storj/pkg/encryption/path.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package encryption

import (
	"crypto/hmac"
	"crypto/sha512"
	"strings"

	"github.com/zeebo/errs"

	"storj.io/storj/pkg/paths"
	"storj.io/storj/pkg/storj"
)

var (
	emptyComponentPrefix    = byte('\x01')
	notEmptyComponentPrefix = byte('\x02')
	emptyComponent          = []byte{emptyComponentPrefix}

	escapeSlash = byte('\x2e')
	escapeFF    = byte('\xfe')
	escape01    = byte('\x01')
)

// EncryptPath encrypts the path using the provided cipher and looking up
// keys from the provided store and bucket.
func EncryptPath(bucket string, path paths.Unencrypted, cipher storj.CipherSuite, store *Store) (
	encPath paths.Encrypted, err error) {

	// Invalid paths map to invalid paths
	if !path.Valid() {
		return paths.Encrypted{}, nil
	}

	if cipher == storj.EncNull {
		return paths.NewEncrypted(path.Raw()), nil
	}

	_, consumed, base := store.LookupUnencrypted(bucket, path)
	if base == nil {
		return paths.Encrypted{}, errs.New("unable to find encryption base for: %s/%q", bucket, path)
	}

	remaining, ok := path.Consume(consumed)
	if !ok {
		return paths.Encrypted{}, errs.New("unable to encrypt bucket path: %s/%q", bucket, path)
	}

	// if we didn't consume any path, we're at the root of the bucket, and so we have
	// to fold the bucket name into the key.
	key := &base.Key
	if !consumed.Valid() {
		key, err = derivePathKeyComponent(key, bucket)
		if err != nil {
			return paths.Encrypted{}, errs.Wrap(err)
		}
	}

	encrypted, err := EncryptPathRaw(remaining.Raw(), cipher, key)
	if err != nil {
		return paths.Encrypted{}, errs.Wrap(err)
	}

	var builder strings.Builder
	builder.WriteString(base.Encrypted.Raw())

	if len(encrypted) > 0 {
		if builder.Len() > 0 {
			builder.WriteByte('/')
		}
		builder.WriteString(encrypted)
	}

	return paths.NewEncrypted(builder.String()), nil
}

// EncryptPathRaw encrypts the path using the provided key directly. EncryptPath should be
// preferred if possible.
func EncryptPathRaw(raw string, cipher storj.CipherSuite, key *storj.Key) (string, error) {
	if cipher == storj.EncNull {
		return raw, nil
	}

	var builder strings.Builder
	for iter, i := paths.NewIterator(raw), 0; !iter.Done(); i++ {
		component := iter.Next()
		encComponent, err := encryptPathComponent(component, cipher, key)
		if err != nil {
			return "", errs.Wrap(err)
		}
		key, err = derivePathKeyComponent(key, component)
		if err != nil {
			return "", errs.Wrap(err)
		}
		if i > 0 {
			builder.WriteByte('/')
		}
		builder.WriteString(encComponent)
	}
	return builder.String(), nil
}

// DecryptPath decrypts the path using the provided cipher and looking up
// keys from the provided store and bucket.
func DecryptPath(bucket string, path paths.Encrypted, cipher storj.CipherSuite, store *Store) (
	unencPath paths.Unencrypted, err error) {

	// Invalid paths map to invalid paths
	if !path.Valid() {
		return paths.Unencrypted{}, nil
	}

	if cipher == storj.EncNull {
		return paths.NewUnencrypted(path.Raw()), nil
	}

	_, consumed, base := store.LookupEncrypted(bucket, path)
	if base == nil {
		return paths.Unencrypted{}, errs.New("unable to find decryption base for: %q", path)
	}

	remaining, ok := path.Consume(consumed)
	if !ok {
		return paths.Unencrypted{}, errs.New("unable to decrypt bucket path: %q", path)
	}

