-
Notifications
You must be signed in to change notification settings - Fork 0
/
generate.go
104 lines (88 loc) · 3 KB
/
generate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
package transit
import (
"context"
"crypto/rand"
"encoding/base64"
"github.com/PumpkinSeed/heimdall/internal/errors"
"github.com/emvi/null"
)
type GenerateRequest struct {
Name string `json:"name"`
Plaintext string `json:"plaintext"`
Context null.String `json:"context"`
Nonce null.String `json:"nonce"`
Bits null.Int64 `json:"bits"`
KeyVersion null.Int64 `json:"key_version"`
}
type GenerateResponse struct {
Ciphertext string `json:"ciphertext"`
KeyVersion int64 `json:"key_version"`
Plaintext string `json:"plaintext"`
}
func (t Transit) GenerateKey(ctx context.Context, engineName string, req GenerateRequest) (GenerateResponse, error) {
plaintextAllowed := false
switch req.Plaintext {
case "plaintext":
plaintextAllowed = true
case "wrapped":
default:
return GenerateResponse{}, errors.New("Invalid path, must be 'plaintext' or 'wrapped'", errors.CodePkgCryptoTransitGenerateInvalidPlainText)
}
var err error
// Decode the context if any
var decodedContext []byte
if req.Context.Valid && len(req.Context.String) != 0 {
decodedContext, err = base64.StdEncoding.DecodeString(req.Context.String)
if err != nil {
return GenerateResponse{}, errors.Wrap(err, "failed to base64-decode context", errors.CodePkgCryptoTransitGenerateInvalidContext)
}
}
// Decode the nonce if any
var decodedNonce []byte
if req.Nonce.Valid && len(req.Nonce.String) != 0 {
decodedNonce, err = base64.StdEncoding.DecodeString(req.Nonce.String)
if err != nil {
return GenerateResponse{}, errors.Wrap(err, "failed to base64-decode nonce", errors.CodePkgCryptoTransitGenerateInvalidNonce)
}
}
p, err := t.GetKey(ctx, req.Name, engineName)
if err != nil {
return GenerateResponse{}, errors.Wrap(err, "encryption key not found", errors.CodePkgCryptoTransitGenerateGetKey)
}
if !req.Bits.Valid {
req.Bits.SetValid(256)
}
newKey := make([]byte, 32)
switch req.Bits.Int64 {
case 512:
newKey = make([]byte, 64)
case 256:
case 128:
newKey = make([]byte, 16)
default:
return GenerateResponse{}, errors.New("invalid bit length", errors.CodePkgCryptoTransitGenerateInvalidBits)
}
_, err = rand.Read(newKey)
if err != nil {
return GenerateResponse{}, errors.Wrap(err, "transit generate key error", errors.CodePkgCryptoTransitGenerateRandRead)
}
ciphertext, err := p.Encrypt(int(req.KeyVersion.Int64), decodedContext, decodedNonce, base64.StdEncoding.EncodeToString(newKey))
if err != nil {
return GenerateResponse{}, errors.Wrap(err, "transit generate key encrypt error", errors.CodePkgCryptoTransitGenerateEncrypt)
}
if ciphertext == "" {
return GenerateResponse{}, errors.New("transit generate key empty ciphertext returned", errors.CodePkgCryptoTransitGenerateCiphertext)
}
keyVersion := req.KeyVersion.Int64
if keyVersion == 0 {
keyVersion = int64(p.LatestVersion)
}
resp := GenerateResponse{
Ciphertext: ciphertext,
KeyVersion: keyVersion,
}
if plaintextAllowed {
resp.Plaintext = base64.StdEncoding.EncodeToString(newKey)
}
return resp, nil
}