feat: add AES protected key interface and implementation #2599
Conversation
Add ProtectedKey and Encapsulator interfaces to lib/ocrypto package, along with AESProtectedKey implementation. This exposes previously internal cryptographic functionality for external consumption. - Add interfaces.go with ProtectedKey and Encapsulator interfaces - Add protected_key.go with AESProtectedKey implementation - Add comprehensive test suite in protected_key_test.go - Use standard error types without logging dependencies
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @strantalis, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request aims to expose and standardize key management operations within the lib/ocrypto package by introducing new interfaces and a concrete AES-based implementation. This change modularizes cryptographic functionality, allowing for broader and more consistent consumption of protected keys across the system.
Highlights
- New Interfaces: I've introduced
ProtectedKeyandEncapsulatorinterfaces inlib/ocrypto/interfaces.go. These interfaces define standard operations for managing and encapsulating cryptographic keys, making previously internal functionality accessible. - AESProtectedKey Implementation: A concrete implementation,
AESProtectedKey, has been added inlib/ocrypto/protected_key.go. This struct implements theProtectedKeyinterface, providing methods for AES-GCM decryption, secure key export (with optional encapsulation), and policy binding verification using HMAC-SHA256. - Comprehensive Testing: I've included a thorough test suite in
lib/ocrypto/protected_key_test.go. These tests cover theAESProtectedKey's core functionalities, various error conditions, and ensure its compliance with theProtectedKeyinterface, including the use of a mock encapsulator for isolated testing.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
New crypto flows, Keys protected, safe and sound, Code now open wide.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces a new ProtectedKey interface and its AESProtectedKey implementation for cryptographic operations. The changes are well-structured and include a comprehensive test suite.
My review focuses on improving security and code clarity. Key suggestions include:
- Preventing slice aliasing in the constructor and
Exportmethod to enhance security by copying the key data. - Refactoring
generateHMACDigestto remove an unused context parameter and a redundant error check.
strantalis
changed the title
- Add defensive copying in constructor to prevent external mutation - Add defensive copying in Export method for security - Simplify generateHMACDigest by removing unused context and error handling - Update tests to match simplified signature Addresses feedback from code review on PR opentdf#2599
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces new interfaces for cryptographic operations and an AESProtectedKey implementation. The code is well-structured and includes a comprehensive test suite. The review focuses on improving performance by suggesting to initialize the AES cipher once in the constructor and to correct the AES key sizes in the tests.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces new interfaces (Encapsulator, ProtectedKey) and an implementation (AESProtectedKey) for cryptographic operations, exposing them for external use. The changes are well-structured and include a comprehensive test suite.
My review focuses on improving API clarity, consistency, and addressing potential security risks. Key points include:
- Refining the new interfaces for better naming and documentation, following Go conventions.
- Highlighting two significant security considerations in
AESProtectedKey: the storage of raw keys in memory and the ability to export them unencrypted. These create potential "footgun" scenarios that could lead to accidental key exposure. - Suggesting improvements to the test suite for better maintainability and to test against the public API rather than internal state.
Overall, the PR is a good addition, but the security implications should be carefully considered and addressed.
🤖 I have created a release *beep* *boop* --- ## [0.4.0](lib/ocrypto/v0.3.0...lib/ocrypto/v0.4.0) (2025-09-02) ### Features * add AES protected key interface and implementation ([#2599](#2599)) ([2bb7eb0](2bb7eb0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.4.0](lib/ocrypto/v0.3.0...lib/ocrypto/v0.4.0) (2025-09-02) ### Features * add AES protected key interface and implementation ([#2599](#2599)) ([2bb7eb0](2bb7eb0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
- Add defensive copying in constructor to prevent external mutation - Add defensive copying in Export method for security - Simplify generateHMACDigest by removing unused context and error handling - Update tests to match simplified signature Addresses feedback from code review on PR opentdf#2599
- Add defensive copying in constructor to prevent external mutation - Add defensive copying in Export method for security - Simplify generateHMACDigest by removing unused context and error handling - Update tests to match simplified signature Addresses feedback from code review on PR opentdf#2599
- Add defensive copying in constructor to prevent external mutation - Add defensive copying in Export method for security - Simplify generateHMACDigest by removing unused context and error handling - Update tests to match simplified signature Addresses feedback from code review on PR opentdf#2599
Proposed Changes
Add ProtectedKey and Encapsulator interfaces to lib/ocrypto package, along with AESProtectedKey implementation. This exposes previously internal cryptographic functionality for external consumption.
Checklist
Testing Instructions