encryption working
This commit is contained in:
@@ -43,10 +43,20 @@ func StoreSecret(c *gin.Context) {
|
|||||||
|
|
||||||
// Encrypt secret
|
// Encrypt secret
|
||||||
s.Secret = input.SecretValue
|
s.Secret = input.SecretValue
|
||||||
s.EncryptSecret()
|
_, err = s.EncryptSecret()
|
||||||
|
if err != nil {
|
||||||
|
c.JSON(http.StatusBadRequest, gin.H{"Error encrypting secret": err.Error()})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// This is just here for testing to make sure that decryption works
|
||||||
|
_, err = s.DecryptSecret()
|
||||||
|
if err != nil {
|
||||||
|
c.JSON(http.StatusBadRequest, gin.H{"Error decrypting secret": err.Error()})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
_, err = s.SaveSecret()
|
_, err = s.SaveSecret()
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.JSON(http.StatusBadRequest, gin.H{"Error saving secret": err.Error()})
|
c.JSON(http.StatusBadRequest, gin.H{"Error saving secret": err.Error()})
|
||||||
return
|
return
|
||||||
|
|||||||
@@ -4,6 +4,7 @@ import (
|
|||||||
"crypto/aes"
|
"crypto/aes"
|
||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
|
"encoding/hex"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"os"
|
"os"
|
||||||
@@ -43,31 +44,82 @@ func (s *Secret) EncryptSecret() (*Secret, error) {
|
|||||||
// The key argument should be the AES key, either 16 or 32 bytes
|
// The key argument should be the AES key, either 16 or 32 bytes
|
||||||
// to select AES-128 or AES-256.
|
// to select AES-128 or AES-256.
|
||||||
key := []byte(keyString)
|
key := []byte(keyString)
|
||||||
|
//key := []byte("ECB518652A170880555136EA1F9752D6")
|
||||||
plaintext := []byte(s.Secret)
|
plaintext := []byte(s.Secret)
|
||||||
|
|
||||||
fmt.Printf("EncryptSecret applying key '%v' to plaintext secret '%s'\n", keyString, s.Secret)
|
fmt.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)
|
||||||
|
|
||||||
block, err := aes.NewCipher(key)
|
block, err := aes.NewCipher(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err.Error())
|
fmt.Printf("EncryptSecret NewCipher error '%s'\n", err)
|
||||||
|
return s, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
|
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
|
||||||
nonce := make([]byte, 12)
|
nonce := make([]byte, 12)
|
||||||
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
||||||
panic(err.Error())
|
fmt.Printf("EncryptSecret nonce generation error '%s'\n", err)
|
||||||
|
return s, err
|
||||||
}
|
}
|
||||||
|
fmt.Printf("EncryptSecret random nonce value is '%x'\n", nonce)
|
||||||
|
|
||||||
aesgcm, err := cipher.NewGCM(block)
|
aesgcm, err := cipher.NewGCM(block)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err.Error())
|
fmt.Printf("EncryptSecret NewGCM error '%s'\n", err)
|
||||||
|
return s, err
|
||||||
}
|
}
|
||||||
|
|
||||||
ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
|
ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
|
||||||
fmt.Printf("EncryptSecret generated ciphertext '%x'\n", ciphertext)
|
fmt.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)
|
||||||
|
|
||||||
|
// Create a new slice to store nonce at the start and then the resulting ciphertext
|
||||||
|
// Nonce is always 12 bytes
|
||||||
|
combinedText := append(nonce, ciphertext...)
|
||||||
|
fmt.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)
|
||||||
|
|
||||||
|
// Store the value back into the struct ready for database operations
|
||||||
|
s.Secret = hex.EncodeToString(combinedText)
|
||||||
|
|
||||||
s.Secret = string(ciphertext)
|
|
||||||
return s, nil
|
return s, nil
|
||||||
|
|
||||||
//return string(ciphertext[:]), nil
|
//return string(ciphertext[:]), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Secret) DecryptSecret() (*Secret, error) {
|
||||||
|
|
||||||
|
keyString := os.Getenv("SECRETS_KEY")
|
||||||
|
key := []byte(keyString)
|
||||||
|
// The key argument should be the AES key, either 16 or 32 bytes
|
||||||
|
// to select AES-128 or AES-256.
|
||||||
|
//key := []byte("ECB518652A170880555136EA1F9752D6")
|
||||||
|
|
||||||
|
crypted, _ := hex.DecodeString(s.Secret)
|
||||||
|
|
||||||
|
//nonce, _ := hex.DecodeString("64a9433eae7ccceee2fc0eda")
|
||||||
|
// The nonce is the first 12 bytes from the ciphertext
|
||||||
|
nonce := crypted[:12]
|
||||||
|
ciphertext := crypted[12:]
|
||||||
|
|
||||||
|
fmt.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
|
||||||
|
|
||||||
|
block, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Printf("DecryptSecret NewCipher error '%s'\n", err)
|
||||||
|
return s, err
|
||||||
|
}
|
||||||
|
|
||||||
|
aesgcm, err := cipher.NewGCM(block)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Printf("DecryptSecret NewGCM error '%s'\n", err)
|
||||||
|
return s, err
|
||||||
|
}
|
||||||
|
|
||||||
|
plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Printf("DecryptSecret Open error '%s'\n", err)
|
||||||
|
return s, err
|
||||||
|
}
|
||||||
|
|
||||||
|
fmt.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
|
||||||
|
return s, nil
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user