feat: encrypt private keys saved on disk and in database (#682)

Co-authored-by: Kyle Mendell <kmendell@ofkm.us>
2026-02-16 11:56:12 +00:00 · 2025-07-03 11:34:34 -07:00
parent 9872608d61
commit 5550729120
25 changed files with 2311 additions and 328 deletions
--- a/backend/internal/utils/jwk/key_provider_file_test.go
+++ b/backend/internal/utils/jwk/key_provider_file_test.go
@@ -0,0 +1,320 @@
+package jwk
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/base64"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
+)
+
+func TestKeyProviderFile_LoadKey(t *testing.T) {
+	// Generate a test key to use in our tests
+	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	key, err := jwk.Import(pk)
+	require.NoError(t, err)
+
+	t.Run("LoadKey with no existing key", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		provider := &KeyProviderFile{}
+		err := provider.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+		})
+		require.NoError(t, err)
+
+		// Load key when none exists
+		loadedKey, err := provider.LoadKey()
+		require.NoError(t, err)
+		assert.Nil(t, loadedKey, "Expected nil key when no key exists")
+	})
+
+	t.Run("LoadKey with no existing key (with kek)", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		provider := &KeyProviderFile{}
+		err = provider.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+			Kek: makeKEK(t),
+		})
+		require.NoError(t, err)
+
+		// Load key when none exists
+		loadedKey, err := provider.LoadKey()
+		require.NoError(t, err)
+		assert.Nil(t, loadedKey, "Expected nil key when no key exists")
+	})
+
+	t.Run("LoadKey with unencrypted key", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		provider := &KeyProviderFile{}
+		err := provider.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+		})
+		require.NoError(t, err)
+
+		// Save a key
+		err = provider.SaveKey(key)
+		require.NoError(t, err)
+
+		// Make sure the key file exists
+		keyPath := filepath.Join(tempDir, PrivateKeyFile)
+		exists, err := utils.FileExists(keyPath)
+		require.NoError(t, err)
+		assert.True(t, exists, "Expected key file to exist")
+
+		// Load the key
+		loadedKey, err := provider.LoadKey()
+		require.NoError(t, err)
+		assert.NotNil(t, loadedKey, "Expected non-nil key when key exists")
+
+		// Verify the loaded key is the same as the original
+		keyBytes, err := EncodeJWKBytes(key)
+		require.NoError(t, err)
+
+		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
+		require.NoError(t, err)
+
+		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
+	})
+
+	t.Run("LoadKey with encrypted key", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		provider := &KeyProviderFile{}
+		err = provider.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+			Kek: makeKEK(t),
+		})
+		require.NoError(t, err)
+
+		// Save a key (will be encrypted)
+		err = provider.SaveKey(key)
+		require.NoError(t, err)
+
+		// Make sure the encrypted key file exists
+		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
+		exists, err := utils.FileExists(encKeyPath)
+		require.NoError(t, err)
+		assert.True(t, exists, "Expected encrypted key file to exist")
+
+		// Make sure the unencrypted key file does not exist
+		keyPath := filepath.Join(tempDir, PrivateKeyFile)
+		exists, err = utils.FileExists(keyPath)
+		require.NoError(t, err)
+		assert.False(t, exists, "Expected unencrypted key file to not exist")
+
+		// Load the key
+		loadedKey, err := provider.LoadKey()
+		require.NoError(t, err)
+		assert.NotNil(t, loadedKey, "Expected non-nil key when encrypted key exists")
+
+		// Verify the loaded key is the same as the original
+		keyBytes, err := EncodeJWKBytes(key)
+		require.NoError(t, err)
+
+		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
+		require.NoError(t, err)
+
+		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
+	})
+
+	t.Run("LoadKey replaces unencrypted key with encrypted key when kek is provided", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		// First, create an unencrypted key
+		providerNoKek := &KeyProviderFile{}
+		err := providerNoKek.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+		})
+		require.NoError(t, err)
+
+		// Save an unencrypted key
+		err = providerNoKek.SaveKey(key)
+		require.NoError(t, err)
+
+		// Verify unencrypted key exists
+		keyPath := filepath.Join(tempDir, PrivateKeyFile)
+		exists, err := utils.FileExists(keyPath)
+		require.NoError(t, err)
+		assert.True(t, exists, "Expected unencrypted key file to exist")
