Code review

IronCoreLabs · Dec 11, 2023 · 1c185e2 · 1c185e2
1 parent e398909
commit 1c185e2
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 14 deletions.
diff --git a/src/aes.rs b/src/aes.rs
@@ -62,13 +62,12 @@ pub struct PlaintextDocument(pub Vec<u8>);
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct EncryptionKey(pub [u8; 32]);
 
-/// Decrypt the AES encrypted payload using the key. Note that the IV is on the front of the payload and the tag
-/// is on the end.
+/// Decrypt the AES encrypted payload using the key. Note that the IV is on the front of the payload.
 pub fn decrypt_document_with_attached_iv(
     key: &EncryptionKey,
-    aes_encrypted_payload: &[u8],
+    aes_encrypted_payload: &IvAndCiphertext,
 ) -> Result<PlaintextDocument> {
-    let (iv_slice, ciphertext) = aes_encrypted_payload.split_at(IV_LEN);
+    let (iv_slice, ciphertext) = aes_encrypted_payload.0.split_at(IV_LEN);
     let iv = iv_slice
         .try_into()
         .expect("IV conversion will always have 12 bytes.");
@@ -162,7 +161,7 @@ mod test {
         let encrypted =
             encrypt_document_and_attach_iv(&mut rng, key, PlaintextDocument(document.clone()))
                 .unwrap();
-        let result = decrypt_document_with_attached_iv(&key, encrypted.as_ref()).unwrap();
+        let result = decrypt_document_with_attached_iv(&key, &encrypted).unwrap();
         assert_eq!(result.0, document);
     }
 }
diff --git a/src/v3/mod.rs b/src/v3/mod.rs
@@ -71,7 +71,7 @@ impl EncryptedPayload {
     /// Decrypt a V3 detached document and verify its signature.
     pub fn decrypt(self, key: &EncryptionKey) -> Result<PlaintextDocument, Error> {
         if verify_signature(key.0, &self.v3_document_header) {
-            decrypt_document_with_attached_iv(key, &self.iv_and_ciphertext.0)
+            decrypt_document_with_attached_iv(key, &self.iv_and_ciphertext)
         } else {
             Err(Error::DecryptError(
                 "Signature validation failed.".to_string(),

diff --git a/src/v5/mod.rs b/src/v5/mod.rs
@@ -24,7 +24,7 @@ pub(crate) const DETACHED_HEADER_LEN: usize = 5;
 /// This value is correct by construction and will be validated when we create it.
 /// There is no public constructor, only the TryFrom implementations.
 #[derive(Debug, Clone, PartialEq, Eq)]
-pub struct EncryptedPayload(pub IvAndCiphertext);
+pub struct EncryptedPayload(IvAndCiphertext);
 
 impl Default for EncryptedPayload {
     fn default() -> EncryptedPayload {
@@ -60,6 +60,12 @@ impl TryFrom<Vec<u8>> for EncryptedPayload {
     }
 }
 
+impl From<IvAndCiphertext> for EncryptedPayload {
+    fn from(value: IvAndCiphertext) -> Self {
+        EncryptedPayload(value)
+    }
+}
+
 impl EncryptedPayload {
     /// Convert the encrypted payload to t
     pub fn to_aes_value_with_attached_iv(self) -> IvAndCiphertext {
@@ -68,10 +74,7 @@ impl EncryptedPayload {
 
     /// Decrypt a V5 detached document. The document should have the expected header
     pub fn decrypt(self, key: &EncryptionKey) -> Result<PlaintextDocument> {
-        crate::aes::decrypt_document_with_attached_iv(
-            key,
-            self.to_aes_value_with_attached_iv().as_ref(),
-        )
+        crate::aes::decrypt_document_with_attached_iv(key, &self.to_aes_value_with_attached_iv())
     }
 
     pub fn write_to_bytes(&self) -> Vec<u8> {
@@ -91,9 +94,9 @@ pub fn encrypt_detached_document<R: RngCore + CryptoRng>(
     document: PlaintextDocument,
 ) -> Result<EncryptedPayload> {
     let (iv, enc_data) = aes_encrypt(key, &document.0, &[], rng)?;
-    [&[V0], &MAGIC[..], &iv[..], &enc_data.0[..]]
-        .concat()
-        .try_into()
+    Ok(EncryptedPayload(IvAndCiphertext(
+        iv.into_iter().chain(enc_data.0.into_iter()).collect(),
+    )))
 }
 
 pub fn parse_standard_edek(edek_bytes: Bytes) -> Result<(KeyIdHeader, V4DocumentHeader)> {