From 73c74dd27ec1c58f5d05fd57bb9b6b395d85f931 Mon Sep 17 00:00:00 2001
From: Malte Bauch <malte.bauch@h-da.de>
Date: Wed, 9 Oct 2024 15:14:13 +0200
Subject: [PATCH] Crypto AES with nonce and tag as arguments in enc/dec
---
.../proto/go/kmsintercom/kmsintercom.pb.go | 150 ++++++++++--------
.../kmsintercom/kmsintercom/kmsintercom.proto | 3 +-
goKMS/kms/crypto/aes.go | 25 +--
goKMS/kms/crypto/aes_test.go | 80 +++++++---
goKMS/kms/crypto/crypto.go | 4 +-
goKMS/kms/crypto/otp.go | 8 +-
goKMS/kms/crypto/otp_test.go | 4 +-
goKMS/kms/kms.go | 10 +-
goKMS/kms/kmsintercom.go | 6 +-
goKMS/kms/peers/kmsPeer.go | 10 +-
10 files changed, 183 insertions(+), 117 deletions(-)
diff --git a/goKMS/api/gen/proto/go/kmsintercom/kmsintercom.pb.go b/goKMS/api/gen/proto/go/kmsintercom/kmsintercom.pb.go
index b7988dc7..190b5742 100644
--- a/goKMS/api/gen/proto/go/kmsintercom/kmsintercom.pb.go
+++ b/goKMS/api/gen/proto/go/kmsintercom/kmsintercom.pb.go
@@ -1027,9 +1027,10 @@ type Key struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
- Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
- Nonce string `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"`
- Key string `protobuf:"bytes,3,opt,name=key,proto3" json:"key,omitempty"`
+ Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+ Nonce string `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"`
+ AuthTag string `protobuf:"bytes,3,opt,name=authTag,proto3" json:"authTag,omitempty"`
+ Key string `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"`
}
func (x *Key) Reset() {
@@ -1078,6 +1079,13 @@ func (x *Key) GetNonce() string {
return ""
}
+func (x *Key) GetAuthTag() string {
+ if x != nil {
+ return x.AuthTag
+ }
+ return ""
+}
+
func (x *Key) GetKey() string {
if x != nil {
return x.Key
@@ -1196,77 +1204,79 @@ var file_kmsintercom_kmsintercom_proto_rawDesc = []byte{
0x33, 0x0a, 0x13, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x6c, 0x69, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65,
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74,
0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73,
- 0x74, 0x61, 0x6d, 0x70, 0x22, 0x3d, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69,
+ 0x74, 0x61, 0x6d, 0x70, 0x22, 0x57, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69,
0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x6e,
0x6f, 0x6e, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x6f, 0x6e, 0x63,
- 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
- 0x6b, 0x65, 0x79, 0x2a, 0x2b, 0x0a, 0x0f, 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x41, 0x6c, 0x67,
- 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x0f, 0x0a, 0x0b, 0x41, 0x45, 0x53, 0x5f, 0x32, 0x35,
- 0x36, 0x5f, 0x47, 0x43, 0x4d, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x54, 0x50, 0x10, 0x01,
- 0x32, 0xb9, 0x06, 0x0a, 0x09, 0x4b, 0x6d, 0x73, 0x54, 0x61, 0x6c, 0x6b, 0x65, 0x72, 0x12, 0x6a,
- 0x0a, 0x14, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69,
- 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x28, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65,
- 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x43, 0x61, 0x70,
- 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
- 0x1a, 0x26, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49,
+ 0x65, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x75, 0x74, 0x68, 0x54, 0x61, 0x67, 0x18, 0x03, 0x20, 0x01,
+ 0x28, 0x09, 0x52, 0x07, 0x61, 0x75, 0x74, 0x68, 0x54, 0x61, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x6b,
+ 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x2a, 0x2b, 0x0a,
+ 0x0f, 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d,
+ 0x12, 0x0f, 0x0a, 0x0b, 0x41, 0x45, 0x53, 0x5f, 0x32, 0x35, 0x36, 0x5f, 0x47, 0x43, 0x4d, 0x10,
+ 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x54, 0x50, 0x10, 0x01, 0x32, 0xb9, 0x06, 0x0a, 0x09, 0x4b,
+ 0x6d, 0x73, 0x54, 0x61, 0x6c, 0x6b, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x14, 0x49, 0x6e, 0x74, 0x65,
+ 0x72, 0x43, 0x6f, 0x6d, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73,
+ 0x12, 0x28, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49,
0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74,
- 0x69, 0x65, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x52, 0x0a, 0x0b, 0x53, 0x79,
- 0x6e, 0x63, 0x51, 0x6b, 0x64, 0x42, 0x75, 0x6c, 0x6b, 0x12, 0x1f, 0x2e, 0x6b, 0x6d, 0x73, 0x69,
- 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x51, 0x6b, 0x64, 0x42,
- 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6b, 0x6d, 0x73,
- 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x51, 0x6b, 0x64,
- 0x42, 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x64,
- 0x0a, 0x11, 0x53, 0x79, 0x6e, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x73, 0x46, 0x6f, 0x72, 0x42,
