Add Seal/Unseal and crypto token creation (#23)

rdner · web-flow · commit c0ecf9290324 · 2020-01-31T13:40:06.000+01:00
Now it's possible to use Authenticated Encryption using
MAC-then-Encrypt (MtE) approach.

Also, now it's easier to create a state or CSRF token using
`GenerateToken` and then verify it using `DecodeAndVerifyToken`.
diff --git a/pkg/crypto/encrypt.go b/pkg/crypto/encrypt.go
@@ -3,8 +3,10 @@ package crypto
 import (
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha512"
+	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"io"
@@ -14,31 +16,34 @@ var (
 	// ErrCipherTooShort occurs when `Decrypt` does not
 	// have input of enough length to decrypt using AES256
 	ErrCipherTooShort = errors.New("crypto: cipher plainText is too short for AES encryption")
+	// ErrCorruptedMessage occurs when an attempt of unsealing a message
+	// does not pass the authentication check
+	ErrCorruptedMessage = errors.New("crypto: the message didn't pass the authentication check")
 )
 
 // PassphraseToKey converts a string to a key for encryption.
 //
 // This function must be used STRICTLY ONLY for generating
 // an encryption key out of a passphrase.
 // Please don't use this function for hashing user-provided values.
-// It uses SHA2 for simplicity but it's slower. User-provided data should use SHA3
-// because of its better performance.
+// It uses SHA2 for simplicity and it's faster but less secure than SHA3.
+// User-provided data should use SHA3 or bcrypt.
 func PassphraseToKey(passphrase string) (key []byte) {
 	// SHA512/256 will return exactly 32 bytes which is exactly
 	// the length of the key needed for AES256 encryption
 	hash := sha512.Sum512_256([]byte(passphrase))
 	return hash[:]
 }
 
-// Encrypt encrypts content with a key using AES256
-func Encrypt(plainText, key []byte) (encrypted []byte, err error) {
+// Encrypt encrypts content with a key using AES256 CFB mode
+func Encrypt(plainText, key []byte) (cipherText []byte, err error) {
 	// code is taken from here https://golang.org/pkg/crypto/cipher/#NewCFBEncrypter
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
 	}
 
-	cipherText := make([]byte, aes.BlockSize+len(plainText))
+	cipherText = make([]byte, aes.BlockSize+len(plainText))
 	iv := cipherText[:aes.BlockSize]
 	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
 		return nil, err
@@ -60,8 +65,8 @@ func EncryptToString(plainText, key []byte) (string, error) {
 	return hex.EncodeToString(bytes), nil
 }
 
-// Decrypt decrypts content with a key using AES256
-func Decrypt(cipherText, key []byte) (decrypted []byte, err error) {
+// Decrypt decrypts content with a key using AES256 CFB mode
+func Decrypt(cipherText, key []byte) (plainText []byte, err error) {
 	// code is taken from here https://golang.org/pkg/crypto/cipher/#NewCFBDecrypter
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -75,17 +80,78 @@ func Decrypt(cipherText, key []byte) (decrypted []byte, err error) {
 
 	stream := cipher.NewCFBDecrypter(block, iv)
 
-	plainText := make([]byte, len(cipherText))
+	plainText = make([]byte, len(cipherText))
 	stream.XORKeyStream(plainText, cipherText)
 
 	return plainText, nil
 }
 
 // DecryptFromString decrypts a string with a key
-func DecryptFromString(cipherTextStr string, key []byte) (decrypted []byte, err error) {
+func DecryptFromString(cipherTextStr string, key []byte) ([]byte, error) {
 	cipherText, err := hex.DecodeString(cipherTextStr)
 	if err != nil {
 		return nil, err
 	}
 	return Decrypt(cipherText, key)
 }
+
+// Seal implements authenticated encryption using the MAC-then-Encrypt (MtE) approach.
+// It's using SHA3-256 for MAC and AES256 CFB for encryption.
+// https://en.wikipedia.org/wiki/Authenticated_encryption#MAC-then-Encrypt_(MtE)
+func Seal(plainText, key []byte) (cipherText []byte, err error) {
+	mac := hmac.New(sha512.New512_256, key)
+
+	// the doc says it never returns an error, but we don't trust it
+	_, err = mac.Write(plainText)
+	if err != nil {
+		return nil, err
+	}
+	messageMAC := mac.Sum(nil)
+	messageAndMAC := append(plainText, messageMAC...)
+
+	return Encrypt(messageAndMAC, key)
+}
+
+// SealToString runs `Seal` and then encodes the result into base64.
+func SealToString(plainText, key []byte) (string, error) {
+	bytes, err := Seal(plainText, key)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(bytes), nil
+}
+
+// Unseal decrypts and authenticates the data encrypted by Seal
+func Unseal(cipherText, key []byte) (plainText []byte, err error) {
+	messageAndMAC, err := Decrypt(cipherText, key)
+	if err != nil {
+		return nil, err
+	}
+
+	splitPoint := len(messageAndMAC) - sha512.Size256
+	messageMAC := messageAndMAC[splitPoint:]
+	plainText = messageAndMAC[:splitPoint]
+
+	mac := hmac.New(sha512.New512_256, key)
+	// the doc says it never returns an error, but we don't trust it
+	_, err = mac.Write(plainText)
+	if err != nil {
+		return nil, err
+	}
+	expectedMAC := mac.Sum(nil)
+
+	if !hmac.Equal(expectedMAC, messageMAC) {
+		return nil, ErrCorruptedMessage
+	}
+
+	return plainText, err
+}
+
+// UnsealFromString decodes from Base64 and applies `Unseal`.
+func UnsealFromString(cipherTextStr string, key []byte) ([]byte, error) {
+	cipherText, err := base64.StdEncoding.DecodeString(cipherTextStr)
+	if err != nil {
+		return nil, err
+	}
+	return Unseal(cipherText, key)
+}
diff --git a/pkg/crypto/encrypt_test.go b/pkg/crypto/encrypt_test.go
@@ -17,7 +17,7 @@ func TestPassphraseToKey(t *testing.T) {
 	}
 }
 
