100 lines
3.1 KiB
Go
100 lines
3.1 KiB
Go
|
// Package crypto provides application-layer encryption for sensitive data at
|
||
|
|
// rest (browser session storage, third-party API keys).
|
||
|
|
//
|
||
|
|
// Ciphertext format: "enc:v1:" + base64url(nonce || ciphertext||tag).
|
||
|
|
// Values without the prefix are treated as legacy plaintext and returned as-is
|
||
|
|
// on Decrypt, so enabling encryption is backward compatible with existing data.
|
||
|
|
package crypto
|
||
|
|
|
||
|
|
import (
|
||
|
|
"crypto/aes"
|
||
|
|
"crypto/cipher"
|
||
|
|
"crypto/rand"
|
||
|
|
"encoding/base64"
|
||
|
|
"errors"
|
||
|
|
"fmt"
|
||
|
|
"strings"
|
||
|
|
)
|
||
|
|
|
||
|
|
const cipherPrefix = "enc:v1:"
|
||
|
|
|
||
|
|
// Cipher encrypts/decrypts secret strings. When built without a key it is
|
||
|
|
// disabled and acts as a passthrough (for local dev), but Decrypt still
|
||
|
|
// transparently handles previously written ciphertext if any.
|
||
|
|
type Cipher struct {
|
||
|
|
aead cipher.AEAD
|
||
|
|
}
|
||
|
|
|
||
|
|
// New builds a Cipher from a base64-encoded 32-byte (AES-256) key.
|
||
|
|
// An empty key returns a disabled (passthrough) cipher.
|
||
|
|
func New(base64Key string) (*Cipher, error) {
|
||
|
|
base64Key = strings.TrimSpace(base64Key)
|
||
|
|
if base64Key == "" {
|
||
|
|
return &Cipher{}, nil
|
||
|
|
}
|
||
|
|
key, err := base64.StdEncoding.DecodeString(base64Key)
|
||
|
|
if err != nil {
|
||
|
|
return nil, fmt.Errorf("crypto: invalid base64 encryption key: %w", err)
|
||
|
|
}
|
||
|
|
if len(key) != 32 {
|
||
|
|
return nil, fmt.Errorf("crypto: encryption key must be 32 bytes (got %d)", len(key))
|
||
|
|
}
|
||
|
|
block, err := aes.NewCipher(key)
|
||
|
|
if err != nil {
|
||
|
|
return nil, fmt.Errorf("crypto: new cipher: %w", err)
|
||
|
|
}
|
||
|
|
aead, err := cipher.NewGCM(block)
|
||
|
|
if err != nil {
|
||
|
|
return nil, fmt.Errorf("crypto: new gcm: %w", err)
|
||
|
|
}
|
||
|
|
return &Cipher{aead: aead}, nil
|
||
|
|
}
|
||
|
|
|
||
|
|
// Enabled reports whether a key is configured.
|
||
|
|
func (c *Cipher) Enabled() bool {
|
||
|
|
return c != nil && c.aead != nil
|
||
|
|
}
|
||
|
|
|
||
|
|
// Encrypt returns ciphertext for non-empty plaintext when enabled; otherwise
|
||
|
|
// it returns the input unchanged.
|
||
|
|
func (c *Cipher) Encrypt(plaintext string) (string, error) {
|
||
|
|
if !c.Enabled() || plaintext == "" {
|
||
|
|
return plaintext, nil
|
||
|
|
}
|
||
|
|
if strings.HasPrefix(plaintext, cipherPrefix) {
|
||
|
|
// Already encrypted; avoid double-encrypting.
|
||
|
|
return plaintext, nil
|
||
|
|
}
|
||
|
|
nonce := make([]byte, c.aead.NonceSize())
|
||
|
|
if _, err := rand.Read(nonce); err != nil {
|
||
|
|
return "", fmt.Errorf("crypto: read nonce: %w", err)
|
||
|
|
}
|
||
|
|
sealed := c.aead.Seal(nonce, nonce, []byte(plaintext), nil)
|
||
|
|
return cipherPrefix + base64.RawURLEncoding.EncodeToString(sealed), nil
|
||
|
|
}
|
||
|
|
|
||
|
|
// Decrypt reverses Encrypt. Values without the cipher prefix are returned
|
||
|
|
// unchanged (legacy plaintext), keeping the change backward compatible.
|
||
|
|
func (c *Cipher) Decrypt(value string) (string, error) {
|
||
|
|
if !strings.HasPrefix(value, cipherPrefix) {
|
||
|
|
return value, nil
|
||
|
|
}
|
||
|
|
if !c.Enabled() {
|
||
|
|
return "", errors.New("crypto: encrypted value found but no encryption key configured")
|
||
|
|
}
|
||
|
|
raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(value, cipherPrefix))
|
||
|
|
if err != nil {
|
||
|
|
return "", fmt.Errorf("crypto: decode ciphertext: %w", err)
|
||
|
|
}
|
||
|
|
nonceSize := c.aead.NonceSize()
|
||
|
|
if len(raw) < nonceSize {
|
||
|
|
return "", errors.New("crypto: ciphertext too short")
|
||
|
|
}
|
||
|
|
nonce, ct := raw[:nonceSize], raw[nonceSize:]
|
||
|
|
plain, err := c.aead.Open(nil, nonce, ct, nil)
|
||
|
|
if err != nil {
|
||
|
|
return "", fmt.Errorf("crypto: decrypt: %w", err)
|
||
|
|
}
|
||
|
|
return string(plain), nil
|
||
|
|
}
|