- 0x75, 0x6c, 0x6b, 0x12, 0x25, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f,
- 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x73, 0x46, 0x6f, 0x72, 0x42,
- 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x6b, 0x6d, 0x73,
- 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4b, 0x65, 0x79,
- 0x49, 0x64, 0x73, 0x46, 0x6f, 0x72, 0x42, 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
- 0x73, 0x65, 0x22, 0x00, 0x12, 0x8e, 0x01, 0x0a, 0x1f, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f,
- 0x6d, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x65, 0x67,
- 0x6f, 0x74, 0x69, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x33, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e,
- 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x54,
- 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x65, 0x67, 0x6f, 0x74,
- 0x69, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x34, 0x2e,
- 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49, 0x6e, 0x74, 0x65,
- 0x72, 0x43, 0x6f, 0x6d, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x4b, 0x65, 0x79,
- 0x4e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
- 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x58, 0x0a, 0x0d, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77,
- 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x21, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65,
- 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69,
- 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x6b, 0x6d, 0x73, 0x69,
- 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61,
- 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
- 0x61, 0x0a, 0x10, 0x41, 0x63, 0x6b, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64,
- 0x69, 0x6e, 0x67, 0x12, 0x24, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f,
+ 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x6b, 0x6d, 0x73,
+ 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f,
+ 0x6d, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x70,
+ 0x6c, 0x79, 0x22, 0x00, 0x12, 0x52, 0x0a, 0x0b, 0x53, 0x79, 0x6e, 0x63, 0x51, 0x6b, 0x64, 0x42,
+ 0x75, 0x6c, 0x6b, 0x12, 0x1f, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f,
+ 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x51, 0x6b, 0x64, 0x42, 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x71,
+ 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63,
+ 0x6f, 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x51, 0x6b, 0x64, 0x42, 0x75, 0x6c, 0x6b, 0x52, 0x65,
+ 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x64, 0x0a, 0x11, 0x53, 0x79, 0x6e, 0x63,
+ 0x4b, 0x65, 0x79, 0x49, 0x64, 0x73, 0x46, 0x6f, 0x72, 0x42, 0x75, 0x6c, 0x6b, 0x12, 0x25, 0x2e,
+ 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63,
+ 0x4b, 0x65, 0x79, 0x49, 0x64, 0x73, 0x46, 0x6f, 0x72, 0x42, 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x71,
+ 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63,
+ 0x6f, 0x6d, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x73, 0x46, 0x6f, 0x72,
+ 0x42, 0x75, 0x6c, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x8e,
+ 0x01, 0x0a, 0x1f, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x54, 0x72, 0x61, 0x6e, 0x73,
+ 0x70, 0x6f, 0x72, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x69,
+ 0x6f, 0x6e, 0x12, 0x33, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d,
+ 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f,
+ 0x72, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+ 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x34, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74,
+ 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x54, 0x72,
+ 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x65, 0x67, 0x6f, 0x74, 0x69,
+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
+ 0x58, 0x0a, 0x0d, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67,
+ 0x12, 0x21, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b,
+ 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75,
+ 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f,
+ 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52,
+ 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x61, 0x0a, 0x10, 0x41, 0x63, 0x6b,
+ 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x24, 0x2e,
+ 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x41, 0x63, 0x6b, 0x4b,
+ 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75,
+ 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f,
0x6d, 0x2e, 0x41, 0x63, 0x6b, 0x4b, 0x65, 0x79, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69,
- 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x6b, 0x6d, 0x73, 0x69,
- 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x41, 0x63, 0x6b, 0x4b, 0x65, 0x79, 0x46, 0x6f,
