Authcrypt Encrypt Using (X)Chach20Poly1035
This change adds support to encrypt agent's payloads for the Pack() call at the transport layer. It follows JWE encryption instructions from Aries Issue: hyperledger/aries-rfcs#133 Signed-off-by: Baha Shaaban <baha.shaaban@securekey.com>
Baha Shaaban
committed
Aug 22, 2019
1 parent
1acfbb0
commit eda76ac
Showing
6 changed files
with
628 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
/* | ||
Copyright SecureKey Technologies Inc. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package crypto | ||
|
||
// Crypter is an Aries envelop encrypter to support | ||
// secure DIDComm exchange of envelops between Aries agents | ||
type Crypter interface { | ||
// Encrypt a payload in an Aries compliant format | ||
// returns: | ||
// []byte containing the encrypted envelope | ||
// error if encryption failed | ||
Encrypt(payload string) ([]byte, error) | ||
// Decrypt an envelop in an Aries compliant format | ||
// returns: | ||
// string containing the decrypted payload | ||
// error if encryption failed | ||
Decrypt(envelope []byte) (string, error) | ||
} |
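Review bot: The doc comment on `Decrypt` says `error if encryption failed`, copied from `Encrypt`; it should read `// error if decryption failed`. Because the envelope arrives from another agent, the comment should also state the contract callers rely on, for example `// on any parsing or authentication failure the returned string is empty and error is non-nil`. `envelop` in the comments should be spelled `envelope`, matching the parameter name.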
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
/* | ||
Copyright SecureKey Technologies Inc. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package authcrypt | ||
|
||
import ( | ||
"golang.org/x/crypto/blake2b" | ||
"golang.org/x/crypto/chacha20poly1305" | ||
"golang.org/x/crypto/nacl/box" | ||
) | ||
|
||
// Decrypt will JWE decode the envelop argument for the sender and recipients | ||
// Using (X)Chacha20 encryption algorithm and Poly1035 authenticator | ||
func (c *Crypter) Decrypt(envelope []byte) (string, error) { | ||
// TODO implement decryption and call decryptOID for the recipient's OID | ||
decryptOID(nil, nil, nil) | ||
return "", nil | ||
} | ||
|
||
// decryptOID will decrypt a recipient's encrypted OID (in the case of this package, it is represented as | ||
// ephemeral key concatenated with the sender's public key) using the recipient's privKey/pubKey keypair, | ||
// this is equivalent to libsodium's C function: crypto_box_seal() | ||
// https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes#usage | ||
func decryptOID(privKey, pubKey *[chacha20poly1305.KeySize]byte, encrypted []byte) []byte { | ||
var epk [32]byte | ||
var nonce [24]byte | ||
copy(epk[:], encrypted[:chacha20poly1305.KeySize]) | ||
|
||
nonceWriter, _ := blake2b.New(24, nil) | ||
nonceSlice := nonceWriter.Sum(append(epk[:], pubKey[:]...)) | ||
copy(nonce[:], nonceSlice) | ||
|
||
decrypted, ok := box.Open(nil, encrypted[32:], &nonce, &epk, privKey) | ||
if !ok { | ||
panic("Decryption error.") | ||
} | ||
return decrypted | ||
} |
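Review bot: decryptOID slices `encrypted[:chacha20poly1305.KeySize]` and `encrypted[32:]` without a length check and panics when `box.Open` fails, so a short or tampered envelope from a peer would crash the agent instead of producing an error; the stub call `decryptOID(nil, nil, nil)` in Decrypt hits the same out-of-range slice on every call. The nonce is also not what the comment describes: `hash.Hash.Sum(b)` appends the digest to `b` rather than hashing it, so `copy(nonce[:], nonceSlice)` takes the first 24 bytes of `epk`, and a sealed box produced by libsodium would fail to open. I would return `([]byte, error)`, validate the keys and length, and feed `epk` and `pubKey` through `Write` before `Sum(nil)`, as sketched below (this needs the `errors` import and a matching change at the call site in Decrypt). The doc comment should also name `crypto_box_seal_open()`, since this is the opening side, and `Poly1035` should read `Poly1305`.

```go
func decryptOID(privKey, pubKey *[chacha20poly1305.KeySize]byte, encrypted []byte) ([]byte, error) {
	// Reject missing keys and inputs too short to hold the ephemeral key plus the box tag.
	if privKey == nil || pubKey == nil || len(encrypted) < chacha20poly1305.KeySize+box.Overhead {
		return nil, errors.New("sealed OID too short or key missing")
	}
	// … unchanged: epk/nonce declarations and copy of the ephemeral key …

	nonceWriter, err := blake2b.New(24, nil)
	if err != nil {
		return nil, err
	}
	// Write the inputs, then Sum(nil): Sum's argument prefixes the output, it is not hashed.
	nonceWriter.Write(epk[:])
	nonceWriter.Write(pubKey[:])
	copy(nonce[:], nonceWriter.Sum(nil))

	decrypted, ok := box.Open(nil, encrypted[32:], &nonce, &epk, privKey)
	if !ok {
		return nil, errors.New("failed to open sealed OID")
	}
	return decrypted, nil
}
```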