sftpgo-mirror/kms/local.go

package kms

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"io"

	sdkkms "github.com/sftpgo/sdk/kms"
	"gocloud.dev/secrets/localsecrets"
	"golang.org/x/crypto/hkdf"
)

func init() {
	RegisterSecretProvider(sdkkms.SchemeLocal, sdkkms.SecretStatusSecretBox, NewLocalSecret)
}

type localSecret struct {
	BaseSecret
	masterKey string
}

// NewLocalSecret returns a SecretProvider that use a locally provided symmetric key
func NewLocalSecret(base BaseSecret, url, masterKey string) SecretProvider {
	return &localSecret{
		BaseSecret: base,
		masterKey:  masterKey,
	}
}

func (s *localSecret) Name() string {
	return "Local"
}

func (s *localSecret) IsEncrypted() bool {
	return s.Status == sdkkms.SecretStatusSecretBox
}

func (s *localSecret) Encrypt() error {
	if s.Status != sdkkms.SecretStatusPlain {
		return ErrWrongSecretStatus
	}
	if s.Payload == "" {
		return ErrInvalidSecret
	}
	secretKey, err := localsecrets.NewRandomKey()
	if err != nil {
		return err
	}
	key, err := s.deriveKey(secretKey[:], false)
	if err != nil {
		return err
	}
	keeper := localsecrets.NewKeeper(key)
	defer keeper.Close()

	ciphertext, err := keeper.Encrypt(context.Background(), []byte(s.Payload))
	if err != nil {
		return err
	}
	s.Key = hex.EncodeToString(secretKey[:])
	s.Payload = base64.StdEncoding.EncodeToString(ciphertext)
	s.Status = sdkkms.SecretStatusSecretBox
	s.Mode = s.getEncryptionMode()
	return nil
}

func (s *localSecret) Decrypt() error {
	if !s.IsEncrypted() {
		return ErrWrongSecretStatus
	}
	encrypted, err := base64.StdEncoding.DecodeString(s.Payload)
	if err != nil {
		return err
	}
	secretKey, err := hex.DecodeString(s.Key)
	if err != nil {
		return err
	}
	key, err := s.deriveKey(secretKey[:], true)
	if err != nil {
		return err
	}
	keeper := localsecrets.NewKeeper(key)
	defer keeper.Close()

	plaintext, err := keeper.Decrypt(context.Background(), encrypted)
	if err != nil {
		return err
	}
	s.Status = sdkkms.SecretStatusPlain
	s.Payload = string(plaintext)
	s.Key = ""
	s.AdditionalData = ""
	s.Mode = 0
	return nil
}

func (s *localSecret) deriveKey(key []byte, isForDecryption bool) ([32]byte, error) {
	var masterKey []byte
	if s.masterKey == "" || (isForDecryption && s.Mode == 0) {
		var combined []byte
		combined = append(combined, key...)
		if s.AdditionalData != "" {
			combined = append(combined, []byte(s.AdditionalData)...)
		}
		combined = append(combined, key...)
		hash := sha256.Sum256(combined)
		masterKey = hash[:]
	} else {
		masterKey = []byte(s.masterKey)
	}
	var derivedKey [32]byte
	var info []byte
	if s.AdditionalData != "" {
		info = []byte(s.AdditionalData)
	}
	kdf := hkdf.New(sha256.New, masterKey, key, info)
	if _, err := io.ReadFull(kdf, derivedKey[:]); err != nil {
		return derivedKey, err
	}
	return derivedKey, nil
}

func (s *localSecret) getEncryptionMode() int {
	if s.masterKey == "" {
		return 0
	}
	return 1
}

func (s *localSecret) Clone() SecretProvider {
	baseSecret := BaseSecret{
		Status:         s.Status,
		Payload:        s.Payload,
		Key:            s.Key,
		AdditionalData: s.AdditionalData,
		Mode:           s.Mode,
	}
	return NewLocalSecret(baseSecret, "", s.masterKey)
}
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`package kms`

			`import (`
			`"context"`
remove sha256-simd usage sha256-simd is now deprecated https://github.com/minio/sha256-simd/issues/58 This could slow down sha256 computation on some CPU 2021-04-05 16:23:40 +00:00			`"crypto/sha256"`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`"encoding/base64"`
			`"encoding/hex"`
			`"io"`

make the sdk a separate module The SFTPGo SDK now is at the following URL https://github.com/sftpgo/sdk Fixes #657 Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-06 10:54:43 +00:00			`sdkkms "github.com/sftpgo/sdk/kms"`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`"gocloud.dev/secrets/localsecrets"`
			`"golang.org/x/crypto/hkdf"`
			`)`

kms: improve modularity 2021-07-13 19:17:21 +00:00			`func init() {`
move kms implementation outside the sdk package Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-06 09:11:47 +00:00			`RegisterSecretProvider(sdkkms.SchemeLocal, sdkkms.SecretStatusSecretBox, NewLocalSecret)`
kms: improve modularity 2021-07-13 19:17:21 +00:00			`}`

add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`type localSecret struct {`
sdk: add a logger interface we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-04 15:07:41 +00:00			`BaseSecret`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`masterKey string`
			`}`

kms: improve modularity 2021-07-13 19:17:21 +00:00			`// NewLocalSecret returns a SecretProvider that use a locally provided symmetric key`
sdk: add a logger interface we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-04 15:07:41 +00:00			`func NewLocalSecret(base BaseSecret, url, masterKey string) SecretProvider {`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`return &localSecret{`
kms: improve modularity 2021-07-13 19:17:21 +00:00			`BaseSecret: base,`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`masterKey: masterKey,`
			`}`
			`}`