- 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
- 0x22, 0x00, 0x12, 0x64, 0x0a, 0x11, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x4e, 0x6f, 0x74, 0x69, 0x66,
- 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x25, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74,
- 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x4e, 0x6f, 0x74, 0x69, 0x66,
- 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26,
- 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79,
- 0x49, 0x64, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65,
- 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x52, 0x0a, 0x0b, 0x4b, 0x65, 0x79, 0x44,
- 0x65, 0x6c, 0x69, 0x76, 0x65, 0x72, 0x79, 0x12, 0x1f, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74,
- 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x6c, 0x69, 0x76, 0x65, 0x72,
- 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e,
- 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x6c, 0x69, 0x76, 0x65,
- 0x72, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xb0, 0x01, 0x0a,
- 0x0f, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d,
- 0x42, 0x10, 0x4b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x50, 0x72, 0x6f,
- 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f, 0x63, 0x6f, 0x64, 0x65, 0x2e, 0x66, 0x62, 0x69, 0x2e, 0x68,
- 0x2d, 0x64, 0x61, 0x2e, 0x64, 0x65, 0x2f, 0x64, 0x61, 0x6e, 0x65, 0x74, 0x2f, 0x71, 0x75, 0x61,
- 0x6e, 0x74, 0x2f, 0x67, 0x6f, 0x4b, 0x4d, 0x53, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e,
- 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74,
- 0x65, 0x72, 0x63, 0x6f, 0x6d, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x0b, 0x4b, 0x6d,
- 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0xca, 0x02, 0x0b, 0x4b, 0x6d, 0x73, 0x69,
- 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0xe2, 0x02, 0x17, 0x4b, 0x6d, 0x73, 0x69, 0x6e, 0x74,
- 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
- 0x61, 0xea, 0x02, 0x0b, 0x4b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x62,
- 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x64, 0x0a, 0x11,
+ 0x4b, 0x65, 0x79, 0x49, 0x64, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
+ 0x6e, 0x12, 0x25, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e,
+ 0x4b, 0x65, 0x79, 0x49, 0x64, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
+ 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e,
+ 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x4e, 0x6f, 0x74, 0x69,
+ 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+ 0x22, 0x00, 0x12, 0x52, 0x0a, 0x0b, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x6c, 0x69, 0x76, 0x65, 0x72,
+ 0x79, 0x12, 0x1f, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x2e,
+ 0x4b, 0x65, 0x79, 0x44, 0x65, 0x6c, 0x69, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
+ 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d,
+ 0x2e, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x6c, 0x69, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65, 0x73, 0x70,
+ 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xb0, 0x01, 0x0a, 0x0f, 0x63, 0x6f, 0x6d, 0x2e, 0x6b,
+ 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x42, 0x10, 0x4b, 0x6d, 0x73, 0x69,
+ 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f,
+ 0x63, 0x6f, 0x64, 0x65, 0x2e, 0x66, 0x62, 0x69, 0x2e, 0x68, 0x2d, 0x64, 0x61, 0x2e, 0x64, 0x65,
+ 0x2f, 0x64, 0x61, 0x6e, 0x65, 0x74, 0x2f, 0x71, 0x75, 0x61, 0x6e, 0x74, 0x2f, 0x67, 0x6f, 0x4b,
+ 0x4d, 0x53, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0xa2,
+ 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x0b, 0x4b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72,
+ 0x63, 0x6f, 0x6d, 0xca, 0x02, 0x0b, 0x4b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f,
+ 0x6d, 0xe2, 0x02, 0x17, 0x4b, 0x6d, 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x5c,
+ 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0b, 0x4b, 0x6d,
+ 0x73, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6d, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x33,
}
var (
diff --git a/goKMS/api/kmsintercom/kmsintercom/kmsintercom.proto b/goKMS/api/kmsintercom/kmsintercom/kmsintercom.proto
index ce066661..9eb48622 100644
--- a/goKMS/api/kmsintercom/kmsintercom/kmsintercom.proto
+++ b/goKMS/api/kmsintercom/kmsintercom/kmsintercom.proto
@@ -112,7 +112,8 @@ message KeyDeliveryResponse {
message Key {
string id = 1;
string nonce = 2;
- string key = 3;
+ string authTag = 3;
+ string key = 4;
}
enum CryptoAlgorithm {
diff --git a/goKMS/kms/crypto/aes.go b/goKMS/kms/crypto/aes.go
index 30ba3cab..4a52740b 100644
--- a/goKMS/kms/crypto/aes.go
+++ b/goKMS/kms/crypto/aes.go
@@ -26,47 +26,54 @@ func NewAES(name string) *AES {
// Encrypt encrypts the plaintext using a provided key.
