akanealw
eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Update GeoLite2 Checksum / update-checksum (push) Has been cancelled
Container Registry Prune / prune-ghcr (push) Has been cancelled
Container Registry Prune / prune-dockerhub (push) Has been cancelled
Container Registry Prune / summarize (push) Has been cancelled
Supply Chain Verification / Verify SBOM (push) Has been cancelled
Supply Chain Verification / Verify Release Artifacts (push) Has been cancelled
Supply Chain Verification / Verify Docker Image Supply Chain (push) Has been cancelled
Monitor Caddy Major Release / check-caddy-major (push) Has been cancelled
Weekly Nightly to Main Promotion / Verify Nightly Branch Health (push) Has been cancelled
Weekly Nightly to Main Promotion / Create Promotion PR (push) Has been cancelled
Weekly Nightly to Main Promotion / Trigger Missing Required Checks (push) Has been cancelled
Weekly Nightly to Main Promotion / Notify on Failure (push) Has been cancelled
Weekly Nightly to Main Promotion / Workflow Summary (push) Has been cancelled
110 lines
3.2 KiB
Go
Executable File
110 lines
3.2 KiB
Go
Executable File
// Package crypto provides cryptographic services for sensitive data.
|
|
package crypto
|
|
|
|
import (
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
)
|
|
|
|
// cipherFactory creates block ciphers. Used for testing.
|
|
type cipherFactory func(key []byte) (cipher.Block, error)
|
|
|
|
// gcmFactory creates GCM ciphers. Used for testing.
|
|
type gcmFactory func(cipher cipher.Block) (cipher.AEAD, error)
|
|
|
|
// randReader provides random bytes. Used for testing.
|
|
type randReader func(b []byte) (n int, err error)
|
|
|
|
// EncryptionService provides AES-256-GCM encryption and decryption.
|
|
// The service is thread-safe and can be shared across goroutines.
|
|
type EncryptionService struct {
|
|
key []byte // 32 bytes for AES-256
|
|
cipherFactory cipherFactory
|
|
gcmFactory gcmFactory
|
|
randReader randReader
|
|
}
|
|
|
|
// NewEncryptionService creates a new encryption service with the provided base64-encoded key.
|
|
// The key must be exactly 32 bytes (256 bits) when decoded.
|
|
func NewEncryptionService(keyBase64 string) (*EncryptionService, error) {
|
|
key, err := base64.StdEncoding.DecodeString(keyBase64)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid base64 key: %w", err)
|
|
}
|
|
|
|
if len(key) != 32 {
|
|
return nil, fmt.Errorf("invalid key length: expected 32 bytes, got %d bytes", len(key))
|
|
}
|
|
|
|
return &EncryptionService{
|
|
key: key,
|
|
cipherFactory: aes.NewCipher,
|
|
gcmFactory: cipher.NewGCM,
|
|
randReader: rand.Read,
|
|
}, nil
|
|
}
|
|
|
|
// Encrypt encrypts plaintext using AES-256-GCM and returns base64-encoded ciphertext.
|
|
// The nonce is randomly generated and prepended to the ciphertext.
|
|
func (s *EncryptionService) Encrypt(plaintext []byte) (string, error) {
|
|
block, err := s.cipherFactory(s.key)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to create cipher: %w", err)
|
|
}
|
|
|
|
gcm, err := s.gcmFactory(block)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to create GCM: %w", err)
|
|
}
|
|
|
|
// Generate random nonce
|
|
nonce := make([]byte, gcm.NonceSize())
|
|
if _, err := s.randReader(nonce); err != nil {
|
|
return "", fmt.Errorf("failed to generate nonce: %w", err)
|
|
}
|
|
|
|
// Encrypt and prepend nonce to ciphertext
|
|
ciphertext := gcm.Seal(nonce, nonce, plaintext, nil)
|
|
|
|
// Return base64-encoded result
|
|
return base64.StdEncoding.EncodeToString(ciphertext), nil
|
|
}
|
|
|
|
// Decrypt decrypts base64-encoded ciphertext using AES-256-GCM.
|
|
// The nonce is expected to be prepended to the ciphertext.
|
|
func (s *EncryptionService) Decrypt(ciphertextB64 string) ([]byte, error) {
|
|
ciphertext, err := base64.StdEncoding.DecodeString(ciphertextB64)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid base64 ciphertext: %w", err)
|
|
}
|
|
|
|
block, err := s.cipherFactory(s.key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create cipher: %w", err)
|
|
}
|
|
|
|
gcm, err := s.gcmFactory(block)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create GCM: %w", err)
|
|
}
|
|
|
|
nonceSize := gcm.NonceSize()
|
|
if len(ciphertext) < nonceSize {
|
|
return nil, fmt.Errorf("ciphertext too short: expected at least %d bytes, got %d bytes", nonceSize, len(ciphertext))
|
|
}
|
|
|
|
// Extract nonce and ciphertext
|
|
nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
|
|
|
|
// Decrypt
|
|
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("decryption failed: %w", err)
|
|
}
|
|
|
|
return plaintext, nil
|
|
}
|