go/secret
1
0
Fork 0
Code Issues Pull Requests Actions Releases Activity

More decryption functions and stub test cases for AWS

Browse Source
This commit is contained in:
maze
2025-09-05 08:41:03 +02:00
parent deb3c67d80
commit 6a1a7ba499
4 changed files with 293 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
aws_test.go Normal file
View File

@@ -0,0 +1,31 @@
package secret
import (
"os"
"testing"
)
func TestAWSKeyManagement(t *testing.T) {
if !testAWSAvailable(t) {
return
}
}
func TestAWSParameterStorage(t *testing.T) {
if !testAWSAvailable(t) {
return
}
}
func testAWSAvailable(t *testing.T) bool {
t.Helper()
if os.Getenv("AWS_ACCESS_KEY")+os.Getenv("AWS_ACCESS_KEY_ID") == "" {
t.Skip("AWS_ACCESS_KEY or AWS_ACCESS_KEY_ID not set, which should contain the access key for testing")
return false
}
if os.Getenv("AWS_SECRET_ACCESS_KEY")+os.Getenv("AWS_SECRET_KEY") == "" {
t.Skip("AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY not set, which should contain the secret key for testing")
return false
}
return true
}

191
decrypt.go
View File

@@ -1,15 +1,27 @@
package secret package secret
import ( import (
"bytes"
"crypto/aes" "crypto/aes"
"crypto/cipher" "crypto/cipher"
"crypto/ecdsa"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"encoding/pem"
"errors" "errors"
"fmt"
"hash"
"os"
"strings"
"golang.org/x/crypto/chacha20poly1305" "golang.org/x/crypto/chacha20poly1305"
"golang.org/x/crypto/nacl/secretbox" "golang.org/x/crypto/nacl/secretbox"
) )
type aead struct { type aeadProvider struct {
Provider Provider
aead cipher.AEAD aead cipher.AEAD
} }
@@ -22,7 +34,7 @@ func WithChaCha20Poly1305(p Provider, key []byte) (Provider, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
return aead{ return aeadProvider{
Provider: p, Provider: p,
aead: cipher, aead: cipher,
}, nil }, nil
@@ -36,13 +48,13 @@ func WithChaCha20Poly1305X(p Provider, key []byte) (Provider, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
return aead{ return aeadProvider{
Provider: p, Provider: p,
aead: cipher, aead: cipher,
}, nil }, nil
} }
// WithAESGCM wraps the returned value and decrypts it using AES GCM AEAD. // WithAESGCM wraps the returned value and decrypts it using AES-GCM AEAD.
// //
// The accepted key sizes are 16 bytes for AES-128 and 32 bytes for AES-256. // The accepted key sizes are 16 bytes for AES-128 and 32 bytes for AES-256.
func WithAESGCM(p Provider, key []byte) (Provider, error) { func WithAESGCM(p Provider, key []byte) (Provider, error) {
@@ -56,13 +68,13 @@ func WithAESGCM(p Provider, key []byte) (Provider, error) {
return nil, err return nil, err
} }
return aead{ return aeadProvider{
Provider: p, Provider: p,
aead: gcm, aead: gcm,
}, nil }, nil
} }
func (p aead) GetSecret(key string) (value []byte, err error) { func (p aeadProvider) GetSecret(key string) (value []byte, err error) {
if value, err = p.Provider.GetSecret(key); err != nil { if value, err = p.Provider.GetSecret(key); err != nil {
return return
} }
@@ -76,19 +88,70 @@ func (p aead) GetSecret(key string) (value []byte, err error) {
return p.aead.Open(nil, nonce, ciphertext, nil) return p.aead.Open(nil, nonce, ciphertext, nil)
} }
type secretBox struct { type oaepProvider struct {
Provider Provider
key [32]byte key *rsa.PrivateKey
hash func() hash.Hash
} }
func WithSecretBox(p Provider, key [32]byte) Provider { // WithOAEP transparently decrypts secrets returned from the provider using RSA-OAEP.
return &secretBox{ //
// Encryption and decryption of a given message must use the same hash function and sha256.New()
// is a reasonable choice. When hashFunc is nil, then sha256 will be used.
func WithOAEP(p Provider, key *rsa.PrivateKey, hashFunc func() hash.Hash) Provider {
if hashFunc == nil {
hashFunc = func() hash.Hash {
return sha256.New()
}
}
return oaepProvider{
Provider: p,
key: key,
hash: hashFunc,
}
}
func (p oaepProvider) GetSecret(key string) (value []byte, err error) {
if value, err = p.Provider.GetSecret(key); err != nil {
