refactor dbcrypt: add Ciphers to wrap multiple AES256

johnstcn · johnstcn · commit 4142fb2b1393 · 2023-08-29T10:47:33.000Z
diff --git a/enterprise/dbcrypt/cipher.go b/enterprise/dbcrypt/cipher.go
@@ -18,7 +18,7 @@ type Cipher interface {
 }
 
 // CipherAES256 returns a new AES-256 cipher.
-func CipherAES256(key []byte) (Cipher, error) {
+func CipherAES256(key []byte) (*AES256, error) {
 	if len(key) != 32 {
 		return nil, xerrors.Errorf("key must be 32 bytes")
 	}
@@ -31,16 +31,16 @@ func CipherAES256(key []byte) (Cipher, error) {
 		return nil, err
 	}
 	digest := fmt.Sprintf("%x", sha256.Sum256(key))[:7]
-	return &aes256{aead: aead, digest: digest}, nil
+	return &AES256{aead: aead, digest: digest}, nil
 }
 
-type aes256 struct {
+type AES256 struct {
 	aead cipher.AEAD
 	// digest is the first 7 bytes of the hex-encoded SHA-256 digest of aead.
 	digest string
 }
 
-func (a *aes256) Encrypt(plaintext []byte) ([]byte, error) {
+func (a *AES256) Encrypt(plaintext []byte) ([]byte, error) {
 	nonce := make([]byte, a.aead.NonceSize())
 	_, err := io.ReadFull(rand.Reader, nonce)
 	if err != nil {
@@ -49,7 +49,7 @@ func (a *aes256) Encrypt(plaintext []byte) ([]byte, error) {
 	return a.aead.Seal(nonce, nonce, plaintext, nil), nil
 }
 
-func (a *aes256) Decrypt(ciphertext []byte) ([]byte, error) {
+func (a *AES256) Decrypt(ciphertext []byte) ([]byte, error) {
 	if len(ciphertext) < a.aead.NonceSize() {
 		return nil, xerrors.Errorf("ciphertext too short")
 	}
@@ -60,7 +60,7 @@ func (a *aes256) Decrypt(ciphertext []byte) ([]byte, error) {
 	return decrypted, nil
 }
 
-func (a *aes256) HexDigest() string {
+func (a *AES256) HexDigest() string {
 	return a.digest
 }
 
@@ -70,19 +70,22 @@ type Ciphers struct {
 	m       map[string]Cipher
 }
 
-// CiphersAES256 returns a new Ciphers instance with the given ciphers.
+// NewCiphers returns a new Ciphers instance with the given ciphers.
 // The first cipher in the list is the primary cipher. Any ciphers after the
 // first are considered secondary ciphers and are only used for decryption.
-func CiphersAES256(cs ...Cipher) Ciphers {
+func NewCiphers(cs ...Cipher) *Ciphers {
 	var primary string
 	m := make(map[string]Cipher)
 	for idx, c := range cs {
+		if _, ok := c.(*Ciphers); ok {
+			panic("developer error: do not nest Ciphers")
+		}
 		m[c.HexDigest()] = c
 		if idx == 0 {
 			primary = c.HexDigest()
 		}
 	}
-	return Ciphers{primary: primary, m: m}
+	return &Ciphers{primary: primary, m: m}
 }
 
 // Encrypt encrypts the given plaintext using the primary cipher and returns the
@@ -112,3 +115,8 @@ func (cs Ciphers) Decrypt(ciphertext []byte) ([]byte, error) {
 	}
 	return c.Decrypt(ciphertext[8:])
 }
+
+// HexDigest returns the digest of the primary cipher.
+func (cs Ciphers) HexDigest() string {
+	return cs.primary
+}
diff --git a/enterprise/dbcrypt/cipher_test.go b/enterprise/dbcrypt/cipher_test.go
@@ -44,7 +44,7 @@ func TestCipherAES256(t *testing.T) {
 	})
 }
 
-func TestCiphersAES256(t *testing.T) {
+func TestCiphers(t *testing.T) {
 	t.Parallel()
 
 	// Given: two ciphers
@@ -55,10 +55,7 @@ func TestCiphersAES256(t *testing.T) {
 	cipher2, err := dbcrypt.CipherAES256(key2)
 	require.NoError(t, err)
 
-	ciphers := dbcrypt.CiphersAES256(
-		cipher1,
-		cipher2,
-	)
+	ciphers := dbcrypt.NewCiphers(cipher1, cipher2)
 