			`func (s *localSecret) Name() string {`
kms: improve modularity 2021-07-13 19:17:21 +00:00			`return "Local"`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`}`

			`func (s *localSecret) IsEncrypted() bool {`
move kms implementation outside the sdk package Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-06 09:11:47 +00:00			`return s.Status == sdkkms.SecretStatusSecretBox`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`}`

			`func (s *localSecret) Encrypt() error {`
move kms implementation outside the sdk package Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-06 09:11:47 +00:00			`if s.Status != sdkkms.SecretStatusPlain {`
sdk: add a logger interface we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-04 15:07:41 +00:00			`return ErrWrongSecretStatus`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`}`
			`if s.Payload == "" {`
sdk: add a logger interface we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-04 15:07:41 +00:00			`return ErrInvalidSecret`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`}`
			`secretKey, err := localsecrets.NewRandomKey()`
			`if err != nil {`
			`return err`
			`}`
kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00			`key, err := s.deriveKey(secretKey[:], false)`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`if err != nil {`
			`return err`
			`}`
			`keeper := localsecrets.NewKeeper(key)`
			`defer keeper.Close()`

			`ciphertext, err := keeper.Encrypt(context.Background(), []byte(s.Payload))`
			`if err != nil {`
			`return err`
			`}`
			`s.Key = hex.EncodeToString(secretKey[:])`
			`s.Payload = base64.StdEncoding.EncodeToString(ciphertext)`
move kms implementation outside the sdk package Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-06 09:11:47 +00:00			`s.Status = sdkkms.SecretStatusSecretBox`
kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00			`s.Mode = s.getEncryptionMode()`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`return nil`
			`}`

			`func (s *localSecret) Decrypt() error {`
			`if !s.IsEncrypted() {`
sdk: add a logger interface we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-04 15:07:41 +00:00			`return ErrWrongSecretStatus`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`}`
			`encrypted, err := base64.StdEncoding.DecodeString(s.Payload)`
			`if err != nil {`
			`return err`
			`}`
			`secretKey, err := hex.DecodeString(s.Key)`
			`if err != nil {`
			`return err`
			`}`
kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00			`key, err := s.deriveKey(secretKey[:], true)`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`if err != nil {`
			`return err`
			`}`
			`keeper := localsecrets.NewKeeper(key)`
			`defer keeper.Close()`

			`plaintext, err := keeper.Decrypt(context.Background(), encrypted)`
			`if err != nil {`
			`return err`
			`}`
move kms implementation outside the sdk package Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-06 09:11:47 +00:00			`s.Status = sdkkms.SecretStatusPlain`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`s.Payload = string(plaintext)`
			`s.Key = ""`
			`s.AdditionalData = ""`
kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00			`s.Mode = 0`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`return nil`
			`}`

kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00			`func (s *localSecret) deriveKey(key []byte, isForDecryption bool) ([32]byte, error) {`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`var masterKey []byte`
kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00			`if s.masterKey == "" \|\| (isForDecryption && s.Mode == 0) {`
add KMS support Fixes #226 2020-11-30 20:46:34 +00:00			`var combined []byte`
			`combined = append(combined, key...)`
			`if s.AdditionalData != "" {`
			`combined = append(combined, []byte(s.AdditionalData)...)`
			`}`
			`combined = append(combined, key...)`
			`hash := sha256.Sum256(combined)`
			`masterKey = hash[:]`
			`} else {`
			`masterKey = []byte(s.masterKey)`
			`}`
			`var derivedKey [32]byte`
			`var info []byte`
			`if s.AdditionalData != "" {`
			`info = []byte(s.AdditionalData)`
			`}`
			`kdf := hkdf.New(sha256.New, masterKey, key, info)`
			`if _, err := io.ReadFull(kdf, derivedKey[:]); err != nil {`
			`return derivedKey, err`
			`}`
			`return derivedKey, nil`
			`}`
kms: remember if a secret was saved without a master key So we will be able to decrypt secret stored without a master key if a such key is provided later 2020-12-01 21:18:16 +00:00
			`func (s *localSecret) getEncryptionMode() int {`
			`if s.masterKey == "" {`
			`return 0`
			`}`
			`return 1`
			`}`
kms: improve modularity 2021-07-13 19:17:21 +00:00
sdk: add a logger interface we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2022-01-04 15:07:41 +00:00			`func (s *localSecret) Clone() SecretProvider {`
			`baseSecret := BaseSecret{`
kms: improve modularity 2021-07-13 19:17:21 +00:00			`Status: s.Status,`
			`Payload: s.Payload,`
			`Key: s.Key,`
			`AdditionalData: s.AdditionalData,`
			`Mode: s.Mode,`
			`}`
			`return NewLocalSecret(baseSecret, "", s.masterKey)`
			`}`