Add support for NaCL SecretBox
This commit is contained in:
107
decrypt.go
Normal file
107
decrypt.go
Normal file
@@ -0,0 +1,107 @@
|
||||
package secret
|
||||
|
||||
import (
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"errors"
|
||||
|
||||
"golang.org/x/crypto/chacha20poly1305"
|
||||
"golang.org/x/crypto/nacl/secretbox"
|
||||
)
|
||||
|
||||
type aead struct {
|
||||
Provider
|
||||
aead cipher.AEAD
|
||||
}
|
||||
|
||||
// WithChaCha20Poly1305 wraps the returned value and decrypts it using ChaCha20-Poly1305 AEAD.
|
||||
//
|
||||
// The used nonce size is 12 bytes.
|
||||
func WithChaCha20Poly1305(p Provider, key []byte) (Provider, error) {
|
||||
cipher, err := chacha20poly1305.New(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return aead{
|
||||
Provider: p,
|
||||
aead: cipher,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// WithChaCha20Poly1305X wraps the returned value and decrypts it using ChaCha20-Poly1305 AEAD.
|
||||
//
|
||||
// The used nonce size is 24 bytes.
|
||||
func WithChaCha20Poly1305X(p Provider, key []byte) (Provider, error) {
|
||||
cipher, err := chacha20poly1305.NewX(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return aead{
|
||||
Provider: p,
|
||||
aead: cipher,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// WithAESGCM wraps the returned value and decrypts it using AES GCM AEAD.
|
||||
//
|
||||
// The accepted key sizes are 16 bytes for AES-128 and 32 bytes for AES-256.
|
||||
func WithAESGCM(p Provider, key []byte) (Provider, error) {
|
||||
block, err := aes.NewCipher(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
gcm, err := cipher.NewGCM(block)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return aead{
|
||||
Provider: p,
|
||||
aead: gcm,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (p aead) GetSecret(key string) (value []byte, err error) {
|
||||
if value, err = p.Provider.GetSecret(key); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
nonceSize := p.aead.NonceSize()
|
||||
if len(value) < nonceSize {
|
||||
return nil, errors.New("secret: ciphertext is too short")
|
||||
}
|
||||
|
||||
nonce, ciphertext := value[:nonceSize], value[nonceSize:]
|
||||
return p.aead.Open(nil, nonce, ciphertext, nil)
|
||||
}
|
||||
|
||||
type secretBox struct {
|
||||
Provider
|
||||
key [32]byte
|
||||
}
|
||||
|
||||
func WithSecretBox(p Provider, key [32]byte) Provider {
|
||||
return &secretBox{
|
||||
Provider: p,
|
||||
key: key,
|
||||
}
|
||||
}
|
||||
|
||||
func (p secretBox) GetSecret(key string) (value []byte, err error) {
|
||||
if value, err = p.Provider.GetSecret(key); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
var nonce [24]byte
|
||||
if copy(nonce[:], value) < 24 {
|
||||
return nil, errors.New("secret: encrypted secretbox value is too short")
|
||||
}
|
||||
|
||||
var ok bool
|
||||
if value, ok = secretbox.Open(nil, value[24:], &nonce, &p.key); !ok {
|
||||
return nil, errors.New("secret: encrypted secretbox open failed")
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
Reference in New Issue
Block a user