WIP

Author: netf

pkg/delegatedkeys/delegated_keys.go

@@ -4,11 +4,13 @@ import (
 	"bytes"
 	"fmt"
 	"strings"
+	"sync"
 
 	"github.com/tink-crypto/tink-go-awskms/integration/awskms"
 	"github.com/tink-crypto/tink-go/v2/aead"
 	"github.com/tink-crypto/tink-go/v2/keyset"
 	"github.com/tink-crypto/tink-go/v2/signature"
+	"github.com/tink-crypto/tink-go/v2/tink"
 )
 
 // DelegatedKey is an interface for keys that support encryption, decryption, signing,
@@ -29,16 +31,17 @@ type DelegatedKey interface {
 	// Sign signs the given data using the algorithm specified by the key.
 	Sign(data []byte) (signature []byte, err error)
 
-	// Verify verifies the given signature for the data using the algorithm specified by the key.
-	Verify(signature []byte, data []byte) (valid bool, err error)
-
 	// WrapKeyset wraps the keyset using the algorithm specified by the key.
 	WrapKeyset() (wrappedKeyset []byte, err error)
 }
 
 type TinkDelegatedKey struct {
-	keysetHandle *keyset.Handle
-	kekUri       string
+	keysetHandle    *keyset.Handle
+	kekUri          string
+	aeadPrimitive   tink.AEAD
+	signerPrimitive tink.Signer
+	aeadOnce        sync.Once
+	signerOnce      sync.Once
 }
 
 func NewTinkDelegatedKey(kh *keyset.Handle, kekUri string) *TinkDelegatedKey {
@@ -55,22 +58,38 @@ func (dk *TinkDelegatedKey) Algorithm() string {
 	return "Unknown"
 }
 
+// getAEADPrimitive lazily initializes the AEAD primitive.
+func (dk *TinkDelegatedKey) getAEADPrimitive() (tink.AEAD, error) {
+	var err error
+	dk.aeadOnce.Do(func() {
+		dk.aeadPrimitive, err = aead.New(dk.keysetHandle)
+	})
+	return dk.aeadPrimitive, err
+}
+
+// getSignerPrimitive lazily initializes the Signer primitive.
+func (dk *TinkDelegatedKey) getSignerPrimitive() (tink.Signer, error) {
+	var err error
+	dk.signerOnce.Do(func() {
+		dk.signerPrimitive, err = signature.NewSigner(dk.keysetHandle)
+	})
+	return dk.signerPrimitive, err
+}
+
 func (dk *TinkDelegatedKey) AllowedForRawMaterials() bool {
 	return true
 }
 
 func (dk *TinkDelegatedKey) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) {
-	// TODO: Support AEAD and DAEAD primitives
-	a, err := aead.New(dk.keysetHandle)
+	a, err := dk.getAEADPrimitive()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get AEAD primitive: %v", err)
 	}
 	return a.Encrypt(plaintext, associatedData)
 }
 
 func (dk *TinkDelegatedKey) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
-	// TODO: Support AEAD and DAEAD primitives
-	a, err := aead.New(dk.keysetHandle)
+	a, err := dk.getAEADPrimitive()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get AEAD primitive: %v", err)
 	}
@@ -79,7 +98,7 @@ func (dk *TinkDelegatedKey) Decrypt(ciphertext []byte, associatedData []byte) ([
 
 // Sign signs the given data using the keyset's primary key.
 func (dk *TinkDelegatedKey) Sign(data []byte) ([]byte, error) {
-	signer, err := signature.NewSigner(dk.keysetHandle)
+	signer, err := dk.getSignerPrimitive()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create signer: %v", err)
 	}
@@ -90,19 +109,6 @@ func (dk *TinkDelegatedKey) Sign(data []byte) ([]byte, error) {
 	return signature, nil
 }
 
-// Verify verifies the given signature for the data using the keyset's primary key.
-func (dk *TinkDelegatedKey) Verify(sign []byte, data []byte) (bool, error) {
-	verifier, err := signature.NewVerifier(dk.keysetHandle)
-	if err != nil {
-		return false, fmt.Errorf("failed to create verifier: %v", err)
-	}
-	err = verifier.Verify(sign, data)
-	if err != nil {
-		return false, fmt.Errorf("failed to verify signature: %v", err)
-	}
-	return true, nil
-}
-
 // WrapKeyset wraps the Tink keyset with the KEK.
 func (dk *TinkDelegatedKey) WrapKeyset() ([]byte, error) {
 	client, err := awskms.NewClientWithOptions(dk.kekUri)

pkg/encrypted/action.go

@@ -162,10 +162,12 @@ func TestEncryptedClient_PutItem(t *testing.T) {
 		nil,
 	), nil)
 
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
 
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	item := map[string]types.AttributeValue{
 		"PK":         &types.AttributeValueMemberS{Value: "123"},
@@ -189,10 +191,12 @@ func TestEncryptedClient_PutItem(t *testing.T) {
 func TestEncryptedClient_PutItem_Failure(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
 
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock the DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -235,10 +239,12 @@ func TestEncryptedClient_PutItem_Failure(t *testing.T) {
 func TestEncryptedClient_GetItem_Success(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
 
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -264,7 +270,6 @@ func TestEncryptedClient_GetItem_Success(t *testing.T) {
 	mockCMProvider.On("DecryptionMaterials", mock.Anything, mock.Anything, mock.Anything).Return(materials.NewDecryptionMaterials(
 		map[string]string{"mock": "data"},
 		&MockDelegatedKey{},
-		nil,
 	), nil)
 
