Misc improvements

Author: connorwstein

keystore/encryptor.go

@@ -21,8 +21,9 @@ import (
 
 // Opaque error messages to prevent information leakage
 var (
-	ErrEncryptionFailed = fmt.Errorf("encryption operation failed")
-	ErrDecryptionFailed = fmt.Errorf("decryption operation failed")
+	ErrSharedSecretFailed = fmt.Errorf("shared secret derivation failed")
+	ErrEncryptionFailed   = fmt.Errorf("encryption operation failed")
+	ErrDecryptionFailed   = fmt.Errorf("decryption operation failed")
 )
 
 type EncryptRequest struct {
@@ -103,6 +104,7 @@ func (k *keystore) Encrypt(ctx context.Context, req EncryptRequest) (EncryptResp
 	if len(req.Data) == 0 || len(req.Data) > MaxEncryptionPayloadSize {
 		return EncryptResponse{}, ErrEncryptionFailed
 	}
+
 	key, ok := k.keystore[req.KeyName]
 	if !ok {
 		return EncryptResponse{}, ErrEncryptionFailed
@@ -135,7 +137,7 @@ func (k *keystore) Encrypt(ctx context.Context, req EncryptRequest) (EncryptResp
 		if err != nil {
 			return EncryptResponse{}, ErrEncryptionFailed
 		}
-		// The magic here is the the receipient can compute the same
+		// The magic here is that the receipient can compute the same
 		// shared secret because ephPriv*G*recipientPriv = ephPub*G.
 		// This lets them derive the same ephemeral key used for encryption
 		// so they can decrypt the ciphertext.
@@ -289,17 +291,17 @@ func (k *keystore) DeriveSharedSecret(ctx context.Context, req DeriveSharedSecre
 
 	key, ok := k.keystore[req.LocalKeyName]
 	if !ok {
-		return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+		return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 	}
 
 	switch key.keyType {
 	case X25519:
 		if len(req.RemotePubKey) != 32 {
-			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+			return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 		}
 		sharedSecret, err := curve25519.X25519(internal.Bytes(key.privateKey), req.RemotePubKey)
 		if err != nil {
-			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+			return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 		}
 		return DeriveSharedSecretResponse{
 			SharedSecret: sharedSecret,
@@ -308,23 +310,23 @@ func (k *keystore) DeriveSharedSecret(ctx context.Context, req DeriveSharedSecre
 		curve := ecdh.P256()
 		priv, err := curve.NewPrivateKey(internal.Bytes(key.privateKey))
 		if err != nil {
-			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+			return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 		}
 		// P-256 uncompressed public keys are 65 bytes (0x04 || x || y)
 		if len(req.RemotePubKey) != 65 {
-			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+			return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 		}
 		remotePub, err := curve.NewPublicKey(req.RemotePubKey)
 		if err != nil {
-			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+			return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 		}
 		shared, err := priv.ECDH(remotePub)
 		if err != nil {
-			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+			return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 		}
 		return DeriveSharedSecretResponse{SharedSecret: shared}, nil
 	default:
-		return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+		return DeriveSharedSecretResponse{}, ErrSharedSecretFailed
 	}
 }
 

keystore/encryptor_test.go

@@ -45,11 +45,48 @@ func TestEncryptDecrypt(t *testing.T) {
 		}{keyType: keys.Keys[1].KeyInfo.KeyType, publicKey: keys.Keys[1].KeyInfo.PublicKey}
 	}
 
-	var tt []struct {
-		name          string
-		fromKey       string
-		toKey         string
-		expectedError error
+	type testCase struct {
+		name                 string
+		encryptKey           string
+		remotePubKey         []byte
+		decryptKey           string
+		payload              []byte
+		expectedEncryptError error
+		expectedDecryptError error
+	}
+
+	var tt = []testCase{
+		{
+			name:                 "Non-existent encrypt key",
+			encryptKey:           "blah",
+			remotePubKey:         testKeysByType[keyName(keystore.X25519, 0)].publicKey,
+			decryptKey:           keyName(keystore.X25519, 0),
+			payload:              []byte("hello world"),
+			expectedEncryptError: keystore.ErrEncryptionFailed,
+		},
+		{
+			name:                 "Non-existent decrypt key",
+			encryptKey:           keyName(keystore.X25519, 0),
+			remotePubKey:         testKeysByType[keyName(keystore.X25519, 0)].publicKey,
+			decryptKey:           "blah",
+			payload:              []byte("hello world"),
+			expectedDecryptError: keystore.ErrDecryptionFailed,
+		},
+		{
+			name:         "Max payload",
+			encryptKey:   keyName(keystore.X25519, 0),
+			remotePubKey: testKeysByType[keyName(keystore.X25519, 0)].publicKey,
+			decryptKey:   keyName(keystore.X25519, 0),
+			payload:      make([]byte, keystore.MaxEncryptionPayloadSize),
+		},
+		{
+			name:                 "Payload too large",
+			encryptKey:           keyName(keystore.X25519, 0),
+			remotePubKey:         testKeysByType[keyName(keystore.X25519, 0)].publicKey,
+			decryptKey:           keyName(keystore.X25519, 0),
+			payload:              make([]byte, keystore.MaxEncryptionPayloadSize+1),
+			expectedEncryptError: keystore.ErrEncryptionFailed,
+		},
 	}
 
 	for _, fromType := range keystore.AllKeyTypes {
@@ -60,48 +97,51 @@ func TestEncryptDecrypt(t *testing.T) {
 				fromKey := keyName(fromType, 0) // Always use key 0 as source
 				toKey := keyName(toType, keyIndex)
 
