/
encryption.go
147 lines (121 loc) · 4.64 KB
/
encryption.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
//
// Copyright (c) 2017 Cavium
// Copyright (c) 2021 Intel Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
package transforms
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/sha1" //nolint: gosec
"encoding/base64"
"fmt"
"github.com/migelankodra/application-export/pkg/interfaces"
"github.com/migelankodra/application-export/pkg/util"
"github.com/edgexfoundry/go-mod-core-contracts/v2/common"
)
// Deprecated: use AESProtection
type Encryption struct {
SecretPath string
SecretName string
EncryptionKey string
InitializationVector string
}
// NewEncryption creates, initializes and returns a new instance of Encryption
// Deprecated: use NewAESProtection
func NewEncryption(encryptionKey string, initializationVector string) Encryption {
return Encryption{
EncryptionKey: encryptionKey,
InitializationVector: initializationVector,
}
}
// NewEncryptionWithSecrets creates, initializes and returns a new instance of Encryption configured
// to retrieve the encryption key from the Secret Store
// Deprecated: use NewAESProtection
func NewEncryptionWithSecrets(secretPath string, secretName string, initializationVector string) Encryption {
return Encryption{
SecretPath: secretPath,
SecretName: secretName,
InitializationVector: initializationVector,
}
}
// IV and KEY must be 16 bytes
const blockSize = 16
func pkcs5Padding(ciphertext []byte, blockSize int) []byte {
padding := blockSize - len(ciphertext)%blockSize
padText := bytes.Repeat([]byte{byte(padding)}, padding)
return append(ciphertext, padText...)
}
// EncryptWithAES encrypts a string, []byte, or json.Marshaller type using AES encryption.
// It will return a Base64 encode []byte of the encrypted data.
// Deprecated: use AESProtection.Encrypt
func (aesData Encryption) EncryptWithAES(ctx interfaces.AppFunctionContext, data interface{}) (bool, interface{}) {
if data == nil {
return false, fmt.Errorf("function EncryptWithAES in pipeline '%s': No Data Received", ctx.PipelineId())
}
ctx.LoggingClient().Warnf("EncryptWithAES has been deprecated - please use the new AESProtection.Encrypt in pipeline '%s'", ctx.PipelineId())
ctx.LoggingClient().Debugf("Encrypting with AES in pipeline '%s'", ctx.PipelineId())
byteData, err := util.CoerceType(data)
if err != nil {
return false, err
}
iv := make([]byte, blockSize)
copy(iv, aesData.InitializationVector)
hash := sha1.New() //nolint: gosec
// If using Secret Store for the encryption key
if len(aesData.SecretPath) != 0 && len(aesData.SecretName) != 0 {
// Note secrets are cached so this call doesn't result in unneeded calls to SecretStore Service and
// the cache is invalidated when StoreSecrets is used.
secretData, err := ctx.GetSecret(aesData.SecretPath, aesData.SecretName)
if err != nil {
return false, fmt.Errorf(
"unable to retieve encryption key at secret path=%s and name=%s in pipeline '%s'",
aesData.SecretPath,
aesData.SecretName,
ctx.PipelineId())
}
key, ok := secretData[aesData.SecretName]
if !ok {
return false, fmt.Errorf(
"unable find encryption key in secret data for name=%s in pipeline '%s'",
aesData.SecretName,
ctx.PipelineId())
}
ctx.LoggingClient().Debugf(
"Using encryption key from Secret Store at path=%s & name=%s in pipeline '%s'",
aesData.SecretPath,
aesData.SecretName,
ctx.PipelineId())
aesData.EncryptionKey = key
}
if len(aesData.EncryptionKey) == 0 {
return false, fmt.Errorf("AES encryption key not set in pipeline '%s'", ctx.PipelineId())
}
hash.Write([]byte((aesData.EncryptionKey)))
key := hash.Sum(nil)
key = key[:blockSize]
block, err := aes.NewCipher(key)
if err != nil {
return false, fmt.Errorf("failed to create new AES Cipher in pipeline '%s': %s", ctx.PipelineId(), err)
}
ecb := cipher.NewCBCEncrypter(block, iv)
content := pkcs5Padding(byteData, block.BlockSize())
encrypted := make([]byte, len(content))
ecb.CryptBlocks(encrypted, content)
encodedData := []byte(base64.StdEncoding.EncodeToString(encrypted))
// Set response "content-type" header to "text/plain"
ctx.SetResponseContentType(common.ContentTypeText)
return true, encodedData
}