New crypto implementation

config.go

@@ -2,6 +2,7 @@ package pubnub
 
 import (
 	"fmt"
+	"github.com/pubnub/go/v7/crypto"
 	"log"
 	"sync"
 )
@@ -27,29 +28,30 @@ type Config struct {
 	//
 	//Deprecated: please use SetUserId/GetUserId
 	UUID                          string
-	CipherKey                     string             // If CipherKey is passed, all communications to/from PubNub will be encrypted.
-	Secure                        bool               // True to use TLS
-	ConnectTimeout                int                // net.Dialer.Timeout
-	NonSubscribeRequestTimeout    int                // http.Client.Timeout for non-subscribe requests
-	SubscribeRequestTimeout       int                // http.Client.Timeout for subscribe requests only
-	FileUploadRequestTimeout      int                // http.Client.Timeout File Upload Request only
-	HeartbeatInterval             int                // The frequency of the pings to the server to state that the client is active
-	PresenceTimeout               int                // The time after which the server will send a timeout for the client
-	MaximumReconnectionRetries    int                // The config sets how many times to retry to reconnect before giving up.
-	MaximumLatencyDataAge         int                // Max time to store the latency data for telemetry
-	FilterExpression              string             // Feature to subscribe with a custom filter expression.
-	PNReconnectionPolicy          ReconnectionPolicy // Reconnection policy selection
-	Log                           *log.Logger        // Logger instance
-	SuppressLeaveEvents           bool               // When true the SDK doesn't send out the leave requests.
-	DisablePNOtherProcessing      bool               // PNOther processing looks for pn_other in the JSON on the recevied message
-	UseHTTP2                      bool               // HTTP2 Flag
-	MessageQueueOverflowCount     int                // When the limit is exceeded by the number of messages received in a single subscribe request, a status event PNRequestMessageCountExceededCategory is fired.
-	MaxIdleConnsPerHost           int                // Used to set the value of HTTP Transport's MaxIdleConnsPerHost.
-	MaxWorkers                    int                // Number of max workers for Publish and Grant requests
-	UsePAMV3                      bool               // Use PAM version 2, Objects requets would still use PAM v3
-	StoreTokensOnGrant            bool               // Will store grant v3 tokens in token manager for further use.
-	FileMessagePublishRetryLimit  int                // The number of tries made in case of Publish File Message failure.
-	UseRandomInitializationVector bool               // When true the IV will be random for all requests and not just file upload. When false the IV will be hardcoded for all requests except File Upload
+	CipherKey                     string              // If CipherKey is passed, all communications to/from PubNub will be encrypted.
+	Secure                        bool                // True to use TLS
+	ConnectTimeout                int                 // net.Dialer.Timeout
+	NonSubscribeRequestTimeout    int                 // http.Client.Timeout for non-subscribe requests
+	SubscribeRequestTimeout       int                 // http.Client.Timeout for subscribe requests only
+	FileUploadRequestTimeout      int                 // http.Client.Timeout File Upload Request only
+	HeartbeatInterval             int                 // The frequency of the pings to the server to state that the client is active
+	PresenceTimeout               int                 // The time after which the server will send a timeout for the client
+	MaximumReconnectionRetries    int                 // The config sets how many times to retry to reconnect before giving up.
+	MaximumLatencyDataAge         int                 // Max time to store the latency data for telemetry
+	FilterExpression              string              // Feature to subscribe with a custom filter expression.
+	PNReconnectionPolicy          ReconnectionPolicy  // Reconnection policy selection
+	Log                           *log.Logger         // Logger instance
+	SuppressLeaveEvents           bool                // When true the SDK doesn't send out the leave requests.
+	DisablePNOtherProcessing      bool                // PNOther processing looks for pn_other in the JSON on the recevied message
+	UseHTTP2                      bool                // HTTP2 Flag
+	MessageQueueOverflowCount     int                 // When the limit is exceeded by the number of messages received in a single subscribe request, a status event PNRequestMessageCountExceededCategory is fired.
+	MaxIdleConnsPerHost           int                 // Used to set the value of HTTP Transport's MaxIdleConnsPerHost.
+	MaxWorkers                    int                 // Number of max workers for Publish and Grant requests
+	UsePAMV3                      bool                // Use PAM version 2, Objects requets would still use PAM v3
+	StoreTokensOnGrant            bool                // Will store grant v3 tokens in token manager for further use.
+	FileMessagePublishRetryLimit  int                 // The number of tries made in case of Publish File Message failure.
+	UseRandomInitializationVector bool                // When true the IV will be random for all requests and not just file upload. When false the IV will be hardcoded for all requests except File Upload
+	CryptoModule                  crypto.CryptoModule // A cryptography module used for encryption and decryption
 }
 
 // NewDemoConfig initiates the config with demo keys, for tests only.
@@ -90,7 +92,7 @@ func NewConfigWithUserId(userId UserId) *Config {
 	return &c
 }
 