-func Test_EncryptDecrypt(t *testing.T) {
+func TestEncryptDecrypt(t *testing.T) {
 	key := PassphraseToKey("some very secure passphrase no hacker can hack")
 	text := []byte("some very secret text to encrypt")
 
@@ -64,3 +64,60 @@ func Test_EncryptDecrypt(t *testing.T) {
 		}
 	})
 }
+
+func TestSealUnseal(t *testing.T) {
+	key := PassphraseToKey("some very secure passphrase no hacker can hack")
+	text := []byte("some very secret text to encrypt")
+
+	t.Run("seals/unseals bytes", func(t *testing.T) {
+		cipherText, err := Seal(text, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if bytes.Equal(text, cipherText) {
+			t.Fatal("cipher text must differ the original text")
+		}
+
+		plainText, err := Unseal(cipherText, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !bytes.Equal(text, plainText) {
+			t.Fatal("decrypted text must match the original text")
+		}
+	})
+
+	t.Run("seals/unseals a string", func(t *testing.T) {
+		cipherTextString, err := SealToString(text, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(text) == cipherTextString {
+			t.Fatal("cipher text must differ the original text")
+		}
+
+		plainText, err := UnsealFromString(cipherTextString, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !bytes.Equal(text, plainText) {
+			t.Fatal("decrypted text must match the original text")
+		}
+	})
+
+	t.Run("authenticates the message", func(t *testing.T) {
+		cipherText, err := Seal(text, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		cipherText[1] = 'x'
+
+		plainText, err := Unseal(cipherText, key)
+		if err != ErrCorruptedMessage {
+			t.Fatal(err)
+		}
+		if len(plainText) != 0 {
+			t.Fatal("decrypted text must be empty in case of error")
+		}
+	})
+}
diff --git a/pkg/crypto/generate.go b/pkg/crypto/generate.go
@@ -1,11 +1,25 @@
 package crypto
 
 import (
+	"bytes"
 	"crypto/rand"
+	"encoding/gob"
 	"encoding/hex"
+	"errors"
 	"io"
+	"time"
 )
 
+var (
+	// ErrTokenExpired occurs when the token lifetime is exceeded
+	ErrTokenExpired = errors.New("crypto: token expired")
+)
+
+type token struct {
+	Data      []byte
+	CreatedAt time.Time
+}
+
 // GenerateRandomString generates a random string with a given length
 func GenerateRandomString(length int) (string, error) {
 	size := length
@@ -20,3 +34,42 @@ func GenerateRandomString(length int) (string, error) {
 	}
 	return hex.EncodeToString(bytes)[0:length], nil
 }
+
+// GenerateToken generates a sealed token with a given ID and timestamp for
+// future verification.
+func GenerateToken(data, key []byte) (tokenStr string, err error) {
+	t := token{
+		Data:      data,
+		CreatedAt: time.Now(),
+	}
+	b := bytes.NewBuffer(nil)
+	enc := gob.NewEncoder(b)
+	err = enc.Encode(t)
+	if err != nil {
+		return "", err
+	}
+
+	return SealToString(b.Bytes(), key)
+}
+
+// DecodeAndVerify unseals the token and verifies its lifetime
+func DecodeAndVerifyToken(tokenStr string, key []byte, lifetime time.Duration) (data []byte, err error) {
+	plainText, err := UnsealFromString(tokenStr, key)
+	if err != nil {
+		return nil, err
+	}
+	b := bytes.NewBuffer(plainText)
+	dec := gob.NewDecoder(b)
+
+	var t token
+	err = dec.Decode(&t)
+	if err != nil {
+		return nil, err
+	}
+
+	if t.CreatedAt.Add(lifetime).Before(time.Now()) {
+		return nil, ErrTokenExpired
+	}
+
+	return t.Data, nil
+}
diff --git a/pkg/crypto/generate_test.go b/pkg/crypto/generate_test.go
@@ -1,6 +1,10 @@
 package crypto
 
-import "testing"
+import (
+	"bytes"
+	"testing"
+	"time"
+)
 
 func TestRandomString(t *testing.T) {
 	t.Run("does not repeat the same value twice", func(t *testing.T) {
@@ -35,3 +39,41 @@ func TestRandomString(t *testing.T) {
 		}
 	})
 }
+
+func TestGenerateDecodeAndVerifyToken(t *testing.T) {
+	key := PassphraseToKey("some very secure passphrase no hacker can hack")
+	text := []byte("some very secret text to encrypt")
+
+	t.Run("preserves the data", func(t *testing.T) {
+		token, err := GenerateToken(text, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		data, err := DecodeAndVerifyToken(token, key, time.Hour)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if !bytes.Equal(text, data) {
+			t.Fatal("data does not match with the initial text")
+		}
+	})
+
+	t.Run("expires", func(t *testing.T) {
+		token, err := GenerateToken(text, key)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		<-time.After(2 * time.Second)
+
+		data, err := DecodeAndVerifyToken(token, key, time.Second)
+		if err != ErrTokenExpired {
+			t.Fatal(err)
+		}
+		if len(data) != 0 {
+			t.Fatal("data should be empty")
+		}
+	})
+}
