We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
moby
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 56da020e6b
Branches Tags
moby
/
vendor
/
github.com
/
docker
/
swarmkit
/
manager
/
encryption
/
nacl.go

nacl.go 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. package encryption
    2. 

  2. 

  3. import (
    4. 

  4. 	cryptorand "crypto/rand"
    5. 

  5. 	"fmt"
    6. 

  6. 	"io"
    7. 

  7. 

  8. 	"github.com/docker/swarmkit/api"
    9. 

  9. 

  10. 	"golang.org/x/crypto/nacl/secretbox"
    11. 

  11. )
    12. 

  12. 

  13. const naclSecretboxKeySize = 32
    14. 

  14. const naclSecretboxNonceSize = 24
    15. 

  15. 

  16. // This provides the default implementation of an encrypter and decrypter, as well
    17. 

  17. // as the default KDF function.
    18. 

  18. 

  19. // NACLSecretbox is an implementation of an encrypter/decrypter.  Encrypting
    20. 

  20. // generates random Nonces.
    21. 

  21. type NACLSecretbox struct {
    22. 

  22. 	key [naclSecretboxKeySize]byte
    23. 

  23. }
    24. 

  24. 

  25. // NewNACLSecretbox returns a new NACL secretbox encrypter/decrypter with the given key
    26. 

  26. func NewNACLSecretbox(key []byte) NACLSecretbox {
    27. 

  27. 	secretbox := NACLSecretbox{}
    28. 

  28. 	copy(secretbox.key[:], key)
    29. 

  29. 	return secretbox
    30. 

  30. }
    31. 

  31. 

  32. // Algorithm returns the type of algorithm this is (NACL Secretbox using XSalsa20 and Poly1305)
    33. 

  33. func (n NACLSecretbox) Algorithm() api.MaybeEncryptedRecord_Algorithm {
    34. 

  34. 	return api.MaybeEncryptedRecord_NACLSecretboxSalsa20Poly1305
    35. 

  35. }
    36. 

  36. 

  37. // Encrypt encrypts some bytes and returns an encrypted record
    38. 

  38. func (n NACLSecretbox) Encrypt(data []byte) (*api.MaybeEncryptedRecord, error) {
    39. 

  39. 	var nonce [24]byte
    40. 

  40. 	if _, err := io.ReadFull(cryptorand.Reader, nonce[:]); err != nil {
    41. 

  41. 		return nil, err
    42. 

  42. 	}
    43. 

  43. 

  44. 	// Seal's first argument is an "out", the data that the new encrypted message should be
    45. 

  45. 	// appended to.  Since we don't want to append anything, we pass nil.
    46. 

  46. 	encrypted := secretbox.Seal(nil, data, &nonce, &n.key)
    47. 

  47. 	return &api.MaybeEncryptedRecord{
    48. 

  48. 		Algorithm: n.Algorithm(),
    49. 

  49. 		Data:      encrypted,
    50. 

  50. 		Nonce:     nonce[:],
    51. 

  51. 	}, nil
    52. 

  52. }
    53. 

  53. 

  54. // Decrypt decrypts a MaybeEncryptedRecord and returns some bytes
    55. 

  55. func (n NACLSecretbox) Decrypt(record api.MaybeEncryptedRecord) ([]byte, error) {
    56. 

  56. 	if record.Algorithm != n.Algorithm() {
    57. 

  57. 		return nil, fmt.Errorf("not a NACL secretbox record")
    58. 

  58. 	}
    59. 

  59. 	if len(record.Nonce) != naclSecretboxNonceSize {
    60. 

  60. 		return nil, fmt.Errorf("invalid nonce size for NACL secretbox: require 24, got %d", len(record.Nonce))
    61. 

  61. 	}
    62. 

  62. 

  63. 	var decryptNonce [naclSecretboxNonceSize]byte
    64. 

  64. 	copy(decryptNonce[:], record.Nonce[:naclSecretboxNonceSize])
    65. 

  65. 

  66. 	// Open's first argument is an "out", the data that the decrypted message should be
    67. 

  67. 	// appended to.  Since we don't want to append anything, we pass nil.
    68. 

  68. 	decrypted, ok := secretbox.Open(nil, record.Data, &decryptNonce, &n.key)
    69. 

  69. 	if !ok {
    70. 

  70. 		return nil, fmt.Errorf("decryption error using NACL secretbox")
    71. 

  71. 	}
    72. 

  72. 	return decrypted, nil
    73. 

  73. }
    74.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5