// The key should have a length of 16, 24 or 32 bytes to select AES-128,
// AES-192 or AES-256.
-// The method returns the nonce, the encrypted output and an error if something
-// went wrong.
-func (a *AES) Encrypt(plaintext []byte, key []byte) ([]byte, []byte, error) {
+// The method returns the nonce, the authentication tag and the encrypted
+// output.
+// If something went wrong in the encryption process, an error is returned.
+func (a *AES) Encrypt(plaintext []byte, key []byte) ([]byte, []byte, []byte, error) {
+ defaultTagSize := 16
// create a new cipher block from the key
c, err := aes.NewCipher(key)
if err != nil {
- return nil, nil, err
+ return nil, nil, nil, err
}
// create a new block cipher wrapped in GCM with default nonce (12
// bytes) and tag size (16 bytes).
gcm, err := cipher.NewGCM(c)
if err != nil {
- return nil, nil, err
+ return nil, nil, nil, err
}
// generate a random nonce of nonce size (12 bytes)
nonce := make([]byte, gcm.NonceSize())
if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
- return nil, nil, err
+ return nil, nil, nil, err
}
// Encrypt the plaintext using AES-GCM
// Destination is set to nil, therefore seal only contains the
// ciphertext with the tag appended.
seal := gcm.Seal(nil, nonce, plaintext, nil)
+ ciphertext := seal[:len(seal)-defaultTagSize]
+ authTag := seal[len(seal)-defaultTagSize:]
- return nonce, seal, nil
+ return nonce, authTag, ciphertext, nil
}
-// Decrypt decrypts the ciphertext using the provided key and nonce.
+// Decrypt decrypts the ciphertext using the provided nonce and authentication
+// tag.
// The key should have a length of 16, 24 or 32 bytes to select AES-128,
// AES-192 or AES-256.
// The method returns the decrypted input.
-func (a *AES) Decrypt(nonce, ciphertext []byte, key []byte) ([]byte, error) {
+func (a *AES) Decrypt(nonce, authTag, ciphertext []byte, key []byte) ([]byte, error) {
// create a new cipher block from the key
c, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
+ ciphertext = append(ciphertext, authTag...)
+
// create a new block cipher wrapped in GCM with default nonce (12
// bytes) and tag size (16 bytes).
