crypto: removed check on ciphertext length to allow decryption of empty secrets

Author: Astropilot

infisical/__version__.py

@@ -1 +1 @@
-__version__ = "1.0.0"
+__version__ = "1.0.1"

infisical/utils/crypto.py

@@ -11,8 +11,8 @@
 
 def encrypt_asymmetric(
     plaintext: Union[Buffer, str],
-    public_key: Union[Buffer, Base64String],
-    private_key: Union[Buffer, Base64String],
+    public_key: Union[Buffer, Base64String, public.PublicKey],
+    private_key: Union[Buffer, Base64String, public.PrivateKey],
 ) -> Tuple[Base64String, Base64String]:
     """Performs asymmetric encryption of the ``plaintext`` with x25519-xsalsa20-poly1305
     algorithm with the given parameters. Each of those params should be either the raw value in bytes
@@ -24,21 +24,33 @@ def encrypt_asymmetric(
     :raises ValueError: If ``plaintext``, ``public_key`` or ``private_key`` are empty
     :return: A tuple containing the ciphered text and the random nonce used for encryption
     """
-    if len(plaintext) == 0 or len(public_key) == 0 or len(private_key) == 0:
-        raise ValueError()
+    if (not isinstance(public_key, public.PublicKey) and len(public_key) == 0) or (
+        not isinstance(private_key, public.PrivateKey) and len(private_key) == 0
+    ):
+        raise ValueError("Public key and private key cannot be empty!")
 
     m_plaintext = (
         str.encode(plaintext, "utf-8") if isinstance(plaintext, str) else plaintext
     )
     m_public_key = (
         b64decode(public_key) if isinstance(public_key, Base64String) else public_key
     )
+    m_public_key = (
+        public.PublicKey(m_public_key)
+        if isinstance(m_public_key, (bytes, bytearray, memoryview))
+        else m_public_key
+    )
     m_private_key = (
         b64decode(private_key) if isinstance(private_key, Base64String) else private_key
     )
+    m_private_key = (
+        public.PrivateKey(m_private_key)
+        if isinstance(m_private_key, (bytes, bytearray, memoryview))
+        else m_private_key
+    )
 
     nonce = utils.random(24)
-    box = public.Box(public.PrivateKey(m_private_key), public.PublicKey(m_public_key))
+    box = public.Box(m_private_key, m_public_key)
     ciphertext = box.encrypt(m_plaintext, nonce).ciphertext
 
     return (b64encode(ciphertext).decode("utf-8"), b64encode(nonce).decode("utf-8"))
@@ -67,7 +79,9 @@ def decrypt_asymmetric(
         or (not isinstance(public_key, public.PublicKey) and len(public_key) == 0)
         or (not isinstance(private_key, public.PrivateKey) and len(private_key) == 0)
     ):
-        raise ValueError()
+        raise ValueError(
+            "Public key, private key, ciphertext and nonce cannot be empty!"
+        )
 
     m_ciphertext = (
         b64decode(ciphertext) if isinstance(ciphertext, Base64String) else ciphertext
@@ -107,8 +121,8 @@ def encrypt_symmetric(
     :raises ValueError: If either ``plaintext`` or ``key`` is empty
     :return: Ciphered text
     """
-    if len(plaintext) == 0 or len(key) == 0:
-        raise ValueError()
+    if len(key) == 0:
+        raise ValueError("The given key is empty!")
 
     BLOCK_SIZE_BYTES = 16
 
@@ -146,7 +160,7 @@ def decrypt_symmetric(
     :raises ValueError: If ``ciphertext``, ``iv``, ``tag`` or ``key`` are empty or tag/mac does not match
     :return: Deciphered text
     """
-    if len(ciphertext) == 0 or len(tag) == 0 or len(iv) == 0 or len(key) == 0:
+    if len(tag) == 0 or len(iv) == 0 or len(key) == 0:
         raise ValueError("One of the given parameter is empty!")
 
     m_key = b64decode(key) if isinstance(key, Base64String) else key

tests/test_utils/test_crypto_decrypt_symmetric.py

@@ -33,14 +33,6 @@ def test_decrypt_symmetric_empty_param() -> None:
             iv="H/cRvADtxDa4XWzM2p1j0w==",
         )
 
-    with pytest.raises(ValueError):
-        decrypt_symmetric(
-            key="NDQxYThhNGFlOTdlMDQyNzBmOWI0MDkyZDgzYThmMGQ=",
-            ciphertext="",
-            tag="DlHIpSGeE7FIJQ3bxyqB7Q==",
-            iv="H/cRvADtxDa4XWzM2p1j0w==",
-        )
-
     with pytest.raises(ValueError):
         decrypt_symmetric(
             key="NDQxYThhNGFlOTdlMDQyNzBmOWI0MDkyZDgzYThmMGQ=",
@@ -56,3 +48,10 @@ def test_decrypt_symmetric_empty_param() -> None:
             tag="DlHIpSGeE7FIJQ3bxyqB7Q==",
             iv="",
         )
+
+    decrypt_symmetric(
+        key="C4AmL9liaUXm5tNVoHBTJw==",
+        ciphertext="",
+        tag="w+3JZYTW+YiKagCseraf4Q==",
+        iv="zw8vhOL67bEhvRijTCA+vA==",
+    )

tests/test_utils/test_crypto_encrypt_asymmetric.py

@@ -51,10 +51,12 @@ def test_encrypt_asymmetric_bytes() -> None:
 
 
 def test_encrypt_asymmetric_empty_param() -> None:
-    with pytest.raises(ValueError):
-        encrypt_asymmetric(
-            plaintext="", private_key=ALICE_PRIVATE_KEY, public_key=BOB_PUBLIC_KEY
-        )
+    cipher, nonce = encrypt_asymmetric(
+        plaintext="", private_key=ALICE_PRIVATE_KEY, public_key=BOB_PUBLIC_KEY
+    )
+
+    assert len(cipher) > 0
+    assert len(nonce) > 0
 
     with pytest.raises(ValueError):
         encrypt_asymmetric(

tests/test_utils/test_crypto_encrypt_symmetric.py

@@ -1,4 +1,5 @@
 import pytest
+from Cryptodome.Random import get_random_bytes
 from infisical.utils.crypto import decrypt_symmetric, encrypt_symmetric
 
 
@@ -34,15 +35,21 @@ def test_encrypt_symmetric_bytes() -> None:
     assert plaintext == "9c07298c06c6aaa762fcee342cf6bc34"
 
 
-def test_encrypt_symmetric_empty_param() -> None:
-    with pytest.raises(ValueError):
-        encrypt_symmetric(
-            plaintext="",
-            key="NDQxYThhNGFlOTdlMDQyNzBmOWI0MDkyZDgzYThmMGQ=",
-        )
-
+def test_encrypt_symmetric_empty_key() -> None:
     with pytest.raises(ValueError):
         encrypt_symmetric(
             plaintext="9c07298c06c6aaa762fcee342cf6bc34",
             key="",
         )
+
+
+def test_encrypt_symmetric_empty_plaintext() -> None:
+    key = get_random_bytes(16)
+
+    cipher, iv, tag = encrypt_symmetric(
+        plaintext="",
+        key=key,
+    )
+
+    assert len(cipher) == 0
+    assert len(iv) > 0 and len(tag) > 0