return
}
return rsa.DecryptOAEP(p.hash(), nil, p.key, value, nil)
}
type pkcs1v15Provider struct {
Provider
key *rsa.PrivateKey
}
// WithPKCS1v15 transparently decrypts secrets returned from the provider using RSA and the padding scheme from PKCS #1 v1.5.
func WithPKCS1v15(p Provider, key *rsa.PrivateKey) Provider {
return pkcs1v15Provider{
Provider: p, Provider: p,
key: key, key: key,
} }
} }
func (p secretBox) GetSecret(key string) (value []byte, err error) { func (p pkcs1v15Provider) GetSecret(key string) (value []byte, err error) {
if value, err = p.Provider.GetSecret(key); err != nil {
return
}
return rsa.DecryptPKCS1v15(nil, p.key, value)
}
type secretboxProvider struct {
Provider
key [32]byte
}
// WithSecretBox transparently decrypts secrets returned from the provider using NaCL secretbox.
func WithSecretBox(p Provider, key [32]byte) Provider {
return &secretboxProvider{
Provider: p,
key: key,
}
}
func (p secretboxProvider) GetSecret(key string) (value []byte, err error) {
if value, err = p.Provider.GetSecret(key); err != nil { if value, err = p.Provider.GetSecret(key); err != nil {
return return
} }
@@ -105,3 +168,109 @@ func (p secretBox) GetSecret(key string) (value []byte, err error) {
return return
} }
const (
pemECPrivateKey = "EC PRIVATE KEY"
pemRSAPrivateKey = "RSA PRIVATE KEY"
pemPrivateKey = "PRIVATE KEY"
)
func loadPrivateKey(name string, blockType string) (any, error) {
b, err := os.ReadFile(name)
if err != nil {
return nil, err
}
return ParsePrivateKey(b, blockType)
}
func LoadECPrivateKey(name string) (*ecdsa.PrivateKey, error) {
k, err := loadPrivateKey(name, pemECPrivateKey)
if err != nil {
return nil, err
}
return k.(*ecdsa.PrivateKey), nil
}
func LoadRSAPrivateKey(name string) (*rsa.PrivateKey, error) {
k, err := loadPrivateKey(name, pemRSAPrivateKey)
if err != nil {
return nil, err
}
return k.(*rsa.PrivateKey), nil
}
func ParseECPrivateKey(b []byte) (*ecdsa.PrivateKey, error) {
k, err := ParsePrivateKey(b, pemECPrivateKey)
if err != nil {
return nil, err
}
return k.(*ecdsa.PrivateKey), nil
}
func ParseRSAPrivateKey(b []byte) (*rsa.PrivateKey, error) {
k, err := ParsePrivateKey(b, pemRSAPrivateKey)
if err != nil {
return nil, err
}
return k.(*rsa.PrivateKey), nil
}
const (
secretBoxHexEncodedLen = 64 // hex.EncodedLen(32)
secretBoxRawBase64EncodedLen = 43 // base64.RawStdEncoding.EncodedLen(32)
secretBoxStdBase64EncodedLen = 44 // base64.StdEncoding.EncodedLen(32)
)
// ParseSecretBoxKey decodes a hex or base64 encoded SecretBox key.
func ParseSecretBoxKey(b []byte) ([32]byte, error) {
var key [32]byte
b = bytes.TrimRight(b, "\r\n")
switch len(b) {
case secretBoxHexEncodedLen:
if _, err := hex.Decode(key[:], b); err != nil {
return key, err
}
case secretBoxRawBase64EncodedLen:
if _, err := base64.RawStdEncoding.Decode(key[:], b); err != nil {
return key, err
}
case secretBoxStdBase64EncodedLen:
if _, err := base64.StdEncoding.Decode(key[:], b); err != nil {
return key, err
}
default:
return key, fmt.Errorf("secret: secretbox expected %d hex bytes, or %d/%d base64 bytes, got %d",
secretBoxHexEncodedLen, secretBoxRawBase64EncodedLen, secretBoxStdBase64EncodedLen, len(b))
}
return key, nil
}
func ParsePrivateKey(b []byte, blockType string) (any, error) {
var (
rest = b
block *pem.Block
)
for {
if block, rest = pem.Decode(rest); block == nil {
return nil, errors.New("secret: no PEM encoded data remains")
}
if block.Type == blockType || block.Type == pemPrivateKey || blockType == "" {
break
}
}
if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") {
return nil, fmt.Errorf("secret: can't decrypt encrypted %s PEM block", block.Type)
}
switch block.Type {
case pemECPrivateKey:
return x509.ParseECPrivateKey(block.Bytes)
case pemRSAPrivateKey:
return x509.ParsePKCS1PrivateKey(block.Bytes)
case pemPrivateKey:
return x509.ParsePKCS8PrivateKey(block.Bytes)
default:
return nil, fmt.Errorf("secret: don't know how to decode a %s PEM block", block.Type)
}
}

