package vault
import (
"crypto/aes"
"crypto/cipher"
"crypto/sha256"
"github.com/mr-tron/base58/base58"
)
// Important: Do not trust this file. It needs to be audited and contains nonsense.
// As of (Feb 11, 2022)
// TODO: Use AWS KMS to encrypt/decrypt/re-encrypt instead of doing it ourselves in-memory.
//
// Specifically, we need to follow these examples:
// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/kms-example-encrypt-data.html
// https://aws.github.io/aws-sdk-go-v2/docs/code-examples/kms/encryptdata/
// Encrypt seals plaintext with AES-GCM and returns the result base58-encoded.
//
// The key is not a parameter: it is the base58-decoded value returned by
// GetSecret. The output holds only the GCM ciphertext and tag; the nonce is
// not stored with it, so Decrypt must be called with the same nonce argument.
//
// NOTE(review): the GCM nonce is a deterministic function of the nonce
// argument. Two Encrypt calls with the same key and the same nonce argument
// (or, see below, the same leading bytes) reuse a GCM nonce, which voids
// GCM's confidentiality and integrity guarantees for those messages. Callers
// must guarantee a unique nonce argument per encrypted value.
func Encrypt(plaintext, nonce string) (string, error) {
	rawKey, err := base58.Decode(GetSecret())
	if err != nil {
		return "", err
	}

	blk, err := aes.NewCipher(rawKey)
	if err != nil {
		return "", err
	}

	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return "", err
	}

	// NOTE(review): this does not hash the nonce argument. hash.Hash.Sum(b)
	// appends the digest of the data written so far (nothing here) to b, so
	// the slice is nonce || SHA-256(""), and truncation keeps only the first
	// gcm.NonceSize() bytes (12 for cipher.NewGCM) of the nonce string itself.
	// Inputs sharing that prefix therefore map to the same GCM nonce.
	// Switching to sha256.Sum256([]byte(nonce)) would fix the derivation but
	// makes existing ciphertexts undecryptable, so it needs a data migration.
	iv := sha256.New().Sum([]byte(nonce))[:gcm.NonceSize()]

	sealed := gcm.Seal(nil, iv, []byte(plaintext), nil)
	return base58.Encode(sealed), nil
}
// Decrypt base58-decodes ciphertext and opens it with AES-GCM, returning the
// recovered plaintext.
//
// Two keys are tried in order: defaultVaultSecret first, then the value
// returned by GetSecret. The first key that authenticates the ciphertext wins.
// If both fail, the error from the last attempt (the GetSecret key) is
// returned.
//
// NOTE(review): accepting defaultVaultSecret means any ciphertext sealed under
// that key passes authentication here. defaultVaultSecret is defined outside
// this view; if it is a value committed to the repository (confirm), the
// integrity of decrypted data is only as strong as that value's secrecy.
// Re-encrypting the affected DB entries and dropping the fallback closes this.
func Decrypt(ciphertext, nonce string) (plaintext string, err error) {
	// Some DB entries were accidentally encrypted with the default key in real
	// environments, so both keys must be tried.
	//
	// todo: Migrate bad DB entries and only use the secret provided by GetSecret.
	candidates := []string{
		defaultVaultSecret,
		GetSecret(),
	}

	// attempt runs one full decode-and-open pass under a single candidate key.
	attempt := func(secret string) (string, error) {
		rawKey, err := base58.Decode(secret)
		if err != nil {
			return "", err
		}

		sealed, err := base58.Decode(ciphertext)
		if err != nil {
			return "", err
		}

		blk, err := aes.NewCipher(rawKey)
		if err != nil {
			return "", err
		}

		gcm, err := cipher.NewGCM(blk)
		if err != nil {
			return "", err
		}

		// NOTE(review): this does not hash the nonce argument. Sum(b) appends
		// the digest of an empty input to b, so after truncation the GCM nonce
		// is just the first gcm.NonceSize() bytes of the nonce string. It must
		// stay in step with the derivation used by Encrypt.
		iv := sha256.New().Sum([]byte(nonce))[:gcm.NonceSize()]

		opened, err := gcm.Open(nil, iv, sealed, nil)
		if err != nil {
			return "", err
		}
		return string(opened), nil
	}

	for _, secret := range candidates {
		if plaintext, err = attempt(secret); err == nil {
			return plaintext, nil
		}
	}
	return "", err
}