sftpgo-mirror/kms/builtin.go

154 lines
3.6 KiB
Go
Raw Permalink Normal View History

// Copyright (C) 2019-2022 Nicola Murino
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published
// by the Free Software Foundation, version 3.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
2020-11-30 20:46:34 +00:00
package kms
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
2020-11-30 20:46:34 +00:00
"encoding/hex"
"errors"
2020-11-30 20:46:34 +00:00
"io"
sdkkms "github.com/sftpgo/sdk/kms"
)
var (
errMalformedCiphertext = errors.New("malformed ciphertext")
2020-11-30 20:46:34 +00:00
)
type builtinSecret struct {
BaseSecret
2020-11-30 20:46:34 +00:00
}
2021-07-13 19:17:21 +00:00
func init() {
RegisterSecretProvider(sdkkms.SchemeBuiltin, sdkkms.SecretStatusAES256GCM, newBuiltinSecret)
2021-07-13 19:17:21 +00:00
}
func newBuiltinSecret(base BaseSecret, url, masterKey string) SecretProvider {
2020-11-30 20:46:34 +00:00
return &builtinSecret{
2021-07-13 19:17:21 +00:00
BaseSecret: base,
2020-11-30 20:46:34 +00:00
}
}
func (s *builtinSecret) Name() string {
2021-07-13 19:17:21 +00:00
return "Builtin"
2020-11-30 20:46:34 +00:00
}
func (s *builtinSecret) IsEncrypted() bool {
return s.Status == sdkkms.SecretStatusAES256GCM
2020-11-30 20:46:34 +00:00
}
func (s *builtinSecret) deriveKey(key []byte) []byte {
var combined []byte
combined = append(combined, key...)
if s.AdditionalData != "" {
combined = append(combined, []byte(s.AdditionalData)...)
}
combined = append(combined, key...)
hash := sha256.Sum256(combined)
return hash[:]
}
func (s *builtinSecret) Encrypt() error {
if s.Payload == "" {
return ErrInvalidSecret
2020-11-30 20:46:34 +00:00
}
switch s.Status {
case sdkkms.SecretStatusPlain:
2020-11-30 20:46:34 +00:00
key := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
return err
}
block, err := aes.NewCipher(s.deriveKey(key))
if err != nil {
return err
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return err
}
nonce := make([]byte, gcm.NonceSize())
if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
return err
}
var aad []byte
if s.AdditionalData != "" {
aad = []byte(s.AdditionalData)
}
ciphertext := gcm.Seal(nonce, nonce, []byte(s.Payload), aad)
s.Key = hex.EncodeToString(key)
s.Payload = hex.EncodeToString(ciphertext)
s.Status = sdkkms.SecretStatusAES256GCM
2020-11-30 20:46:34 +00:00
return nil
default:
return ErrWrongSecretStatus
2020-11-30 20:46:34 +00:00
}
}
func (s *builtinSecret) Decrypt() error {
switch s.Status {
case sdkkms.SecretStatusAES256GCM:
2020-11-30 20:46:34 +00:00
encrypted, err := hex.DecodeString(s.Payload)
if err != nil {
return err
}
key, err := hex.DecodeString(s.Key)
if err != nil {
return err
}
block, err := aes.NewCipher(s.deriveKey(key))
if err != nil {
return err
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return err
}
nonceSize := gcm.NonceSize()
if len(encrypted) < nonceSize {
return errMalformedCiphertext
}
nonce, ciphertext := encrypted[:nonceSize], encrypted[nonceSize:]
var aad []byte
if s.AdditionalData != "" {
aad = []byte(s.AdditionalData)
}
plaintext, err := gcm.Open(nil, nonce, ciphertext, aad)
if err != nil {
return err
}
s.Status = sdkkms.SecretStatusPlain
2020-11-30 20:46:34 +00:00
s.Payload = string(plaintext)
s.Key = ""
s.AdditionalData = ""
return nil
default:
return ErrWrongSecretStatus
2021-07-13 19:17:21 +00:00
}
}
func (s *builtinSecret) Clone() SecretProvider {
baseSecret := BaseSecret{
2021-07-13 19:17:21 +00:00
Status: s.Status,
Payload: s.Payload,
Key: s.Key,
AdditionalData: s.AdditionalData,
Mode: s.Mode,
2020-11-30 20:46:34 +00:00
}
2021-07-13 19:17:21 +00:00
return newBuiltinSecret(baseSecret, "", "")
2020-11-30 20:46:34 +00:00
}