[feat] Add binary encoding option (#170)

Author: jplock

Cargo.lock

@@ -51,7 +51,7 @@
 ENV_TABLE_NAME = "TABLE_NAME"
 ENV_VAULT_URL = "VAULT_URL"
 DEFAULT_VERSION = "v0"
-DEFAULT_ENCODING = enums.EncodingVersion.HEX
+DEFAULT_ENCODING = enums.EncodingVersion.BINARY
 KEY_SEPARATOR = "##"
 PACK_SEPARATOR = "#"
 MAX_TRANSACTION_WRITE_SIZE = 100

api/src/app/constants.py

@@ -20,6 +20,7 @@
 """
 
 import abc
+from warnings import deprecated
 
 from app import models, constants
 
@@ -28,10 +29,16 @@
 
 class BaseEncoder(abc.ABC):
     @abc.abstractmethod
-    def encode(self, data: models.EncryptedData) -> str:
+    def encode(self, data: models.EncryptedData) -> str | bytes:
         raise NotImplementedError
 
 
 class HexEncoder(BaseEncoder):
+    @deprecated("HexEncoder is deprecated, use BinaryEncoder instead")
     def encode(self, data: models.EncryptedData) -> str:
         return f"{data.encapped_key.hex()}{constants.PACK_SEPARATOR}{data.ciphertext.hex()}"
+
+
+class BinaryEncoder(BaseEncoder):
+    def encode(self, data: models.EncryptedData) -> bytes:
+        return data.encapped_key + data.ciphertext

api/src/app/encoders.py

@@ -69,7 +69,7 @@ def _encrypt_value(self, public_key: bytes, field: str, info: bytes, plaintext:
 
     def encrypt_values(
         self, public_key: bytes, plaintext_values: Dict[str, Any], vault_id: Optional[str] = None
-    ) -> Dict[str, str]:
+    ) -> Dict[str, str | bytes]:
         if not public_key:
             return plaintext_values
         if not plaintext_values:
@@ -78,9 +78,9 @@ def encrypt_values(
         pk: ec.EllipticCurvePublicKey = serialization.load_der_public_key(public_key)
 
         info = vault_id.encode()
-        encoder = encoders.HexEncoder()
+        encoder = encoders.BinaryEncoder()
 
-        encrypted_values: Dict[str, str] = {}
+        encrypted_values: Dict[str, str | bytes] = {}
 
         for field, value in plaintext_values.items():
             data = self._encrypt_value(

api/src/app/encryptors.py

@@ -24,3 +24,4 @@
 
 class EncodingVersion(IntEnum):
     HEX = 1  # hex(encap) + '#' + hex(ciphertext)
+    BINARY = 2  # encap + ciphertext

api/src/app/enums.py

@@ -46,7 +46,7 @@
 @router.post("/", summary="Create a vault")
 @tracer.capture_method(capture_response=False)
 def create_vault(
-    body: Annotated[models.CreateVaultRequest, Body(embed=False, example=constants.EXAMPLE_CREATE)]
+    body: Annotated[models.CreateVaultRequest, Body(embed=False, example=constants.EXAMPLE_CREATE)],
 ) -> Dict[str, Any]:
     txn: Optional[resources.TransactionWriter] = router.context.get("txn")
     if not txn:

api/src/app/routers/vaults.py

@@ -245,8 +245,10 @@ def decrypt_vault(
 
     payload_fields = {}
     for field in fields:
-        value: Optional[str] = item.get(field)
-        if value:
+        value: Optional[str | Binary] = item.get(field)
+        if isinstance(value, Binary):
+            payload_fields[field] = utils.b64_encode(value)
+        else:
             payload_fields[field] = value
 
     payload = {
@@ -257,7 +259,7 @@ def decrypt_vault(
         "encrypted_private_key": utils.b64_encode(encrypted_secret_key),
     }
     if encoding_version:
-        payload["encoding"] = encoding_version
+        payload["encoding"] = str(encoding_version)
     if expressions:
         payload["expressions"] = expressions
 
