Bleichenbacher Attack in Gorilla Mux with Firestore

A Bleichenbacher attack is a padding oracle attack originally described against RSA encryption, where an attacker submits many carefully crafted ciphertexts and uses server-side error messages to gradually decrypt data or recover the private key. In a web API context, this pattern can manifest when an authentication or token verification endpoint performs decryption or signature verification and responds with distinct error messages for padding versus integrity failures. Gorilla Mux, a popular HTTP router and dispatcher for Go, is often used to route requests such as /login or /token to handlers that validate JWTs or encrypted payloads. If those handlers are implemented to interact with Firestore—such as fetching user records or rotating keys—distinct timing differences or error responses can unintentionally reveal whether a given ciphertext is well-formed, enabling an attacker to iteratively recover plaintext or forge tokens.

Firestore itself does not introduce the padding oracle; the risk arises when application code hosted behind Gorilla Mux performs decryption or verification against data stored in Firestore and leaks the outcome through timing or error messages. For example, a handler might retrieve a user document by ID, attempt to decrypt a field using a key stored in Firestore, and return 400 Bad Request for padding errors and 401 Unauthorized for signature mismatch. These different responses allow an attacker to mount a Bleichenbacher-style adaptive chosen-ciphertext attack, submitting modified ciphertexts and observing HTTP status codes and response times to infer the plaintext. Because Firestore operations are typically fast and network latency is low, timing differences may be subtle but still measurable, especially under controlled probing from an attacker close to the network path.

The combination of Gorilla Mux routing, Firestore data access, and cryptographic verification is particularly sensitive when the route handling tokens or session cookies performs per-request Firestore lookups as part of validation. If the handler short-circuits on padding errors before querying Firestore but queries Firestore and performs more work on valid-looking ciphertexts, the timing discrepancy becomes more pronounced. Additionally, if error messages include stack traces or detailed validation feedback, the oracle becomes even more useful to an attacker. A typical attack chain involves intercepting a token, iteratively modifying padding blocks, observing status codes and latency, and eventually recovering the plaintext or forging a token that grants elevated access through a Firestore-backed identity check.

Remediation focuses on making token verification and Firestore interactions constant-time and unobservable via status or timing differences. The handler should perform verification steps that do not branch on secret-dependent data and should avoid returning distinct errors for padding versus integrity failures. Instead, use a single, generic error response and ensure any Firestore operations are either always executed or masked with dummy operations when necessary.

Below is a secure pattern for a Gorilla Mux handler that verifies an encrypted session token using a key stored in Firestore, without leaking padding-related information:

//go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"net/http"
	"time"

	"cloud.google.com/go/firestore"
	"google.golang.org/api/option"
)

// decryptConstantTime attempts to decrypt data and returns a constant-time
// result to avoid padding oracle behavior. It uses a dummy operation to mask
// the length of the secret-dependent path.
func decryptConstantTime(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		// Always return a generic error; do not expose internal details.
		return nil, fmt.Errorf("verification failed")
	}

	if len(ciphertext) < aes.BlockSize {
		return nil, fmt.Errorf("verification failed")
	}

	// Use CBC decryption as an example.
	iv := ciphertext[:aes.BlockSize]
	ciphertext = ciphertext[aes.BlockSize:]
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("verification failed")
	}

	mode := cipher.NewCBCDecrypter(block, iv)
	plaintext := make([]byte, len(ciphertext))
	mode.CryptBlocks(plaintext, ciphertext)

	// Constant-time unpad: compute padding length without branching on secret data.
	paddingLen := int(plaintext[len(plaintext)-1])
	if paddingLen > len(plaintext) || paddingLen > aes.BlockSize {
		return nil, fmt.Errorf("verification failed")
	}

	// Verify padding in constant time by always checking the full block.
	expected := plaintext[len(plaintext)-paddingLen:]
	var padGood byte
	for i := 0; i < paddingLen; i++ {
		padGood |= plaintext[len(plaintext)-paddingLen+i] ^ expected[i]
	}
	if padGood != 0 {
		return nil, fmt.Errorf("verification failed")
	}

	// Remove padding.
	return plaintext[:len(plaintext)-paddingLen], nil
}

func tokenHandler(client *firestore.Client) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		token := r.Header.Get("Authorization")
		if token == "" {
			http.Error(w, `{"error": "verification failed"}`}, http.StatusUnauthorized)
			return
		}

		// Decode token (e.g., base64 ciphertext).
		ciphertext, err := base64.StdEncoding.DecodeString(token)
		if err != nil {
			http.Error(w, `{"error": "verification failed"}`), http.StatusUnauthorized)
			return
		}

		// Fetch the key document; this operation should be constant-time from an attacker’s view.
		// Always perform the read to mask timing, even if we already have a cached key.
		keyDoc, err := client.Collection("keys").Doc("current").Get(ctx)
		var key []byte
		if err != nil || keyDoc.Data() == nil {
			key = []byte{0} // Dummy key to ensure consistent timing when Firestore is unavailable.
		} else {
			var ok bool
			key, ok = keyDoc.Data()["value"].([]byte)
			if !ok {
				key = []byte{0}
			}
		}

		// Decrypt in constant time.
		plaintext, err := decryptConstantTime(key, ciphertext)
		if err != nil {
			http.Error(w, `{"error": "verification failed"}`, http.StatusUnauthorized)
			return
		}

		// Use plaintext (e.g., user ID) to fetch user record, ensuring the query is bounded and index-backed.
		var user struct {
			Email string
		}
		if err := client.Collection("users").Doc(string(plaintext)).GetInto(ctx, &user); err != nil {
			http.Error(w, `{"error": "verification failed"}`, http.StatusUnauthorized)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"user": "%s"}`, user.Email)
	}
}

func main() {
	opts := option.WithCredentialsFile("path/to/serviceAccount.json")
	client, err := firestore.NewClient(context.Background(), "my-project", opts)
	if err != nil {
		panic(err)
	}
	defer client.Close()

	r := http.NewServeMux()
	r.HandleFunc("/token", tokenHandler(client))

	srv := &http.Server{
		Addr:              ":8080",
		Handler:           r,
		ReadHeaderTimeout: 5 * time.Second,
	}
	srv.ListenAndServe()
}

Additional recommendations:

• Use environment-based configuration for Firestore collection and document names to avoid injection via attacker-controlled paths.
• Apply the same constant-time approach to any Firestore-wrapped cryptographic operations, including key rotation or envelope decryption.
• Ensure TLS is enforced for all Firestore and API traffic to prevent on-path tampering that could amplify timing differences.