fix: WebCrypto API passes the tag with encrypted data.

seebees · seebees · commit e7fe8ab62856 · 2020-03-26T12:22:31.000-07:00
See: aws#237 Since the WebCrypto decrypt API expects the AES-GCM tag with the encrypted data, zero bytes of encrypted data is not zero bytes of data. fix: Add tests Add tests to specificly cover the Mixed Backend conditions and logic.
diff --git a/modules/material-management-browser/src/material_helpers.ts b/modules/material-management-browser/src/material_helpers.ts
@@ -175,10 +175,16 @@ export function getSubtleFunction<T extends WebCryptoMaterial<T>> (
           const { nonZeroByteSubtle, zeroByteSubtle } = backend
           const { nonZeroByteCryptoKey, zeroByteCryptoKey } = deriveKey
           const algorithm = { name: cipherName, iv, additionalData, tagLength }
-          if (data.byteLength) {
-            return nonZeroByteSubtle[subtleFunction](algorithm, nonZeroByteCryptoKey, data)
-          } else {
+          /* Precondition: The WebCrypto AES-GCM decrypt API expects the data *and* tag together.
+           * This means that on decrypt any amount of data less than tagLength is invalid.
+           * This also means that zero encrypted data will be equal to tagLength.
+           */
+          const dataByteLength = subtleFunction === 'decrypt' ? data.byteLength - tagLength / 8 : data.byteLength
+          needs(dataByteLength >= 0, 'Invalid data length.')
+          if (dataByteLength === 0) {
             return zeroByteSubtle[subtleFunction](algorithm, zeroByteCryptoKey, data)
+          } else {
+            return nonZeroByteSubtle[subtleFunction](algorithm, nonZeroByteCryptoKey, data)
           }
         }
         // This should be impossible
diff --git a/modules/material-management-browser/test/material_helpers.test.ts b/modules/material-management-browser/test/material_helpers.test.ts
@@ -36,7 +36,7 @@ import {
   SignatureKey,
   VerificationKey
 } from '@aws-crypto/material-management'
-import { synchronousRandomValues, getWebCryptoBackend, getZeroByteSubtle } from '@aws-crypto/web-crypto-backend'
+import { synchronousRandomValues, getWebCryptoBackend, getZeroByteSubtle, getNonZeroByteBackend } from '@aws-crypto/web-crypto-backend'
 
 chai.use(chaiAsPromised)
 const { expect } = chai
@@ -288,6 +288,93 @@ describe('getSubtleFunction', () => {
     expect(() => testIvAad(iv, aad)).to.throw()
   })
 
+  it('can encrypt/decrypt 0 bytes', async () => {
+    const suite = new WebCryptoAlgorithmSuite(AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16)
+    const material = new WebCryptoEncryptionMaterial(suite, {})
+    const udk = synchronousRandomValues(suite.keyLengthBytes)
+    const trace = { keyName: 'keyName', keyNamespace: 'keyNamespace', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY }
+    material.setUnencryptedDataKey(udk, trace)
+
+    const backend = await getWebCryptoBackend()
+    /* All of this _only_ matters in the case of a mixed backend.
+     * So I force the issue.
+     */
+    const mixedBackend = {
+      nonZeroByteSubtle: getZeroByteSubtle(backend),
+      zeroByteSubtle: getNonZeroByteBackend(backend),
+      randomValues: backend.randomValues
+    }
+
+    const cryptoKey = await importCryptoKey(mixedBackend, material, ['encrypt', 'decrypt'])
+    material.setCryptoKey(cryptoKey, trace)
+
+    const iv = new Uint8Array(suite.ivLength)
+    const aad = new Uint8Array(1)
+    const tagLengthBytes = suite.tagLength / 8
+
+    // Encrypt
+    const testEncryptInfo = getSubtleFunction(material, mixedBackend, 'encrypt')
+    const testEncryptIvAad = testEncryptInfo(new Uint8Array(1))
+    const testEncryptFunction = testEncryptIvAad(iv, aad)
+    const testEncryptedData = await testEncryptFunction(new Uint8Array(0))
+    // Because I encrypted 0 bytes, the data should _only_ be tagLength
+    expect(testEncryptedData.byteLength).to.equal(tagLengthBytes)
+
+    // Decrypt
+    const testDecryptInfo = getSubtleFunction(material, mixedBackend, 'decrypt')
+    const testDecryptIvAad = testDecryptInfo(new Uint8Array(1))
+    const testDecryptFunction = testDecryptIvAad(iv, aad)
+    const testDecryptedData = await testDecryptFunction(new Uint8Array(testEncryptedData))
+
+    // Because I encrypted 0 bytes, the data should be 0 length
+    expect(testDecryptedData.byteLength).to.equal(0)
+  })
+
+  it('Precondition: The WebCrypto AES-GCM decrypt API expects the data *and* tag together.', async () => {
+    const suite = new WebCryptoAlgorithmSuite(AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16)
+    const material = new WebCryptoEncryptionMaterial(suite, {})
+    const udk = synchronousRandomValues(suite.keyLengthBytes)
+    const trace = { keyName: 'keyName', keyNamespace: 'keyNamespace', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY }
+    material.setUnencryptedDataKey(udk, trace)
+
+    const backend = await getWebCryptoBackend()
+    /* All of this _only_ matters in the case of a mixed backend.
+     * So I force the issue.
+     */
+    const mixedBackend = {
+      nonZeroByteSubtle: getZeroByteSubtle(backend),
+      zeroByteSubtle: getNonZeroByteBackend(backend),
+      randomValues: backend.randomValues
+    }
+
+    const cryptoKey = await importCryptoKey(mixedBackend, material, ['encrypt', 'decrypt'])
+    material.setCryptoKey(cryptoKey, trace)
+
+    const iv = new Uint8Array(suite.ivLength)
+    const aad = new Uint8Array(1)
+    const tagLengthBytes = suite.tagLength / 8
+
+    // Encrypt
+    const testEncryptInfo = getSubtleFunction(material, mixedBackend, 'encrypt')
+    const testEncryptIvAad = testEncryptInfo(new Uint8Array(1))
+    const testEncryptFunction = testEncryptIvAad(iv, aad)
+    const testEncryptedData = await testEncryptFunction(new Uint8Array(0))
+
+    // Because I encrypted 0 bytes, the data should _only_ be tagLength
+    expect(testEncryptedData.byteLength).to.equal(tagLengthBytes)
+
+    // Decrypt
+    const testDecryptInfo = getSubtleFunction(material, mixedBackend, 'decrypt')
+    const testDecryptIvAad = testDecryptInfo(new Uint8Array(1))
+    const testDecryptFunction = testDecryptIvAad(iv, aad)
+
+    for (let i = 0; tagLengthBytes > i; i++) {
+      console.log(i)
+      await expect(testDecryptFunction(new Uint8Array(testEncryptedData.slice(0, i))))
+        .to.eventually.rejectedWith(Error, 'Invalid data length.')
+    }
+  })
+
   it('no kdf, simple backend, can encrypt/decrypt', async () => {
     const suite = new WebCryptoAlgorithmSuite(AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16)
     const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {})
