pg-core 0.5.9

PostGuard core library for communication and bytestream operations.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624

//! Streaming mode.

use alloc::string::ToString;

use crate::artifacts::{PublicKey, SigningKeyExt, UserSecretKey, VerifyingKey};
use crate::client::*;
use crate::error::Error;
use crate::identity::{EncryptionPolicy, Policy};
use ibe::kem::cgw_kv::CGWKV;
use ibs::gg::{Identity, Signature, Signer, Verifier, SIG_BYTES};

use aead::stream::{DecryptorBE32, EncryptorBE32};
use aead::KeyInit;
use aes_gcm::Aes128Gcm;
use alloc::vec::Vec;
use futures::io::{AsyncRead, AsyncWrite};
use futures::io::{AsyncReadExt, AsyncWriteExt};
use futures::TryFutureExt;
use rand::{CryptoRng, RngCore};

/// Configures an [`Sealer`] to process a payload stream.
#[derive(Debug)]
pub struct SealerStreamConfig {
    /// Segment size.
    segment_size: u32,
    /// AEAD key.
    key: [u8; KEY_SIZE],
    /// AEAD nonce.
    nonce: [u8; STREAM_NONCE_SIZE],
}

/// Configures an [`Unsealer`] to process a payload stream.
#[derive(Debug)]
pub struct UnsealerStreamConfig {
    segment_size: u32,
}

impl SealerConfig for SealerStreamConfig {}
impl UnsealerConfig for UnsealerStreamConfig {}
impl crate::client::sealed::SealerConfig for SealerStreamConfig {}
impl crate::client::sealed::UnsealerConfig for UnsealerStreamConfig {}

impl<'r, Rng: RngCore + CryptoRng> Sealer<'r, Rng, SealerStreamConfig> {
    /// Construct a new [`Sealer`] that can process streaming payloads.
    pub fn new(
        pk: &PublicKey<CGWKV>,
        policies: &EncryptionPolicy,
        pub_sign_key: &SigningKeyExt,
        rng: &'r mut Rng,
    ) -> Result<Self, Error> {
        let (header, ss) = Header::new(pk, policies, rng)?;

        let (segment_size, _) = stream_mode_checked(&header)?;
        let Algorithm::Aes128Gcm(iv) = header.algo;

        let mut key = [0u8; KEY_SIZE];
        let mut nonce = [0u8; STREAM_NONCE_SIZE];

        key.copy_from_slice(&ss.0[..KEY_SIZE]);
        nonce.copy_from_slice(&iv.0[..STREAM_NONCE_SIZE]);

        Ok(Sealer {
            rng,
            header,
            pub_sign_key: pub_sign_key.clone(),
            priv_sign_key: None,
            config: SealerStreamConfig {
                segment_size,
                key,
                nonce,
            },
        })
    }

    /// Optional: Add a size hint.
    ///
    /// This can help the receiver save some reallocations.
    pub fn with_size_hint(mut self, size_hint: (u64, Option<u64>)) -> Self {
        self.header.mode = Mode::Streaming {
            segment_size: self.config.segment_size,
            size_hint,
        };

        self
    }

    /// Seals payload data from an [`AsyncRead`] into an [`AsyncWrite`].
    pub async fn seal<R, W>(self, mut r: R, mut w: W) -> Result<(), Error>
    where
        R: AsyncRead + Unpin,
        W: AsyncWrite + Unpin,
    {
        w.write_all(&PRELUDE).await?;
        w.write_all(&VERSION_V3.to_be_bytes()).await?;

        let header_vec = bincode::serialize(&self.header)?;
        w.write_all(&u32::try_from(header_vec.len())?.to_be_bytes())
            .await?;
        w.write_all(&header_vec).await?;

        let mut signer = Signer::default().chain(&header_vec);
        let header_sig = signer.clone().sign(&self.pub_sign_key.key.0, self.rng);
        let header_sig_ext = SignatureExt {
            sig: header_sig,
            pol: self.pub_sign_key.policy.clone(),
        };
        let header_sig_bytes = bincode::serialize(&header_sig_ext)?;

        w.write_all(&u32::try_from(header_sig_bytes.len())?.to_be_bytes())
            .await?;
        w.write_all(&header_sig_bytes).await?;

        let aead = Aes128Gcm::new_from_slice(&self.config.key)?;
        let mut enc = EncryptorBE32::from_aead(aead, &self.config.nonce.into());