@@ -268,7 +270,7 @@ def decrypt_vault(
     try:
         r.raise_for_status()
     except HTTPError:
-        logger.exception("Invalid response received from vault", status_code=r.status_code)
+        logger.exception("Invalid response received from vault", status_code=r.status_code, body=r.text)
         raise exceptions.InternalServerError()
 
     data = r.json()

api/src/app/vault.py

@@ -10,3 +10,6 @@ pub const P256: &[u8; 10] = &[72, 80, 75, 69, 0, 16, 0, 1, 0, 2];
 pub const P384: &[u8; 10] = &[72, 80, 75, 69, 0, 17, 0, 2, 0, 2];
 // build_suite_id(0x0012u16, 0x0003u16, 0x0002u16) - DH_KEM_P521_HKDF_SHA512_AES_256
 pub const P521: &[u8; 10] = &[72, 80, 75, 69, 0, 18, 0, 3, 0, 2];
+
+pub const ENCODING_HEX: &str = "1";
+pub const ENCODING_BINARY: &str = "2";

enclave/src/constants.rs

@@ -1,27 +1,21 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: MIT-0
 
-use std::collections::BTreeMap;
-
-use anyhow::{Error, Result, anyhow};
+use anyhow::{Result, anyhow};
 use rustls::crypto::hpke::{EncapsulatedSecret, Hpke, HpkePrivateKey};
 use serde_json::Value;
 
-use crate::models::{EncryptedData, Suite};
+use crate::models::EncryptedData;
 
-fn decrypt_value(
+pub fn decrypt_value(
     suite: &dyn Hpke,
-    secret_key: &HpkePrivateKey,
+    private_key: &HpkePrivateKey,
     info: &[u8],
     field: &str,
-    hex_encrypted_value: &str,
+    encrypted_data: EncryptedData,
 ) -> Result<Value> {
     let aad = field.to_lowercase();
 
-    let encrypted_data: EncryptedData = hex_encrypted_value
-        .try_into()
-        .map_err(|err| anyhow!("[{}] unable to convert to encrypted_data: {:?}", aad, err))?;
-
     let enc = EncapsulatedSecret(encrypted_data.encapped_key);
 
     let plaintext_value = suite
@@ -30,7 +24,7 @@ fn decrypt_value(
             info,
             aad.as_bytes(),
             &encrypted_data.ciphertext,
-            secret_key,
+            private_key,
         )
         .map_err(|err| anyhow!("[{}] unable to decrypt data: {:?}", aad, err))?;
 
@@ -48,44 +42,15 @@ fn decrypt_value(
     Ok(value)
 }
 
-pub fn decrypt_values(
-    vault_id: &str,
-    suite: &Suite,
-    secret_key: &HpkePrivateKey,
-    fields: &BTreeMap<String, String>,
-) -> Result<(BTreeMap<String, Value>, Vec<Error>)> {
-    let suite = suite.get_suite()?;
-    let info = vault_id.as_bytes();
-
-    let mut errors: Vec<Error> = Vec::new();
-
-    let decrypted_fields: BTreeMap<String, Value> = {
-        let mut decrypted_fields = BTreeMap::new();
-
-        for (field, hex_encrypted_value) in fields {
-            let value = decrypt_value(suite, secret_key, info, field, hex_encrypted_value)
-                .unwrap_or_else(|error| {
-                    errors.push(error);
-                    Value::Null
-                });
-            decrypted_fields.insert(field.to_string(), value);
-        }
-
-        decrypted_fields
-    };
-
-    Ok((decrypted_fields, errors))
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::utils::base64_decode;
+    use crate::{models::Suite, utils::base64_decode};
     use aws_lc_rs::{encoding::AsBigEndian, signature::EcdsaKeyPair};
     use serde_json::json;
 
