From d178deb05cbb62e23be7b7ac66f934f4203434ae Mon Sep 17 00:00:00 2001
From: Ganesh
Date: Thu, 21 Sep 2023 15:41:26 -0700
Subject: [PATCH 1/4] Change encryption/decryption algorithm to A256CBC

---
 go.mod | 2 +-
 go.sum | 4 ++--
 services/security/keyvault/key/key.go | 2 ++
 services/security/keyvault/keyvault.go | 4 +++-
 wrapper/cpp/main.go | 4 ++--
 5 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 946d52e9..c7cf6bcc 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/Azure/go-autorest/autorest v0.9.0
 github.com/Azure/go-autorest/autorest/date v0.2.0
 github.com/google/uuid v1.3.0
- github.com/microsoft/moc v0.11.0-alpha.28
+ github.com/microsoft/moc v0.11.0-alpha.29
 google.golang.org/grpc v1.54.0
 k8s.io/klog v1.0.0
 )
diff --git a/go.sum b/go.sum
index 937d8e4d..b41aadaa 100644
--- a/go.sum
+++ b/go.sum
@@ -579,8 +579,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/microsoft/moc v0.11.0-alpha.28 h1:cdMgpkoyn937QZZMZ5NmYYAUHlonkeHw4vgeIPvZoKQ=
-github.com/microsoft/moc v0.11.0-alpha.28/go.mod h1:EuYNwYdC667rnJSYcLcLHKTuQURy9GLm7n+SMDhK6ps=
+github.com/microsoft/moc v0.11.0-alpha.29 h1:SXqPMIXXdYlM5o3qlLU/cUf5kTByg/n8VWMMJ+Ls2bM=
+github.com/microsoft/moc v0.11.0-alpha.29/go.mod h1:EuYNwYdC667rnJSYcLcLHKTuQURy9GLm7n+SMDhK6ps=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
diff --git a/services/security/keyvault/key/key.go b/services/security/keyvault/key/key.go
index 6bafafdb..2fa766c8 100644
--- a/services/security/keyvault/key/key.go
+++ b/services/security/keyvault/key/key.go
@@ -257,6 +257,8 @@ func getMOCAlgorithm(algo keyvault.JSONWebKeyEncryptionAlgorithm) (wssdcloudcomm
 return wssdcloudcommon.Algorithm_RSAOAEP256, nil
 case keyvault.A256KW:
 return wssdcloudcommon.Algorithm_A256KW, nil
+ case keyvault.A256CBC:
+ return wssdcloudcommon.Algorithm_A256CBC, nil
 }
 return wssdcloudcommon.Algorithm_A_UNKNOWN, errors.Wrapf(errors.InvalidInput, "Invalid Algorithm [%s]", algo)
 }
diff --git a/services/security/keyvault/keyvault.go b/services/security/keyvault/keyvault.go
index ac8f4b38..a64a9ed6 100644
--- a/services/security/keyvault/keyvault.go
+++ b/services/security/keyvault/keyvault.go
@@ -117,11 +117,13 @@ const (
 RSAOAEP256 JSONWebKeyEncryptionAlgorithm = "RSA-OAEP-256"
 // A256KW AES Key Wrap with 256 bit key-encryption key
 A256KW JSONWebKeyEncryptionAlgorithm = "A256KW"
+ // A256CBC AES-CBC with 256 bit encryption key
+ A256CBC JSONWebKeyEncryptionAlgorithm = "A256CBC"
 )

 // KeyOperationsParameters the key operations parameters.
 type KeyOperationsParameters struct {
- // Algorithm - algorithm identifier. Possible values include: 'RSAOAEP', 'RSAOAEP256', 'RSA15', 'A256KW'
+ // Algorithm - algorithm identifier. Possible values include: 'RSAOAEP', 'RSAOAEP256', 'RSA15', 'A256KW', "A256CBC"
 Algorithm JSONWebKeyEncryptionAlgorithm `json:"alg,omitempty"`
 // Value - a URL-encoded base64 string
 Value *string `json:"value,omitempty"`
diff --git a/wrapper/cpp/main.go b/wrapper/cpp/main.go
index 7f6d9f32..009419d5 100644
--- a/wrapper/cpp/main.go
+++ b/wrapper/cpp/main.go
@@ -88,7 +88,7 @@ func KeyvaultKeyEncryptDataCV(serverName *C.char, groupName *C.char, keyvaultNam

 parameters := &keyvault.KeyOperationsParameters{
 Value: &value,
- Algorithm: keyvault.A256KW,
+ Algorithm: keyvault.A256CBC,
 }

 response, err := keyClient.Encrypt(ctx, C.GoString(groupName), C.GoString(keyvaultName), C.GoString(keyName), parameters)
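Review bot: The new `A256CBC` comment and the updated `Algorithm` value list in keyvault.go describe the key size but not what the mode guarantees, and the list now mixes quote styles (`'A256KW', "A256CBC"`). AES-CBC provides confidentiality only; nothing in this file says whether the service authenticates the ciphertext or which padding it applies, so a caller cannot tell from the doc whether Decrypt will detect a modified or truncated ciphertext. I would write `// A256CBC AES-CBC with 256 bit encryption key; CBC alone provides no integrity protection, so callers needing tamper detection must protect the ciphertext separately` and change the list entry to `'A256CBC'`. Whether padding is added is decided outside this file (presumably in the service), and the comment should state it once confirmed.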
@@ -125,7 +125,7 @@ func KeyvaultKeyDecryptDataCV(serverName *C.char, groupName *C.char, keyvaultNam

 parameters := &keyvault.KeyOperationsParameters{
 Value: &value,
- Algorithm: keyvault.A256KW,
+ Algorithm: keyvault.A256CBC,
 }

 response, err := keyClient.Decrypt(ctx, C.GoString(groupName), C.GoString(keyvaultName), C.GoString(keyName), parameters)

From 2f1f479820799ef45dfc5f812c65f05d23bca4da Mon Sep 17 00:00:00 2001
From: Ganesh
Date: Thu, 21 Sep 2023 17:29:39 -0700
Subject: [PATCH 2/4] Add A256CBC in GetMOCAlgorithmType conversion function

---
 services/security/keyvault/key/key.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/security/keyvault/key/key.go b/services/security/keyvault/key/key.go
index 2fa766c8..59fbd481 100644
--- a/services/security/keyvault/key/key.go
+++ b/services/security/keyvault/key/key.go
@@ -299,6 +299,8 @@ func GetMOCAlgorithmType(algo string) (keyvault.JSONWebKeyEncryptionAlgorithm, e
 return keyvault.RSAOAEP256, nil
 case "A-256-KW":
 return keyvault.A256KW, nil
+ case "A-256-CBC":
+ return keyvault.A256CBC, nil
 }
 return keyvault.RSA15, errors.Wrapf(errors.InvalidInput, "Invalid Algorithm [%s]", algo)
 }

From 5fb272e31a549f730084f5c8fb5d7444ffc9d25e Mon Sep 17 00:00:00 2001
From: Ganesh
Date: Fri, 22 Sep 2023 12:01:43 -0700
Subject: [PATCH 3/4] Add algorithm validation for encrypt/decrypt/wrap/unwrap operations

---
 services/security/keyvault/key/wssd.go | 34 ++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/services/security/keyvault/key/wssd.go b/services/security/keyvault/key/wssd.go
index a2338fb8..dbf3c134 100644
--- a/services/security/keyvault/key/wssd.go
+++ b/services/security/keyvault/key/wssd.go
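Review bot: KeyvaultKeyDecryptDataCV now requests `keyvault.A256CBC` unconditionally, so any value produced earlier through KeyvaultKeyEncryptDataCV under `A256KW` can no longer be decrypted through this wrapper, and once the validation added later in this series lands, Decrypt rejects A256KW outright. If no such stored data exists this is fine, but it is a format break and should be stated in the commit message or next to the literal, e.g. `// Algorithm is fixed to A256CBC; values encrypted by older builds used A256KW and are not readable through this path.` Both wrappers hard-code the algorithm with no way for the C caller to choose, which is reasonable for a CV-specific entry point but worth a sentence on the exported function; the function bodies start outside the hunk.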
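Review bot: The new `"A-256-CBC"` case in GetMOCAlgorithmType accepts only the dashed spelling, while the constant it returns is `"A256CBC"` and getMOCAlgorithm keys on that constant, so the two spellings are not interchangeable; that matches the existing `"A-256-KW"` case but nothing documents it. A doc comment on the function (its signature is visible but most of its body is outside the hunk) would stop callers passing the JWE name: `// GetMOCAlgorithmType maps the dashed algorithm spelling (e.g. "A-256-CBC", "A-256-KW") to its keyvault constant; the un-dashed JWE names are not accepted.` The error path still returns `keyvault.RSA15` together with an error, which is pre-existing but easy to misread as a default.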
@@ -302,6 +302,10 @@ func (c *client) Delete(ctx context.Context, group, name, vaultName string) erro
 }

 func (c *client) Encrypt(ctx context.Context, group, vaultName, name string, param *keyvault.KeyOperationsParameters) (result *keyvault.KeyOperationResult, err error) {
+ err = c.isSupportedEncryptionAlgorithm(param.Algorithm)
+ if err != nil {
+ return
+ }
 request, err := c.getKeyOperationRequest(ctx, group, vaultName, name, param, wssdcloudcommon.ProviderAccessOperation_Key_Encrypt)
 if err != nil {
 return
@@ -315,6 +319,10 @@ func (c *client) Encrypt(ctx context.Context, group, vaultName, name string, par
 }

 func (c *client) Decrypt(ctx context.Context, group, vaultName, name string, param *keyvault.KeyOperationsParameters) (result *keyvault.KeyOperationResult, err error) {
+ err = c.isSupportedEncryptionAlgorithm(param.Algorithm)
+ if err != nil {
+ return
+ }
 request, err := c.getKeyOperationRequest(ctx, group, vaultName, name, param, wssdcloudcommon.ProviderAccessOperation_Key_Decrypt)
 if err != nil {
 return
@@ -328,6 +336,10 @@ func (c *client) Decrypt(ctx context.Context, group, vaultName, name string, par
 }

 func (c *client) WrapKey(ctx context.Context, group, vaultName, name string, param *keyvault.KeyOperationsParameters) (result *keyvault.KeyOperationResult, err error) {
+ err = c.isSupportedWrapAlgorithm(param.Algorithm)
+ if err != nil {
+ return
+ }
 request, err := c.getKeyOperationRequest(ctx, group, vaultName, name, param, wssdcloudcommon.ProviderAccessOperation_Key_WrapKey)
 if err != nil {
 return
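Review bot: The guard added to Encrypt (and identically to Decrypt, WrapKey, and UnwrapKey in the next hunk) reads `param.Algorithm` before anything checks `param` for nil, so a nil parameters struct now panics on the new line; I cannot see whether getKeyOperationRequest handled that case, but `if param == nil { return nil, errors.Wrapf(errors.InvalidInput, "KeyOperationsParameters is nil") }` ahead of the guard would make the behaviour explicit. The allow-list also rejects every algorithm except A256CBC for Encrypt/Decrypt, including the RSA algorithms that getMOCAlgorithm in key.go still maps and that the KeyOperationsParameters comment lists as valid; if that restriction is intended, the doc on KeyOperationsParameters.Algorithm or on Encrypt/Decrypt should say which values each operation accepts. An omitted `alg` (the zero value, since the field is `omitempty`) is now rejected too, which is worth a sentence in the same place. The enclosing functions continue past the hunk.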
@@ -341,6 +353,10 @@ func (c *client) WrapKey(ctx context.Context, group, vaultName, name string, par
 }

 func (c *client) UnwrapKey(ctx context.Context, group, vaultName, name string, param *keyvault.KeyOperationsParameters) (result *keyvault.KeyOperationResult, err error) {
+ err = c.isSupportedWrapAlgorithm(param.Algorithm)
+ if err != nil {
+ return
+ }
 request, err := c.getKeyOperationRequest(ctx, group, vaultName, name, param, wssdcloudcommon.ProviderAccessOperation_Key_UnwrapKey)
 if err != nil {
 return
@@ -562,3 +578,21 @@ func (c *client) getKeyOperationRequestVerify(ctx context.Context,

 return request, nil
 }
+
+func (c *client) isSupportedEncryptionAlgorithm(algorithm keyvault.JSONWebKeyEncryptionAlgorithm) error {
+ switch algorithm {
+ case keyvault.A256CBC:
+ return nil
+ default:
+ return errors.Wrapf(errors.InvalidInput, "Invalid Algorithm")
+ }
+}
+
+func (c *client) isSupportedWrapAlgorithm(algorithm keyvault.JSONWebKeyEncryptionAlgorithm) error {
+ switch algorithm {
+ case keyvault.A256KW:
+ return nil
+ default:
+ return errors.Wrapf(errors.InvalidInput, "Invalid Algorithm")
+ }
+}

From 9081d7b72c73f7c2952c3c43665643296ef8e6c1 Mon Sep 17 00:00:00 2001
From: Ganesh
Date: Fri, 22 Sep 2023 12:38:48 -0700
Subject: [PATCH 4/4] Add unit tests for algorithm validation function

---
 services/security/keyvault/key/wssd_test.go | 43 +++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 services/security/keyvault/key/wssd_test.go

diff --git a/services/security/keyvault/key/wssd_test.go b/services/security/keyvault/key/wssd_test.go
new file mode 100644
index 00000000..0f96cf9c
--- /dev/null
+++ b/services/security/keyvault/key/wssd_test.go
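Review bot: Both new helpers return `errors.Wrapf(errors.InvalidInput, "Invalid Algorithm")` with a format string but no arguments, dropping the rejected value that the sibling mapping in key.go reports with `"Invalid Algorithm [%s]"`; change both to `return errors.Wrapf(errors.InvalidInput, "Invalid Algorithm [%s]", algorithm)` so a caller can see which value was refused. The `is…` prefix suggests a bool result, yet they return error; `validateEncryptionAlgorithm`/`validateWrapAlgorithm` would read as intended, and neither uses its `c` receiver, so they could be plain functions. They also lack doc comments; I would add `// isSupportedEncryptionAlgorithm returns errors.InvalidInput unless algorithm is A256CBC, the only algorithm Encrypt and Decrypt accept.` and the A256KW equivalent on the wrap helper.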
@@ -0,0 +1,43 @@
+package key
+
+import (
+ "testing"
+
+ "github.com/microsoft/moc-sdk-for-go/services/security/keyvault"
+)
+
+func TestEncryptValidation_invalidAlgorithm(t *testing.T) {
+ mockClient := &client{nil}
+ err := mockClient.isSupportedEncryptionAlgorithm(keyvault.A256KW)
+
+ if err == nil {
+ t.Errorf("Expected error")
+ }
+}
+
+func TestEncryptValidation_validAlgorithm(t *testing.T) {
+ mockClient := &client{nil}
+ err := mockClient.isSupportedEncryptionAlgorithm(keyvault.A256CBC)
+
+ if err != nil {
+ t.Errorf("Unexpected error %+v", err)
+ }
+}
+
+func TestWrapValidation_invalidAlgorithm(t *testing.T) {
+ mockClient := &client{nil}
+ err := mockClient.isSupportedWrapAlgorithm(keyvault.A256CBC)
+
+ if err == nil {
+ t.Errorf("Expected error")
+ }
+}
+
+func TestWrapValidation_validAlgorithm(t *testing.T) {
+ mockClient := &client{nil}
+ err := mockClient.isSupportedWrapAlgorithm(keyvault.A256KW)
+
+ if err != nil {
+ t.Errorf("Unexpected error %+v", err)
+ }
+}
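Review bot: The tests build the client with the positional literal `&client{nil}`, which breaks as soon as a field is added to `client`, and they only check for a nil/non-nil error rather than asserting the result is the `errors.InvalidInput` kind the helpers promise. The zero value `JSONWebKeyEncryptionAlgorithm("")` — what the service receives when a caller omits `alg`, since the field is `omitempty` — is not covered, and it is the most likely bad input in practice. A table over the constants declared in keyvault.go would pin the allow-list for each helper and make any new constant show up as a test decision rather than a silent gap; sketched below for the encryption helper, with the wrap helper mirroring it with A256KW as the accepted value and `&client{}` in place of the positional literal.
```go
func TestEncryptValidation(t *testing.T) {
	mockClient := &client{}
	cases := []struct {
		alg     keyvault.JSONWebKeyEncryptionAlgorithm
		wantErr bool
	}{
		{keyvault.A256CBC, false},
		{keyvault.A256KW, true},
		{keyvault.RSA15, true},
		{keyvault.RSAOAEP, true},
		{keyvault.RSAOAEP256, true},
		{keyvault.JSONWebKeyEncryptionAlgorithm(""), true},
	}
	for _, tc := range cases {
		err := mockClient.isSupportedEncryptionAlgorithm(tc.alg)
		if (err != nil) != tc.wantErr {
			t.Errorf("isSupportedEncryptionAlgorithm(%q): err = %v, wantErr %v", tc.alg, err, tc.wantErr)
		}
	}
}
// … unchanged: wrap-algorithm tests (same table shape, A256KW accepted) …
```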