feat(gcpkms): support asymmetric key

yz89122 · yz89122 · commit 1507275307c9 · 2023-03-15T13:52:55.000+08:00
diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
@@ -1,9 +1,18 @@
 package gcpkms //import "go.mozilla.org/sops/v3/gcpkms"
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
+	"errors"
 	"fmt"
-	"google.golang.org/api/option"
+	"hash"
+	"hash/crc32"
 	"os"
 	"regexp"
 	"strings"
@@ -14,6 +23,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	cloudkms "google.golang.org/api/cloudkms/v1"
+	"google.golang.org/api/option"
 )
 
 var log *logrus.Logger
@@ -46,6 +56,37 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
 		return fmt.Errorf("Cannot create GCP KMS service: %w", err)
 	}
+
+	purpose, err := key.purpose(cloudkmsService)
+	if err != nil {
+		return err
+	}
+
+	switch purpose {
+	case "ENCRYPT_DECRYPT":
+		return key.encryptSymmetric(cloudkmsService, dataKey)
+	case "ASYMMETRIC_DECRYPT":
+		return key.encryptAsymmetric(cloudkmsService, dataKey)
+	}
+
+	log.WithField("resourceID", key.ResourceID).WithField("purpose", purpose).Info("This key cannot be used for encryption")
+	return fmt.Errorf("This key cannot be used for encryption, purpose: %s", purpose)
+}
+
+func (key *MasterKey) purpose(cloudkmsService *cloudkms.Service) (string, error) {
+	// It needs to use `projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key` to request.
+	// If request with format `projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key/cryptoKeyVersions/version`,
+	// KMS will response without `purpose`.
+	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Get(key.resourceIDWithoutVersion()).Do()
+	if err != nil {
+		log.WithField("resourceID", key.ResourceID).Info("Get key info failed")
+		return "", fmt.Errorf("Get key from GCP KMS failed: %w", err)
+	}
+
+	return resp.Purpose, nil
+}
+
+func (key *MasterKey) encryptSymmetric(cloudkmsService *cloudkms.Service, dataKey []byte) error {
 	req := &cloudkms.EncryptRequest{
 		Plaintext: base64.StdEncoding.EncodeToString(dataKey),
 	}
@@ -59,6 +100,63 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 	return nil
 }
 
+func (key *MasterKey) encryptAsymmetric(cloudkmsService *cloudkms.Service, dataKey []byte) error {
+	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.CryptoKeyVersions.GetPublicKey(key.ResourceID).Do()
+	if err != nil {
+		log.WithField("resourceID", key.ResourceID).Info("Get public key failed")
+		return fmt.Errorf("Get public key from GCP KMS failed: %w", err)
+	}
+
+	if resp.PemCrc32c != int64(crc32c([]byte(resp.Pem))) {
+		log.WithField("resourceID", key.ResourceID).Info("Get public key response corrupted in-transit")
+		return errors.New("Get public key response corrupted in-transit")
+	}
+
+	block, _ := pem.Decode([]byte(resp.Pem))
+	publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		log.WithField("resourceID", key.ResourceID).Info("Failed to parse public key")
+		return fmt.Errorf("Failed to parse public key: %w", err)
+	}
+	rsaKey, ok := publicKey.(*rsa.PublicKey)
+	if !ok {
+		log.WithField("resourceID", key.ResourceID).Info("Public key is not RSA")
+		return errors.New("Public key is not RSA")
+	}
+
+	var hash hash.Hash
+
+	switch resp.Algorithm {
+	case "RSA_DECRYPT_OAEP_2048_SHA256":
+		hash = sha256.New()
+	case "RSA_DECRYPT_OAEP_3072_SHA256":
+		hash = sha256.New()
+	case "RSA_DECRYPT_OAEP_4096_SHA256":
+		hash = sha256.New()
+	case "RSA_DECRYPT_OAEP_4096_SHA512":
+		hash = sha512.New()
+	case "RSA_DECRYPT_OAEP_2048_SHA1":
+		hash = sha1.New()
+	case "RSA_DECRYPT_OAEP_3072_SHA1":
+		hash = sha1.New()
+	case "RSA_DECRYPT_OAEP_4096_SHA1":
+		hash = sha1.New()
+	default:
+		log.WithField("resourceID", key.ResourceID).WithField("algorithm", resp.Algorithm).Info("Unsupported algorithm")
+		return fmt.Errorf("Key with unsupported algorithm: %s", resp.Algorithm)
+	}
+
+	ciphertext, err := rsa.EncryptOAEP(hash, rand.Reader, rsaKey, dataKey, nil)
+	if err != nil {
+		log.WithField("resourceID", key.ResourceID).Info("rsa.EncryptOAEP() error")
+		return fmt.Errorf("rsa.EncryptOAEP: %w", err)
+	}
+
+	key.EncryptedKey = base64.StdEncoding.EncodeToString(ciphertext)
+
+	return nil
+}
+
 // EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet
 func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error {
 	if key.EncryptedKey == "" {
@@ -75,6 +173,23 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 		return nil, fmt.Errorf("Cannot create GCP KMS service: %w", err)
 	}
 
