rebase on main and update ocrypto

Author: strantalis

service/internal/security/basic_manager.go

@@ -12,7 +12,6 @@ import (
 	"log/slog"
 
 	"github.com/opentdf/platform/lib/ocrypto"
-	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/service/logger"
 	"github.com/opentdf/platform/service/pkg/cache"
 	"github.com/opentdf/platform/service/trust"
@@ -50,7 +49,7 @@ func (b *BasicManager) Name() string {
 	return BasicManagerName
 }
 
-func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (trust.ProtectedKey, error) {
+func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error) {
 	// Implementation of Decrypt method
 
 	// Get Private Key
@@ -75,8 +74,12 @@ func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails,
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt with RSA: %w", err)
 		}
-		return ocrypto.NewAESProtectedKey(plaintext), nil
-	case policy.Algorithm_ALGORITHM_EC_P256.String(), policy.Algorithm_ALGORITHM_EC_P384.String(), policy.Algorithm_ALGORITHM_EC_P521.String():
+		protectedKey, err := ocrypto.NewAESProtectedKey(plaintext)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create protected key: %w", err)
+		}
+		return protectedKey, nil
+	case ocrypto.EC256Key, ocrypto.EC384Key, ocrypto.EC521Key:
 		ecPrivKey, err := ocrypto.ECPrivateKeyFromPem(privKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create EC private key from PEM: %w", err)
@@ -89,13 +92,17 @@ func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails,
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt with ephemeral key: %w", err)
 		}
-		return ocrypto.NewAESProtectedKey(plaintext), nil
+		protectedKey, err := ocrypto.NewAESProtectedKey(plaintext)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create protected key: %w", err)
+		}
+		return protectedKey, nil
 	}
 
 	return nil, fmt.Errorf("unsupported algorithm: %s", keyDetails.Algorithm())
 }
 
-func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (trust.ProtectedKey, error) {
+func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ocrypto.ProtectedKey, error) {
 	// Implementation of DeriveKey method
 	privateKeyCtx, err := keyDetails.ExportPrivateKey(ctx)
 	if err != nil {
@@ -131,22 +138,35 @@ func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetail
 	if err != nil {
 		return nil, fmt.Errorf("failed to calculate HKDF: %w", err)
 	}
-	return ocrypto.NewAESProtectedKey(key), nil
+	protectedKey, err := ocrypto.NewAESProtectedKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create protected key: %w", err)
+	}
+	return protectedKey, nil
 }
 
 type OCEncapsulator struct {
 	ocrypto.PublicKeyEncryptor
 }
 
-func (e *OCEncapsulator) Encapsulate(dek trust.ProtectedKey) ([]byte, error) {
-	ipk, ok := dek.(*InProcessAESKey)
+func (e *OCEncapsulator) Encapsulate(dek ocrypto.ProtectedKey) ([]byte, error) {
+	ipk, ok := dek.(*ocrypto.AESProtectedKey)
 	if !ok {
 		return nil, errors.New("invalid DEK type for encapsulation")
 	}
-	return e.Encrypt(ipk.rawKey)
+	// Export the raw key without encryption
+	rawKey, err := ipk.Export(nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to export raw key: %w", err)
+	}
+	return e.Encrypt(rawKey)
+}
+
+func (e *OCEncapsulator) PublicKeyAsPEM() (string, error) {
+	return e.PublicKeyEncryptor.PublicKeyInPemFormat()
 }
 
-func (b *BasicManager) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (trust.Encapsulator, error) {
+func (b *BasicManager) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (ocrypto.Encapsulator, error) {
 	pke, err := ocrypto.FromPublicPEMWithSalt(ephemeralPublicKey, NanoVersionSalt(), nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create public key encryptor: %w", err)

service/internal/security/basic_manager_test.go

@@ -276,7 +276,7 @@ func TestBasicManager_Decrypt(t *testing.T) {
 	bm, err := NewBasicManager(log, testCache, rootKeyHex)
 	require.NoError(t, err)
 
