renames:
cipher -> aead; encrypt/decrypt -> seal/open; aeadCipher -> xChaCha20Poly1305
Родитель
91e2c2e5a3
Коммит
7a14788cea
|
@ -79,12 +79,12 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
|
|||
return err
|
||||
}
|
||||
|
||||
cipher, err := encryption.NewXChaCha20Poly1305(ctx, key)
|
||||
aead, err := encryption.NewXChaCha20Poly1305(ctx, key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, &noop.Noop{}, cipher)
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, &noop.Noop{}, aead)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -87,12 +87,12 @@ func portal(ctx context.Context, log *logrus.Entry) error {
|
|||
return err
|
||||
}
|
||||
|
||||
cipher, err := encryption.NewXChaCha20Poly1305(ctx, key)
|
||||
aead, err := encryption.NewXChaCha20Poly1305(ctx, key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, m, cipher)
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, m, aead)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -81,12 +81,12 @@ func rp(ctx context.Context, log *logrus.Entry) error {
|
|||
return err
|
||||
}
|
||||
|
||||
cipher, err := encryption.NewXChaCha20Poly1305(ctx, dbKey)
|
||||
aead, err := encryption.NewXChaCha20Poly1305(ctx, dbKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, m, cipher)
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, m, aead)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -118,17 +118,17 @@ func rp(ctx context.Context, log *logrus.Entry) error {
|
|||
return err
|
||||
}
|
||||
|
||||
feCipher, err := encryption.NewXChaCha20Poly1305(ctx, feKey)
|
||||
feAead, err := encryption.NewXChaCha20Poly1305(ctx, feKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
f, err := frontend.NewFrontend(ctx, log.WithField("component", "frontend"), _env, dbAsyncOperations, dbOpenShiftClusters, dbSubscriptions, api.APIs, m, feCipher, adminactions.New)
|
||||
f, err := frontend.NewFrontend(ctx, log.WithField("component", "frontend"), _env, dbAsyncOperations, dbOpenShiftClusters, dbSubscriptions, api.APIs, m, feAead, adminactions.New)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbOpenShiftClusters, dbSubscriptions, cipher, m)
|
||||
b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbOpenShiftClusters, dbSubscriptions, aead, m)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -48,12 +48,12 @@ func run(ctx context.Context, log *logrus.Entry) error {
|
|||
return err
|
||||
}
|
||||
|
||||
cipher, err := encryption.NewXChaCha20Poly1305(ctx, key)
|
||||
aead, err := encryption.NewXChaCha20Poly1305(ctx, key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, &noop.Noop{}, cipher)
|
||||
dbc, err := database.NewDatabaseClient(ctx, log.WithField("component", "database"), _env, &noop.Noop{}, aead)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -33,7 +33,7 @@ type backend struct {
|
|||
dbOpenShiftClusters database.OpenShiftClusters
|
||||
dbSubscriptions database.Subscriptions
|
||||
|
||||
cipher encryption.Cipher
|
||||
aead encryption.AEAD
|
||||
m metrics.Interface
|
||||
billing billing.Manager
|
||||
|
||||
|
@ -52,8 +52,8 @@ type Runnable interface {
|
|||
}
|
||||
|
||||
// NewBackend returns a new runnable backend
|
||||
func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, cipher encryption.Cipher, m metrics.Interface) (Runnable, error) {
|
||||
b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbOpenShiftClusters, dbSubscriptions, cipher, m)
|
||||
func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, aead encryption.AEAD, m metrics.Interface) (Runnable, error) {
|
||||
b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbOpenShiftClusters, dbSubscriptions, aead, m)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -63,7 +63,7 @@ func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
|
|||
return b, nil
|
||||
}
|
||||
|
||||
func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, cipher encryption.Cipher, m metrics.Interface) (*backend, error) {
|
||||
func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, aead encryption.AEAD, m metrics.Interface) (*backend, error) {
|
||||
billing, err := billing.NewManager(env, dbBilling, dbSubscriptions, log)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -79,7 +79,7 @@ func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
|
|||
dbSubscriptions: dbSubscriptions,
|
||||
|
||||
billing: billing,
|
||||
cipher: cipher,
|
||||
aead: aead,
|
||||
m: m,
|
||||
}
|
||||
b.cond = sync.NewCond(&b.mu)
|
||||
|
|
|
@ -27,7 +27,7 @@ import (
|
|||
type openShiftClusterBackend struct {
|
||||
*backend
|
||||
|
||||
newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, encryption.Cipher, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument) (cluster.Interface, error)
|
||||
newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument) (cluster.Interface, error)
|
||||
}
|
||||
|
||||
func newOpenShiftClusterBackend(b *backend) *openShiftClusterBackend {
|
||||
|
@ -100,7 +100,7 @@ func (ocb *openShiftClusterBackend) handle(ctx context.Context, log *logrus.Entr
|
|||
return err
|
||||
}
|
||||
|
||||
m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.cipher, ocb.billing, doc, subscriptionDoc)
|
||||
m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.aead, ocb.billing, doc, subscriptionDoc)
|
||||
if err != nil {
|
||||
return ocb.endLease(ctx, log, stop, doc, api.ProvisioningStateFailed, err)
|
||||
}
|
||||
|
|
|
@ -294,7 +294,7 @@ func TestBackendTry(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, encryption.Cipher, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument) (cluster.Interface, error) {
|
||||
createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument) (cluster.Interface, error) {
|
||||
return manager, nil
|
||||
}
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ type manager struct {
|
|||
billing billing.Manager
|
||||
doc *api.OpenShiftClusterDocument
|
||||
subscriptionDoc *api.SubscriptionDocument
|
||||
cipher encryption.Cipher
|
||||
aead encryption.AEAD
|
||||
fpAuthorizer refreshable.Authorizer
|
||||
localFpAuthorizer refreshable.Authorizer
|
||||
|
||||
|
@ -79,7 +79,7 @@ type manager struct {
|
|||
const deploymentName = "azuredeploy"
|
||||
|
||||
// New returns a cluster manager
|
||||
func New(ctx context.Context, log *logrus.Entry, env env.Interface, db database.OpenShiftClusters, cipher encryption.Cipher,
|
||||
func New(ctx context.Context, log *logrus.Entry, env env.Interface, db database.OpenShiftClusters, aead encryption.AEAD,
|
||||
billing billing.Manager, doc *api.OpenShiftClusterDocument, subscriptionDoc *api.SubscriptionDocument) (Interface, error) {
|
||||
r, err := azure.ParseResourceID(doc.OpenShiftCluster.ID)
|
||||
if err != nil {
|
||||
|
@ -103,7 +103,7 @@ func New(ctx context.Context, log *logrus.Entry, env env.Interface, db database.
|
|||
billing: billing,
|
||||
doc: doc,
|
||||
subscriptionDoc: subscriptionDoc,
|
||||
cipher: cipher,
|
||||
aead: aead,
|
||||
fpAuthorizer: fpAuthorizer,
|
||||
localFpAuthorizer: localFPAuthorizer,
|
||||
|
||||
|
|
|
@ -212,18 +212,18 @@ func (m *manager) loadGraph(ctx context.Context) (graph, error) {
|
|||
}
|
||||
defer rc.Close()
|
||||
|
||||
encrypted, err := ioutil.ReadAll(rc)
|
||||
b, err := ioutil.ReadAll(rc)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
output, err := m.cipher.Decrypt(encrypted)
|
||||
b, err = m.aead.Open(b)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var g graph
|
||||
err = json.Unmarshal(output, &g)
|
||||
err = json.Unmarshal(b, &g)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -252,10 +252,10 @@ func (m *manager) saveGraph(ctx context.Context, g graph) error {
|
|||
return err
|
||||
}
|
||||
|
||||
output, err := m.cipher.Encrypt(b)
|
||||
b, err = m.aead.Seal(b)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return graph.CreateBlockBlobFromReader(bytes.NewReader(output), nil)
|
||||
return graph.CreateBlockBlobFromReader(bytes.NewReader(b), nil)
|
||||
}
|
||||
|
|
|
@ -34,13 +34,13 @@ const (
|
|||
collSubscriptions = "Subscriptions"
|
||||
)
|
||||
|
||||
func NewDatabaseClient(ctx context.Context, log *logrus.Entry, env env.Core, m metrics.Interface, cipher encryption.Cipher) (cosmosdb.DatabaseClient, error) {
|
||||
func NewDatabaseClient(ctx context.Context, log *logrus.Entry, env env.Core, m metrics.Interface, aead encryption.AEAD) (cosmosdb.DatabaseClient, error) {
|
||||
databaseAccount, masterKey, err := find(ctx, env)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
h, err := NewJSONHandle(cipher)
|
||||
h, err := NewJSONHandle(aead)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -58,7 +58,7 @@ func NewDatabaseClient(ctx context.Context, log *logrus.Entry, env env.Core, m m
|
|||
return cosmosdb.NewDatabaseClient(log, c, h, databaseHostname, masterKey)
|
||||
}
|
||||
|
||||
func NewJSONHandle(cipher encryption.Cipher) (*codec.JsonHandle, error) {
|
||||
func NewJSONHandle(aead encryption.AEAD) (*codec.JsonHandle, error) {
|
||||
h := &codec.JsonHandle{
|
||||
BasicHandle: codec.BasicHandle{
|
||||
DecodeOptions: codec.DecodeOptions{
|
||||
|
@ -67,12 +67,12 @@ func NewJSONHandle(cipher encryption.Cipher) (*codec.JsonHandle, error) {
|
|||
},
|
||||
}
|
||||
|
||||
err := h.SetInterfaceExt(reflect.TypeOf(api.SecureBytes{}), 1, secureBytesExt{cipher: cipher})
|
||||
err := h.SetInterfaceExt(reflect.TypeOf(api.SecureBytes{}), 1, secureBytesExt{aead: aead})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = h.SetInterfaceExt(reflect.TypeOf((*api.SecureString)(nil)), 1, secureStringExt{cipher: cipher})
|
||||
err = h.SetInterfaceExt(reflect.TypeOf((*api.SecureString)(nil)), 1, secureStringExt{aead: aead})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -15,16 +15,16 @@ import (
|
|||
var _ codec.InterfaceExt = (*secureBytesExt)(nil)
|
||||
|
||||
type secureBytesExt struct {
|
||||
cipher encryption.Cipher
|
||||
aead encryption.AEAD
|
||||
}
|
||||
|
||||
func (s secureBytesExt) ConvertExt(v interface{}) interface{} {
|
||||
encrypted, err := s.cipher.Encrypt(v.(api.SecureBytes))
|
||||
b, err := s.aead.Seal(v.(api.SecureBytes))
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return base64.StdEncoding.EncodeToString([]byte(encrypted))
|
||||
return base64.StdEncoding.EncodeToString(b)
|
||||
}
|
||||
|
||||
func (s secureBytesExt) UpdateExt(dest interface{}, v interface{}) {
|
||||
|
@ -33,7 +33,7 @@ func (s secureBytesExt) UpdateExt(dest interface{}, v interface{}) {
|
|||
panic(err)
|
||||
}
|
||||
|
||||
b, err = s.cipher.Decrypt(b)
|
||||
b, err = s.aead.Open(b)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
@ -44,16 +44,16 @@ func (s secureBytesExt) UpdateExt(dest interface{}, v interface{}) {
|
|||
var _ codec.InterfaceExt = (*secureStringExt)(nil)
|
||||
|
||||
type secureStringExt struct {
|
||||
cipher encryption.Cipher
|
||||
aead encryption.AEAD
|
||||
}
|
||||
|
||||
func (s secureStringExt) ConvertExt(v interface{}) interface{} {
|
||||
encrypted, err := s.cipher.Encrypt([]byte(v.(api.SecureString)))
|
||||
b, err := s.aead.Seal([]byte(v.(api.SecureString)))
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return base64.StdEncoding.EncodeToString([]byte(encrypted))
|
||||
return base64.StdEncoding.EncodeToString(b)
|
||||
}
|
||||
|
||||
func (s secureStringExt) UpdateExt(dest interface{}, v interface{}) {
|
||||
|
@ -62,7 +62,7 @@ func (s secureStringExt) UpdateExt(dest interface{}, v interface{}) {
|
|||
panic(err)
|
||||
}
|
||||
|
||||
b, err = s.cipher.Decrypt(b)
|
||||
b, err = s.aead.Open(b)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
|
|
@ -24,12 +24,12 @@ type testStruct struct {
|
|||
func TestExtensions(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
cipher, err := encryption.NewXChaCha20Poly1305(ctx, []byte("\x63\xb5\x59\xf0\x43\x34\x79\x49\x68\x46\xab\x8b\xce\xdb\xc1\x2d\x7a\x0b\x14\x86\x7e\x1a\xb2\xd7\x3a\x92\x4e\x98\x6c\x5e\xcb\xe1"))
|
||||
aead, err := encryption.NewXChaCha20Poly1305(ctx, []byte("\x63\xb5\x59\xf0\x43\x34\x79\x49\x68\x46\xab\x8b\xce\xdb\xc1\x2d\x7a\x0b\x14\x86\x7e\x1a\xb2\xd7\x3a\x92\x4e\x98\x6c\x5e\xcb\xe1"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
h, err := NewJSONHandle(cipher)
|
||||
h, err := NewJSONHandle(aead)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
|
@ -112,13 +112,13 @@ func TestAdminListOpenShiftCluster(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
cipher := testdatabase.NewFakeCipher()
|
||||
aead := testdatabase.NewFakeAEAD()
|
||||
|
||||
if tt.throwsError != nil {
|
||||
ti.openShiftClustersClient.SetError(tt.throwsError)
|
||||
}
|
||||
|
||||
f, err := NewFrontend(ctx, ti.log, ti.env, ti.asyncOperationsDatabase, ti.openShiftClustersDatabase, ti.subscriptionsDatabase, api.APIs, &noop.Noop{}, cipher, nil)
|
||||
f, err := NewFrontend(ctx, ti.log, ti.env, ti.asyncOperationsDatabase, ti.openShiftClustersDatabase, ti.subscriptionsDatabase, api.APIs, &noop.Noop{}, aead, nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
|
@ -48,9 +48,9 @@ type frontend struct {
|
|||
dbOpenShiftClusters database.OpenShiftClusters
|
||||
dbSubscriptions database.Subscriptions
|
||||
|
||||
apis map[string]*api.Version
|
||||
m metrics.Interface
|
||||
cipher encryption.Cipher
|
||||
apis map[string]*api.Version
|
||||
m metrics.Interface
|
||||
aead encryption.AEAD
|
||||
|
||||
ocEnricher clusterdata.OpenShiftClusterEnricher
|
||||
adminActionsFactory adminActionsFactory
|
||||
|
@ -78,7 +78,7 @@ func NewFrontend(ctx context.Context,
|
|||
dbSubscriptions database.Subscriptions,
|
||||
apis map[string]*api.Version,
|
||||
m metrics.Interface,
|
||||
cipher encryption.Cipher,
|
||||
aead encryption.AEAD,
|
||||
adminActionsFactory adminActionsFactory) (Runnable, error) {
|
||||
f := &frontend{
|
||||
baseLog: baseLog,
|
||||
|
@ -88,7 +88,7 @@ func NewFrontend(ctx context.Context,
|
|||
dbSubscriptions: dbSubscriptions,
|
||||
apis: apis,
|
||||
m: m,
|
||||
cipher: cipher,
|
||||
aead: aead,
|
||||
adminActionsFactory: adminActionsFactory,
|
||||
|
||||
ocEnricher: clusterdata.NewBestEffortEnricher(baseLog, _env, m),
|
||||
|
|
|
@ -94,7 +94,7 @@ func (f *frontend) parseSkipToken(originalURL string) (string, error) {
|
|||
return "", err
|
||||
}
|
||||
|
||||
output, err := f.cipher.Decrypt(b)
|
||||
output, err := f.aead.Open(b)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
@ -114,7 +114,7 @@ func (f *frontend) buildNextLink(baseURL, skipToken string) (string, error) {
|
|||
return "", err
|
||||
}
|
||||
|
||||
output, err := f.cipher.Encrypt([]byte(skipToken))
|
||||
output, err := f.aead.Seal([]byte(skipToken))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
|
|
@ -191,9 +191,9 @@ func TestListOpenShiftCluster(t *testing.T) {
|
|||
ti.openShiftClustersClient.SetError(tt.dbError)
|
||||
}
|
||||
|
||||
cipher := testdatabase.NewFakeCipher()
|
||||
aead := testdatabase.NewFakeAEAD()
|
||||
|
||||
f, err := NewFrontend(ctx, ti.log, ti.env, ti.asyncOperationsDatabase, ti.openShiftClustersDatabase, ti.subscriptionsDatabase, api.APIs, &noop.Noop{}, cipher, nil)
|
||||
f, err := NewFrontend(ctx, ti.log, ti.env, ti.asyncOperationsDatabase, ti.openShiftClustersDatabase, ti.subscriptionsDatabase, api.APIs, &noop.Noop{}, aead, nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
package encryption
|
||||
|
||||
// Copyright (c) Microsoft Corporation.
|
||||
// Licensed under the Apache License 2.0.
|
||||
|
||||
type AEAD interface {
|
||||
Open([]byte) ([]byte, error)
|
||||
Seal([]byte) ([]byte, error)
|
||||
}
|
|
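Review bot: The new exported `AEAD` interface and its `Open` and `Seal` methods have no doc comments, so nothing tells a caller that this is not `crypto/cipher.AEAD`: there is no nonce or additional-data parameter, and the only implementation in this commit generates the nonce itself, prepends it to the ciphertext (the `valid` test vector for `Seal` starts with the 24 bytes drawn from `randReader`) and binds no additional data (`c.aead.Open(nil, nonce, data, nil)`). I would add `// AEAD seals and opens byte slices with an authenticated cipher; the implementation manages the nonce, which is carried at the front of the sealed value, and no additional data is bound.` above the type, plus a one-line comment on `Open` stating that it fails on truncated or tampered input and on `Seal` that it returns a fresh nonce followed by the ciphertext and tag. The exact nonce/ciphertext split in `Open` sits below the `NonceSize` length check, outside the hunks shown here, so that wording should be checked against it.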
@ -13,31 +13,26 @@ import (
|
|||
"golang.org/x/crypto/chacha20poly1305"
|
||||
)
|
||||
|
||||
var _ Cipher = (*aeadCipher)(nil)
|
||||
|
||||
type Cipher interface {
|
||||
Decrypt([]byte) ([]byte, error)
|
||||
Encrypt([]byte) ([]byte, error)
|
||||
}
|
||||
|
||||
type aeadCipher struct {
|
||||
type xChaCha20Poly1305 struct {
|
||||
aead cipher.AEAD
|
||||
randReader io.Reader
|
||||
}
|
||||
|
||||
func NewXChaCha20Poly1305(ctx context.Context, key []byte) (Cipher, error) {
|
||||
var _ AEAD = (*xChaCha20Poly1305)(nil)
|
||||
|
||||
func NewXChaCha20Poly1305(ctx context.Context, key []byte) (AEAD, error) {
|
||||
aead, err := chacha20poly1305.NewX(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &aeadCipher{
|
||||
return &xChaCha20Poly1305{
|
||||
aead: aead,
|
||||
randReader: rand.Reader,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *aeadCipher) Decrypt(input []byte) ([]byte, error) {
|
||||
func (c *xChaCha20Poly1305) Open(input []byte) ([]byte, error) {
|
||||
if len(input) < c.aead.NonceSize() {
|
||||
return nil, fmt.Errorf("encrypted value too short")
|
||||
}
|
||||
|
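Review bot: `NewXChaCha20Poly1305` still takes `ctx` but nothing in its visible body uses it — it calls `chacha20poly1305.NewX(key)` and builds the struct — and after the rename the exported constructor, `Open` and `Seal` carry no doc comments. Either drop the parameter, since every call site shown in this commit is already being edited, or document it as reserved, e.g. `// NewXChaCha20Poly1305 returns an AEAD keyed with key (chacha20poly1305.KeySize bytes); ctx is currently unused.` The error text `encrypted value too short` in `Open` could also follow the rename (`sealed value too short`); if a test case pins that message via `wantErr`, it needs the same update. `Open`'s body continues past the end of this hunk.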
@ -48,7 +43,7 @@ func (c *aeadCipher) Decrypt(input []byte) ([]byte, error) {
|
|||
return c.aead.Open(nil, nonce, data, nil)
|
||||
}
|
||||
|
||||
func (c *aeadCipher) Encrypt(input []byte) ([]byte, error) {
|
||||
func (c *xChaCha20Poly1305) Seal(input []byte) ([]byte, error) {
|
||||
nonce := make([]byte, c.aead.NonceSize())
|
||||
|
||||
_, err := io.ReadFull(c.randReader, nonce)
|
||||
|
|
|
@ -42,19 +42,19 @@ func TestNewXChaCha20Poly1305(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestXChaCha20Poly1305Decrypt(t *testing.T) {
|
||||
func TestXChaCha20Poly1305Open(t *testing.T) {
|
||||
for _, tt := range []struct {
|
||||
name string
|
||||
key []byte
|
||||
input []byte
|
||||
wantDecrypted []byte
|
||||
wantErr string
|
||||
name string
|
||||
key []byte
|
||||
input []byte
|
||||
wantOpened []byte
|
||||
wantErr string
|
||||
}{
|
||||
{
|
||||
name: "valid",
|
||||
key: []byte("\x6a\x98\x95\x6b\x2b\xb2\x7e\xfd\x1b\x68\xdf\x5c\x40\xc3\x4f\x8b\xcf\xff\xe8\x17\xc2\x2d\xf6\x40\x2e\x5a\xb0\x15\x63\x4a\x2d\x2e"),
|
||||
input: []byte("\xd9\x1c\x3c\x05\xb2\xf3\xc5\x93\x20\x9f\x9b\x67\x43\x8c\x0c\x3d\x9c\x33\x5b\x16\xd6\x9a\x9c\xf2\x9c\xf6\xe9\xbd\xdd\xe3\x1d\x54\xde\x41\xa2\x99\x56\x6a\xfc\x9a\xf3\x58\x73\x03"),
|
||||
wantDecrypted: []byte("test"),
|
||||
name: "valid",
|
||||
key: []byte("\x6a\x98\x95\x6b\x2b\xb2\x7e\xfd\x1b\x68\xdf\x5c\x40\xc3\x4f\x8b\xcf\xff\xe8\x17\xc2\x2d\xf6\x40\x2e\x5a\xb0\x15\x63\x4a\x2d\x2e"),
|
||||
input: []byte("\xd9\x1c\x3c\x05\xb2\xf3\xc5\x93\x20\x9f\x9b\x67\x43\x8c\x0c\x3d\x9c\x33\x5b\x16\xd6\x9a\x9c\xf2\x9c\xf6\xe9\xbd\xdd\xe3\x1d\x54\xde\x41\xa2\x99\x56\x6a\xfc\x9a\xf3\x58\x73\x03"),
|
||||
wantOpened: []byte("test"),
|
||||
},
|
||||
{
|
||||
name: "invalid - encrypted value tampered with",
|
||||
|
@ -70,39 +70,39 @@ func TestXChaCha20Poly1305Decrypt(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cipher, err := NewXChaCha20Poly1305(context.Background(), tt.key)
|
||||
aead, err := NewXChaCha20Poly1305(context.Background(), tt.key)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
decrypted, err := cipher.Decrypt(tt.input)
|
||||
opened, err := aead.Open(tt.input)
|
||||
if err != nil && err.Error() != tt.wantErr ||
|
||||
err == nil && tt.wantErr != "" {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if !bytes.Equal(tt.wantDecrypted, decrypted) {
|
||||
t.Error(string(decrypted))
|
||||
if !bytes.Equal(tt.wantOpened, opened) {
|
||||
t.Error(string(opened))
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestXChaCha20Poly1305Encrypt(t *testing.T) {
|
||||
func TestXChaCha20Poly1305Seal(t *testing.T) {
|
||||
for _, tt := range []struct {
|
||||
name string
|
||||
key []byte
|
||||
randReader io.Reader
|
||||
input []byte
|
||||
wantEncrypted []byte
|
||||
wantErr string
|
||||
name string
|
||||
key []byte
|
||||
randReader io.Reader
|
||||
input []byte
|
||||
wantSealed []byte
|
||||
wantErr string
|
||||
}{
|
||||
{
|
||||
name: "valid",
|
||||
key: []byte("\x6a\x98\x95\x6b\x2b\xb2\x7e\xfd\x1b\x68\xdf\x5c\x40\xc3\x4f\x8b\xcf\xff\xe8\x17\xc2\x2d\xf6\x40\x2e\x5a\xb0\x15\x63\x4a\x2d\x2e"),
|
||||
randReader: bytes.NewBufferString("\xd9\x1c\x3c\x05\xb2\xf3\xc5\x93\x20\x9f\x9b\x67\x43\x8c\x0c\x3d\x9c\x33\x5b\x16\xd6\x9a\x9c\xf2"),
|
||||
input: []byte("test"),
|
||||
wantEncrypted: []byte("\xd9\x1c\x3c\x05\xb2\xf3\xc5\x93\x20\x9f\x9b\x67\x43\x8c\x0c\x3d\x9c\x33\x5b\x16\xd6\x9a\x9c\xf2\x9c\xf6\xe9\xbd\xdd\xe3\x1d\x54\xde\x41\xa2\x99\x56\x6a\xfc\x9a\xf3\x58\x73\x03"),
|
||||
name: "valid",
|
||||
key: []byte("\x6a\x98\x95\x6b\x2b\xb2\x7e\xfd\x1b\x68\xdf\x5c\x40\xc3\x4f\x8b\xcf\xff\xe8\x17\xc2\x2d\xf6\x40\x2e\x5a\xb0\x15\x63\x4a\x2d\x2e"),
|
||||
randReader: bytes.NewBufferString("\xd9\x1c\x3c\x05\xb2\xf3\xc5\x93\x20\x9f\x9b\x67\x43\x8c\x0c\x3d\x9c\x33\x5b\x16\xd6\x9a\x9c\xf2"),
|
||||
input: []byte("test"),
|
||||
wantSealed: []byte("\xd9\x1c\x3c\x05\xb2\xf3\xc5\x93\x20\x9f\x9b\x67\x43\x8c\x0c\x3d\x9c\x33\x5b\x16\xd6\x9a\x9c\xf2\x9c\xf6\xe9\xbd\xdd\xe3\x1d\x54\xde\x41\xa2\x99\x56\x6a\xfc\x9a\xf3\x58\x73\x03"),
|
||||
},
|
||||
{
|
||||
name: "rand.Read EOF",
|
||||
|
@ -118,21 +118,21 @@ func TestXChaCha20Poly1305Encrypt(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cipher, err := NewXChaCha20Poly1305(context.Background(), tt.key)
|
||||
aead, err := NewXChaCha20Poly1305(context.Background(), tt.key)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
cipher.(*aeadCipher).randReader = tt.randReader
|
||||
aead.(*xChaCha20Poly1305).randReader = tt.randReader
|
||||
|
||||
encrypted, err := cipher.Encrypt(tt.input)
|
||||
sealed, err := aead.Seal(tt.input)
|
||||
if err != nil && err.Error() != tt.wantErr ||
|
||||
err == nil && tt.wantErr != "" {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if !bytes.Equal(tt.wantEncrypted, encrypted) {
|
||||
t.Error(hex.EncodeToString(encrypted))
|
||||
if !bytes.Equal(tt.wantSealed, sealed) {
|
||||
t.Error(hex.EncodeToString(sealed))
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
@ -5,20 +5,19 @@ package database
|
|||
|
||||
var fakeCode []byte = []byte{'F', 'A', 'K', 'E'}
|
||||
|
||||
type fakeCipher struct {
|
||||
}
|
||||
type fakeAEAD struct{}
|
||||
|
||||
func (c fakeCipher) Decrypt(in []byte) ([]byte, error) {
|
||||
func (fakeAEAD) Open(in []byte) ([]byte, error) {
|
||||
return in[4:], nil
|
||||
}
|
||||
|
||||
func (c fakeCipher) Encrypt(in []byte) ([]byte, error) {
|
||||
func (fakeAEAD) Seal(in []byte) ([]byte, error) {
|
||||
out := make([]byte, 4+len(in))
|
||||
copy(out, fakeCode)
|
||||
copy(out[4:], in)
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func NewFakeCipher() *fakeCipher {
|
||||
return &fakeCipher{}
|
||||
func NewFakeAEAD() *fakeAEAD {
|
||||
return &fakeAEAD{}
|
||||
}
|
|
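Review bot: `fakeAEAD.Open` returns `in[4:]` without checking the length or the `fakeCode` prefix, so a test that feeds it fewer than four bytes panics with a slice-bounds error instead of a readable failure, and a value that was never sealed is silently accepted. A guard such as `if len(in) < len(fakeCode) || string(in[:len(fakeCode)]) != string(fakeCode) { return nil, errors.New("fakeAEAD: bad prefix") }` before the return makes the fake reject short and tampered input the way the real `Open` does; the `errors` import would need adding in the import block outside this hunk. `NewFakeAEAD` also returns the unexported `*fakeAEAD` from an exported function, which linters flag; returning `encryption.AEAD` instead would match how callers such as `NewFrontend` consume it, assuming the package can import `encryption` without a cycle.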
@ -5,15 +5,15 @@ package database
|
|||
|
||||
import "testing"
|
||||
|
||||
func TestFakeCipher(t *testing.T) {
|
||||
c := &fakeCipher{}
|
||||
func TestFakeAEAD(t *testing.T) {
|
||||
c := &fakeAEAD{}
|
||||
|
||||
encrypted, _ := c.Encrypt([]byte{'f', 'o', 'o'})
|
||||
encrypted, _ := c.Seal([]byte{'f', 'o', 'o'})
|
||||
if string(encrypted) != "FAKEfoo" {
|
||||
t.Error(string(encrypted))
|
||||
}
|
||||
|
||||
decrypted, _ := c.Decrypt(encrypted)
|
||||
decrypted, _ := c.Open(encrypted)
|
||||
if string(decrypted) != "foo" {
|
||||
t.Error(string(decrypted))
|
||||
}
|
|
@ -14,7 +14,7 @@ var jsonHandle *codec.JsonHandle
|
|||
|
||||
func init() {
|
||||
var err error
|
||||
jsonHandle, err = database.NewJSONHandle(&fakeCipher{})
|
||||
jsonHandle, err = database.NewJSONHandle(&fakeAEAD{})
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
|