 	// Then: it should encrypt with the cipher1
 	output, err := ciphers.Encrypt([]byte("hello world"))
@@ -82,4 +79,16 @@ func TestCiphersAES256(t *testing.T) {
 	decrypted2, err := ciphers.Decrypt(bytes.Join([][]byte{[]byte(cipher2.HexDigest()), output2}, []byte{'-'}))
 	require.NoError(t, err)
 	require.Equal(t, "hello world", string(decrypted2))
+
+	// Decryption of data encrypted with cipher1 should succeed
+	output1, err := cipher1.Encrypt([]byte("hello world"))
+	require.NoError(t, err)
+	decrypted1, err := ciphers.Decrypt(bytes.Join([][]byte{[]byte(cipher1.HexDigest()), output1}, []byte{'-'}))
+	require.NoError(t, err)
+	require.Equal(t, "hello world", string(decrypted1))
+
+	// Wrapping a Ciphers with itself should panic.
+	require.PanicsWithValue(t, "developer error: do not nest Ciphers", func() {
+		_ = dbcrypt.NewCiphers(ciphers)
+	})
 }
diff --git a/enterprise/dbcrypt/dbcrypt.go b/enterprise/dbcrypt/dbcrypt.go
@@ -12,14 +12,14 @@
 // - database.DBCryptSentinelValue
 //
 // Encrypted fields are stored in the following format:
-// "dbcrypt-<first 7 characters of cipher's SHA256 digest>-<base64-encoded encrypted value>"
+// "dbcrypt-${b64encode(<first 7 digits of cipher's SHA256 digest>-<encrypted value>)}"
 //
 // The first 7 characters of the cipher's SHA256 digest are used to identify the cipher
 // used to encrypt the value.
 //
-// Two ciphers can be provided to support key rotation. The primary cipher is used to encrypt
-// and decrypt all values. We only use the secondary cipher to decrypt values if decryption
-// with the primary cipher fails.
+// Multiple ciphers can be provided to support key rotation. The primary cipher is used
+// to encrypt and decrypt all data. Secondary ciphers are only used for decryption.
+// We currently only use a single secondary cipher.
 package dbcrypt
 
 import (
@@ -28,16 +28,12 @@ import (
 	"encoding/base64"
 	"errors"
 	"strings"
-	"sync/atomic"
-
-	"github.com/google/uuid"
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/xerrors"
-
-	"cdr.dev/slog"
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
 )
 
 // MagicPrefix is prepended to all encrypted values in the database.
@@ -48,10 +44,6 @@ import (
 // encrypted value.
 const MagicPrefix = "dbcrypt-"
 
-// MagicPrefixLength is the length of the entire prefix used to identify
-// encrypted values.
-const MagicPrefixLength = len(MagicPrefix) + 8
-
 // sentinelValue is the value that is stored in the database to indicate
 // whether encryption is enabled. If not enabled, the value either not
 // present, or is the raw string "coder".
@@ -79,31 +71,14 @@ func (*DecryptFailedError) Unwrap() error {
 	return sql.ErrNoRows
 }
 
-func IsDecryptFailedError(err error) bool {
-	var e *DecryptFailedError
-	return errors.As(err, &e)
-}
-
-type Options struct {
-	// PrimaryCipher is an optional cipher that is used
-	// to encrypt/decrypt user link and git auth link tokens. If this is nil,
-	// then no encryption/decryption will be performed.
-	PrimaryCipher *atomic.Pointer[Cipher]
-	// SecondaryCipher is an optional cipher that is only used
-	// to decrypt user link and git auth link tokens.
-	// This should only be used when rotating the primary cipher.
-	SecondaryCipher *atomic.Pointer[Cipher]
-	Logger          slog.Logger
-}
-
 // New creates a database.Store wrapper that encrypts/decrypts values
 // stored at rest in the database.
-func New(ctx context.Context, db database.Store, options *Options) (database.Store, error) {
-	if options.PrimaryCipher.Load() == nil {
-		return nil, xerrors.Errorf("at least one cipher is required")
+func New(ctx context.Context, db database.Store, cs *Ciphers) (database.Store, error) {
+	if cs == nil {
+		return nil, xerrors.Errorf("no ciphers configured")
 	}
 	dbc := &dbCrypt{
-		Options: options,
+		ciphers: cs,
 		Store:   db,
 	}
 	if err := ensureEncrypted(dbauthz.AsSystemRestricted(ctx), dbc); err != nil {
@@ -113,14 +88,14 @@ func New(ctx context.Context, db database.Store, options *Options) (database.Sto
 }
 
