chore(core): Validate basic root key

[dmihalcik-virtru]

Proposed Changes

• Export error types for invalid keys and insufficient/incorrectly formatted ciphertext
• Use errors.Is from the service to appropriate report errors given their context
• While here, auto-fixed a few 'upcoming' golangci-lint issues

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello @dmihalcik-virtru, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the error handling mechanisms within the core cryptography module by introducing dedicated, exported error types for invalid key data and ciphertext. These new errors are then consistently applied across the AES-GCM implementation and propagated through higher-level components using errors.Is. The change aims to provide clearer and more actionable error messages, allowing for better identification and resolution of issues related to cryptographic key management and data processing.

Highlights

• New Exported Error Types: Introduced and exported two new error types, ErrInvalidKeyData and ErrInvalidCiphertext, to provide more specific error reporting for cryptographic operations.
• Improved Error Handling in AES-GCM: Updated AESGcm methods to utilize the new error types, replacing generic error messages with ErrInvalidKeyData for key-related issues and ErrInvalidCiphertext for problems with nonce sizes or malformed input data during encryption and decryption.
• Enhanced Input Validation: Added explicit checks in AESGcm decryption functions (Decrypt, DecryptWithTagSize) to validate input data length, preventing potential issues with empty or undersized ciphertext and returning ErrInvalidCiphertext.
• Contextual Error Propagation: Implemented errors.Is checks in protected_key.go and basic_manager.go to inspect underlying cryptographic errors and re-wrap them with more context-specific and user-friendly messages, improving diagnosability for higher-level components.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Bad key, bad data, Clear errors now will show, Code path made so clean.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a good step towards more robust error handling by introducing specific error types like ErrInvalidKeyData and ErrInvalidCiphertext. This allows for more granular error checking and reporting. The changes in aes_gcm.go correctly replace generic errors with these new typed errors. The usage of errors.Is in protected_key.go and basic_manager.go to provide more context-specific error messages is also a good improvement.

I've found a few areas for improvement:

• There are some redundant checks in lib/ocrypto/aes_gcm.go that can be simplified.
• There appear to be some unreachable error handling blocks in lib/ocrypto/protected_key.go and service/internal/security/basic_manager.go where an error type is checked for that cannot be returned by the preceding function call. These can be removed.

[github-actions]

X-Test Failure Report

opentdfplatform0WW8QM.dockerbuild
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	179.885128ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	107.739409ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	363.224374ms
Throughput	275.31 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.480602384s
Average Latency	393.443836ms
Throughput	126.64 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	28.076416729s
Average Latency	279.854954ms
Throughput	178.09 requests/second

[github-actions]

X-Test Results

opentdfplatformCKXJK0.dockerbuild
✅ java-v0.4.34
✅ js-v0.4.34
cukes-report
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-3011
✅ java-pull-3011
✅ go-pull-3011

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	197.286879ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	105.359498ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	368.414652ms
Throughput	271.43 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	41.064624459s
Average Latency	408.877772ms
Throughput	121.76 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.862311126s
Average Latency	277.685324ms
Throughput	179.45 requests/second

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	204.455516ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	112.892558ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	363.705716ms
Throughput	274.95 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.942566056s
Average Latency	397.422927ms
Throughput	125.18 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	28.417872077s
Average Latency	283.389448ms
Throughput	175.95 requests/second

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	197.565852ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	114.912888ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	383.366735ms
Throughput	260.85 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.972191161s
Average Latency	407.438964ms
Throughput	122.03 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.803813213s
Average Latency	276.899396ms
Throughput	179.83 requests/second

[github-actions]

X-Test Results

opentdfplatformSQ2ZQB.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-3011
test-cases-mapping-report
✅ java-pull-3011
✅ go-pull-3011

[github-actions]

X-Test Results

opentdfplatformPLP8YC.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-f6769f67cb2b8aa8c9508d2ceecb139314461a44
test-cases-mapping-report
✅ java-f6769f67cb2b8aa8c9508d2ceecb139314461a44
✅ go-f6769f67cb2b8aa8c9508d2ceecb139314461a44

[github-actions]

X-Test Results

opentdfplatformL0YAUM.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-3011
✅ java-pull-3011
✅ go-pull-3011

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	195.788543ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.05747ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	371.911175ms
Throughput	268.88 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.723350942s
Average Latency	386.318401ms
Throughput	129.12 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.629970975s
Average Latency	275.602746ms
Throughput	180.96 requests/second

[github-actions]

X-Test Results

opentdfplatformWATNR2.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-3011
✅ java-pull-3011
✅ go-pull-3011