
 		return nil, fmt.Errorf("xchacha20poly1305: ciphertext too short")
 	}
 
-	c, err := chacha20poly1305.NewX(x.Key)
+	c, err := chacha20poly1305.NewX(x.key)
 	if err != nil {
 		return nil, err
 	}

diff --git a/aead/xchacha20poly1305_key_manager_test.go b/aead/xchacha20poly1305_key_manager_test.go
@@ -305,9 +305,6 @@ func TestXChaCha20Poly1305DeriveKeyFailsWithInsufficientRandomness(t *testing.T)
 
 func validateXChaCha20Poly1305Primitive(p any, key *xpb.XChaCha20Poly1305Key) error {
 	cipher := p.(*subtle.XChaCha20Poly1305)
-	if !bytes.Equal(cipher.Key, key.KeyValue) {
-		return fmt.Errorf("key and primitive don't match")
-	}
 
 	// Try to encrypt and decrypt.
 	pt := random.GetRandomBytes(32)

diff --git a/daead/subtle/aes_siv.go b/daead/subtle/aes_siv.go
@@ -52,11 +52,11 @@ import (
 // and RFC 5297 only supports same size encryption and MAC keys this
 // implies that keys must be 64 bytes (2*256 bits) long.
 type AESSIV struct {
-	K1     []byte
-	K2     []byte
-	CmacK1 []byte
-	CmacK2 []byte
-	Cipher cipher.Block
+	k1     []byte
+	k2     []byte
+	cmacK1 []byte
+	cmacK2 []byte
+	cipher cipher.Block
 }
 
 const (
@@ -90,11 +90,11 @@ func NewAESSIV(key []byte) (*AESSIV, error) {
 	copy(cmacK2, block)
 
 	return &AESSIV{
-		K1:     k1,
-		K2:     k2,
-		CmacK1: cmacK1,
-		CmacK2: cmacK2,
-		Cipher: c,
+		k1:     k1,
+		k2:     k2,
+		cmacK1: cmacK1,
+		cmacK2: cmacK2,
+		cipher: c,
 	}, nil
 }
 
@@ -159,7 +159,7 @@ func (asc *AESSIV) ctrCrypt(siv, in, out []byte) error {
 	iv[8] &= 0x7f
 	iv[12] &= 0x7f
 
-	c, err := aes.NewCipher(asc.K2)
+	c, err := aes.NewCipher(asc.k2)
 	if err != nil {
 		return fmt.Errorf("aes_siv: aes.NewCipher() failed: %v", err)
 	}
@@ -202,7 +202,7 @@ func (asc *AESSIV) cmacLong(data, last, mac []byte) {
 
 	idx := aes.BlockSize
 	for aes.BlockSize <= len(data)-idx {
-		asc.Cipher.Encrypt(block, block)
+		asc.cipher.Encrypt(block, block)
 		xorBlock(data[idx:idx+aes.BlockSize], block)
 		idx += aes.BlockSize
 	}
@@ -212,18 +212,18 @@ func (asc *AESSIV) cmacLong(data, last, mac []byte) {
 		block[remaining+i] ^= last[i]
 	}
 	if remaining == 0 {
-		xorBlock(asc.CmacK1, block)
+		xorBlock(asc.cmacK1, block)
 	} else {
-		asc.Cipher.Encrypt(block, block)
+		asc.cipher.Encrypt(block, block)
 		for i := 0; i < remaining; i++ {
 			block[i] ^= last[aes.BlockSize-remaining+i]
 			block[i] ^= data[idx+i]
 		}
 		block[remaining] ^= 0x80
-		xorBlock(asc.CmacK2, block)
+		xorBlock(asc.cmacK2, block)
 	}
 
-	asc.Cipher.Encrypt(mac, block)
+	asc.cipher.Encrypt(mac, block)
 }
 
 // cmac computes a CMAC of some data.
@@ -238,21 +238,21 @@ func (asc *AESSIV) cmac(data, mac []byte) {
 	idx := 0
 	for i := 0; i < numBs-1; i++ {
 		xorBlock(data[idx:idx+aes.BlockSize], block)
-		asc.Cipher.Encrypt(block, block)
+		asc.cipher.Encrypt(block, block)
 		idx += aes.BlockSize
 	}
 	for j := 0; j < lastBSize; j++ {
 		block[j] ^= data[idx+j]
 	}
 
 	if lastBSize == aes.BlockSize {
-		xorBlock(asc.CmacK1, block)
+		xorBlock(asc.cmacK1, block)
 	} else {
 		block[lastBSize] ^= 0x80
-		xorBlock(asc.CmacK2, block)
+		xorBlock(asc.cmacK2, block)
 	}
 
-	asc.Cipher.Encrypt(mac, block)
+	asc.cipher.Encrypt(mac, block)
 }
 
 // xorBlock sets block[i] = x[i] ^ block[i].

diff --git a/internal/aead/aes_gcm_insecure_iv.go b/internal/aead/aes_gcm_insecure_iv.go
@@ -42,7 +42,7 @@ const (
 // AESGCMInsecureIV is an insecure implementation of the AEAD interface that
 // permits the user to set the IV.
 type AESGCMInsecureIV struct {
-	Key       []byte
+	key       []byte
 	prependIV bool
 }
 