 	// Test GetItem
@@ -286,9 +291,12 @@ func TestEncryptedClient_GetItem_Success(t *testing.T) {
 func TestEncryptedClient_Query(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -320,7 +328,6 @@ func TestEncryptedClient_Query(t *testing.T) {
 	mockCMProvider.On("DecryptionMaterials", mock.Anything, mock.Anything, mock.Anything).Return(materials.NewDecryptionMaterials(
 		map[string]string{"mock": "data"},
 		&MockDelegatedKey{},
-		nil,
 	), nil)
 
 	// Test Query
@@ -342,9 +349,12 @@ func TestEncryptedClient_Query(t *testing.T) {
 func TestEncryptedClient_Scan(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -376,7 +386,6 @@ func TestEncryptedClient_Scan(t *testing.T) {
 	mockCMProvider.On("DecryptionMaterials", mock.Anything, mock.Anything, mock.Anything).Return(materials.NewDecryptionMaterials(
 		map[string]string{"mock": "data"},
 		&MockDelegatedKey{},
-		nil,
 	), nil)
 
 	// Test Scan
@@ -394,9 +403,12 @@ func TestEncryptedClient_Scan(t *testing.T) {
 func TestEncryptedClient_BatchGetItem(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -430,7 +442,6 @@ func TestEncryptedClient_BatchGetItem(t *testing.T) {
 	mockCMProvider.On("DecryptionMaterials", mock.Anything, mock.Anything, mock.Anything).Return(materials.NewDecryptionMaterials(
 		map[string]string{"mock": "data"},
 		&MockDelegatedKey{},
-		nil,
 	), nil)
 
 	// Test BatchGetItem
@@ -461,9 +472,12 @@ func TestEncryptedClient_BatchGetItem(t *testing.T) {
 func TestEncryptedClient_BatchWriteItem(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -520,9 +534,12 @@ func TestEncryptedClient_BatchWriteItem(t *testing.T) {
 func TestEncryptedClient_DeleteItem(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	attributeActions := NewAttributeActions(AttributeActionDoNothing)
-	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
+	clientConfig := NewClientConfig(
+		WithDefaultEncryption(EncryptNone),
+		WithEncryption("SensitiveAttribute", EncryptStandard),
+	)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, clientConfig)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{

pkg/encrypted/client_test.go

@@ -8,15 +8,15 @@ import (
 type EncryptedResource struct {
 	Client            *EncryptedClient
 	MaterialsProvider provider.CryptographicMaterialsProvider
-	AttributeActions  *AttributeActions
+	ClientConfig      *ClientConfig
 }
 
 // NewEncryptedResource creates a new instance of EncryptedResource.
-func NewEncryptedResource(client *EncryptedClient, materialsProvider provider.CryptographicMaterialsProvider, attributeActions *AttributeActions) *EncryptedResource {
+func NewEncryptedResource(client *EncryptedClient, materialsProvider provider.CryptographicMaterialsProvider, clientConfig *ClientConfig) *EncryptedResource {
 	return &EncryptedResource{
 		Client:            client,
 		MaterialsProvider: materialsProvider,
-		AttributeActions:  attributeActions,
+		ClientConfig:      clientConfig,
 	}
 }
 

pkg/encrypted/resource.go

@@ -10,7 +10,6 @@ type CryptographicMaterials interface {
 	EncryptionKey() delegatedkeys.DelegatedKey
 	DecryptionKey() delegatedkeys.DelegatedKey
 	SigningKey() delegatedkeys.DelegatedKey
-	VerificationKey() delegatedkeys.DelegatedKey
 }
 
 // EncryptionMaterials defines the structure for encryption materials.
@@ -54,14 +53,12 @@ func (em *EncryptionMaterials) VerificationKey() delegatedkeys.DelegatedKey {
 type DecryptionMaterials struct {
 	materialDescription map[string]string
 	decryptionKey       delegatedkeys.DelegatedKey
-	verificationKey     delegatedkeys.DelegatedKey
 }
 
-func NewDecryptionMaterials(description map[string]string, decryptionKey, verificationKey delegatedkeys.DelegatedKey) CryptographicMaterials {
+func NewDecryptionMaterials(description map[string]string, decryptionKey delegatedkeys.DelegatedKey) CryptographicMaterials {
 	return &DecryptionMaterials{
 		materialDescription: description,
 		decryptionKey:       decryptionKey,
-		verificationKey:     verificationKey,
 	}
 }
 
@@ -82,7 +79,3 @@ func (dm *DecryptionMaterials) DecryptionKey() delegatedkeys.DelegatedKey {
 func (dm *DecryptionMaterials) SigningKey() delegatedkeys.DelegatedKey {
 	panic("Decryption materials do not provide signing keys.")
 }
-
-func (dm *DecryptionMaterials) VerificationKey() delegatedkeys.DelegatedKey {
-	return dm.verificationKey
-}

pkg/materials/materials.go

@@ -92,7 +92,6 @@ func (p *AwsKmsCryptographicMaterialsProvider) DecryptionMaterials(ctx context.C
 		return nil, fmt.Errorf("failed to decode signature: %v", err)
 	}
 
-	// Verify the wrapped keyset's signature
 	valid, err := delegatedkeys.VerifySignature(publicKeyBytes, signatureBytes, encryptedKeyset)
 	if err != nil || !valid {
 		return nil, fmt.Errorf("failed to verify the wrapped keyset's signature: %v", err)
@@ -104,7 +103,7 @@ func (p *AwsKmsCryptographicMaterialsProvider) DecryptionMaterials(ctx context.C
 	}
 
 	// Construct DecryptionMaterials with the actual delegatedKey
-	return materials.NewDecryptionMaterials(materialDescMap, delegatedKey, nil), nil
+	return materials.NewDecryptionMaterials(materialDescMap, delegatedKey), nil
 }
 
 func (p *AwsKmsCryptographicMaterialsProvider) TableName() string {