more implementation of runtime unlock

2023-12-28 11:14:16 +11:00
parent 9203e09d2d
commit 484acd1822
7 changed files with 115 additions and 43 deletions
--- a/models/db_unlock.go
+++ b/models/db_unlock.go
@@ -1,12 +0,0 @@
-package models
-
-type Unlock struct {
-	SecretsKey string `json:"secrets"`
-}
-
-func (u *Unlock) UnlockSecrets() (*Unlock, error) {
-
-	// Receive secrets key and store in memory somehow
-
-	return u, nil
-}
--- a/models/key.go
+++ b/models/key.go
@@ -0,0 +1,30 @@
+package models
+
+import "errors"
+
+// TODO: Look at using shamir's secret sharing to distribute components of the secret key
+var secretKey []byte
+var secretReceived bool
+
+func ReceiveKey(key string) error {
+
+	// confirm that the key is 32 bytes long exactly
+	if len(key) != 32 {
+		return errors.New("secret key provided is not exactly 32 bytes long")
+	}
+
+	// Store the secret key so that we can access it when encrypting/decrypting
+	secretKey = []byte(key)
+	secretReceived = true
+	return nil
+}
+
+func ProvideKey() ([]byte, error) {
+
+	// Provide the key when needed to decrypt/encrypt stored secrets
+	if secretReceived {
+		return secretKey, nil
+	} else {
+		return nil, errors.New("secret key has not been received")
+	}
+}
--- a/models/secret.go
+++ b/models/secret.go
@@ -156,42 +156,48 @@ func (s *Secret) UpdateSecret() (*Secret, error) {
 func (s *Secret) EncryptSecret() (*Secret, error) {

 	//keyString := os.Getenv("SECRETS_KEY")
-	keyString := secretKey
+	//keyString := secretKey

 	// The key argument should be the AES key, either 16 or 32 bytes
 	// to select AES-128 or AES-256.
-	key := []byte(keyString)
+	//key := []byte(keyString)
+	key, err := ProvideKey()
+	if err != nil {
+		return s, err
+	}
+
 	plaintext := []byte(s.Secret)

-	//log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)
+	log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)

+	// TODO : move block and aesgcm generation to separate function since the identical code is used for encrypt and decrypt
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		log.Printf("EncryptSecret NewCipher error '%s'\n", err)
 		return s, err
 	}

+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		log.Printf("EncryptSecret NewGCM error '%s'\n", err)
+		return s, err
+	}
+
 	// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
 	nonce := make([]byte, nonceSize)
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		log.Printf("EncryptSecret nonce generation error '%s'\n", err)
 		return s, err
 	}
-	//log.Printf("EncryptSecret random nonce value is '%x'\n", nonce)
-
-	aesgcm, err := cipher.NewGCM(block)
-	if err != nil {
-		log.Printf("EncryptSecret NewGCM error '%s'\n", err)
-		return s, err
-	}
+	log.Printf("EncryptSecret random nonce value is '%x'\n", nonce)

 	ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
-	//log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)
+	log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)

 	// Create a new slice to store nonce at the start and then the resulting ciphertext
 	// Nonce is always 12 bytes
 	combinedText := append(nonce, ciphertext...)
-	//log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)
+	log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)

 	// Store the value back into the struct ready for database operations
 	s.Secret = hex.EncodeToString(combinedText)
@@ -205,9 +211,13 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 	// The key argument should be the AES key, either 16 or 32 bytes
 	// to select AES-128 or AES-256.
 	//keyString := os.Getenv("SECRETS_KEY")
-	keyString := secretKey
+	//keyString := secretKey

-	key := []byte(keyString)
+	//key := []byte(keyString)
+	key, err := ProvideKey()
+	if err != nil {
+		return s, err
+	}

 	if len(s.Secret) < nonceSize {
 		log.Printf("DecryptSecret ciphertext is too short to decrypt\n")
@@ -220,13 +230,13 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 		return s, err
 	}

-	//log.Printf("DecryptSecret processing secret '%x'\n", crypted)
+	log.Printf("DecryptSecret processing secret '%x'\n", crypted)

 	// The nonce is the first 12 bytes from the ciphertext
 	nonce := crypted[:nonceSize]
 	ciphertext := crypted[nonceSize:]

-	//log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
+	log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)

 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -246,7 +256,7 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 		return s, err
 	}

-	//log.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
+	log.Printf("DecryptSecret plaintext is '%s'\n", plaintext)

 	s.Secret = string(plaintext)
 	return s, nil
--- a/models/setup.go
+++ b/models/setup.go
@@ -15,7 +15,6 @@ import (
 )

 var db *sqlx.DB
-var secretKey string

 const (
 	sqlFile = "smt.db"
@@ -81,11 +80,6 @@ func ConnectDatabase() {
 	//defer db.Close()
 }

-func LoadSecretKey(key string) {
-	// Store the secret key so that we can access it when encrypting/decrypting
-	secretKey = key
-}
-
 func DisconnectDatabase() {
 	log.Printf("DisconnectDatabase called")
 	defer db.Close()