	// if we didn't consume any path, we're at the root of the bucket, and so we have
	// to fold the bucket name into the key.
	key := &base.Key
	if !consumed.Valid() {
		key, err = derivePathKeyComponent(key, bucket)
		if err != nil {
			return paths.Unencrypted{}, errs.Wrap(err)
		}
	}

	decrypted, err := DecryptPathRaw(remaining.Raw(), cipher, key)
	if err != nil {
		return paths.Unencrypted{}, errs.Wrap(err)
	}

	var builder strings.Builder
	builder.WriteString(base.Unencrypted.Raw())

	if len(decrypted) > 0 {
		if builder.Len() > 0 {
			builder.WriteByte('/')
		}
		builder.WriteString(decrypted)
	}

	return paths.NewUnencrypted(builder.String()), nil
}

// DecryptPathRaw decrypts the path using the provided key directly. DecryptPath should be
// preferred if possible.
func DecryptPathRaw(raw string, cipher storj.CipherSuite, key *storj.Key) (string, error) {
	if cipher == storj.EncNull {
		return raw, nil
	}

	var builder strings.Builder
	for iter, i := paths.NewIterator(raw), 0; !iter.Done(); i++ {
		component := iter.Next()
		unencComponent, err := decryptPathComponent(component, cipher, key)
		if err != nil {
			return "", errs.Wrap(err)
		}
		key, err = derivePathKeyComponent(key, unencComponent)
		if err != nil {
			return "", errs.Wrap(err)
		}
		if i > 0 {
			builder.WriteByte('/')
		}
		builder.WriteString(unencComponent)
	}
	return builder.String(), nil
}

// DeriveContentKey returns the content key for the passed in path by looking up
// the appropriate base key from the store and bucket and deriving the rest.
func DeriveContentKey(bucket string, path paths.Unencrypted, store *Store) (key *storj.Key, err error) {
	key, err = DerivePathKey(bucket, path, store)
	if err != nil {
		return nil, errs.Wrap(err)
	}
	key, err = DeriveKey(key, "content")
	return key, errs.Wrap(err)
}

// DerivePathKey returns the path key for the passed in path by looking up the
// appropriate base key from the store and bucket and deriving the rest.
func DerivePathKey(bucket string, path paths.Unencrypted, store *Store) (key *storj.Key, err error) {
	_, consumed, base := store.LookupUnencrypted(bucket, path)
	if base == nil {
		return nil, errs.New("unable to find encryption base for: %s/%q", bucket, path)
	}

	// If asking for the key at the bucket, do that and return.
	if !path.Valid() {
		key, err = derivePathKeyComponent(&base.Key, bucket)
		if err != nil {
			return nil, errs.Wrap(err)
		}
		return key, nil
	}

	remaining, ok := path.Consume(consumed)
	if !ok {
		return nil, errs.New("unable to derive path key for: %s/%q", bucket, path)
	}

	// if we didn't consume any path, we're at the root of the bucket, and so we have
	// to fold the bucket name into the key.
	key = &base.Key
	if !consumed.Valid() {
		key, err = derivePathKeyComponent(key, bucket)
		if err != nil {
			return nil, errs.Wrap(err)
		}
	}

	for iter := remaining.Iterator(); !iter.Done(); {
		key, err = derivePathKeyComponent(key, iter.Next())
		if err != nil {
			return nil, errs.Wrap(err)
		}
	}
	return key, nil
}

// derivePathKeyComponent derives a new key from the provided one using the component. It
// should be preferred over DeriveKey when adding path components as it performs the
// necessary transformation to the component.
func derivePathKeyComponent(key *storj.Key, component string) (*storj.Key, error) {
	return DeriveKey(key, "path:"+component)
}

// encryptPathComponent encrypts a single path component with the provided cipher and key.
func encryptPathComponent(comp string, cipher storj.CipherSuite, key *storj.Key) (string, error) {
	// derive the key for the next path component. this is so that
	// every encrypted component has a unique nonce.
	derivedKey, err := derivePathKeyComponent(key, comp)
	if err != nil {
		return "", err
	}

	// use the derived key to derive the nonce
	mac := hmac.New(sha512.New, derivedKey[:])
	_, err = mac.Write([]byte("nonce"))
	if err != nil {
		return "", Error.Wrap(err)
	}

	nonce := new(storj.Nonce)
	copy(nonce[:], mac.Sum(nil))

	// encrypt the path components with the parent's key and the derived nonce
	cipherText, err := Encrypt([]byte(comp), cipher, key, nonce)
	if err != nil {
		return "", Error.Wrap(err)
	}

	nonceSize := storj.NonceSize
	if cipher == storj.EncAESGCM {
		nonceSize = AESGCMNonceSize
	}

	// keep the nonce together with the cipher text
	return string(encodeSegment(append(nonce[:nonceSize], cipherText...))), nil
}