     #[test]
-    fn test_decrypt_values() {
+    fn test_decrypt_value() {
         let vault_id = "v_2hRK9u2DOzmAPMhdVNt9qlJ3UvL";
         let b64_suite_id: String = "SFBLRQARAAIAAg==".to_string();
         let suite: Suite = b64_suite_id.try_into().unwrap();
@@ -99,14 +64,18 @@ mod tests {
         let sk_ref = sk_bytes.as_ref();
         let secret_key: HpkePrivateKey = sk_ref.to_vec().into();
 
-        let fields = BTreeMap::from([
-            ("first_name".to_string(), "04cebfe3667db3305777774f14a7ed4f26ce90b2d68935a30f9b086dc915e6ede23e6dfdde7aaf34dc34cd964c76f94bc91ba99edb3707281862c990c54782eace8c687770d72d4c714d4edd239e010facfb7c3d5c168b14d9040194059529f5e6#80c10441ae55442775bc5d1b0b8465eaaaa33b".to_string()),
-        ]);
+        let hex_encrypted_value: String = "04cebfe3667db3305777774f14a7ed4f26ce90b2d68935a30f9b086dc915e6ede23e6dfdde7aaf34dc34cd964c76f94bc91ba99edb3707281862c990c54782eace8c687770d72d4c714d4edd239e010facfb7c3d5c168b14d9040194059529f5e6#80c10441ae55442775bc5d1b0b8465eaaaa33b".to_string();
+        let encrypted_data: EncryptedData =
+            EncryptedData::from_hex(hex_encrypted_value.as_str()).unwrap();
+
+        let suite = suite.get_suite().unwrap();
+        let info = vault_id.as_bytes();
+        let field = "first_name";
 
-        let expected = BTreeMap::from([("first_name".to_string(), json!("Bob"))]);
+        let expected = json!("Bob");
 
-        let actual = decrypt_values(vault_id, &suite, &secret_key, &fields).unwrap();
+        let actual = decrypt_value(suite, &secret_key, info, field, encrypted_data).unwrap();
 
-        assert_eq!(actual.0, expected);
+        assert_eq!(actual, expected);
     }
 }

enclave/src/hpke.rs

@@ -5,11 +5,11 @@ use std::process::Command;
 
 use anyhow::{Result, anyhow, bail};
 use aws_lc_rs::encoding::AsBigEndian;
-use aws_lc_rs::signature::EcdsaKeyPair;
+use aws_lc_rs::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm};
 use rustls::crypto::hpke::HpkePrivateKey;
 
 use crate::constants::PLAINTEXT_PREFIX;
-use crate::models::{Credential, EnclaveRequest, Suite};
+use crate::models::{Credential, EnclaveRequest};
 use crate::utils::base64_decode;
 
 fn call_kms_decrypt(credential: &Credential, ciphertext: &str, region: &str) -> Result<String> {
@@ -40,7 +40,10 @@ fn call_kms_decrypt(credential: &Credential, ciphertext: &str, region: &str) ->
     Ok(String::from_utf8_lossy(output.stdout.as_slice()).to_string())
 }
 
-pub fn get_secret_key(suite: &Suite, payload: &EnclaveRequest) -> Result<HpkePrivateKey> {
+pub fn get_secret_key(
+    alg: &'static EcdsaSigningAlgorithm,
+    payload: &EnclaveRequest,
+) -> Result<HpkePrivateKey> {
     let kms_result = call_kms_decrypt(
         &payload.credential,
         &payload.request.encrypted_private_key, // base64 encoded
@@ -54,8 +57,6 @@ pub fn get_secret_key(suite: &Suite, payload: &EnclaveRequest) -> Result<HpkePri
     // Base64 decode the secret key
     let plaintext_sk = base64_decode(b64_sk)?;
 
-    let alg = suite.get_signing_algorithm()?;
-
     // Decode the DER PKCS#8 secret key
     let sk = EcdsaKeyPair::from_private_key_der(alg, &plaintext_sk)
         .map_err(|err| anyhow!("unable to decode PKCS#8 private key: {:?}", err))?;