-//Deprecated: Please use NewConfigWithUserId
+// Deprecated: Please use NewConfigWithUserId
 func NewConfig(uuid string) *Config {
 	return NewConfigWithUserId(UserId(uuid))
 }

crypto/aes_cbc_cryptor.go

@@ -0,0 +1,91 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+)
+
+type aesCbcCryptor struct {
+	block cipher.Block
+}
+
+func NewAesCbcCryptor(cipherKey string) (ExtendedCryptor, error) {
+	block, e := aesCipher(cipherKey)
+	if e != nil {
+		return nil, e
+	}
+
+	return &aesCbcCryptor{
+		block: block,
+	}, nil
+}
+
+var crivId = "ACRH"
+
+func (c *aesCbcCryptor) Id() string {
+	return crivId
+}
+
+func (c *aesCbcCryptor) Encrypt(message []byte) (*EncryptedData, error) {
+	message = padWithPKCS7(message)
+	iv := generateIV(aes.BlockSize)
+	blockmode := cipher.NewCBCEncrypter(c.block, iv)
+
+	encryptedBytes := make([]byte, len(message))
+	blockmode.CryptBlocks(encryptedBytes, message)
+
+	return &EncryptedData{
+		Metadata: iv,
+		Data:     encryptedBytes,
+	}, nil
+}
+
+func (c *aesCbcCryptor) Decrypt(encryptedData *EncryptedData) (r []byte, e error) {
+	decrypter := cipher.NewCBCDecrypter(c.block, encryptedData.Metadata)
+	//to handle decryption errors
+	defer func() {
+		if rec := recover(); rec != nil {
+			r, e = nil, fmt.Errorf("decrypt error: %s", rec)
+		}
+	}()
+
+	decrypted := make([]byte, len(encryptedData.Data))
+	decrypter.CryptBlocks(decrypted, encryptedData.Data)
+	val, err := unpadPKCS7(decrypted)
+	if err != nil {
+		return nil, fmt.Errorf("decrypt error: %s", err)
+	}
+
+	return val, nil
+}
+
+func (c *aesCbcCryptor) EncryptStream(reader io.Reader) (*EncryptedStreamData, error) {
+	iv := generateIV(aes.BlockSize)
+
+	return &EncryptedStreamData{
+		Metadata: iv,
+		Reader:   newBlockModeEncryptingReader(reader, cipher.NewCBCEncrypter(c.block, iv)),
+	}, nil
+}
+
+func (c *aesCbcCryptor) DecryptStream(encryptedData *EncryptedStreamData) (io.Reader, error) {
+	if encryptedData.Metadata == nil {
+		return nil, errors.New("missing metadata")
+	}
+	return newBlockModeDecryptingReader(encryptedData.Reader, cipher.NewCBCDecrypter(c.block, encryptedData.Metadata)), nil
+}
+
+func aesCipher(cipherKey string) (cipher.Block, error) {
+	hash := sha256.New()
+	hash.Write([]byte(cipherKey))
+
+	block, err := aes.NewCipher(hash.Sum(nil))
+	if err != nil {
+		return nil, err
+	}
+	return block, nil
+}

crypto/aes_cbc_cryptor_test.go

@@ -0,0 +1,77 @@
+package crypto
+
+import (
+	"bytes"
+	"io"
+	"testing"
+	"testing/quick"
+)
+
+var defaultPropertyTestConfig = &quick.Config{
+	MaxCount: 1000,
+}
+
+func canDecryptEncryptStreamResult(in []byte) bool {
+	cryptor, e := NewAesCbcCryptor("enigma")
+	if e != nil {
+		return false
+	}
+
+	output, err := cryptor.EncryptStream(bytes.NewReader(in))
+	if err != nil {
+		return false
+	}
+
+	encrData, err := io.ReadAll(output.Reader)
+
+	decrypted, err := cryptor.Decrypt(&EncryptedData{
+		Data:     encrData,
+		Metadata: output.Metadata,
+	})
+	if err != nil {
+		return false
+	}
+	return bytes.Equal(in, decrypted)
+}
+
+func canDecryptStreamEncryptResult(in []byte) bool {
+	cryptor, e := NewAesCbcCryptor("enigma")
+	if e != nil {
+		return false
+	}
+
+	output, err := cryptor.Encrypt(in)
+	if err != nil {
+		println(err.Error())
+		return false
+	}
+
+	decryptingReader, err := cryptor.DecryptStream(&EncryptedStreamData{
+		Reader:   bytes.NewReader(output.Data),
+		Metadata: output.Metadata,
+	})
+	if err != nil {
+		println(err.Error())
+		return false
+	}
+
+	decrypted, err := io.ReadAll(decryptingReader)
+	if err != nil {
+		println(err.Error())
+		return false
+	}
+
+	return bytes.Equal(in, decrypted)
+}
+
+func Test_AesCBC_EncryptStream(t *testing.T) {
+	if err := quick.Check(canDecryptEncryptStreamResult, defaultPropertyTestConfig); err != nil {
+		t.Error(err)
+	}
+}
+
+func Test_AesCBC_DecryptStream(t *testing.T) {
+	if err := quick.Check(canDecryptStreamEncryptResult, defaultPropertyTestConfig); err != nil {
+		t.Error(err)
+	}
+}

crypto/cryptor.go

@@ -0,0 +1,25 @@
+package crypto
+
+import "io"
+
+type EncryptedData struct {
+	Metadata []byte
+	Data     []byte
+}
+
+type Cryptor interface {
+	Id() string
+	Encrypt(message []byte) (*EncryptedData, error)
+	Decrypt(encryptedData *EncryptedData) ([]byte, error)
+}
+
+type EncryptedStreamData struct {
+	Metadata []byte
+	Reader   io.Reader
+}
+
+type ExtendedCryptor interface {
+	Cryptor
+	EncryptStream(reader io.Reader) (*EncryptedStreamData, error)
+	DecryptStream(encryptedData *EncryptedStreamData) (io.Reader, error)
+}