 type dbCrypt struct {
-	*Options
+	ciphers *Ciphers
 	database.Store
 }
 
 func (db *dbCrypt) InTx(function func(database.Store) error, txOpts *sql.TxOptions) error {
 	return db.Store.InTx(func(s database.Store) error {
 		return function(&dbCrypt{
-			Options: db.Options,
+			ciphers: db.ciphers,
 			Store:   s,
 		})
 	}, txOpts)
@@ -225,83 +200,52 @@ func (db *dbCrypt) SetDBCryptSentinelValue(ctx context.Context, value string) er
 }
 
 func (db *dbCrypt) encryptFields(fields ...*string) error {
-	// Encryption ALWAYS happens with the primary cipher.
-	cipherPtr := db.PrimaryCipher.Load()
 	// If no cipher is loaded, then we can't encrypt anything!
-	if cipherPtr == nil {
+	if db.ciphers == nil {
 		return ErrNotEnabled
 	}
-	cipher := *cipherPtr
+
 	for _, field := range fields {
 		if field == nil {
 			continue
 		}
 
-		encrypted, err := cipher.Encrypt([]byte(*field))
+		encrypted, err := db.ciphers.Encrypt([]byte(*field))
 		if err != nil {
 			return err
 		}
 		// Base64 is used to support UTF-8 encoding in PostgreSQL.
-		*field = MagicPrefix + cipher.HexDigest()[:7] + "-" + b64encode(encrypted)
+		*field = MagicPrefix + b64encode(encrypted)
 	}
 	return nil
 }
 
 // decryptFields decrypts the given fields in place.
 // If the value fails to decrypt, sql.ErrNoRows will be returned.
 func (db *dbCrypt) decryptFields(fields ...*string) error {
-	var merr *multierror.Error
-
-	// We try to decrypt with both the primary and secondary cipher.
-	primaryCipherPtr := db.PrimaryCipher.Load()
-	if err := decryptWithCipher(primaryCipherPtr, fields...); err == nil {
-		return nil
-	} else {
-		merr = multierror.Append(merr, err)
-	}
-	secondaryCipherPtr := db.SecondaryCipher.Load()
-	if err := decryptWithCipher(secondaryCipherPtr, fields...); err == nil {
-		return nil
-	} else {
-		merr = multierror.Append(merr, err)
-	}
-	return merr
-}
-
-func decryptWithCipher(cipherPtr *Cipher, fields ...*string) error {
-	// If no cipher is loaded, then we can't decrypt anything!
-	if cipherPtr == nil {
+	if db.ciphers == nil {
 		return ErrNotEnabled
 	}
 
-	cipher := *cipherPtr
 	for _, field := range fields {
 		if field == nil {
 			continue
 		}
 
-		if len(*field) < 16 || !strings.HasPrefix(*field, MagicPrefix) {
+		if len(*field) < 8 || !strings.HasPrefix(*field, MagicPrefix) {
 			// We do not force decryption of unencrypted rows. This could be damaging
 			// to the deployment, and admins can always manually purge data.
 			continue
 		}
 
-		// The first 7 characters of the digest are used to identify the cipher.
-		// If the cipher changes, we should complain loudly.
-		encPrefix := cipher.HexDigest()[:7]
-		if !strings.HasPrefix((*field)[8:15], encPrefix) {
-			return &DecryptFailedError{
-				Inner: xerrors.Errorf("cipher mismatch: expected %q, got %q", encPrefix, (*field)[8:15]),
-			}
-		}
-		data, err := b64decode((*field)[16:])
+		data, err := b64decode((*field)[8:])
 		if err != nil {
 			// If it's not base64 with the prefix, we should complain loudly.
 			return &DecryptFailedError{
 				Inner: xerrors.Errorf("malformed encrypted field %q: %w", *field, err),
 			}
 		}
-		decrypted, err := cipher.Decrypt(data)
+		decrypted, err := db.ciphers.Decrypt(data)
 		if err != nil {
 			// If the encryption key changed, return our special error that unwraps to sql.ErrNoRows.
 			return &DecryptFailedError{Inner: err}
diff --git a/enterprise/dbcrypt/dbcrypt_test.go b/enterprise/dbcrypt/dbcrypt_test.go