gcm, err := cipher.NewGCM(c)
diff --git a/goKMS/kms/crypto/aes_test.go b/goKMS/kms/crypto/aes_test.go
index f6f4301c..3bc6b409 100644
--- a/goKMS/kms/crypto/aes_test.go
+++ b/goKMS/kms/crypto/aes_test.go
@@ -17,25 +17,25 @@ func TestCrypto_AES_Encrypt(t *testing.T) {
plaintext: []byte("testMessage"),
key: []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
error: false,
- expectedCipherTextLength: 27,
+ expectedCipherTextLength: 11,
},
"AES-192": {
plaintext: []byte("testMessage"),
key: []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
error: false,
- expectedCipherTextLength: 27,
+ expectedCipherTextLength: 11,
},
"AES-256": {
plaintext: []byte("testMessage"),
key: []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
error: false,
- expectedCipherTextLength: 27,
+ expectedCipherTextLength: 11,
},
"AES-256 longer plaintext": {
plaintext: []byte("testMessageThatIsLonger"),
key: []byte{0x54, 0x39, 0xc8, 0x71, 0x4e, 0x79, 0x27, 0x92, 0xa6, 0x1, 0xf0, 0xfc, 0xff, 0xa0, 0x3c, 0x76, 0x5f, 0x33, 0xc8, 0xa6, 0x42, 0x3c, 0x14, 0x67, 0x64, 0xbf, 0x22, 0xac, 0x84, 0x55, 0x9, 0x13},
error: false,
- expectedCipherTextLength: 39,
+ expectedCipherTextLength: 23,
},
"wrong key size": {
plaintext: []byte("testMessage"),
@@ -50,13 +50,14 @@ func TestCrypto_AES_Encrypt(t *testing.T) {
t.Parallel()
aes := NewAES("AES-256-GCM")
- nonce, cipherText, err := aes.Encrypt(test.plaintext, test.key)
+ nonce, authTag, cipherText, err := aes.Encrypt(test.plaintext, test.key)
if test.error {
assert.Error(t, err)
assert.Len(t, nonce, 0)
} else {
assert.NoError(t, err)
assert.Len(t, nonce, 12)
+ assert.Len(t, authTag, 16)
}
assert.Len(t, cipherText, test.expectedCipherTextLength)
})
@@ -68,20 +69,31 @@ func TestCrypto_AES_Decrypt(t *testing.T) {
cipherText []byte
key []byte
nonce []byte
+ authTag []byte
error bool
expectedPlainText string
}{
"AES-128": {
- cipherText: []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10, 0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
+ cipherText: []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10},
key: []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
nonce: []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+ authTag: []byte{0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
error: false,
expectedPlainText: "testMessage",
},
"AES-128 faulty nonce": {
- cipherText: []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10, 0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
+ cipherText: []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10},
key: []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
nonce: []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93},
+ authTag: []byte{0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
+ error: true,
+ expectedPlainText: "",
+ },
+ "AES-128 faulty authentication tag": {
+ cipherText: []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10},
+ key: []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
+ nonce: []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+ authTag: []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93, 0xf9, 0xe7, 0x38, 0xac},
error: true,
expectedPlainText: "",
},
@@ -89,6 +101,7 @@ func TestCrypto_AES_Decrypt(t *testing.T) {
cipherText: []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10, 0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
key: []byte{0x2b, 0x1c, 0xc9, 0x6d, 0xa2, 0x17, 0x25, 0x21, 0xa9, 0x9a, 0x8e, 0x17, 0x49, 0xc7, 0x3d, 0x32},
nonce: []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+ authTag: []byte{0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
error: true,
expectedPlainText: "",
},
@@ -96,76 +109,103 @@ func TestCrypto_AES_Decrypt(t *testing.T) {
cipherText: []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad, 0x88, 0xfa, 0x5c, 0xcc, 0xdd, 0xd, 0xc2, 0x78, 0xee, 0x4d, 0xbe, 0xb, 0x2e, 0xf4, 0x77, 0xda},
key: []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
nonce: []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+ authTag: []byte{0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
error: true,
expectedPlainText: "",
},
"AES-192": {
- cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1, 0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+ cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1},
key: []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
nonce: []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+ authTag: []byte{0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
error: false,
expectedPlainText: "testMessage",
},
"AES-192 faulty nonce": {
- cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1, 0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+ cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1},
key: []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
nonce: []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93},
+ authTag: []byte{0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+ error: true,
+ expectedPlainText: "",
+ },
+ "AES-192 faulty authentication tag": {
+ cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1},
+ key: []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
+ nonce: []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+ authTag: []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93, 0xf9, 0xe7, 0x38, 0xac},
error: true,
expectedPlainText: "",
},
"AES-192 faulty key": {
- cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1, 0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+ cipherText: []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1},
