feat(transport): AES-256-GCM + PBKDF2 BundleSecretEncryptor

src/ScadaLink.Transport/Encryption/BundleSecretEncryptor.cs

@@ -0,0 +1,76 @@
+using System.Security.Cryptography;
+using ScadaLink.Commons.Types.Transport;
+
+namespace ScadaLink.Transport.Encryption;
+
+/// <summary>
+/// AES-256-GCM authenticated encryption with a PBKDF2-SHA256 derived key.
+/// Output format is <c>ciphertext || tag</c> (tag is the GCM authentication tag).
+/// Each encrypt call produces a fresh random salt + nonce so re-encrypting the
+/// same plaintext yields a different ciphertext.
+/// </summary>
+public sealed class BundleSecretEncryptor
+{
+    private const int KeyBytes = 32;            // AES-256.
+    private const int SaltBytes = 16;
+    private const int NonceBytes = 12;          // GCM standard.
+    private const int TagBytes = 16;
+
+    public (byte[] Ciphertext, EncryptionMetadata Metadata) Encrypt(
+        ReadOnlySpan<byte> plaintext,
+        string passphrase,
+        int iterations)
+    {
+        var salt = RandomNumberGenerator.GetBytes(SaltBytes);
+        var nonce = RandomNumberGenerator.GetBytes(NonceBytes);
+        var key = DeriveKey(passphrase, salt, iterations);
+
+        var ciphertext = new byte[plaintext.Length];
+        var tag = new byte[TagBytes];
+        using var aes = new AesGcm(key, TagBytes);
+        aes.Encrypt(nonce, plaintext, ciphertext, tag);
+
+        // Format: ciphertext || tag.
+        var output = new byte[ciphertext.Length + TagBytes];
+        Buffer.BlockCopy(ciphertext, 0, output, 0, ciphertext.Length);
+        Buffer.BlockCopy(tag, 0, output, ciphertext.Length, TagBytes);
+
+        return (output, new EncryptionMetadata(
+            "AES-256-GCM", "PBKDF2-SHA256", iterations,
+            Convert.ToBase64String(salt),
+            Convert.ToBase64String(nonce)));
+    }
+
+    public byte[] Decrypt(ReadOnlySpan<byte> payload, EncryptionMetadata metadata, string passphrase)
+    {
+        ArgumentNullException.ThrowIfNull(metadata);
+
+        if (metadata.Algorithm != "AES-256-GCM" || metadata.Kdf != "PBKDF2-SHA256")
+        {
+            throw new CryptographicException("Unsupported bundle encryption parameters.");
+        }
+
+        var salt = Convert.FromBase64String(metadata.SaltB64);
+        var nonce = Convert.FromBase64String(metadata.IvB64);
+        var key = DeriveKey(passphrase, salt, metadata.Iterations);
+
+        if (payload.Length < TagBytes)
+        {
+            throw new CryptographicException("Bundle payload too short.");
+        }
+
+        var ctLen = payload.Length - TagBytes;
+        var ciphertext = payload[..ctLen];
+        var tag = payload[ctLen..];
+
+        var plaintext = new byte[ctLen];
+        using var aes = new AesGcm(key, TagBytes);
+        aes.Decrypt(nonce, ciphertext, tag, plaintext);
+        return plaintext;
+    }
+
+    private static byte[] DeriveKey(string passphrase, byte[] salt, int iterations)
+    {
+        return Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, iterations, HashAlgorithmName.SHA256, KeyBytes);
+    }
+}

tests/ScadaLink.Transport.Tests/Encryption/BundleSecretEncryptorTests.cs

@@ -0,0 +1,78 @@
+using System.Security.Cryptography;
+using System.Text;
+using ScadaLink.Transport.Encryption;
+
+namespace ScadaLink.Transport.Tests.Encryption;
+
+public sealed class BundleSecretEncryptorTests
+{
+    private const int TestIterations = 10_000; // Lower than production for test speed.
+
+    [Fact]
+    public void Encrypt_then_Decrypt_roundtrips_arbitrary_bytes()
+    {
+        var sut = new BundleSecretEncryptor();
+        var plaintext = Encoding.UTF8.GetBytes("the quick brown fox jumps over the lazy dog");
+
+        var (ciphertext, metadata) = sut.Encrypt(plaintext, "correct-horse-battery-staple", TestIterations);
+        var recovered = sut.Decrypt(ciphertext, metadata, "correct-horse-battery-staple");
+
+        Assert.Equal(plaintext, recovered);
+    }
+
+    [Fact]
+    public void Decrypt_with_wrong_passphrase_throws_CryptographicException()
+    {
+        var sut = new BundleSecretEncryptor();
+        var plaintext = Encoding.UTF8.GetBytes("secret payload");
+
+        var (ciphertext, metadata) = sut.Encrypt(plaintext, "right-pass", TestIterations);
+
+        Assert.ThrowsAny<CryptographicException>(() => sut.Decrypt(ciphertext, metadata, "wrong-pass"));
+    }
+
+    [Fact]
+    public void Decrypt_with_tampered_ciphertext_throws_CryptographicException()
+    {
+        var sut = new BundleSecretEncryptor();
+        var plaintext = Encoding.UTF8.GetBytes("secret payload");
+
+        var (ciphertext, metadata) = sut.Encrypt(plaintext, "pass", TestIterations);
+        ciphertext[0] ^= 0xFF; // Flip every bit in the first ciphertext byte.
+
+        Assert.ThrowsAny<CryptographicException>(() => sut.Decrypt(ciphertext, metadata, "pass"));
+    }
+
+    [Fact]
+    public void Encrypt_produces_distinct_ciphertext_for_same_input_due_to_random_iv()
+    {
+        var sut = new BundleSecretEncryptor();
+        var plaintext = Encoding.UTF8.GetBytes("same input");
+
+        var (ct1, meta1) = sut.Encrypt(plaintext, "pass", TestIterations);
+        var (ct2, meta2) = sut.Encrypt(plaintext, "pass", TestIterations);
+
+        Assert.NotEqual(ct1, ct2);
+        Assert.NotEqual(meta1.IvB64, meta2.IvB64);
+        Assert.NotEqual(meta1.SaltB64, meta2.SaltB64);
+    }
+
+    [Fact]
+    public void Encrypt_emits_metadata_matching_decryption_inputs()
+    {
+        var sut = new BundleSecretEncryptor();
+        var plaintext = Encoding.UTF8.GetBytes("payload");
+
+        var (ciphertext, metadata) = sut.Encrypt(plaintext, "pass", TestIterations);
+
+        Assert.Equal("AES-256-GCM", metadata.Algorithm);
+        Assert.Equal("PBKDF2-SHA256", metadata.Kdf);
+        Assert.Equal(TestIterations, metadata.Iterations);
+        // Salt is 16 bytes (24 chars b64 incl padding), Iv is 12 bytes (16 chars b64 incl padding).
+        Assert.Equal(16, Convert.FromBase64String(metadata.SaltB64).Length);
+        Assert.Equal(12, Convert.FromBase64String(metadata.IvB64).Length);
+
+        var recovered = sut.Decrypt(ciphertext, metadata, "pass");
+        Assert.Equal(plaintext, recovered);
+    }
+}