90
decrypt_test.go
View File

@@ -11,7 +11,8 @@ func TestWithAES128GCM(t *testing.T) {
0x37, 0xe4, 0x62, 0x59, 0xa6, 0xef, 0xe9, 0x96, 0x37, 0xe4, 0x62, 0x59, 0xa6, 0xef, 0xe9, 0x96,
0xb8, 0x5d, 0x2c, 0x35, 0xb5, 0x33, 0x3e, 0xff, 0xb8, 0x5d, 0x2c, 0x35, 0xb5, 0x33, 0x3e, 0xff,
} }
env := environment{"test": []byte{
p, err := WithAESGCM(mockProvider{[]byte{
0x1c, 0x74, 0x37, 0xe9, 0x9e, 0x37, 0xb8, 0x9e, 0x1c, 0x74, 0x37, 0xe9, 0x9e, 0x37, 0xb8, 0x9e,
0xf0, 0x21, 0xc0, 0xec, 0xad, 0x9d, 0xdf, 0x67, 0xf0, 0x21, 0xc0, 0xec, 0xad, 0x9d, 0xdf, 0x67,
0x75, 0xfd, 0x00, 0x48, 0x20, 0x46, 0x2e, 0x14, 0x75, 0xfd, 0x00, 0x48, 0x20, 0x46, 0x2e, 0x14,
@@ -21,9 +22,7 @@ func TestWithAES128GCM(t *testing.T) {
0x62, 0x55, 0x2b, 0x3b, 0x5e, 0xb5, 0x67, 0xb4, 0x62, 0x55, 0x2b, 0x3b, 0x5e, 0xb5, 0x67, 0xb4,
0x32, 0x92, 0x68, 0xcc, 0x55, 0x8e, 0xd3, 0xc7, 0x32, 0x92, 0x68, 0xcc, 0x55, 0x8e, 0xd3, 0xc7,
0xce, 0xce,
}} }, nil}, key)
p, err := WithAESGCM(env, key)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
@@ -47,7 +46,8 @@ func TestWithAES256GCM(t *testing.T) {
0x12, 0xbf, 0x7a, 0x47, 0x4d, 0x21, 0x09, 0xa0, 0x12, 0xbf, 0x7a, 0x47, 0x4d, 0x21, 0x09, 0xa0,
0x3e, 0x3f, 0x65, 0xc7, 0xae, 0x94, 0x6c, 0xe3, 0x3e, 0x3f, 0x65, 0xc7, 0xae, 0x94, 0x6c, 0xe3,
} }
env := environment{"test": []byte{
p, err := WithAESGCM(mockProvider{[]byte{
0x62, 0x97, 0x6b, 0xc1, 0x78, 0xef, 0x41, 0xa0, 0x62, 0x97, 0x6b, 0xc1, 0x78, 0xef, 0x41, 0xa0,
0xd4, 0xdc, 0x05, 0x05, 0x66, 0xf6, 0x5f, 0x62, 0xd4, 0xdc, 0x05, 0x05, 0x66, 0xf6, 0x5f, 0x62,
0xca, 0x91, 0xae, 0xd7, 0x7c, 0xff, 0xad, 0xc1, 0xca, 0x91, 0xae, 0xd7, 0x7c, 0xff, 0xad, 0xc1,
@@ -57,9 +57,7 @@ func TestWithAES256GCM(t *testing.T) {
0xc7, 0x82, 0x24, 0xb4, 0x9e, 0x9e, 0xdc, 0x10, 0xc7, 0x82, 0x24, 0xb4, 0x9e, 0x9e, 0xdc, 0x10,
0x96, 0x60, 0xa2, 0x92, 0x2a, 0x94, 0x9c, 0x3a, 0x96, 0x60, 0xa2, 0x92, 0x2a, 0x94, 0x9c, 0x3a,
0xd8, 0xd8,
}} }, nil}, key)
p, err := WithAESGCM(env, key)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
@@ -84,7 +82,7 @@ func TestWithChaCha20Poly1305(t *testing.T) {
0x12, 0x46, 0x2f, 0xae, 0x9e, 0xa7, 0x17, 0x09, 0x12, 0x46, 0x2f, 0xae, 0x9e, 0xa7, 0x17, 0x09,
} }
env := environment{"test": []byte{ p, err := WithChaCha20Poly1305(mockProvider{[]byte{
0x76, 0x7c, 0x7d, 0x5d, 0x36, 0xd1, 0x27, 0xca, 0x76, 0x7c, 0x7d, 0x5d, 0x36, 0xd1, 0x27, 0xca,
