Add secrets interface to config/secrets (#1325)

* Interface for secrets * Add secretbox secrets implementation * Start working on box * typo * Add asymmetric encryption implementation * go mod tidy * Fix review comments Co-authored-by: Asim Aslam <asim@aslam.me>
2020-03-10 22:52:06 +00:00
parent 48b2a5c37c
commit 4125ae8d53
5 changed files with 363 additions and 0 deletions
--- a/config/secrets/secretbox/secretbox.go
+++ b/config/secrets/secretbox/secretbox.go
@@ -0,0 +1,73 @@
+// Package secretbox is a config/secrets implementation that uses nacl/secretbox
+// to do symmetric encryption / verification
+package secretbox
+
+import (
+	"github.com/micro/go-micro/v2/config/secrets"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/nacl/secretbox"
+
+	"crypto/rand"
+)
+
+const keyLength = 32
+
+type secretBox struct {
+	options secrets.Options
+
+	secretKey [keyLength]byte
+}
+
+// NewCodec returns a secretbox codec
+func NewCodec(opts ...secrets.Option) secrets.Codec {
+	sb := &secretBox{}
+	for _, o := range opts {
+		o(&sb.options)
+	}
+	return sb
+}
+
+func (s *secretBox) Init(opts ...secrets.Option) error {
+	for _, o := range opts {
+		o(&s.options)
+	}
+	if len(s.options.SecretKey) == 0 {
+		return errors.New("no secret key is defined")
+	}
+	if len(s.options.SecretKey) != keyLength {
+		return errors.Errorf("secret key must be %d bytes long", keyLength)
+	}
+	copy(s.secretKey[:], s.options.SecretKey)
+	return nil
+}
+
+func (s *secretBox) Options() secrets.Options {
+	return s.options
+}
+
+func (s *secretBox) String() string {
+	return "nacl-secretbox"
+}
+
+func (s *secretBox) Encrypt(in []byte, opts ...secrets.EncryptOption) ([]byte, error) {
+	// no opts are expected, so they are ignored
+
+	// there must be a unique nonce for each message
+	var nonce [24]byte
+	if _, err := rand.Reader.Read(nonce[:]); err != nil {
+		return []byte{}, errors.Wrap(err, "couldn't obtain a random nonce from crypto/rand")
+	}
+	return secretbox.Seal(nonce[:], in, &nonce, &s.secretKey), nil
+}
+
+func (s *secretBox) Decrypt(in []byte, opts ...secrets.DecryptOption) ([]byte, error) {
+	// no options are expected, so they are ignored
+
+	var decryptNonce [24]byte
+	copy(decryptNonce[:], in[:24])
+	decrypted, ok := secretbox.Open(nil, in[24:], &decryptNonce, &s.secretKey)
+	if !ok {
+		return []byte{}, errors.New("decryption failed (is the key set correctly?)")
+	}
+	return decrypted, nil
+}
--- a/config/secrets/secretbox/secretbox_test.go
+++ b/config/secrets/secretbox/secretbox_test.go
@@ -0,0 +1,56 @@
+package secretbox
+
+import (
+	"encoding/base64"
+	"reflect"
+	"testing"
+
+	"github.com/micro/go-micro/v2/config/secrets"
+)
+
+func TestSecretBox(t *testing.T) {
+	secretKey, err := base64.StdEncoding.DecodeString("4jbVgq8FsAV7vy+n8WqEZrl7BUtNqh3fYT5RXzXOPFY=")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	s := NewCodec()
+
+	if err := s.Init(); err == nil {
+		t.Error("Secretbox accepted an empty secret key")
+	}
+	if err := s.Init(secrets.SecretKey([]byte("invalid"))); err == nil {
+		t.Error("Secretbox accepted a secret key that is invalid")
+	}
+
+	if err := s.Init(secrets.SecretKey(secretKey)); err != nil {
+		t.Fatal(err)
+	}
+
+	o := s.Options()
+	if !reflect.DeepEqual(o.SecretKey, secretKey) {
+		t.Error("Init() didn't set secret key correctly")
+	}
+	if s.String() != "nacl-secretbox" {
+		t.Error(s.String() + " should be nacl-secretbox")
+	}
+
+	// Try 10 times to get different nonces
+	for i := 0; i < 10; i++ {
+		message := []byte(`Can you hear me, Major Tom?`)
+
+		encrypted, err := s.Encrypt(message)
+		if err != nil {
+			t.Errorf("Failed to encrypt message (%s)", err)
+		}
+
+		decrypted, err := s.Decrypt(encrypted)
+		if err != nil {
+			t.Errorf("Failed to decrypt encrypted message (%s)", err)
+		}
+
+		if !reflect.DeepEqual(message, decrypted) {
+			t.Errorf("Decrypted Message dod not match encrypted message")
+		}
+	}
+}