Implement auth tag verification

Author: joseph-neeraj

.gitignore

@@ -0,0 +1,3 @@
+# IDEs
+.idea
+.vscode

jwe/jwe_config.go

@@ -15,6 +15,7 @@ type JWEConfig struct {
 	encryptionPaths          map[string]string
 	decryptionPaths          map[string]string
 	encryptionKeyFingerprint string
+	enableHmacVerification 	 bool
 }
 
 func (config *JWEConfig) GetDecryptionKey() *rsa.PrivateKey {

jwe/jwe_config_builder.go

@@ -17,6 +17,7 @@ type JWEConfigBuilder struct {
 	encryptionPaths          map[string]string
 	decryptionPaths          map[string]string
 	encryptionKeyFingerprint string
+	enableHmacVerification   bool
 }
 
 func NewJWEConfigBuilder() *JWEConfigBuilder {
@@ -74,6 +75,11 @@ func (cb *JWEConfigBuilder) WithEncryptedValueFieldName(encryptedValueFieldName
 	return cb
 }
 
+func (cb *JWEConfigBuilder) WithHmacVerificationEnabled(enableHmacVerification bool) *JWEConfigBuilder {
+	cb.enableHmacVerification = enableHmacVerification
+	return cb
+}
+
 func (cb *JWEConfigBuilder) computeKeyFingerprint() {
 	derEncoded, err := x509.MarshalPKIXPublicKey(cb.encryptionKey)
 	if err != nil {
@@ -100,5 +106,6 @@ func (cb *JWEConfigBuilder) Build() *JWEConfig {
 		encryptionPaths:          cb.encryptionPaths,
 		decryptionPaths:          cb.decryptionPaths,
 		encryptionKeyFingerprint: cb.encryptionKeyFingerprint,
+		enableHmacVerification:   cb.enableHmacVerification,
 	}
 }

jwe/jwe_object.go

@@ -2,10 +2,14 @@ package jwe
 
 import (
 	"crypto"
+	"crypto/hmac"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/binary"
 	"errors"
+	"fmt"
 	"strings"
 
 	"github.com/mastercard/client-encryption-go/aes_encryption"
@@ -15,7 +19,7 @@ import (
 const (
 	A128CBC_HS256 = "A128CBC-HS256"
 	A256GCM       = "A256GCM"
-	A128GCM	      = "A128GCM"
+	A128GCM       = "A128GCM"
 	A192GCM       = "A192GCM"
 )
 
@@ -84,6 +88,11 @@ func (jweObject JWEObject) Decrypt(config JWEConfig) (string, error) {
 		}
 		return string(plainText), nil
 	case A128CBC_HS256:
+		if config.enableHmacVerification {
+			if err := verifyAuthTagCbc(cek, nonce, cipherText, authTag, aad); err != nil {
+				return "", err
+			}
+		}
 		plainText, err := aes_encryption.AesCbcDecrypt(cipherText, cek[16:], nonce, authTag)
 		if err != nil {
 			return "", err
@@ -95,6 +104,31 @@ func (jweObject JWEObject) Decrypt(config JWEConfig) (string, error) {
 	}
 }
 
+func verifyAuthTagCbc(cek, nonce, cipherText, authTag, aad []byte) error {
+	macKeyLen := len(cek) / 2
+	if macKeyLen == 0 {
+		return errors.New("invalid cek length for auth tag verification")
+	}
+	macKey := cek[:macKeyLen]
+
+	al := make([]byte, 8)
+	binary.BigEndian.PutUint64(al, uint64(len(aad)*8))
+
+	mac := hmac.New(sha256.New, macKey)
+	mac.Write(aad)
+	mac.Write(nonce)
+	mac.Write(cipherText)
+	mac.Write(al)
+	expected := mac.Sum(nil)
+
+	expectedAuthTag := expected[:len(authTag)]
+	if subtle.ConstantTimeCompare(authTag, expectedAuthTag) != 1 {
+		return errors.New("invalid authentication tag")
+	}
+
+	return nil
+}
+
 func (jweObject JWEObject) Serialize() string {
 	return strings.Join([]string{jweObject.Aad, jweObject.EncryptedKey, jweObject.Iv, jweObject.CipherText, jweObject.AuthTag}, ".")
 }