0x0b, 0x64, 0x28, 0x82, 0xc3, 0x3a, 0xd3, 0x24, 0x0b, 0x64, 0x28, 0x82, 0xc3, 0x3a, 0xd3, 0x24,
0x30, 0x77, 0x8f, 0xef, 0xf1, 0x3a, 0x9f, 0xa7, 0x30, 0x77, 0x8f, 0xef, 0xf1, 0x3a, 0x9f, 0xa7,
@@ -94,9 +92,7 @@ func TestWithChaCha20Poly1305(t *testing.T) {
0x4c, 0x71, 0x6b, 0x24, 0x01, 0xd0, 0xf9, 0x88, 0x4c, 0x71, 0x6b, 0x24, 0x01, 0xd0, 0xf9, 0x88,
0xcf, 0x88, 0xbe, 0xee, 0xe2, 0x77, 0x07, 0x18, 0xcf, 0x88, 0xbe, 0xee, 0xe2, 0x77, 0x07, 0x18,
0xf1, 0xf1,
}} }, nil}, key)
p, err := WithChaCha20Poly1305(env, key)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
@@ -121,7 +117,7 @@ func TestWithChaCha20Poly1305X(t *testing.T) {
0xa1, 0x92, 0xd1, 0xa0, 0x08, 0x3e, 0xf5, 0xfd, 0xa1, 0x92, 0xd1, 0xa0, 0x08, 0x3e, 0xf5, 0xfd,
} }
env := environment{"test": []byte{ p, err := WithChaCha20Poly1305X(mockProvider{[]byte{
0x59, 0xaf, 0xc4, 0x65, 0x60, 0x3f, 0x02, 0xd3, 0x59, 0xaf, 0xc4, 0x65, 0x60, 0x3f, 0x02, 0xd3,
0x87, 0xd3, 0x15, 0xac, 0xf3, 0x6b, 0x4a, 0x4f, 0x87, 0xd3, 0x15, 0xac, 0xf3, 0x6b, 0x4a, 0x4f,
0xe8, 0x40, 0xe5, 0x4d, 0x80, 0x30, 0x7b, 0x3d, 0xe8, 0x40, 0xe5, 0x4d, 0x80, 0x30, 0x7b, 0x3d,
@@ -132,9 +128,7 @@ func TestWithChaCha20Poly1305X(t *testing.T) {
0x3c, 0x2b, 0x59, 0x6f, 0xc7, 0x92, 0x3b, 0x40, 0x3c, 0x2b, 0x59, 0x6f, 0xc7, 0x92, 0x3b, 0x40,
0x89, 0x13, 0x93, 0x6b, 0xa0, 0x35, 0x4e, 0x6f, 0x89, 0x13, 0x93, 0x6b, 0xa0, 0x35, 0x4e, 0x6f,
0xd8, 0x31, 0x67, 0xee, 0xa2, 0xd8, 0x31, 0x67, 0xee, 0xa2,
}} }, nil}, key)
p, err := WithChaCha20Poly1305X(env, key)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
@@ -175,7 +169,7 @@ func TestWithSecretBox(t *testing.T) {
0xe1, 0xbd, 0xfe, 0xd3, 0x86, 0x12, 0x8d, 0x09, 0xe1, 0xbd, 0xfe, 0xd3, 0x86, 0x12, 0x8d, 0x09,
0x85, 0x34, 0xae, 0xa3, 0xfd) 0x85, 0x34, 0xae, 0xa3, 0xfd)
p := WithSecretBox(environment{"test": box}, key) p := WithSecretBox(mockProvider{box, nil}, key)
v, err := p.GetSecret("test") v, err := p.GetSecret("test")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@@ -185,3 +179,65 @@ func TestWithSecretBox(t *testing.T) {
t.Errorf(`expected "Hello, boxed Gophers!", got %q`, v) t.Errorf(`expected "Hello, boxed Gophers!", got %q`, v)
} }
} }
func TestParseECPrivateKey(t *testing.T) {
b := []byte(`-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFsSWzsfH0GiukSATicV/N69C3q0VQQySIItoeBo/73NoAoGCCqGSM49