        // Check for a private signing key, otherwise fall back to the public one.
        let signing_key = self.priv_sign_key.unwrap_or(self.pub_sign_key);

        let pol_bytes = bincode::serialize(&signing_key.policy)?;
        let pol_len = pol_bytes.len();

        if pol_len + POL_SIZE_SIZE > self.config.segment_size as usize {
            return Err(Error::ConstraintViolation);
        }

        let mut buf = vec![0; self.config.segment_size as usize + TAG_SIZE];

        buf[..POL_SIZE_SIZE].copy_from_slice(&u32::try_from(pol_len)?.to_be_bytes());
        buf[POL_SIZE_SIZE..POL_SIZE_SIZE + pol_len].copy_from_slice(&pol_bytes);

        let mut buf_tail = POL_SIZE_SIZE + pol_len;
        let mut start = buf_tail;

        // First segment: DEM.K (pol_len || pol || m_0 || sig_0 )
        // Other segments: DEM.K (m_i || sig_0)

        let mut counter: u32 = 0;

        loop {
            let read = r
                .read(&mut buf[buf_tail..self.config.segment_size as usize])
                .await?;
            buf_tail += read;

            if buf_tail == self.config.segment_size as usize {
                buf.truncate(buf_tail);

                signer.update(&buf[start..]);
                let sig = signer
                    .clone()
                    .chain(&counter.to_be_bytes())
                    .chain(&[0x00])
                    .sign(&signing_key.key.0, self.rng);
                bincode::serialize_into(&mut buf, &sig)?;

                enc.encrypt_next_in_place(b"", &mut buf)?;

                w.write_all(&buf).await?;

                buf_tail = 0;
                start = 0;
                counter = counter.checked_add(1).unwrap(); // cannot fail, otherwise
                                                           // encrypt_next_in_place would have
                                                           // failed too.                                                // encrypt_next_in_place not failing
            } else if read == 0 {
                buf.truncate(buf_tail);

                signer.update(&buf[start..]);
                let sig_final = signer
                    .chain(&counter.to_be_bytes())
                    .chain(&[0x01])
                    .sign(&signing_key.key.0, self.rng);
                bincode::serialize_into(&mut buf, &sig_final)?;

                enc.encrypt_last_in_place(b"", &mut buf)?;

                w.write_all(&buf).await?;
                break;
            }
        }

        w.flush().await?;
        w.close().await?;

        Ok(())
    }
}

impl<R> Unsealer<R, UnsealerStreamConfig>
where
    R: AsyncRead + Unpin,
{
    /// Create a new [`Unsealer`] that starts reading from an [`AsyncRead`].
    ///
    /// Errors if the bytestream is not a legitimate PostGuard bytestream.
    pub async fn new(mut r: R, pk: &VerifyingKey) -> Result<Self, Error> {
        let mut preamble = [0u8; PREAMBLE_SIZE];
        r.read_exact(&mut preamble)
            .map_err(|_e| Error::NotPostGuard)
            .await?;

        let (version, header_len) = preamble_checked(&preamble)?;
        let mut header_raw = Vec::with_capacity(header_len);

        // Limit reader to not read past header
        let mut r = r.take(header_len as u64);

        r.read_to_end(&mut header_raw)
            .map_err(|_e| Error::ConstraintViolation)
            .await?;

        let mut r = r.into_inner();

        let mut header_sig_len_bytes = [0u8; SIG_SIZE_SIZE];
        r.read_exact(&mut header_sig_len_bytes)
            .map_err(|_e| Error::FormatViolation("no header signature length".to_string()))
            .await?;
        let header_sig_len = u32::from_be_bytes(header_sig_len_bytes);

        let mut header_sig_raw = Vec::with_capacity(header_sig_len as usize);
        let mut r = r.take(header_sig_len as u64);

        r.read_to_end(&mut header_sig_raw).await?;

        let h_sig_ext: SignatureExt = bincode::deserialize(&header_sig_raw)?;

        let verifier = Verifier::default().chain(&header_raw);
        let pub_id = h_sig_ext.pol.derive_ibs()?;

        if !verifier.clone().verify(&pk.0, &h_sig_ext.sig, &pub_id) {
            return Err(Error::IncorrectSignature);
        }

        let header: Header = bincode::deserialize(&header_raw)?;
        let (segment_size, _) = stream_mode_checked(&header)?;