jwe/jwe_object_test.go

@@ -1,6 +1,7 @@
 package jwe_test
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/mastercard/client-encryption-go/jwe"
@@ -12,7 +13,7 @@ const (
 	encryptedPayload256Gcm = "eyJraWQiOiI3NjFiMDAzYzFlYWRlM2E1NDkwZTUwMDBkMzc4ODdiYWE1ZTZlYzBlMjI2YzA3NzA2ZTU5OTQ1MWZjMDMyYTc5IiwiY3R5IjoiYXBwbGljYXRpb25cL2pzb24iLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.8c6vxeZOUBS8A9SXYUSrRnfl1ht9xxciB7TAEv84etZhQQ2civQKso-htpa2DWFBSUm-UYlxb6XtXNXZxuWu-A0WXjwi1K5ZAACc8KUoYnqPldEtC9Q2bhbQgc_qZF_GxeKrOZfuXc9oi45xfVysF_db4RZ6VkLvY2YpPeDGEMX_nLEjzqKaDz_2m0Ae_nknr0p_Nu0m5UJgMzZGR4Sk1DJWa9x-WJLEyo4w_nRDThOjHJshOHaOU6qR5rdEAZr_dwqnTHrjX9Qm9N9gflPGMaJNVa4mvpsjz6LJzjaW3nJ2yCoirbaeJyCrful6cCiwMWMaDMuiBDPKa2ovVTy0Sw.w0Nkjxl0T9HHNu4R.suRZaYu6Ui05Z3-vsw.akknMr3Dl4L0VVTGPUszcA"
 	encryptedPayload128Gcm = "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.WtvYljbsjdEv-Ttxx1p6PgyIrOsLpj1FMF9NQNhJUAHlKchAo5QImgEgIdgJE7HC2KfpNcHiQVqKKZq_y201FVzpicDkNzlPJr5kIH4Lq-oC5iP0agWeou9yK5vIxFRP__F_B8HSuojBJ3gDYT_KdYffUIHkm_UysNj4PW2RIRlafJ6RKYanVzk74EoKZRG7MIr3pTU6LIkeQUW41qYG8hz6DbGBOh79Nkmq7Oceg0ZwCn1_MruerP-b15SGFkuvOshStT5JJp7OOq82gNAOkMl4fylEj2-vADjP7VSK8GlqrA7u9Tn-a4Q28oy0GOKr1Z-HJgn_CElknwkUTYsWbg.PKl6_kvZ4_4MjmjW.AH6pGFkn7J49hBQcwg.zdyD73TcuveImOy4CRnVpw"
 	encryptedPayload192Gcm = "eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.FWC8PVaZoR2TRKwKO4syhSJReezVIvtkxU_yKh4qODNvlVr8t8ttvySJ-AjM8xdI6vNyIg9jBMWASG4cE49jT9FYuQ72fP4R-Td4vX8wpB8GonQj40yLqZyfRLDrMgPR20RcQDW2ThzLXsgI55B5l5fpwQ9Nhmx8irGifrFWOcJ_k1dUSBdlsHsYxkjRKMENu5x4H6h12gGZ21aZSPtwAj9msMYnKLdiUbdGmGG_P8a6gPzc9ih20McxZk8fHzXKujjukr_1p5OO4o1N4d3qa-YI8Sns2fPtf7xPHnwi1wipmCC6ThFLU80r3173RXcpyZkF8Y3UacOS9y1f8eUfVQ.JRE7kZLN4Im1Rtdb.eW_lJ-U330n0QHqZnQ._r5xYVvMCrvICwLz4chjdw"
-	encryptedPayloadCbc = "eyJraWQiOiI3NjFiMDAzYzFlYWRlM2E1NDkwZTUwMDBkMzc4ODdiYWE1ZTZlYzBlMjI2YzA3NzA2ZTU5OTQ1MWZjMDMyYTc5IiwiY3R5IjoiYXBwbGljYXRpb25cL2pzb24iLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.5bsamlChk0HR3Nqg2UPJ2Fw4Y0MvC2pwWzNv84jYGkOXyqp1iwQSgETGaplIa7JyLg1ZWOqwNHEx3N7gsN4nzwAnVgz0eta6SsoQUE9YQ-5jek0COslUkoqIQjlQYJnYur7pqttDibj87fcw13G2agle5fL99j1QgFPjNPYqH88DMv481XGFa8O3VfJhW93m73KD2gvE5GasOPOkFK9wjKXc9lMGSgSArp3Awbc_oS2Cho_SbsvuEQwkhnQc2JKT3IaSWu8yK7edNGwD6OZJLhMJzWJlY30dUt2Eqe1r6kMT0IDRl7jHJnVIr2Qpe56CyeZ9V0aC5RH1mI5dYk4kHg.yI0CS3NdBrz9CCW2jwBSDw.6zr2pOSmAGdlJG0gbH53Eg.UFgf3-P9UjgMocEu7QA_vQ"
+	encryptedPayloadCbc    = "eyJraWQiOiI3NjFiMDAzYzFlYWRlM2E1NDkwZTUwMDBkMzc4ODdiYWE1ZTZlYzBlMjI2YzA3NzA2ZTU5OTQ1MWZjMDMyYTc5IiwiY3R5IjoiYXBwbGljYXRpb25cL2pzb24iLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.5bsamlChk0HR3Nqg2UPJ2Fw4Y0MvC2pwWzNv84jYGkOXyqp1iwQSgETGaplIa7JyLg1ZWOqwNHEx3N7gsN4nzwAnVgz0eta6SsoQUE9YQ-5jek0COslUkoqIQjlQYJnYur7pqttDibj87fcw13G2agle5fL99j1QgFPjNPYqH88DMv481XGFa8O3VfJhW93m73KD2gvE5GasOPOkFK9wjKXc9lMGSgSArp3Awbc_oS2Cho_SbsvuEQwkhnQc2JKT3IaSWu8yK7edNGwD6OZJLhMJzWJlY30dUt2Eqe1r6kMT0IDRl7jHJnVIr2Qpe56CyeZ9V0aC5RH1mI5dYk4kHg.yI0CS3NdBrz9CCW2jwBSDw.6zr2pOSmAGdlJG0gbH53Eg.UFgf3-P9UjgMocEu7QA_vQ"
 )
 