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ type Cipher interface {`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`// CipherAES256 returns a new AES-256 cipher.`
`21`		`-func CipherAES256(key []byte) (Cipher, error) {`
	`21`	`+func CipherAES256(key []byte) (*AES256, error) {`
`22`	`22`	`if len(key) != 32 {`
`23`	`23`	`return nil, xerrors.Errorf("key must be 32 bytes")`
`24`	`24`	`}`
`@@ -31,16 +31,16 @@ func CipherAES256(key []byte) (Cipher, error) {`
`31`	`31`	`return nil, err`
`32`	`32`	`}`
`33`	`33`	`digest := fmt.Sprintf("%x", sha256.Sum256(key))[:7]`
`34`		`- return &aes256{aead: aead, digest: digest}, nil`
	`34`	`+ return &AES256{aead: aead, digest: digest}, nil`
`35`	`35`	`}`
`36`	`36`
`37`		`-type aes256 struct {`
	`37`	`+type AES256 struct {`
`38`	`38`	`aead cipher.AEAD`
`39`	`39`	`// digest is the first 7 bytes of the hex-encoded SHA-256 digest of aead.`
`40`	`40`	`digest string`
`41`	`41`	`}`
`42`	`42`
`43`		`-func (a *aes256) Encrypt(plaintext []byte) ([]byte, error) {`
	`43`	`+func (a *AES256) Encrypt(plaintext []byte) ([]byte, error) {`
`44`	`44`	`nonce := make([]byte, a.aead.NonceSize())`
`45`	`45`	`_, err := io.ReadFull(rand.Reader, nonce)`
`46`	`46`	`if err != nil {`
`@@ -49,7 +49,7 @@ func (a *aes256) Encrypt(plaintext []byte) ([]byte, error) {`
`49`	`49`	`return a.aead.Seal(nonce, nonce, plaintext, nil), nil`
`50`	`50`	`}`
`51`	`51`
`52`		`-func (a *aes256) Decrypt(ciphertext []byte) ([]byte, error) {`
	`52`	`+func (a *AES256) Decrypt(ciphertext []byte) ([]byte, error) {`
`53`	`53`	`if len(ciphertext) < a.aead.NonceSize() {`
`54`	`54`	`return nil, xerrors.Errorf("ciphertext too short")`
`55`	`55`	`}`
`@@ -60,7 +60,7 @@ func (a *aes256) Decrypt(ciphertext []byte) ([]byte, error) {`
`60`	`60`	`return decrypted, nil`
`61`	`61`	`}`
`62`	`62`
`63`		`-func (a *aes256) HexDigest() string {`
	`63`	`+func (a *AES256) HexDigest() string {`
`64`	`64`	`return a.digest`
`65`	`65`	`}`
`66`	`66`
`@@ -70,19 +70,22 @@ type Ciphers struct {`
`70`	`70`	`m map[string]Cipher`
`71`	`71`	`}`
`72`	`72`
`73`		`-// CiphersAES256 returns a new Ciphers instance with the given ciphers.`
	`73`	`+// NewCiphers returns a new Ciphers instance with the given ciphers.`
`74`	`74`	`// The first cipher in the list is the primary cipher. Any ciphers after the`
`75`	`75`	`// first are considered secondary ciphers and are only used for decryption.`
`76`		`-func CiphersAES256(cs ...Cipher) Ciphers {`
	`76`	`+func NewCiphers(cs ...Cipher) *Ciphers {`
`77`	`77`	`var primary string`
`78`	`78`	`m := make(map[string]Cipher)`
`79`	`79`	`for idx, c := range cs {`
	`80`	`+ if _, ok := c.(*Ciphers); ok {`
	`81`	`+ panic("developer error: do not nest Ciphers")`
	`82`	`+ }`
`80`	`83`	`m[c.HexDigest()] = c`
`81`	`84`	`if idx == 0 {`
`82`	`85`	`primary = c.HexDigest()`
`83`	`86`	`}`
`84`	`87`	`}`
`85`		`- return Ciphers{primary: primary, m: m}`
	`88`	`+ return &Ciphers{primary: primary, m: m}`
`86`	`89`	`}`
`87`	`90`
`88`	`91`	`// Encrypt encrypts the given plaintext using the primary cipher and returns the`
`@@ -112,3 +115,8 @@ func (cs Ciphers) Decrypt(ciphertext []byte) ([]byte, error) {`
`112`	`115`	`}`
`113`	`116`	`return c.Decrypt(ciphertext[8:])`
`114`	`117`	`}`
	`118`	`+`
	`119`	`+// HexDigest returns the digest of the primary cipher.`
	`120`	`+func (cs Ciphers) HexDigest() string {`
	`121`	`+ return cs.primary`
	`122`	`+}`