        Ok(Unsealer {
            version,
            header,
            pub_id: h_sig_ext.pol,
            config: UnsealerStreamConfig { segment_size },
            r: r.into_inner(), // This (new) reader is locked to the payload.
            verifier,
            vk: pk.clone(),
        })
    }

    /// Unseal the remaining data (which is now only payload) into an [`AsyncWrite`].
    pub async fn unseal<W: AsyncWrite + Unpin>(
        mut self,
        ident: &str,
        usk: &UserSecretKey<CGWKV>,
        mut w: W,
    ) -> Result<VerificationResult, Error> {
        let rec_info = self
            .header
            .recipients
            .get(ident)
            .ok_or_else(|| Error::UnknownIdentifier(ident.to_string()))?;

        let ss = rec_info.decaps(usk)?;
        let key = &ss.0[..KEY_SIZE];
        let aead = Aes128Gcm::new_from_slice(key)?;

        let Algorithm::Aes128Gcm(iv) = self.header.algo;
        let nonce = &iv.0[..STREAM_NONCE_SIZE];

        let mut dec = DecryptorBE32::from_aead(aead, nonce.into());

        let bufsize: usize = self.config.segment_size as usize + SIG_BYTES + TAG_SIZE;
        let mut buf = vec![0u8; bufsize];
        let mut buf_tail = 0;
        let mut counter: u32 = 0;
        let mut pol_id: Option<(Policy, Identity)> = None;

        fn extract_policy(buf: &mut Vec<u8>) -> Result<Option<(Policy, Identity)>, Error> {
            let pol_len = u32::from_be_bytes(buf[..POL_SIZE_SIZE].try_into()?) as usize;
            let pol_bytes = &buf[POL_SIZE_SIZE..POL_SIZE_SIZE + pol_len];
            let pol: Policy = bincode::deserialize(pol_bytes)?;
            let id = pol.derive_ibs()?;

            buf.drain(..POL_SIZE_SIZE + pol_len);

            Ok(Some((pol, id)))
        }

        fn verify_segment<'a>(
            seg: &'a [u8],
            verifier: &mut Verifier,
            vk: &VerifyingKey,
            id: &Identity,
            counter: u32,
            is_last: bool,
        ) -> Result<&'a [u8], Error> {
            debug_assert!(seg.len() > SIG_BYTES);

            let (m, sig_bytes) = seg.split_at(seg.len() - SIG_BYTES);
            let sig: Signature = bincode::deserialize(sig_bytes)?;
            verifier.update(m);

            if !verifier
                .clone()
                .chain(&counter.to_be_bytes())
                .chain(&[is_last as u8])
                .verify(&vk.0, &sig, id)
            {
                return Err(Error::IncorrectSignature);
            }

            Ok(m)
        }

        loop {
            let read = self.r.read(&mut buf[buf_tail..bufsize]).await?;
            buf_tail += read;

            if buf_tail == bufsize {
                dec.decrypt_next_in_place(b"", &mut buf)?;

                if counter == 0 {
                    pol_id = extract_policy(&mut buf)?;
                }

                let m = verify_segment(
                    &buf,
                    &mut self.verifier,
                    &self.vk,
                    &pol_id.as_ref().unwrap().1,
                    counter,
                    false,
                )?;

                w.write_all(m).await?;

                buf_tail = 0;
                buf.resize(bufsize, 0);
                counter += 1;
            } else if read == 0 {
                buf.truncate(buf_tail);
                dec.decrypt_last_in_place(b"", &mut buf)?;

                if counter == 0 {
                    pol_id = extract_policy(&mut buf)?;
                }

                let m = verify_segment(
                    &buf,
                    &mut self.verifier,
                    &self.vk,
                    &pol_id.as_ref().unwrap().1,
                    counter,
                    true,
                )?;

                w.write_all(m).await?;

                break;
            }
        }

        w.close().await?;

        let private_id = pol_id.unwrap().0;
        let private = if self.pub_id == private_id {
            None
        } else {
            Some(private_id)
        };

