Raw rsa keyring decrypt

[ttjsu-aws]

Issue #, if available:

Description of changes:

This PR contains the implementation of RSA keyring. The PR also contains a full working implementation of the decrypt_data_key method and it contains a bunch of tests corresponding to the decryption of EDKs and some malformed test cases. It also contains test vectors for the three supported algorithms: RSA with PKCS1 Padding, RSA with OAEP/SHA-1/MGF1 Padding, RSA with OAEP/SHA-256/MGF1 Padding for the 128, 192, and 256 bit AES data keys. The test vectors used in this PR were generated by the Python SDK with a KeySize of 4096. The generate_data_key and encrypt_data_key methods for this keyring will be sent in another PR shortly.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[tautschnig]

In case this project becomes open-source with the full commit history maintained, commits really need to be tidy.

[tautschnig]

In absence of any comments: why those, where is the list coming from, and may it need to be expanded at some future date?

[ttjsu-aws]

This is obtained from here Asymmetric Wrapping Algorithms discussion .

[tautschnig]

We will need some public-facing documentation for this. (And I do note that you removed NO_PADDING in a later commit.)

[tautschnig]

Do we need to worry about timing sidechannels here? The paths are certainly not balanced.

[ttjsu-aws]

Good question, let me talk to my team and get back to you.

[david-koenig]

In addition to all of the specific comments I've given, I've noticed that you mixed into this a naming change of the enums for the hash function of the HKDF stuff. That is a good change that should be made, but there's no reason to do it within this PR. You should make a separate PR for that, which we should be able to push out quickly.

[david-koenig]

Based on our discussions, I think that this argument is supposed to point to the contents of a PEM file of the private key. I would rename the variable to something that indicates this better, such as private_key_pem. Also, does it make sense to hold the PEM internally as a const struct aws_string, similarly to how we are doing for the other items? You can access the raw bytes of the string at any time with aws_string_bytes(private_key_pem) and the length with private_key_pem->len in order to work with the OpenSSL interface, but that way you will only have one pointer to pass between your functions.

[ttjsu-aws]

We could make it a const struct aws_string, it would be a minor change.

[david-koenig]

Am I understanding correctly that everything else will succeed but this function will fail if you use the wrong private key for decryption? Have you tested this? Is this a case where the function fails without generating an OpenSSL error code? If so, have you verified this?

[ttjsu-aws]

Yes this function fails if we have the wrong private key for decryption. This function return 1 for success and 0 or a negative value (-2 indicates the operation is not supported) for failure in the decryption process. I shall add additional test cases to cover all the possible cases here.

[david-koenig]

Firstly, answer the questions below about the error cases and error codes to make sure you are doing the right thing.

If you are doing the right thing, there is no need to make this a bool. Instead you can do int err_code = AWS_CRYPTOSDK_ERR_CRYPTO_UNKNOWN;. And in the case that you need to change this, you can just reassign err_code = AWS_CRYPTOSDK_ERR_BAD_CIPHERTEXT;. Then in your exit code at the bottom of the function, you don't need a conditional and can just do return aws_raise_error(err_code);. Note that there is nothing wrong with calling flush_openssl_errors(); when OpenSSL has not generated any errors.

[david-koenig]

If there is no other cleanup needed at your success label, then you don't need the goto here. Just return AWS_OP_SUCCESS;

[david-koenig]

Currently all of the algorithm suites we use for the Encryption SDK use AES algorithms for the encryption of the plaintext. Therefore, our data keys are always 128/192/256 bit AES data keys. However, it is possible that we could add other algorithm suites in the future that use something other than AES for the plaintext encryption. Therefore, we have no guarantees that all of our data keys will take this form.

The keyring should be agnostic to this. It doesn't care what the length of the data key is, and the fact that the data key is an AES data key is irrelevant. Its job is simply to encrypt whatever data key is provided to it, of whatever length. Therefore, you should not indicate that it is a 128/192/256 bit AES data key here.

[ttjsu-aws]

I shall go ahead and replace 128/192/256 bit AES data key to unencrypted data key in the comments.

[david-koenig]

So the reason the AES-GCM decryption function had this kind of behavior was that data could be dumped into the plain buffer partway through, even on an unsuccessful decryption. So we needed to scrub the data out of the buffer when this did not succeed. Is that the case with this decryption algorithm?

[ttjsu-aws]

I zeroed out the plain buffer to be on a safer side so that we can be sure of no random secret bytes leaking through the plain buffer in the case of errors. Isn't it recommended to zero out the plain->buffer in case of errors anyway?

[david-koenig]

What I am asking is: Are there any bytes being output to the plain buffer when you hit an error condition?

[ttjsu-aws]

I just verified that there isn't any bytes being outputted to the plain buffer when I hit an error condition. I don't think we need to set the plain buffer to all zero bytes.

[david-koenig]

I thought that was likely the case. The reason that it was an issue in the other functions was particular to the way AES-GCM encryption works, as well as the OpenSSL interface to it.