+
+		// Now create a provider with a kek
+		kek := make([]byte, 32)
+		_, err = rand.Read(kek)
+		require.NoError(t, err)
+
+		providerWithKek := &KeyProviderFile{}
+		err = providerWithKek.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+			Kek: kek,
+		})
+		require.NoError(t, err)
+
+		// Load the key - this should convert the unencrypted key to encrypted
+		loadedKey, err := providerWithKek.LoadKey()
+		require.NoError(t, err)
+		assert.NotNil(t, loadedKey, "Expected non-nil key when loading and converting key")
+
+		// Verify the unencrypted key no longer exists
+		exists, err = utils.FileExists(keyPath)
+		require.NoError(t, err)
+		assert.False(t, exists, "Expected unencrypted key file to be removed")
+
+		// Verify the encrypted key file exists
+		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
+		exists, err = utils.FileExists(encKeyPath)
+		require.NoError(t, err)
+		assert.True(t, exists, "Expected encrypted key file to exist after conversion")
+
+		// Verify the key data
+		keyBytes, err := EncodeJWKBytes(key)
+		require.NoError(t, err)
+
+		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
+		require.NoError(t, err)
+
+		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key after conversion")
+	})
+}
+
+func TestKeyProviderFile_SaveKey(t *testing.T) {
+	// Generate a test key to use in our tests
+	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	key, err := jwk.Import(pk)
+	require.NoError(t, err)
+
+	t.Run("SaveKey unencrypted", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		provider := &KeyProviderFile{}
+		err := provider.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+		})
+		require.NoError(t, err)
+
+		// Save the key
+		err = provider.SaveKey(key)
+		require.NoError(t, err)
+
+		// Verify the key file exists
+		keyPath := filepath.Join(tempDir, PrivateKeyFile)
+		exists, err := utils.FileExists(keyPath)
+		require.NoError(t, err)
+		assert.True(t, exists, "Expected key file to exist")
+
+		// Verify the content of the key file
+		data, err := os.ReadFile(keyPath)
+		require.NoError(t, err)
+
+		parsedKey, err := jwk.ParseKey(data)
+		require.NoError(t, err)
+
+		// Compare the saved key with the original
+		keyBytes, err := EncodeJWKBytes(key)
+		require.NoError(t, err)
+
+		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
+		require.NoError(t, err)
+
+		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected saved key to match original key")
+	})
+
+	t.Run("SaveKey encrypted", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		// Generate a 64-byte kek
+		kek := makeKEK(t)
+
+		provider := &KeyProviderFile{}
+		err = provider.Init(KeyProviderOpts{
+			EnvConfig: &common.EnvConfigSchema{
+				KeysPath: tempDir,
+			},
+			Kek: kek,
+		})
+		require.NoError(t, err)
+
+		// Save the key (will be encrypted)
+		err = provider.SaveKey(key)
+		require.NoError(t, err)
+
+		// Verify the encrypted key file exists
+		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
+		exists, err := utils.FileExists(encKeyPath)
+		require.NoError(t, err)
+		assert.True(t, exists, "Expected encrypted key file to exist")
+
+		// Verify the unencrypted key file doesn't exist
+		keyPath := filepath.Join(tempDir, PrivateKeyFile)
+		exists, err = utils.FileExists(keyPath)
+		require.NoError(t, err)
+		assert.False(t, exists, "Expected unencrypted key file to not exist")
+
+		// Manually decrypt the encrypted key file to verify it contains the correct key
+		encB64, err := os.ReadFile(encKeyPath)
+		require.NoError(t, err)
+
+		// Decode from base64
+		enc := make([]byte, base64.StdEncoding.DecodedLen(len(encB64)))
+		n, err := base64.StdEncoding.Decode(enc, encB64)
+		require.NoError(t, err)
+		enc = enc[:n] // Trim any padding
+
+		// Decrypt the data
+		data, err := cryptoutils.Decrypt(kek, enc, nil)
+		require.NoError(t, err)
+
+		// Parse the key
+		parsedKey, err := jwk.ParseKey(data)
+		require.NoError(t, err)
+
+		// Compare the decrypted key with the original
+		keyBytes, err := EncodeJWKBytes(key)
+		require.NoError(t, err)
+
+		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
+		require.NoError(t, err)
+
+		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected decrypted key to match original key")
+	})
+}
+
+func makeKEK(t *testing.T) []byte {
+	t.Helper()
+
+	// Generate a 32-byte kek
+	kek := make([]byte, 32)
+	_, err := rand.Read(kek)
+	require.NoError(t, err)
+	return kek
+}