 func TestJWEObject(t *testing.T) {
@@ -132,3 +133,28 @@ func TestDecrypt_ShouldReturnDecryptedPayload_WhenPayloadIsCbcEncrypted(t *testi
 	assert.Nil(t, err)
 	assert.Equal(t, "bar", decryptedPayload)
 }
+
+func TestDecrypt_ShouldReturnError_WhenAuthTagIsInvalid(t *testing.T) {
+	jweObject, err := jwe.ParseJWEObject(encryptedPayloadCbc)
+	assert.Nil(t, err)
+
+	// Tamper with the auth tag while keeping it base64url valid
+	jweObject.AuthTag = strings.Repeat("A", len(jweObject.AuthTag))
+
+	decryptionKeyPath := "../testdata/keys/pkcs8/test_key_pkcs8-2048.der"
+	certificatePath := "../testdata/certificates/test_certificate-2048.der"
+
+	decryptionKey, err := utils.LoadUnencryptedDecryptionKey(decryptionKeyPath)
+	assert.Nil(t, err)
+	certificate, err := utils.LoadEncryptionCertificate(certificatePath)
+	assert.Nil(t, err)
+
+	cb := jwe.NewJWEConfigBuilder()
+	jweConfig := cb.WithDecryptionKey(decryptionKey).
+		WithCertificate(certificate).
+		Build()
+
+	decryptedPayload, err := jweObject.Decrypt(*jweConfig)
+	assert.Empty(t, decryptedPayload)
+	assert.NotNil(t, err)
+}