        Ok(VerificationResult {
            public: self.pub_id,
            private,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::{Sealer, SealerStreamConfig, Unsealer, UnsealerStreamConfig};
    use crate::client::VerificationResult;
    use crate::error::Error;
    use crate::test::TestSetup;
    use crate::{PREAMBLE_SIZE, SYMMETRIC_CRYPTO_DEFAULT_CHUNK, TAG_SIZE};
    use alloc::string::String;
    use alloc::vec::Vec;
    use futures::{executor::block_on, io::AllowStdIo};
    use rand::{thread_rng, Rng, RngCore};
    use std::io::Cursor;
    use tokio::io::AsyncReadExt;

    const LENGTHS: &[u32] = &[
        1,
        512,
        SYMMETRIC_CRYPTO_DEFAULT_CHUNK - 3,
        SYMMETRIC_CRYPTO_DEFAULT_CHUNK,
        SYMMETRIC_CRYPTO_DEFAULT_CHUNK + 3,
        3 * SYMMETRIC_CRYPTO_DEFAULT_CHUNK,
        3 * SYMMETRIC_CRYPTO_DEFAULT_CHUNK + 16,
        3 * SYMMETRIC_CRYPTO_DEFAULT_CHUNK - 17,
    ];

    fn seal_helper(setup: &TestSetup, plain: &[u8]) -> Vec<u8> {
        let mut rng = rand::thread_rng();

        let mut input = AllowStdIo::new(Cursor::new(plain));
        let mut output = AllowStdIo::new(Vec::new());

        let signing_key = &setup.signing_keys[0];

        block_on(async {
            Sealer::<_, SealerStreamConfig>::new(
                &setup.ibe_pk,
                &setup.policy,
                &signing_key,
                &mut rng,
            )
            .unwrap()
            .seal(&mut input, &mut output)
            .await
            .unwrap();
        });

        output.into_inner()
    }

    fn unseal_helper(setup: &TestSetup, ct: &[u8]) -> (Vec<u8>, VerificationResult) {
        let mut input = AllowStdIo::new(Cursor::new(ct));
        let mut output = AllowStdIo::new(Vec::new());

        // sometimes decrypt as Bob, sometimes decrypt as Charlie
        let (id, usk_id) = if thread_rng().gen::<bool>() {
            ("Bob", setup.usks[2].clone())
        } else {
            ("Charlie", setup.usks[3].clone())
        };

        let vr = block_on(async {
            let unsealer = Unsealer::<_, UnsealerStreamConfig>::new(&mut input, &setup.ibs_pk)
                .await
                .unwrap();

            // Normally, a user would need to retrieve a usk here via the PKG,
            // but in this case we own the master key pair.
            unsealer.unseal(id, &usk_id, &mut output).await.unwrap()
        });

        (output.into_inner(), vr)
    }

    fn seal_and_unseal(setup: &TestSetup, plain: Vec<u8>) {
        let ct = seal_helper(setup, &plain);
        let (plain2, vr) = unseal_helper(setup, &ct);

        assert_eq!(&plain, &plain2);
        assert_eq!(&vr.public, &setup.signing_keys[0].policy);
        assert_eq!(vr.private, None);
    }

    fn rand_vec(length: usize) -> Vec<u8> {
        let mut vec = vec![0u8; length];
        rand::thread_rng().fill_bytes(&mut vec);
        vec
    }

    #[test]
    fn test_reflection_seal_unsealer() {
        let mut rng = rand::thread_rng();
        let setup = TestSetup::new(&mut rng);

        for l in LENGTHS {
            seal_and_unseal(&setup, rand_vec(*l as usize));
        }
    }

    #[test]
    #[should_panic]
    fn test_corrupt_header() {
        let mut rng = rand::thread_rng();
        let setup = TestSetup::new(&mut rng);

        let plain = rand_vec(100);
        let mut ct = seal_helper(&setup, &plain);