key: []byte{0x2b, 0x1c, 0xc9, 0x6d, 0xa2, 0x17, 0x25, 0x21, 0xa9, 0x9a, 0x8e, 0x17, 0x49, 0xc7, 0x3d, 0x32, 0x24, 0x78, 0xb2, 0xc1, 0x15, 0x9f, 0x8b, 0xf3},
nonce: []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+ authTag: []byte{0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
error: true,
expectedPlainText: "",
},
"AES-192 faulty cipherText": {
- cipherText: []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad, 0x88, 0xfa, 0x5c, 0xcc, 0xdd, 0xd, 0xc2, 0x78, 0xee, 0x4d, 0xbe, 0xb, 0x2e, 0xf4, 0x77, 0xda},
+ cipherText: []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad},
key: []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
nonce: []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+ authTag: []byte{0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
error: true,
expectedPlainText: "",
},
"AES-256": {
- cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+ cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0},
key: []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
nonce: []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+ authTag: []byte{0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
error: false,
expectedPlainText: "testMessage",
},
"AES-256 faulty nonce": {
- cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+ cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0},
key: []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
nonce: []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93},
+ authTag: []byte{0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+ error: true,
+ expectedPlainText: "",
+ },
+ "AES-256 faulty autentication tag": {
+ cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0},
+ key: []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
+ nonce: []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+ authTag: []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93, 0xf9, 0xe7, 0x38, 0xac},
error: true,
expectedPlainText: "",
},
"AES-256 faulty key": {
- cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+ cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0},
key: []byte{0x2b, 0x1c, 0xc9, 0x6d, 0xa2, 0x17, 0x25, 0x21, 0xa9, 0x9a, 0x8e, 0x17, 0x49, 0xc7, 0x3d, 0x32, 0x24, 0x78, 0xb2, 0xc1, 0x15, 0x9f, 0x8b, 0xf3, 0xa9, 0x54, 0xc4, 0x90, 0x26, 0x33, 0x9, 0x60},
nonce: []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+ authTag: []byte{0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
error: true,
expectedPlainText: "",
},
"AES-256 faulty cipherText": {
- cipherText: []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad, 0x88, 0xfa, 0x5c, 0xcc, 0xdd, 0xd, 0xc2, 0x78, 0xee, 0x4d, 0xbe, 0xb, 0x2e, 0xf4, 0x77, 0xda},
+ cipherText: []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad},
key: []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
nonce: []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+ authTag: []byte{0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
error: true,
expectedPlainText: "",
},
"AES-256 longer cipherText": {
- cipherText: []byte{0x44, 0x35, 0x7a, 0x70, 0x19, 0x31, 0x11, 0xbf, 0xab, 0xf1, 0x32, 0x9d, 0x7b, 0x73, 0xcc, 0x78, 0x7b, 0x5, 0xe7, 0x87, 0xcf, 0xd9, 0xe6, 0x28, 0xa8, 0x53, 0xbf, 0x70, 0x37, 0x64, 0x2f, 0x14, 0x2c, 0xc, 0xeb, 0x53, 0x1, 0x22, 0xd0},
+ cipherText: []byte{0x44, 0x35, 0x7a, 0x70, 0x19, 0x31, 0x11, 0xbf, 0xab, 0xf1, 0x32, 0x9d, 0x7b, 0x73, 0xcc, 0x78, 0x7b, 0x5, 0xe7, 0x87, 0xcf, 0xd9, 0xe6},
key: []byte{0x54, 0x39, 0xc8, 0x71, 0x4e, 0x79, 0x27, 0x92, 0xa6, 0x1, 0xf0, 0xfc, 0xff, 0xa0, 0x3c, 0x76, 0x5f, 0x33, 0xc8, 0xa6, 0x42, 0x3c, 0x14, 0x67, 0x64, 0xbf, 0x22, 0xac, 0x84, 0x55, 0x9, 0x13},
nonce: []byte{0x59, 0xf6, 0x94, 0xeb, 0x6a, 0x5a, 0xdc, 0x3a, 0x89, 0xa9, 0xbb, 0x53},
+ authTag: []byte{0x28, 0xa8, 0x53, 0xbf, 0x70, 0x37, 0x64, 0x2f, 0x14, 0x2c, 0xc, 0xeb, 0x53, 0x1, 0x22, 0xd0},
error: false,
expectedPlainText: "testMessageThatIsLonger",
},
"wrong key size": {
- cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+ cipherText: []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0},
key: []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9},
nonce: []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+ authTag: []byte{0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
error: true,
expectedPlainText: "",
},
@@ -176,7 +216,7 @@ func TestCrypto_AES_Decrypt(t *testing.T) {
t.Parallel()
aes := NewAES("AES-256-GCM")
- plainText, err := aes.Decrypt(test.nonce, test.cipherText, test.key)
+ plainText, err := aes.Decrypt(test.nonce, test.authTag, test.cipherText, test.key)
if test.error {
assert.Error(t, err)
} else {
@@ -194,11 +234,11 @@ func TestCrypto_AES_EncryptAndDecryptPlaintext(t *testing.T) {
aes := NewAES("AES-256-GCM")
// encrypt the secret with encrypt method
- nonce, encryptedSecret, err := aes.Encrypt(secret, key)
+ nonce, authTag, encryptedSecret, err := aes.Encrypt(secret, key)
assert.NoError(t, err)
// decrypt the encryptedSecret with decrypt method
- decryptedSecret, err := aes.Decrypt(nonce, encryptedSecret, key)
+ decryptedSecret, err := aes.Decrypt(nonce, authTag, encryptedSecret, key)
assert.NoError(t, err)
assert.Equal(t, secret, decryptedSecret)
}
diff --git a/goKMS/kms/crypto/crypto.go b/goKMS/kms/crypto/crypto.go
index 0b5b4e7b..18f6eef6 100644
--- a/goKMS/kms/crypto/crypto.go
+++ b/goKMS/kms/crypto/crypto.go
@@ -5,7 +5,7 @@ package crypto
// Currently only AES is supported, but this could be extended to support other
// algorithms in the future.