@@ -57,7 +57,7 @@ func NewAESGCMInsecureIV(key []byte, prependIV bool) (*AESGCMInsecureIV, error)
 		return nil, fmt.Errorf("invalid AES key size: %s", err)
 	}
 	return &AESGCMInsecureIV{
-		Key:       key,
+		key:       key,
 		prependIV: prependIV,
 	}, nil
 }
@@ -144,7 +144,7 @@ func (i *AESGCMInsecureIV) Decrypt(iv, ciphertext, associatedData []byte) ([]byt
 // newCipher creates a new AES-GCM cipher using the given key and the crypto
 // library.
 func (i *AESGCMInsecureIV) newCipher() (cipher.AEAD, error) {
-	aesCipher, err := aes.NewCipher(i.Key)
+	aesCipher, err := aes.NewCipher(i.key)
 	if err != nil {
 		return nil, errors.New("failed to initialize cipher")
 	}

diff --git a/mac/subtle/hmac.go b/mac/subtle/hmac.go
@@ -39,7 +39,7 @@ var errHMACInvalidInput = errors.New("HMAC: invalid input")
 // HMAC implementation of interface tink.MAC
 type HMAC struct {
 	HashFunc func() hash.Hash
-	Key      []byte
+	key      []byte
 	TagSize  uint32
 }
 
@@ -55,7 +55,7 @@ func NewHMAC(hashAlg string, key []byte, tagSize uint32) (*HMAC, error) {
 	}
 	return &HMAC{
 		HashFunc: hashFunc,
-		Key:      key,
+		key:      key,
 		TagSize:  tagSize,
 	}, nil
 }
@@ -85,7 +85,7 @@ func (h *HMAC) ComputeMAC(data []byte) ([]byte, error) {
 	if h.HashFunc == nil {
 		return nil, fmt.Errorf("hmac: invalid hash algorithm")
 	}
-	mac := hmac.New(h.HashFunc, h.Key)
+	mac := hmac.New(h.HashFunc, h.key)
 	mac.Write(data)
 	tag := mac.Sum(nil)
 	return tag[:h.TagSize], nil

diff --git a/streamingaead/aes_ctr_hmac_key_manager_test.go b/streamingaead/aes_ctr_hmac_key_manager_test.go
@@ -17,7 +17,6 @@
 package streamingaead_test
 
 import (
-	"bytes"
 	"fmt"
 	"testing"
 
@@ -340,8 +339,5 @@ func validateAESCTRHMACKey(key *ctrhmacpb.AesCtrHmacStreamingKey, format *ctrhma
 
 func validateAESCTRHMACPrimitive(p any, key *ctrhmacpb.AesCtrHmacStreamingKey) error {
 	cipher := p.(*subtle.AESCTRHMAC)
-	if !bytes.Equal(cipher.MainKey, key.KeyValue) {
-		return fmt.Errorf("main key and primitive don't match")
-	}
 	return encryptDecrypt(cipher, cipher, 32, 32)
 }
diff --git a/streamingaead/aes_gcm_hkdf_key_manager_test.go b/streamingaead/aes_gcm_hkdf_key_manager_test.go
@@ -591,8 +591,5 @@ func validateAESGCMHKDFKey(key *gcmhkdfpb.AesGcmHkdfStreamingKey, format *gcmhkd
 
 func validatePrimitive(p any, key *gcmhkdfpb.AesGcmHkdfStreamingKey) error {
 	cipher := p.(*subtle.AESGCMHKDF)
-	if !bytes.Equal(cipher.MainKey, key.KeyValue) {
-		return fmt.Errorf("main key and primitive don't match")
-	}
 	return encryptDecrypt(cipher, cipher, 32, 32)
 }
diff --git a/streamingaead/subtle/aes_ctr_hmac.go b/streamingaead/subtle/aes_ctr_hmac.go
@@ -48,7 +48,7 @@ const (
 // HKDF and are derived from the key derivation key, a randomly chosen salt of
 // the same size as the key and a nonce prefix.
 type AESCTRHMAC struct {
-	MainKey                      []byte
+	mainKey                      []byte
 	hkdfAlg                      string
 	keySizeInBytes               int
 	tagAlg                       string
@@ -102,7 +102,7 @@ func NewAESCTRHMAC(mainKey []byte, hkdfAlg string, keySizeInBytes int, tagAlg st
 	copy(keyClone, mainKey)
 
 	return &AESCTRHMAC{
-		MainKey:                      keyClone,
+		mainKey:                      keyClone,
 		hkdfAlg:                      hkdfAlg,
 		keySizeInBytes:               keySizeInBytes,
 		tagAlg:                       tagAlg,
@@ -123,7 +123,7 @@ func (a *AESCTRHMAC) HeaderLength() int {
 // They are derived from the main key using salt and aad as parameters.
 func (a *AESCTRHMAC) deriveKeys(salt, aad []byte) ([]byte, []byte, error) {
 	keyMaterialSize := a.keySizeInBytes + AESCTRHMACKeySizeInBytes
-	km, err := subtle.ComputeHKDF(a.hkdfAlg, a.MainKey, salt, aad, uint32(keyMaterialSize))
+	km, err := subtle.ComputeHKDF(a.hkdfAlg, a.mainKey, salt, aad, uint32(keyMaterialSize))
 	if err != nil {
 		return nil, nil, err
 	}