// decryptPathComponent decrypts a single path component with the provided cipher and key.
func decryptPathComponent(comp string, cipher storj.CipherSuite, key *storj.Key) (string, error) {
	if comp == "" {
		return "", nil
	}

	data, err := decodeSegment([]byte(comp))
	if err != nil {
		return "", Error.Wrap(err)
	}

	nonceSize := storj.NonceSize
	if cipher == storj.EncAESGCM {
		nonceSize = AESGCMNonceSize
	}
	if len(data) < nonceSize || nonceSize < 0 {
		return "", errs.New("component did not contain enough nonce bytes")
	}

	// extract the nonce from the cipher text
	nonce := new(storj.Nonce)
	copy(nonce[:], data[:nonceSize])

	decrypted, err := Decrypt(data[nonceSize:], cipher, key, nonce)
	if err != nil {
		return "", Error.Wrap(err)
	}

	return string(decrypted), nil
}

// encodeSegment encodes segment according to specific rules
// The empty path component is encoded as `\x01`
// Any other path component is encoded as `\x02 + escape(component)`
//
// `\x2e` escapes to `\x2e\x01`
// `\x2f` escapes to `\x2e\x02`
// `\xfe` escapes to `\xfe\x01`
// `\xff` escapes to `\xfe\x02`
// `\x00` escapes to `\x01\x01`
// `\x01` escapes to `\x01\x02
// for more details see docs/design/path-component-encoding.md
func encodeSegment(segment []byte) []byte {
	if len(segment) == 0 {
		return emptyComponent
	}

	result := make([]byte, 0, len(segment)*2+1)
	result = append(result, notEmptyComponentPrefix)
	for i := 0; i < len(segment); i++ {
		switch segment[i] {
		case escapeSlash:
			result = append(result, []byte{escapeSlash, 1}...)
		case escapeSlash + 1:
			result = append(result, []byte{escapeSlash, 2}...)
		case escapeFF:
			result = append(result, []byte{escapeFF, 1}...)
		case escapeFF + 1:
			result = append(result, []byte{escapeFF, 2}...)
		case escape01 - 1:
			result = append(result, []byte{escape01, 1}...)
		case escape01:
			result = append(result, []byte{escape01, 2}...)
		default:
			result = append(result, segment[i])
		}
	}
	return result
}

func decodeSegment(segment []byte) ([]byte, error) {
	err := validateEncodedSegment(segment)
	if err != nil {
		return []byte{}, err
	}
	if segment[0] == emptyComponentPrefix {
		return []byte{}, nil
	}

	currentIndex := 0
	for i := 1; i < len(segment); i++ {
		switch {
		case i == len(segment)-1:
			segment[currentIndex] = segment[i]
		case segment[i] == escapeSlash || segment[i] == escapeFF:
			segment[currentIndex] = segment[i] + segment[i+1] - 1
			i++
		case segment[i] == escape01:
			segment[currentIndex] = segment[i+1] - 1
			i++
		default:
			segment[currentIndex] = segment[i]
		}
		currentIndex++
	}
	return segment[:currentIndex], nil
}

// validateEncodedSegment checks if:
// * The last byte/sequence is not in {escape1, escape2, escape3}
// * Any byte after an escape character is \x01 or \x02
// * It does not contain any characters in {\x00, \xff, \x2f}
// * It is non-empty
// * It begins with a character in {\x01, \x02}
func validateEncodedSegment(segment []byte) error {
	switch {
	case len(segment) == 0:
		return errs.New("encoded segment cannot be empty")
	case segment[0] != emptyComponentPrefix && segment[0] != notEmptyComponentPrefix:
		return errs.New("invalid segment prefix")
	case segment[0] == emptyComponentPrefix && len(segment) > 1:
		return errs.New("segment encoded as empty but contains data")
	case segment[0] == notEmptyComponentPrefix && len(segment) == 1:
		return errs.New("segment encoded as not empty but doesn't contain data")
	}

	if len(segment) == 1 {
		return nil
	}

	index := 1
	for ; index < len(segment)-1; index++ {
		if isEscapeByte(segment[index]) {
			if segment[index+1] == 1 || segment[index+1] == 2 {
				index++
				continue
			}
			return errs.New("invalid escape sequence")
		}
		if isDisallowedByte(segment[index]) {
			return errs.New("invalid character in segment")
		}
	}
	if index == len(segment)-1 {
		if isEscapeByte(segment[index]) {
			return errs.New("invalid escape sequence")
		}
		if isDisallowedByte(segment[index]) {
			return errs.New("invalid character")
		}
	}

	return nil
}

func isEscapeByte(b byte) bool {
	return b == escapeSlash || b == escapeFF || b == escape01
}

func isDisallowedByte(b byte) bool {
	return b == 0 || b == '\xff' || b == '/'
}