type CryptoAlgorithm interface {
- Encrypt(plaintext []byte, key []byte) ([]byte, []byte, error)
- Decrypt(nonce, ciphertext []byte, key []byte) ([]byte, error)
+ Encrypt(plaintext []byte, key []byte) ([]byte, []byte, []byte, error)
+ Decrypt(nonce, authTag, ciphertext []byte, key []byte) ([]byte, error)
Name() string
}
diff --git a/goKMS/kms/crypto/otp.go b/goKMS/kms/crypto/otp.go
index 9deed97f..c3209f80 100644
--- a/goKMS/kms/crypto/otp.go
+++ b/goKMS/kms/crypto/otp.go
@@ -12,11 +12,11 @@ func NewOTP(name string) *OTP {
}
}
-func (o *OTP) Encrypt(plaintext []byte, key []byte) ([]byte, []byte, error) {
+func (o *OTP) Encrypt(plaintext []byte, key []byte) ([]byte, []byte, []byte, error) {
plainTextLen := len(plaintext)
keyLen := len(key)
if plainTextLen != keyLen {
- return nil, nil, fmt.Errorf("For OTP the length of plaintext and key must not differ. Length of plaintext: %d, length of key: %d", plainTextLen, keyLen)
+ return nil, nil, nil, fmt.Errorf("For OTP the length of plaintext and key must not differ. Length of plaintext: %d, length of key: %d", plainTextLen, keyLen)
}
ciphertext := make([]byte, plainTextLen)
@@ -25,10 +25,10 @@ func (o *OTP) Encrypt(plaintext []byte, key []byte) ([]byte, []byte, error) {
ciphertext[i] = plaintext[i] ^ key[i]
}
- return nil, ciphertext, nil
+ return nil, nil, ciphertext, nil
}
-func (o *OTP) Decrypt(nonce, ciphertext []byte, key []byte) ([]byte, error) {
+func (o *OTP) Decrypt(nonce, authTag, ciphertext []byte, key []byte) ([]byte, error) {
cipherTextLen := len(ciphertext)
keyLen := len(key)
if cipherTextLen != keyLen {
diff --git a/goKMS/kms/crypto/otp_test.go b/goKMS/kms/crypto/otp_test.go
index 0f6bf530..376dea58 100644
--- a/goKMS/kms/crypto/otp_test.go
+++ b/goKMS/kms/crypto/otp_test.go
@@ -30,11 +30,11 @@ func TestCrypto_OTP_EncryptAndDecryptPlaintext(t *testing.T) {
otp := NewOTP("OTP")
// encrypt the secret with encrypt method
- _, encryptedSecret, err := otp.Encrypt(secret, key)
+ _, _, encryptedSecret, err := otp.Encrypt(secret, key)
assert.NoError(t, err)
// decrypt the encryptedSecret with decrypt method
- decryptedSecret, err := otp.Decrypt(nil, encryptedSecret, key)
+ decryptedSecret, err := otp.Decrypt(nil, nil, encryptedSecret, key)
assert.NoError(t, err)
assert.Equal(t, secret, decryptedSecret)
}
diff --git a/goKMS/kms/kms.go b/goKMS/kms/kms.go
index 702573c8..e1c51117 100644
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -630,7 +630,7 @@ func generateNewKSAKey(cryptoAlgo crypto.CryptoAlgorithm, platformKeyValue []byt
}
// encrypt the key
- nonce, encryptedKSAKey, err := cryptoAlgo.Encrypt(ksaKey.Key, platformKeyValue)