-	samplePayload := []byte("secret payload")
+	samplePayload := []byte("secret payload16") // 16 bytes for valid AES key
 
 	t.Run("successful RSA decryption", func(t *testing.T) {
 		mockDetails := new(MockKeyDetails)

service/internal/security/in_process_provider.go

@@ -251,13 +251,24 @@ func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDet
 		return nil, err
 	}
 
-	return ocrypto.NewAESProtectedKey(rawKey), nil
+	protectedKey, err := ocrypto.NewAESProtectedKey(rawKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create protected key: %w", err)
+	}
+	return protectedKey, nil
 }
 
 // DeriveKey generates a symmetric key for NanoTDF
 func (a *InProcessProvider) DeriveKey(_ context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (trust.ProtectedKey, error) {
 	k, err := a.cryptoProvider.GenerateNanoTDFSymmetricKey(string(keyDetails.ID()), ephemeralPublicKeyBytes, curve)
-	return ocrypto.NewAESProtectedKey(k), err
+	if err != nil {
+		return nil, err
+	}
+	protectedKey, err := ocrypto.NewAESProtectedKey(k)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create protected key: %w", err)
+	}
+	return protectedKey, nil
 }
 
 // GenerateECSessionKey generates a session key for NanoTDF

service/internal/security/standard_crypto.go

@@ -439,7 +439,7 @@ func (s *StandardCrypto) ECDecrypt(ctx context.Context, keyID string, ephemeralP
 }
 
 // Decrypt implements the SecurityProvider Decrypt method
-func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (trust.ProtectedKey, error) {
+func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error) {
 	kid := string(keyID)
 	ska, ok := s.keysByID[kid]
 	if !ok {
@@ -488,5 +488,5 @@ func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, c
 		return nil, fmt.Errorf("unsupported key type for key ID [%s]", kid)
 	}
 
-	return ocrypto.NewAESProtectedKey(rawKey), nil
+	return ocrypto.NewAESProtectedKey(rawKey)
 }

service/kas/access/rewrap.go

@@ -827,7 +827,7 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.Unsigned
 		failAllKaos(requests, results, err400("keypair mismatch"))
 		return "", results
 	}
-	sessionKeyPEM, err := sessionKey.PublicKeyInPemFormat()
+	sessionKeyPEM, err := sessionKey.PublicKeyAsPEM()
 	if err != nil {
 		p.Logger.WarnContext(ctx, "failure in PublicKeyToPem", slog.Any("error", err))
 		failAllKaos(requests, results, err500(""))

service/trust/delegating_key_service_test.go

@@ -188,7 +188,7 @@ func (m *MockEncapsulator) Encrypt(data []byte) ([]byte, error) {
 	return nil, args.Error(1)
 }
 
-func (m *MockEncapsulator) PublicKeyInPemFormat() (string, error) {
+func (m *MockEncapsulator) PublicKeyAsPEM() (string, error) {
 	args := m.Called()
 	return args.String(0), args.Error(1)
 }
@@ -201,7 +201,7 @@ func (m *MockEncapsulator) EphemeralKey() []byte {
 	return nil
 }
 
-var _ Encapsulator = (*MockEncapsulator)(nil)
+var _ ocrypto.Encapsulator = (*MockEncapsulator)(nil)
 
 type DelegatingKeyServiceTestSuite struct {
 	suite.Suite

service/trust/key_manager.go

@@ -9,7 +9,9 @@ import (
 
 // Type aliases for backward compatibility - these interfaces are now defined in lib/ocrypto
 type (
+	// Deprecated: use ocrypto.Encapsulator
 	Encapsulator = ocrypto.Encapsulator
+	// Deprecated: use ocrypto.ProtectedKey
 	ProtectedKey = ocrypto.ProtectedKey
 )