GitHub Actions
9a05e2f927
- Implement DNSProviderCard component for displaying individual DNS provider details. - Create DNSProviderForm component for adding and editing DNS providers. - Add DNSProviderSelector component for selecting DNS providers in forms. - Introduce useDNSProviders hook for fetching and managing DNS provider data. - Add DNSProviders page for listing and managing DNS providers. - Update layout to include DNS Providers navigation. - Enhance UI components with new badge styles and improved layouts. - Add default provider schemas for various DNS providers. - Integrate translation strings for DNS provider management. - Update Vite configuration for improved chunking and performance.
96 lines
2.7 KiB
Go
96 lines
2.7 KiB
Go
// Package crypto provides cryptographic services for sensitive data.
|
|
package crypto
|
|
|
|
import (
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"io"
|
|
)
|
|
|
|
// EncryptionService provides AES-256-GCM encryption and decryption.
|
|
// The service is thread-safe and can be shared across goroutines.
|
|
type EncryptionService struct {
|
|
key []byte // 32 bytes for AES-256
|
|
}
|
|
|
|
// NewEncryptionService creates a new encryption service with the provided base64-encoded key.
|
|
// The key must be exactly 32 bytes (256 bits) when decoded.
|
|
func NewEncryptionService(keyBase64 string) (*EncryptionService, error) {
|
|
key, err := base64.StdEncoding.DecodeString(keyBase64)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid base64 key: %w", err)
|
|
}
|
|
|
|
if len(key) != 32 {
|
|
return nil, fmt.Errorf("invalid key length: expected 32 bytes, got %d bytes", len(key))
|
|
}
|
|
|
|
return &EncryptionService{
|
|
key: key,
|
|
}, nil
|
|
}
|
|
|
|
// Encrypt encrypts plaintext using AES-256-GCM and returns base64-encoded ciphertext.
|
|
// The nonce is randomly generated and prepended to the ciphertext.
|
|
func (s *EncryptionService) Encrypt(plaintext []byte) (string, error) {
|
|
block, err := aes.NewCipher(s.key)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to create cipher: %w", err)
|
|
}
|
|
|
|
gcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to create GCM: %w", err)
|
|
}
|
|
|
|
// Generate random nonce
|
|
nonce := make([]byte, gcm.NonceSize())
|
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
|
return "", fmt.Errorf("failed to generate nonce: %w", err)
|
|
}
|
|
|
|
// Encrypt and prepend nonce to ciphertext
|
|
ciphertext := gcm.Seal(nonce, nonce, plaintext, nil)
|
|
|
|
// Return base64-encoded result
|
|
return base64.StdEncoding.EncodeToString(ciphertext), nil
|
|
}
|
|
|
|
// Decrypt decrypts base64-encoded ciphertext using AES-256-GCM.
|
|
// The nonce is expected to be prepended to the ciphertext.
|
|
func (s *EncryptionService) Decrypt(ciphertextB64 string) ([]byte, error) {
|
|
ciphertext, err := base64.StdEncoding.DecodeString(ciphertextB64)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid base64 ciphertext: %w", err)
|
|
}
|
|
|
|
block, err := aes.NewCipher(s.key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create cipher: %w", err)
|
|
}
|
|
|
|
gcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create GCM: %w", err)
|
|
}
|
|
|
|
nonceSize := gcm.NonceSize()
|
|
if len(ciphertext) < nonceSize {
|
|
return nil, fmt.Errorf("ciphertext too short: expected at least %d bytes, got %d bytes", nonceSize, len(ciphertext))
|
|
}
|
|
|
|
// Extract nonce and ciphertext
|
|
nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
|
|
|
|
// Decrypt
|
|
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("decryption failed: %w", err)
|
|
}
|
|
|
|
return plaintext, nil
|
|
}
|