From 35400b72784f8ea7ba087c1c7d0bf58afbc1d4c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rodolphe=20Br=C3=A9ard?= Date: Sat, 9 Mar 2024 12:40:28 +0100 Subject: [PATCH] Set a default key periodicity of 1 year --- src/encryption.rs | 43 ++++++++++++++++++++++++++++++++++++++----- src/kdf.rs | 6 +++++- src/lib.rs | 9 +++++++++ 3 files changed, 52 insertions(+), 6 deletions(-) diff --git a/src/encryption.rs b/src/encryption.rs index e2e9ede..e7e64ca 100644 --- a/src/encryption.rs +++ b/src/encryption.rs @@ -68,6 +68,18 @@ mod tests { const TEST_DATA_CTX: &[&str] = &["018db876-3d9d-79af-9460-55d17da991d8"]; const EMPTY_DATA_CTX: &[[u8; 0]] = &[]; + fn get_static_key_ctx() -> KeyContext { + let mut ctx: KeyContext = TEST_KEY_CTX.into(); + ctx.set_static(); + ctx + } + + fn get_static_empty_key_ctx() -> KeyContext { + let mut ctx = KeyContext::from([]); + ctx.set_static(); + ctx + } + fn get_ikm_lst() -> InputKeyMaterialList { InputKeyMaterialList::import( "AQAAAA:AQAAAAEAAAC_vYEw1ujVG5i-CtoPYSzik_6xaAq59odjPm5ij01-e6zz4mUAAAAALJGBiwAAAAAA", @@ -77,7 +89,7 @@ mod tests { #[test] fn encrypt_decrypt_no_context() { - let ctx = KeyContext::from([]); + let ctx = get_static_empty_key_ctx(); // Encrypt let lst = get_ikm_lst(); @@ -95,17 +107,38 @@ mod tests { } #[test] - fn encrypt_decrypt_with_context() { - // Encrypt + fn encrypt_decrypt_with_static_context() { let lst = get_ikm_lst(); - let res = encrypt(&lst, &TEST_KEY_CTX.into(), TEST_DATA, TEST_DATA_CTX); + let key_ctx = get_static_key_ctx(); + + // Encrypt + let res = encrypt(&lst, &key_ctx, TEST_DATA, TEST_DATA_CTX); assert!(res.is_ok(), "res: {res:?}"); let ciphertext = res.unwrap(); assert!(ciphertext.starts_with("AQAAAA:")); assert_eq!(ciphertext.len(), 98); // Decrypt - let res = decrypt(&lst, &TEST_KEY_CTX.into(), &ciphertext, TEST_DATA_CTX); + let res = decrypt(&lst, &key_ctx, &ciphertext, TEST_DATA_CTX); + assert!(res.is_ok(), "res: {res:?}"); + let plaintext = res.unwrap(); + assert_eq!(plaintext, TEST_DATA); + } + + #[test] + fn encrypt_decrypt_with_context() { + let lst = get_ikm_lst(); + let key_ctx = KeyContext::from(TEST_KEY_CTX); + + // Encrypt + let res = encrypt(&lst, &key_ctx, TEST_DATA, TEST_DATA_CTX); + assert!(res.is_ok(), "res: {res:?}"); + let ciphertext = res.unwrap(); + assert!(ciphertext.starts_with("AQAAAA:")); + assert_eq!(ciphertext.len(), 110); + + // Decrypt + let res = decrypt(&lst, &key_ctx, &ciphertext, TEST_DATA_CTX); assert!(res.is_ok(), "res: {res:?}"); let plaintext = res.unwrap(); assert_eq!(plaintext, TEST_DATA); diff --git a/src/kdf.rs b/src/kdf.rs index 376e0f1..72a0b04 100644 --- a/src/kdf.rs +++ b/src/kdf.rs @@ -9,6 +9,10 @@ pub struct KeyContext { } impl KeyContext { + pub fn set_static(&mut self) { + self.periodicity = None; + } + pub fn set_periodicity(&mut self, periodicity: u64) { self.periodicity = Some(periodicity); } @@ -34,7 +38,7 @@ impl From<[&str; N]> for KeyContext { fn from(ctx: [&str; N]) -> Self { Self { ctx: ctx.iter().map(|s| s.to_string()).collect(), - periodicity: None, + periodicity: Some(crate::DEFAULT_KEY_CTX_PERIODICITY), } } } diff --git a/src/lib.rs b/src/lib.rs index 278b9ba..4b1d5f4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -31,6 +31,15 @@ pub use scheme::Scheme; /// [tropical_year]: https://en.wikipedia.org/wiki/Tropical_year #[cfg(feature = "ikm-management")] pub const DEFAULT_IKM_DURATION: u64 = 315_569_252; +/// Default amount of time during which a key is valid. +/// This is used for automatic periodic key rotation. +/// This value is expressed in seconds. +/// +/// Considering that a day is composed of 86400 seconds (60×60×24) and a year is 365.24219 days (approximate value of the [mean tropical year][tropical_year]), this value is equivalent to 1 year. +/// +/// [tropical_year]: https://en.wikipedia.org/wiki/Tropical_year +#[cfg(feature = "encryption")] +pub const DEFAULT_KEY_CTX_PERIODICITY: u64 = 31_556_925; #[cfg(feature = "ikm-management")] const DEFAULT_SCHEME: Scheme = Scheme::XChaCha20Poly1305WithBlake3;