AwEHoUQDQgAE5fgRgzJYEunuVV4560q+Ddt6Sj1fJR3EETgjmJTqVn3z3cf9VEmF
37+SIL2vagDV9paD1L9l3+E9New89oHxxw==
-----END EC PRIVATE KEY-----
`)
k, err := ParseECPrivateKey(b)
if err != nil {
t.Error(err)
return
} else if k == nil {
t.Error("key is nil")
}
}
func TestParseRSAPrivateKey(t *testing.T) {
b := []byte(`-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALzubkr6QNzwgmHQ
XbYnHEtisSAkQItPTODYhUiUStTF8RauT7iTFBNb7UP1dprAl3aBIsB/aFQUmSJr
9SaCxmqrwihygxNWzPQnhTRculy12HqRsPmJ0F6hlnrc6CppPY731/5Wpq1epUBE
V75z0tYSaoQ058XvF7m5rELkbwkbAgMBAAECgYBEcx4CjChz469ZQOSy2fimV1tV
Cc1Yq6Ju1AN2CEQUUqLGVOENPjxHx0ZvGL+f0acOiDrPA1oJHG1eyz5GdZrs6uJA
mY/CriRgwXFbg268/ET9jzBlE5GuWMbHlo3rPmAV/KQ3TCdmtLP0VvkHpZcPPFja
7GfO88FbYQetllF6AQJBAO8qR54LBrz0s601jjmIjB2iwdhLUPdYN+fPJFZUG0Vb
CJ0c6L6QvvetP3nuiuyIGvJGz7Swqnux97m5T7Z5FQUCQQDKOvIgMg1QR+AoAKx3
9RaDfNxjVpq6ly6MWqeh8pLNgmQ7vfl4tBbPkL8ey4uFlK8vk+23Y1GqbH6ySbxY
D/+fAkA7+Qwwc29jHrGXs6BQiQ8pt1CInopVHAgY1vazty+HesZ0L3Wlo8JfdVA/
kTPBEHhBXMRk+RAnKH+IURHOHhrJAkAnLTQquIeLveDW3wqKUpiB8HZhaC2haBhE
aGuBHBUEavYv/KWPlJO2sjvUI2pr/lnRxb6PgFYZxdrlfxNVnAPRAkEAp7c2iWTq
h0/8YIAw1J95m9WCkQ1/7U6SiJQRzPhYR4EJuDSVbYtgTb1WkDpriySKQ1CL2q8Q
H41cEKgY5m+lDA==
-----END PRIVATE KEY-----
`)
k, err := ParseRSAPrivateKey(b)
if err != nil {
t.Error(err)
return
} else if k == nil {
t.Error("key is nil")
}
}
func TestParseSecretBoxKey(t *testing.T) {
var validKeys = [][]byte{
[]byte("0000000000000000000000000000000000000000000000000000000000000000"), // nil hex
[]byte("079cdef09061cc8ee120b069cde548da0b829bf51a560c45bcfa4de53f16e0d4"), // hex
[]byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"), // nil raw base64
[]byte("6WpELgf5/agd0/IB+vZrw57S6TPMl9ruFcRUgRJk/lc"), // raw base64
[]byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="), // nil std base64
[]byte("Ra5SbhE9KYxcPMxKp8AAZsw35B5rWLkMv9d2+NjkV/o="), // std base64
}
for _, b := range validKeys {
t.Run("", func(it *testing.T) {
if _, err := ParseSecretBoxKey(b); err != nil {
it.Error(err)
}
})
}
}

9
provider_test.go
View File

@@ -8,6 +8,15 @@ import (
"testing" "testing"
) )
type mockProvider struct {
out []byte
err error
}
func (p mockProvider) GetSecret(_ string) ([]byte, error) {
return p.out, p.err
}
type testProviderCase struct { type testProviderCase struct {
Name string Name string
Key string Key string