WIP

Author: netf

pkg/delegatedkeys/delegated_keys.go

@@ -158,3 +158,53 @@ func GenerateDataKey(keyURI string) (*TinkDelegatedKey, []byte, error) {
 
 	return delegatedKey, wrappedKeyset, nil
 }
+
+func GenerateSigningKey(keyURI string) (*TinkDelegatedKey, []byte, []byte, error) {
+	kh, err := keyset.NewHandle(signature.ECDSAP256KeyTemplate())
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to generate new keyset handle: %v", err)
+	}
+
+	// Extract the public key
+	publicKeysetHandle, err := kh.Public()
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to extract public key: %v", err)
+	}
+
+	var publicKeyBytes bytes.Buffer
+	publicKeyWriter := keyset.NewBinaryWriter(&publicKeyBytes)
+	if err := publicKeysetHandle.WriteWithNoSecrets(publicKeyWriter); err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to serialize public key: %v", err)
+	}
+
+	delegatedKey := NewTinkDelegatedKey(kh, keyURI)
+	wrappedKeyset, err := delegatedKey.WrapKeyset()
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to wrap keyset: %v", err)
+	}
+
+	return delegatedKey, wrappedKeyset, publicKeyBytes.Bytes(), nil
+}
+
+func VerifySignature(publicKeyBytes, sig, data []byte) (bool, error) {
+	// Load the public key into a keyset.Handle
+	publicKeyReader := keyset.NewBinaryReader(bytes.NewReader(publicKeyBytes))
+	publicKeyHandle, err := keyset.ReadWithNoSecrets(publicKeyReader)
+	if err != nil {
+		return false, fmt.Errorf("failed to load public key: %v", err)
+	}
+
+	// Get a Verifier instance from the public key handle
+	verifier, err := signature.NewVerifier(publicKeyHandle)
+	if err != nil {
+		return false, fmt.Errorf("failed to get verifier: %v", err)
+	}
+
+	// Verify the signature
+	err = verifier.Verify(sig, data)
+	if err != nil {
+		return false, nil
+	}
+
+	return true, nil
+}

pkg/materials/materials.go

@@ -1,6 +1,8 @@
 package materials
 
-import "github.com/cloudopsy/dynamodb-encryption-go/pkg/delegatedkeys"
+import (
+	"github.com/cloudopsy/dynamodb-encryption-go/pkg/delegatedkeys"
+)
 
 // CryptographicMaterials defines a common interface for cryptographic materials.
 type CryptographicMaterials interface {

pkg/provider/kms.go

@@ -28,36 +28,35 @@ func NewAwsKmsCryptographicMaterialsProvider(keyID string, encryptionContext map
 	}, nil
 }
 
-// GenerateDataKey generates a new data key using AWS KMS and wraps the Tink keyset.
-func (p *AwsKmsCryptographicMaterialsProvider) GenerateDataKey() (*delegatedkeys.TinkDelegatedKey, []byte, error) {
+// EncryptionMaterials retrieves and stores encryption materials for the given encryption context.
+func (p *AwsKmsCryptographicMaterialsProvider) EncryptionMaterials(ctx context.Context, materialName string) (materials.CryptographicMaterials, error) {
+	// Generate a new Tink keyset and wrap it
 	delegatedKey, wrappedKeyset, err := delegatedkeys.GenerateDataKey(p.KeyID)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to generate data key: %v", err)
+		return nil, fmt.Errorf("failed to generate and wrap data key: %v", err)
 	}
 
-	return delegatedKey, wrappedKeyset, nil
-}
-
-// DecryptDataKey unwraps the Tink keyset using AWS KMS.
-func (p *AwsKmsCryptographicMaterialsProvider) DecryptDataKey(encryptedKeyset []byte) (*delegatedkeys.TinkDelegatedKey, error) {
-	return delegatedkeys.UnwrapKeyset(encryptedKeyset, p.KeyID)
-}
-
-// EncryptionMaterials retrieves and stores encryption materials for the given encryption context.
-func (p *AwsKmsCryptographicMaterialsProvider) EncryptionMaterials(ctx context.Context, materialName string) (materials.CryptographicMaterials, error) {
-	// Generate a new Tink keyset and wrap it
-	delegatedKey, wrappedKeyset, err := p.GenerateDataKey()
+	// Assume GenerateSigningKey is modified to return public key as well
+	delegatedSigningKey, _, publicKeyBytes, err := delegatedkeys.GenerateSigningKey(p.KeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate and wrap data key: %v", err)
 	}
 
+	// Sign the wrappedKeyset
+	signature, err := delegatedSigningKey.Sign(wrappedKeyset)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign wrappedKeyset: %v", err)
+	}
+
 	// Prepare the material description with encryption context and wrapped keyset
 	materialDescription := make(map[string]string)
 	for key, value := range p.EncryptionContext {
 		materialDescription[key] = value
 	}
 	materialDescription["ContentEncryptionAlgorithm"] = delegatedKey.Algorithm()
 	materialDescription["WrappedKeyset"] = base64.StdEncoding.EncodeToString(wrappedKeyset)
+	materialDescription["Signature"] = base64.StdEncoding.EncodeToString(signature)
+	materialDescription["PublicKey"] = base64.StdEncoding.EncodeToString(publicKeyBytes)
 
 	// Create encryption materials with the material description and the encryption key
 	encryptionMaterials := materials.NewEncryptionMaterials(materialDescription, delegatedKey, nil)
@@ -81,7 +80,25 @@ func (p *AwsKmsCryptographicMaterialsProvider) DecryptionMaterials(ctx context.C
 		return nil, fmt.Errorf("failed to decode encrypted keyset: %v", err)
 	}
 
-	delegatedKey, err := p.DecryptDataKey(encryptedKeyset)
+	publicKeyBase64 := materialDescMap["PublicKey"]
+	publicKeyBytes, err := base64.StdEncoding.DecodeString(publicKeyBase64)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode public key: %v", err)
+	}
+
+	signatureBase64 := materialDescMap["Signature"]
+	signatureBytes, err := base64.StdEncoding.DecodeString(signatureBase64)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode signature: %v", err)
+	}
+
+	// Verify the wrapped keyset's signature
+	valid, err := delegatedkeys.VerifySignature(publicKeyBytes, signatureBytes, encryptedKeyset)
+	if err != nil || !valid {
+		return nil, fmt.Errorf("failed to verify the wrapped keyset's signature: %v", err)
+	}
+
+	delegatedKey, err := delegatedkeys.UnwrapKeyset(encryptedKeyset, p.KeyID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt and unwrap data key: %v", err)
 	}