diff --git a/controllers/store_secrets.go b/controllers/store_secrets.go index 05cde36..726d926 100644 --- a/controllers/store_secrets.go +++ b/controllers/store_secrets.go @@ -43,10 +43,20 @@ func StoreSecret(c *gin.Context) { // Encrypt secret s.Secret = input.SecretValue - s.EncryptSecret() + _, err = s.EncryptSecret() + if err != nil { + c.JSON(http.StatusBadRequest, gin.H{"Error encrypting secret": err.Error()}) + return + } + + // This is just here for testing to make sure that decryption works + _, err = s.DecryptSecret() + if err != nil { + c.JSON(http.StatusBadRequest, gin.H{"Error decrypting secret": err.Error()}) + return + } _, err = s.SaveSecret() - if err != nil { c.JSON(http.StatusBadRequest, gin.H{"Error saving secret": err.Error()}) return diff --git a/models/secret.go b/models/secret.go index e5b7a52..a9e58fc 100644 --- a/models/secret.go +++ b/models/secret.go @@ -4,6 +4,7 @@ import ( "crypto/aes" "crypto/cipher" "crypto/rand" + "encoding/hex" "fmt" "io" "os" @@ -43,31 +44,82 @@ func (s *Secret) EncryptSecret() (*Secret, error) { // The key argument should be the AES key, either 16 or 32 bytes // to select AES-128 or AES-256. key := []byte(keyString) + //key := []byte("ECB518652A170880555136EA1F9752D6") plaintext := []byte(s.Secret) - fmt.Printf("EncryptSecret applying key '%v' to plaintext secret '%s'\n", keyString, s.Secret) + fmt.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret) block, err := aes.NewCipher(key) if err != nil { - panic(err.Error()) + fmt.Printf("EncryptSecret NewCipher error '%s'\n", err) + return s, err } // Never use more than 2^32 random nonces with a given key because of the risk of a repeat. nonce := make([]byte, 12) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { - panic(err.Error()) + fmt.Printf("EncryptSecret nonce generation error '%s'\n", err) + return s, err } + fmt.Printf("EncryptSecret random nonce value is '%x'\n", nonce) aesgcm, err := cipher.NewGCM(block) if err != nil { - panic(err.Error()) + fmt.Printf("EncryptSecret NewGCM error '%s'\n", err) + return s, err } ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil) - fmt.Printf("EncryptSecret generated ciphertext '%x'\n", ciphertext) + fmt.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext) + + // Create a new slice to store nonce at the start and then the resulting ciphertext + // Nonce is always 12 bytes + combinedText := append(nonce, ciphertext...) + fmt.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText) + + // Store the value back into the struct ready for database operations + s.Secret = hex.EncodeToString(combinedText) - s.Secret = string(ciphertext) return s, nil //return string(ciphertext[:]), nil } + +func (s *Secret) DecryptSecret() (*Secret, error) { + + keyString := os.Getenv("SECRETS_KEY") + key := []byte(keyString) + // The key argument should be the AES key, either 16 or 32 bytes + // to select AES-128 or AES-256. + //key := []byte("ECB518652A170880555136EA1F9752D6") + + crypted, _ := hex.DecodeString(s.Secret) + + //nonce, _ := hex.DecodeString("64a9433eae7ccceee2fc0eda") + // The nonce is the first 12 bytes from the ciphertext + nonce := crypted[:12] + ciphertext := crypted[12:] + + fmt.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext) + + block, err := aes.NewCipher(key) + if err != nil { + fmt.Printf("DecryptSecret NewCipher error '%s'\n", err) + return s, err + } + + aesgcm, err := cipher.NewGCM(block) + if err != nil { + fmt.Printf("DecryptSecret NewGCM error '%s'\n", err) + return s, err + } + + plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil) + if err != nil { + fmt.Printf("DecryptSecret Open error '%s'\n", err) + return s, err + } + + fmt.Printf("DecryptSecret plaintext is '%s'\n", plaintext) + return s, nil +}