Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Commit

Permalink
check the input key length for hkdf
Browse files Browse the repository at this point in the history
Signed-off-by: Nick Revin <[email protected]>
  • Loading branch information
nrvnrvn committed Aug 7, 2019
1 parent 74937fb commit ed1b5a2
Show file tree
Hide file tree
Showing 7 changed files with 59 additions and 18 deletions.
11 changes: 11 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,12 @@

## Project status: alpha

### Cryptography API

Core cryptography API is freezed and is unlikely to be changed. It is open for extension and adding more providers. Thorough independent security audit is badly needed and welcome!

### Kubernetes API and CLI

The basic features have been completed, and while no breaking API changes are currently planned, the API can change in a backwards incompatible way before the project is declared stable.

## Overview
Expand Down Expand Up @@ -58,6 +64,10 @@ When used in conjunction with [encrypting Secret Data at Rest][encrypting-secret
kubectl apply -f example/k8s_v1alpha1_secretencryptionconfig_cr.yaml
```

### Getting CLI

Official Secreter CLI binaries can be found on the [Releases][releases] page.

### Configuring Secreter

The `SecretEncryptionConfig` CRD is used for configuring Secreter.
Expand Down Expand Up @@ -327,3 +337,4 @@ Providers:
[curve25519]: https://godoc.org/github.com/amaizfinance/secreter/pkg/crypto/curve25519
[libsodium-sealed-box]: https://download.libsodium.org/doc/public-key_cryptography/sealed_boxes
[nacl-box]: https://nacl.cr.yp.to/box.html
[releases]: https://github.com/amaizfinance/secreter/releases
15 changes: 3 additions & 12 deletions WORKSPACE
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ gazelle_dependencies()
# fetch and load rules_docker
http_archive(
name = "io_bazel_rules_docker",
sha256 = "87fc6a2b128147a0a3039a2fd0b53cc1f2ed5adb8716f50756544a572999ae9a",
strip_prefix = "rules_docker-0.8.1",
urls = ["https://github.com/bazelbuild/rules_docker/archive/v0.8.1.tar.gz"],
sha256 = "e513c0ac6534810eb7a14bf025a0f159726753f97f74ab7863c650d26e01d677",
strip_prefix = "rules_docker-0.9.0",
urls = ["https://github.com/bazelbuild/rules_docker/archive/v0.9.0.tar.gz"],
)

load(
Expand All @@ -52,12 +52,3 @@ load(
)

_go_image_repos()

load("@io_bazel_rules_docker//container:container.bzl", "container_pull")

container_pull(
name = "distroless_static",
digest = "sha256:9b60270ec0991bc4f14bda475e8cae75594d8197d0ae58576ace84694aa75d7a",
registry = "gcr.io",
repository = "distroless/static",
)
1 change: 1 addition & 0 deletions cmd/cli/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ go_library(
go_binary(
name = "secreter",
embed = [":go_default_library"],
pure = "on",
visibility = ["//visibility:public"],
)

Expand Down
3 changes: 2 additions & 1 deletion cmd/manager/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,16 @@ go_library(
go_binary(
name = "manager",
embed = [":go_default_library"],
pure = "on",
visibility = ["//visibility:public"],
)

load("@io_bazel_rules_docker//go:image.bzl", "go_image")

go_image(
name = "manager_image",
base = "@distroless_static//image",
embed = [":go_default_library"],
pure = "on",
visibility = ["//visibility:public"],
)

Expand Down
2 changes: 1 addition & 1 deletion hack/build/test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,5 @@ set -o nounset
set -o pipefail
set -x

bazel test //...
bazel test --features=race //...
bazel build //...
5 changes: 5 additions & 0 deletions pkg/crypto/xchacha20poly1305/xchacha20poly1305.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
package xchacha20poly1305

import (
"errors"
"hash"
"io"

Expand Down Expand Up @@ -74,6 +75,10 @@ func Open(key, ciphertext, additionalData []byte) ([]byte, error) {
}

func deriveKeyAndNonce(inputKeyMaterial, salt []byte) ([]byte, []byte, error) {
if len(inputKeyMaterial) == 0 {
return nil, nil, errors.New("xchacha20poly1305: key cannot be empty")
}

key := make([]byte, chacha20poly1305.KeySize)
nonce := make([]byte, chacha20poly1305.NonceSizeX)

Expand Down
40 changes: 36 additions & 4 deletions pkg/crypto/xchacha20poly1305/xchacha20poly1305_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (
"encoding/hex"
"fmt"
"io"
"reflect"
"testing"
)

Expand All @@ -33,7 +34,7 @@ func TestSealOpen(t *testing.T) {
want []byte
wantErr bool
}{
{name: "empty", want: make([]byte, 0)},
{name: "empty", wantErr: true},
{name: "bad ciphertext", args: args{ciphertext: []byte("lol")}, wantErr: true},
{
name: "random key",
Expand Down Expand Up @@ -71,7 +72,7 @@ func TestSealOpen(t *testing.T) {
return
}
if !bytes.Equal(got, tt.want) {
t.Errorf("Open() = %v, want %#v", got, tt.want)
t.Errorf("Open() = %v, wantKey %#v", got, tt.want)
}
})
}
Expand Down Expand Up @@ -106,7 +107,7 @@ func TestSealOpenDeterministic(t *testing.T) {
return
}
if !bytes.Equal(ciphertext, tt.args.ciphertext) {
t.Errorf("\nSeal():\t%v\nwant\t%v", ciphertext, tt.args.ciphertext)
t.Errorf("\nSeal():\t%v\nwantKey\t%v", ciphertext, tt.args.ciphertext)
return
}
got, err := Open(tt.args.key, tt.args.ciphertext, tt.args.additionalData)
Expand All @@ -117,7 +118,7 @@ func TestSealOpenDeterministic(t *testing.T) {
fmt.Println(tt.args.plaintext)

if !bytes.Equal(got, tt.want) {
t.Errorf("Open() = %v, want %#v", got, tt.want)
t.Errorf("Open() = %v, wantKey %#v", got, tt.want)
}
})
}
Expand Down Expand Up @@ -151,3 +152,34 @@ func BenchmarkDeriveKeyAndNonce(b *testing.B) {
}
}
}

func Test_deriveKeyAndNonce(t *testing.T) {
type args struct {
inputKeyMaterial []byte
salt []byte
}
tests := []struct {
name string
args args
wantKey []byte
wantNonce []byte
wantErr bool
}{
{name: "empty", wantErr: true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotKey, gotNonce, err := deriveKeyAndNonce(tt.args.inputKeyMaterial, tt.args.salt)
if (err != nil) != tt.wantErr {
t.Errorf("deriveKeyAndNonce() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(gotKey, tt.wantKey) {
t.Errorf("deriveKeyAndNonce() gotKey = %v, wantKey %v", gotKey, tt.wantKey)
}
if !reflect.DeepEqual(gotNonce, tt.wantNonce) {
t.Errorf("deriveKeyAndNonce() gotNonce = %v, wantNonce %v", gotNonce, tt.wantNonce)
}
})
}
}

0 comments on commit ed1b5a2

Please sign in to comment.