[david-koenig]

You're probably going to want to separate this switch statement into its own function, as I think you'll need to reuse it for the encryption function. If you want, you can wait on that change for the encryption PR.

[ttjsu-aws]

I've done exactly this, will be putting it up with the PR for encrypt.

[david-koenig]

Use aws_string_new_from_c_str instead

[ttjsu-aws]

The reason I didn't use aws_string_new_from_c_str is because the parameters to it is const char *c_str and the rsa_key_pem string is unsigned of type const uint8_t*. The way the aws_string_new_from_c_str API works is it takes in const char *c_str and then makes a call to aws_string_new_from_array under the hood , this loop is what I wanted to avoid.

That being said, it would be useful to have an API called aws_string_from_array similar to the way the aws_byte_buf_from_array works. I shall put in a request to aws-c-commons library for this API.

[david-koenig]

You have it backwards. You should be using char * for the input argument for something where you are expecting a null terminated C-string as the input type. Once you use the aws_string_new_from_c_str function, it will switch to using the unsigned 8 bit integer data type for its internal array.

[david-koenig]

I thought I already commented on this before. Did my comment get lost? There's no point in making a goto which just jumps to a return statement. You can just put a return statement here.

[ttjsu-aws]

The reason I retained the goto success is that, if not for this I would have to add return AWS_OP_SUCCESS on line 62 and line 68 (end of the function after the clean up). Note: If none of the EDKs worked, we clean up unencrypted data key buffer and return success as per materials.h.

[david-koenig]

It is okay to have more than one return statement in the function.

If you have more than one line of cleanup code that needs to be run in either case, then it is okay to jump to the label.

If you are jumping to the label just to execute a return statement, the goto statement is an extra cycle that is unnecessary. It saves you no lines of code, and forces the programmer reading this to jump to a different place in the code to see what is happening.

[david-koenig]

This should be strlen(raw_rsa_keyring_tv_master_key_id) and strlen(raw_rsa_keyring_tv_provider_id). The way you did it, the null byte is part of the contents of the string, which is not what you want.

[david-koenig]

Sorry, accidentally clicked approve before. Undoing that.

[bdonlan]

What should the capacity of 'plain' be? What happens if the encrypted plaintext is larger than the normal key size of the algorithm suite in use?

[bdonlan]

If we are using this as a C string, use const char *.

[david-koenig]

Exactly what @bdonlan said here. Once you make this change you won't get the compiler complaint about using aws_string_new_from_c_str that you talked about in the other file.

[bdonlan]

Verify that outlen <= plain->capacity

[david-koenig]

Also, outlen is an unsigned integer, so it is always non-negative. The test you wrote is equivalent to outlen == 0. From the machine's point of view, there's nothing wrong with writing it either way, but I want to make sure you understand that. Writing the test with == might help avoid creating misunderstandings from other programmers in the future.

[bdonlan]

You can pass &plain->len directly here

[bdonlan]

Can we merge the cleanup between the success and error paths?

[bdonlan]

Add some malformed test vectors:

• Data key too small
• Data key too large
• Bad padding

[bdonlan]

it's a little bit cleaner to use rsa_private_key_pem->len for the length (not a blocker)

[bdonlan]

Add a comment describing how this key is "wrong".

[bdonlan]

Do not approximate this. EVP_PKEY_decrypt gives you the precise size bound on the output when called with a NULL output buffer.

[ttjsu-aws]

Yes, which is what is done in line 592 here : https://github.com/ttjsu-aws/aws-encryption-sdk-c/blob/raw_rsa_kr/source/cipher.c#L592. Ideally, the max capactiy of the dec_mat->unencrypted_data_key should be equal to the RSA Keysize and from my discusison with Greg, I understand that there is no harm in taking 2/3 rd of the RSA key in PEM format as the size in our case. If we want to set the capacity to the return value from EVP_Decrypt we will have to refrain from initializing the dec_mat->unencrypted_data_key buffer in raw_rsa_keyring.c and move the initialization into to cipher.c which may be the best thing to do in this case. Is moving the init to cipher.c okay?

[bdonlan]

I would suggest allocating it in aws_cryptosdk_rsa_decrypt once you know the required size.

If you do go with an approximation approach, the correct ratio for base64 to unencoded sizes is 6/8 (or 3/4), not 2/3.

[david-koenig]

I'm okay with doing an approximation so that we don't have to allocate the buffer inside the loop. Note that this was @SalusaSecondus's suggestion.

[david-koenig]

When you cut and paste code from the other tests like this, you should probably be looking to refactor the common functionality out into files in tests/lib. This will reduce duplication and make all of the tests easier to read. I'm not blocking on this for now. We can make it a later sprint task to go back and refactor these tests.

[david-koenig]

I created #99 to remind us to address this later.

[ttjsu-aws]

Sure, you can assign this to me. I'll make it a priority to take this task at a later stage once I have my encrypt and generate function in.