        // Flip a byte that is guaranteed to be in the header.
        ct[PREAMBLE_SIZE + 2] = !ct[PREAMBLE_SIZE + 2];

        // This should panic, because of the header signature.
        let _plain2 = unseal_helper(&setup, &ct);
    }

    #[test]
    #[should_panic]
    fn test_corrupt_payload() {
        let mut rng = rand::thread_rng();
        let setup = TestSetup::new(&mut rng);

        let plain = rand_vec(100);
        let mut ct = seal_helper(&setup, &plain);

        // Flip a byte that is guaranteed to be in the encrypted payload.
        let ct_len = ct.len();
        ct[ct_len - TAG_SIZE - 5] = !ct[ct_len - TAG_SIZE - 5];

        // This should panic, because of the AEAD.
        let _plain2 = unseal_helper(&setup, &ct);
    }

    #[test]
    #[should_panic]
    fn test_corrupt_tag() {
        let mut rng = rand::thread_rng();
        let setup = TestSetup::new(&mut rng);

        let plain = rand_vec(100);
        let mut ct = seal_helper(&setup, &plain);

        let len = ct.len();
        ct[len - 5] = !ct[len - 5];

        // This should panic as well.
        let _plain2 = unseal_helper(&setup, &ct);
    }

    #[tokio::test]
    async fn test_tokio_file() -> Result<(), Error> {
        use futures::AsyncWriteExt;
        use tokio::fs::{File, OpenOptions};
        use tokio_util::compat::TokioAsyncReadCompatExt;

        let mut rng = rand::thread_rng();
        let setup = TestSetup::new(&mut rng);

        let signing_key = &setup.signing_keys[0];

        let in_name = std::env::temp_dir().join("foo.txt");
        let out_name = std::env::temp_dir().join("foo.enc");
        let orig_name = std::env::temp_dir().join("foo2.txt");

        let mut file = OpenOptions::new()
            .create(true)
            .write(true)
            .truncate(true)
            .open(&in_name)
            .await?
            .compat();

        file.write_all(b"SECRET DATA").await?;
        file.close().await?;

        let mut in_file = File::open(&in_name).await?.compat();
        let mut out_file = OpenOptions::new()
            .create(true)
            .write(true)
            .truncate(true)
            .open(&out_name)
            .await?
            .compat();

        Sealer::<_, SealerStreamConfig>::new(&setup.ibe_pk, &setup.policy, signing_key, &mut rng)?
            .seal(&mut in_file, &mut out_file)
            .await?;

        in_file.close().await?;
        out_file.close().await?;

        let mut out_file = File::open(&out_name).await?.compat();
        let mut orig_file = OpenOptions::new()
            .create(true)
            .write(true)
            .truncate(true)
            .open(&orig_name)
            .await?
            .compat();

        let id = "Bob";
        let usk = &setup.usks[2];

        Unsealer::<_, UnsealerStreamConfig>::new(&mut out_file, &setup.ibs_pk)
            .await?
            .unseal(id, usk, &mut orig_file)
            .await?;

        out_file.close().await?;
        orig_file.close().await?;

        let mut buf = String::new();
        File::open(&orig_name)
            .await?
            .read_to_string(&mut buf)
            .await?;

        assert_eq!(buf.as_bytes(), b"SECRET DATA");

        Ok(())
    }

    #[tokio::test]
    async fn test_cursor() -> Result<(), Error> {
        use futures::io::Cursor;

        let mut rng = rand::thread_rng();
        let setup = TestSetup::new(&mut rng);

        let signing_key = &setup.signing_keys[0];

        let mut input = Cursor::new(b"SECRET DATA");
        let mut encrypted = Vec::new();

        Sealer::<_, SealerStreamConfig>::new(&setup.ibe_pk, &setup.policy, signing_key, &mut rng)?
            .seal(&mut input, &mut encrypted)
            .await?;

        let mut original = Vec::new();
        let id = "Bob";
        let usk = &setup.usks[2];
        Unsealer::<_, UnsealerStreamConfig>::new(&mut Cursor::new(encrypted), &setup.ibs_pk)
            .await?
            .unseal(id, usk, &mut original)
            .await?;

        assert_eq!(input.into_inner().to_vec(), original);
        Ok(())
    }
}