+	purpose, err := key.purpose(cloudkmsService)
+	if err != nil {
+		return nil, err
+	}
+
+	switch purpose {
+	case "ENCRYPT_DECRYPT":
+		return key.decryptSymmetric(cloudkmsService)
+	case "ASYMMETRIC_DECRYPT":
+		return key.decryptAsymmetric(cloudkmsService)
+	default:
+		log.WithField("resourceID", key.ResourceID).WithField("purpose", purpose).Info("This key cannot be used for decryption")
+		return nil, fmt.Errorf("This key cannot be used for decryption, purpose: %s", purpose)
+	}
+}
+
+func (key *MasterKey) decryptSymmetric(cloudkmsService *cloudkms.Service) ([]byte, error) {
 	req := &cloudkms.DecryptRequest{
 		Ciphertext: key.EncryptedKey,
 	}
@@ -92,6 +207,24 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
 	return encryptedKey, nil
 }
 
+func (key *MasterKey) decryptAsymmetric(cloudkmsService *cloudkms.Service) ([]byte, error) {
+	req := &cloudkms.AsymmetricDecryptRequest{
+		Ciphertext: key.EncryptedKey,
+	}
+	resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.CryptoKeyVersions.AsymmetricDecrypt(key.ResourceID, req).Do()
+	if err != nil {
+		log.WithField("resourceID", key.ResourceID).Info("Asymmetric decryption failed")
+		return nil, fmt.Errorf("Error decrypting key: %w", err)
+	}
+	encryptedKey, err := base64.StdEncoding.DecodeString(resp.Plaintext)
+	if err != nil {
+		log.WithField("resourceID", key.ResourceID).Info("Asymmetric decryption failed")
+		return nil, err
+	}
+	log.WithField("resourceID", key.ResourceID).Info("Asymmetric decryption succeeded")
+	return encryptedKey, nil
+}
+
 // NeedsRotation returns whether the data key needs to be rotated or not.
 func (key *MasterKey) NeedsRotation() bool {
 	return time.Since(key.CreationDate) > (time.Hour * 24 * 30 * 6)
@@ -124,7 +257,7 @@ func MasterKeysFromResourceIDString(resourceID string) []*MasterKey {
 }
 
 func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) {
-	re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
+	re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+(?:/cryptoKeyVersions/[^/]+)?$`)
 	matches := re.FindStringSubmatch(key.ResourceID)
 	if matches == nil {
 		return nil, fmt.Errorf("No valid resourceId found in %q", key.ResourceID)
@@ -155,6 +288,18 @@ func (key MasterKey) ToMap() map[string]interface{} {
 	return out
 }
 
+// assume key.ResourceID is in following format
+//   - `projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key`
+//   - `projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key/cryptoKeyVersions/version`
+func (key MasterKey) resourceIDWithoutVersion() string {
+	re := regexp.MustCompile(`^(projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)(?:/cryptoKeyVersions/[^/]+)?$`)
+	matches := re.FindStringSubmatch(key.ResourceID)
+	if len(matches) < 2 {
+		return ""
+	}
+	return matches[1]
+}
+
 // getGoogleCredentials looks for a GCP Service Account in the environment
 // variable: GOOGLE_CREDENTIALS, set as either a path to a credentials file or directly as the
 // variable's value in JSON format.
@@ -167,3 +312,8 @@ func getGoogleCredentials() ([]byte, error) {
 	}
 	return []byte(defaultCredentials), nil
 }
+
+func crc32c(data []byte) uint32 {
+	t := crc32.MakeTable(crc32.Castagnoli)
+	return crc32.Checksum(data, t)
+}