-				var expectedError error
+				var expectedEncryptError error
 				if fromType == toType && fromType.IsEncryptionKeyType() {
 					// Same key types should succeed
-					expectedError = nil
+					expectedEncryptError = nil
 				} else {
 					// Different key types or non-encryption key types should fail
-					expectedError = keystore.ErrEncryptionFailed
+					expectedEncryptError = keystore.ErrEncryptionFailed
 				}
 
-				tt = append(tt, struct {
-					name          string
-					fromKey       string
-					toKey         string
-					expectedError error
-				}{
-					name:          testName,
-					fromKey:       fromKey,
-					toKey:         toKey,
-					expectedError: expectedError,
+				tt = append(tt, testCase{
+					name:                 testName,
+					encryptKey:           fromKey,
+					remotePubKey:         testKeysByType[toKey].publicKey,
+					decryptKey:           toKey,
+					expectedEncryptError: expectedEncryptError,
+					payload:              []byte("hello world"),
 				})
 			}
 		}
 	}
+
 	for _, tt := range tt {
 		t.Run(tt.name, func(t *testing.T) {
 			encryptResp, err := ks.Encrypt(ctx, keystore.EncryptRequest{
-				KeyName:      tt.fromKey,
-				RemotePubKey: testKeysByType[tt.toKey].publicKey,
-				Data:         []byte("hello world"),
+				KeyName:      tt.encryptKey,
+				RemotePubKey: tt.remotePubKey,
+				Data:         tt.payload,
 			})
-			if tt.expectedError != nil {
+			if tt.expectedEncryptError != nil {
 				require.Error(t, err)
-				require.True(t, errors.Is(err, tt.expectedError))
+				require.True(t, errors.Is(err, tt.expectedEncryptError))
 				return
 			}
 			require.NoError(t, err)
 			decryptResp, err := ks.Decrypt(ctx, keystore.DecryptRequest{
-				KeyName:       tt.toKey,
+				KeyName:       tt.decryptKey,
 				EncryptedData: encryptResp.EncryptedData,
 			})
+			if tt.expectedDecryptError != nil {
+				require.Error(t, err)
+				require.True(t, errors.Is(err, tt.expectedDecryptError))
+				return
+			}
 			require.NoError(t, err)
-			require.Equal(t, []byte("hello world"), decryptResp.Data)
+			require.Equal(t, tt.payload, decryptResp.Data)
 		})
 	}
 }
@@ -132,58 +172,6 @@ func TestEncryptDecrypt_SharedSecret(t *testing.T) {
 	}
 }
 
-func TestEncryptDecrypt_PayloadSizeLimit(t *testing.T) {
-	ctx := context.Background()
-	ks, err := keystore.LoadKeystore(ctx, storage.NewMemoryStorage(), keystore.EncryptionParams{
-		Password:     "test-password",
-		ScryptParams: keystore.FastScryptParams,
-	})
-	require.NoError(t, err)
-
-	for _, keyType := range keystore.AllEncryptionKeyTypes {
-		t.Run(fmt.Sprintf("keyType_%s", keyType), func(t *testing.T) {
-			keyName := fmt.Sprintf("test-key-%s", keyType)
-			keys, err := ks.CreateKeys(ctx, keystore.CreateKeysRequest{
-				Keys: []keystore.CreateKeyRequest{
-					{KeyName: keyName, KeyType: keyType},
-				},
-			})
-			require.NoError(t, err)
-			// Test encrypting at the limit
-			maxPayload := make([]byte, keystore.MaxEncryptionPayloadSize)
-			maxEncryptResp, err := ks.Encrypt(ctx, keystore.EncryptRequest{
-				KeyName:      keyName,
-				RemotePubKey: keys.Keys[0].KeyInfo.PublicKey,
-				Data:         maxPayload,
-			})
-			require.NoError(t, err)
-
-			// Test decrypting at max (confirm overhead sufficient)
-			maxDecryptResp, err := ks.Decrypt(ctx, keystore.DecryptRequest{
-				KeyName:       keyName,
-				EncryptedData: maxEncryptResp.EncryptedData,
-			})
-			require.NoError(t, err)
-			require.Equal(t, len(maxDecryptResp.Data), len(maxPayload))
-
-			// Test encrypting above the limit
-			_, err = ks.Encrypt(ctx, keystore.EncryptRequest{
-				KeyName:      keyName,
-				RemotePubKey: keys.Keys[0].KeyInfo.PublicKey,
-				Data:         make([]byte, keystore.MaxEncryptionPayloadSize+1),
-			})
-			require.Error(t, err)
-
-			// Test decrypting above the limit
-			_, err = ks.Decrypt(ctx, keystore.DecryptRequest{
-				KeyName:       keyName,
-				EncryptedData: make([]byte, keystore.MaxEncryptionPayloadSize+1025),
-			})
-			require.Error(t, err)
-		})
-	}
-}
-
 func FuzzEncryptDecryptRoundtrip(f *testing.F) {
 	// Add seed corpus with various input sizes and patterns
 	seedCorpus := [][]byte{