micro/config/secrets/secretbox/secretbox.go

// Package secretbox is a config/secrets implementation that uses nacl/secretbox
// to do symmetric encryption / verification
package secretbox

import (
	"github.com/micro/go-micro/v2/config/secrets"
	"github.com/pkg/errors"
	"golang.org/x/crypto/nacl/secretbox"

	"crypto/rand"
)

const keyLength = 32

type secretBox struct {
	options secrets.Options

	secretKey [keyLength]byte
}

// NewCodec returns a secretbox codec
func NewCodec(opts ...secrets.Option) secrets.Codec {
	sb := &secretBox{}
	for _, o := range opts {
		o(&sb.options)
	}
	return sb
}

func (s *secretBox) Init(opts ...secrets.Option) error {
	for _, o := range opts {
		o(&s.options)
	}
	if len(s.options.SecretKey) == 0 {
		return errors.New("no secret key is defined")
	}
	if len(s.options.SecretKey) != keyLength {
		return errors.Errorf("secret key must be %d bytes long", keyLength)
	}
	copy(s.secretKey[:], s.options.SecretKey)
	return nil
}

func (s *secretBox) Options() secrets.Options {
	return s.options
}

func (s *secretBox) String() string {
	return "nacl-secretbox"
}

func (s *secretBox) Encrypt(in []byte, opts ...secrets.EncryptOption) ([]byte, error) {
	// no opts are expected, so they are ignored

	// there must be a unique nonce for each message
	var nonce [24]byte
	if _, err := rand.Reader.Read(nonce[:]); err != nil {
		return []byte{}, errors.Wrap(err, "couldn't obtain a random nonce from crypto/rand")
	}
	return secretbox.Seal(nonce[:], in, &nonce, &s.secretKey), nil
}

func (s *secretBox) Decrypt(in []byte, opts ...secrets.DecryptOption) ([]byte, error) {
	// no options are expected, so they are ignored

	var decryptNonce [24]byte
	copy(decryptNonce[:], in[:24])
	decrypted, ok := secretbox.Open(nil, in[24:], &decryptNonce, &s.secretKey)
	if !ok {
		return []byte{}, errors.New("decryption failed (is the key set correctly?)")
	}
	return decrypted, nil
}
Add secrets interface to config/secrets (#1325) * Interface for secrets * Add secretbox secrets implementation * Start working on box * typo * Add asymmetric encryption implementation * go mod tidy * Fix review comments Co-authored-by: Asim Aslam <asim@aslam.me> 2020-03-11 01:52:06 +03:00			`// Package secretbox is a config/secrets implementation that uses nacl/secretbox`
			`// to do symmetric encryption / verification`
			`package secretbox`

			`import (`
			`"github.com/micro/go-micro/v2/config/secrets"`
			`"github.com/pkg/errors"`
			`"golang.org/x/crypto/nacl/secretbox"`

			`"crypto/rand"`
			`)`

			`const keyLength = 32`

			`type secretBox struct {`
			`options secrets.Options`

			`secretKey [keyLength]byte`
			`}`

			`// NewCodec returns a secretbox codec`
			`func NewCodec(opts ...secrets.Option) secrets.Codec {`
			`sb := &secretBox{}`
			`for _, o := range opts {`
			`o(&sb.options)`
			`}`
			`return sb`
			`}`

			`func (s *secretBox) Init(opts ...secrets.Option) error {`
			`for _, o := range opts {`
			`o(&s.options)`
			`}`
			`if len(s.options.SecretKey) == 0 {`
			`return errors.New("no secret key is defined")`
			`}`
			`if len(s.options.SecretKey) != keyLength {`
			`return errors.Errorf("secret key must be %d bytes long", keyLength)`
			`}`
			`copy(s.secretKey[:], s.options.SecretKey)`
			`return nil`
			`}`

			`func (s *secretBox) Options() secrets.Options {`
			`return s.options`
			`}`

			`func (s *secretBox) String() string {`
			`return "nacl-secretbox"`
			`}`

			`func (s *secretBox) Encrypt(in []byte, opts ...secrets.EncryptOption) ([]byte, error) {`
			`// no opts are expected, so they are ignored`

			`// there must be a unique nonce for each message`
			`var nonce [24]byte`
			`if _, err := rand.Reader.Read(nonce[:]); err != nil {`
			`return []byte{}, errors.Wrap(err, "couldn't obtain a random nonce from crypto/rand")`
			`}`
			`return secretbox.Seal(nonce[:], in, &nonce, &s.secretKey), nil`
			`}`

			`func (s *secretBox) Decrypt(in []byte, opts ...secrets.DecryptOption) ([]byte, error) {`
			`// no options are expected, so they are ignored`

			`var decryptNonce [24]byte`
			`copy(decryptNonce[:], in[:24])`
			`decrypted, ok := secretbox.Open(nil, in[24:], &decryptNonce, &s.secretKey)`
			`if !ok {`
			`return []byte{}, errors.New("decryption failed (is the key set correctly?)")`
			`}`
			`return decrypted, nil`
			`}`