+ nonce, authTag, encryptedKSAKey, err := cryptoAlgo.Encrypt(ksaKey.Key, platformKeyValue)
if err != nil {
log.Error(err)
return nil, nil, err
@@ -639,11 +639,13 @@ func generateNewKSAKey(cryptoAlgo crypto.CryptoAlgorithm, platformKeyValue []byt
ksaKeyAsString := base64.StdEncoding.EncodeToString(ksaKey.Key)
encryptedKSAKeyAsString := base64.StdEncoding.EncodeToString(encryptedKSAKey)
nonceAsString := base64.StdEncoding.EncodeToString(nonce)
+ authTagAsString := base64.StdEncoding.EncodeToString(authTag)
ksaKeyToSend := &pbIC.Key{
- Id: ksaKeyId.String(),
- Nonce: nonceAsString,
- Key: encryptedKSAKeyAsString,
+ Id: ksaKeyId.String(),
+ Nonce: nonceAsString,
+ AuthTag: authTagAsString,
+ Key: encryptedKSAKeyAsString,
}
akmsKSAKey := &crypto.KSAKey{
diff --git a/goKMS/kms/kmsintercom.go b/goKMS/kms/kmsintercom.go
index 09c6bff8..b38e395e 100644
--- a/goKMS/kms/kmsintercom.go
+++ b/goKMS/kms/kmsintercom.go
@@ -355,8 +355,12 @@ func (s *kmsTalkerServer) getDecryptedKey(keyForDecryption []byte, cryptoAlgorit
if err != nil {
return nil, err
}
+ authTagAsByte, err := base64.StdEncoding.DecodeString(encryptedKey.GetAuthTag())
+ if err != nil {
+ return nil, err
+ }
- decryptedKey, err := cryptoAlgorithm.Decrypt(nonceAsByte, keyAsByte, keyForDecryption)
+ decryptedKey, err := cryptoAlgorithm.Decrypt(nonceAsByte, authTagAsByte, keyAsByte, keyForDecryption)
if err != nil {
return nil, err
}
diff --git a/goKMS/kms/peers/kmsPeer.go b/goKMS/kms/peers/kmsPeer.go
index caf14e1f..0c408682 100644
--- a/goKMS/kms/peers/kmsPeer.go
+++ b/goKMS/kms/peers/kmsPeer.go
@@ -172,13 +172,14 @@ func (kp *KmsPeer) SendPayload(payload *crypto.Key, pathId, processId uuid.UUID)
kp.servingQuantumModul.KeyStore().DeleteKey(key.KeyID)
- nonce, encryptedPayload, err := kp.cryptoAlgorithm.Encrypt(payload.Key, key.Key)
+ nonce, authTag, encryptedPayload, err := kp.cryptoAlgorithm.Encrypt(payload.Key, key.Key)
if err != nil {
return err
}
encryptedPayloadAsString := base64.StdEncoding.EncodeToString(encryptedPayload)
nonceAsString := base64.StdEncoding.EncodeToString(nonce)
+ authTagAsString := base64.StdEncoding.EncodeToString(authTag)
log.Infof("Sent encrypted Payload: %s with nonce: %s", encryptedPayloadAsString, nonceAsString)
@@ -196,9 +197,10 @@ func (kp *KmsPeer) SendPayload(payload *crypto.Key, pathId, processId uuid.UUID)
ProcessId: processId.String(),
CryptoAlgorithm: pbIC.CryptoAlgorithm(cryptoAlgorithmEnum),
Key: &pbIC.Key{
- Id: payload.ID.String(),
- Nonce: nonceAsString,
- Key: encryptedPayloadAsString,
+ Id: payload.ID.String(),
+ Nonce: nonceAsString,
+ AuthTag: authTagAsString,
+ Key: encryptedPayloadAsString,
},
})
if err != nil {
--
GitLab