Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Introduce new Secure Message API (#389)
* Introduce new Secure Message API The new API has more obvious naming and should be harder to misuse, with encrypt/decrypt and sign/verify API clearly named and separated. A common mistake with the old API was for users to accidentally using sign/verify API instead of encryption by not providing a private key. New API features more strict checks and prevents this kind of mistakes. Currently the new API is implemented using the old functions (as they are intended to be used). We'll switch the implementations in the next commit and then deprecate the old API. * Implement new Secure Message API using primitives This effectively moves themis_secure_message_{wrap,unwrap} code to these specific functions. However, with changes and simplifications. For example, verification and decryption no longer has to guess the type of the container: we now expect only encrypted containers when decrypting and signed containers for verification. Initially I wanted to reimplement themis_secure_message_{wrap,unwrap} in terms of the new functions, however their behavior has several idiosyncrasies so the old functions are still there with the same implementation. For example, if the provided keys are invalid then in in encrypt/decrypt mode the old API returns THEMIS_INVALID_PARAM but in sign/verify mode it returns THEMIS_FAIL. The new API returns THEMIS_INVALID_PARAM consistently (as it is evident from the tests). Leave a comment in the code for developers so that they don't try to (incorrectly) reimplement, for example, unwrap with decrypt and verify or vice versa. * Mark old Secure Message API as deprecated Actually mark the old functions them with a deprecation attribute. This will produce warnings during compilation which should prompt the users to migrate to the new API. Add an exception to our test code which still needs to test the old API. We treat warnings as errors and don't want to fail the build. * Use new Secure Message API: ThemisPP C++ methods are already using the new names so just replace the calls with the new ones and we're done here. * Use new Secure Message API: rust-themis Rust methods already use new names so we only have to change the implementation. It's quite repetetive and verbose but meh... we have to call different functions with different interfaces. (It may be possible to avoid some of the copypasta with macros but I doubt they will be more maintainable than this.) * Use new Secure Message API: Java/Android Themis Java binding actually fails to build on CI due to deprecation warnings from the core library so we have to make these changes anyway. Current JNI interface is not flexible enough with a single boolean flag. Replace the flag with an integer action mode, provide and use the constants in Java code. JNI interface is an implementation detail so we can make this change freely. * Use new Secure Message API: JsThemis Easy as with C++: just use the new functions and we're done. All object methods already have proper names. * Move key kind validation to Themis Core These functions should be useful for Themis users so make them available. We're going to use them internally as well to validate key inputs where appropriate. Note that in Rust we no longer need to link against Soter because the functions are now exported from Themis. Also, drop the long and detalied rant about pointer alignment. It's not very realistic to do anything about it and it does not cause any trouble yet. I guess we can let it pass until we encounter SIGBUS in the wild. Just assume that the pointers are correctly aligned (and try to keep them aligned in Rust). * Key kind checks in Secure Message Add key validation to the new Secure Message API in Themis Core. Now the functions validate the key checksums and make sure that correct private and public keys are used. This should avoid unexpected behavior when a private key is used instead of a public one or vice versa. * Key kind checks in Secure Message: ThemisPP Add validation and human-friendly error messages to ThemisPP if the user passes incorrect keys to constructor. * Key kind checks in Secure Message: JsThemis Add key validation to JavaScript wrapper as well. This is similar to ThemisPP but we use NAN's error reporting instead of C++ exceptions. * Move keygen and validation into a new file All language wrappers actually have a separate module named "keygen" or something like that. However, the core library keeps key generation routines in secure_message.c which is weird. Move key generation and validation into a separate source file at least. C does not have modules per se, but this makes much easier to locate keygen functions.
- Loading branch information