-
Notifications
You must be signed in to change notification settings - Fork 13
/
encryption.go
98 lines (85 loc) · 2.96 KB
/
encryption.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
// Copyright (c) 2022 Target Brands, Inc. All rights reserved.
//
// Use of this source code is governed by the LICENSE file in this repository.
package database
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"fmt"
"io"
)
// decrypt is a helper function to decrypt values. First
// a AES-256 Galois Counter Mode cipher block is created
// from the encryption key to decrypt the value. Then, we
// verify the value isn't smaller than the nonce which
// would indicate the value isn't encrypted. Finally the
// cipher block and nonce is used to decrypt the value.
func decrypt(key string, value []byte) ([]byte, error) {
// create a new cipher block from the encryption key
//
// the key should have a length of 64 bits to ensure
// we are using the AES-256 standard
//
// https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
block, err := aes.NewCipher([]byte(key))
if err != nil {
return value, err
}
// creates a new Galois Counter Mode cipher block
gcm, err := cipher.NewGCM(block)
if err != nil {
return value, err
}
// nonce is an arbitrary number used to to ensure that
// old communications cannot be reused in replay attacks.
//
// https://en.wikipedia.org/wiki/Cryptographic_nonce
nonceSize := gcm.NonceSize()
// verify the value has a length greater than the nonce
//
// if the value is less than the nonce size, then we
// can assume the value hasn't been encrypted yet.
if len(value) < nonceSize {
return value, fmt.Errorf("invalid value length for decrypt provided: %d", len(value))
}
// capture nonce and ciphertext from the value
nonce, ciphertext := value[:nonceSize], value[nonceSize:]
// decrypt the value from the ciphertext
return gcm.Open(nil, nonce, ciphertext, nil)
}
// encrypt is a helper function to encrypt values. First
// a AES-256 Galois Counter Mode cipher block is created
// from the encryption key to encrypt the value. Then,
// we create the nonce from a cryptographically secure
// random number generator. Finally, the cipher block
// and nonce is used to encrypt the value.
func encrypt(key string, value []byte) ([]byte, error) {
// create a new cipher block from the encryption key
//
// the key should have a length of 64 bits to ensure
// we are using the AES-256 standard
//
// https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
block, err := aes.NewCipher([]byte(key))
if err != nil {
return value, err
}
// creates a new Galois Counter Mode cipher block
gcm, err := cipher.NewGCM(block)
if err != nil {
return value, err
}
// nonce is an arbitrary number used to to ensure that
// old communications cannot be reused in replay attacks.
//
// https://en.wikipedia.org/wiki/Cryptographic_nonce
nonce := make([]byte, gcm.NonceSize())
// set nonce from a cryptographically secure random number generator
_, err = io.ReadFull(rand.Reader, nonce)
if err != nil {
return value, err
}
// encrypt the value with the randomly generated nonce
return gcm.Seal(nonce, nonce, value, nil), nil
}