105 lines
3.2 KiB
Go
105 lines
3.2 KiB
Go
// Package transcrypt provides functionality to encrypt arbitrary data into a hex encoded string for safe on-disk storage, and decrypt said string.
|
|
package transcrypt
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"reflect"
|
|
"strings"
|
|
|
|
"github.com/minio/sio"
|
|
)
|
|
|
|
// Decrypt decrypts a supplied hex-encoded data string using the supplied secret key.
|
|
// It will return an error if either the key or the data is empty.
|
|
// If the hex-encoded string data cannot be converted into proper encrypted data, decryption will also fail with an error.
|
|
func Decrypt(key string, data string) (any, error) {
|
|
if key == "" {
|
|
return nil, errors.New("key is empty")
|
|
}
|
|
if data == "" {
|
|
return nil, errors.New("data is empty")
|
|
}
|
|
|
|
var err error
|
|
var encryptedData []byte
|
|
var kind reflect.Kind
|
|
var cryptoConfig sio.Config
|
|
|
|
if encryptedData, kind, cryptoConfig, err = decodeHexString(key, data); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var decryptedHexData *bytes.Buffer
|
|
decryptedHexData = bytes.NewBuffer(make([]byte, 0))
|
|
if _, err = sio.Decrypt(decryptedHexData, bytes.NewBuffer(encryptedData), cryptoConfig); err != nil {
|
|
return nil, fmt.Errorf("decrypt failed: %w", err)
|
|
}
|
|
|
|
var decryptedData []byte
|
|
if decryptedData, err = hex.DecodeString(string(decryptedHexData.Bytes())); err != nil {
|
|
return nil, fmt.Errorf("decode decrypted hex data failed: %w", err)
|
|
}
|
|
|
|
var outputValue reflect.Value
|
|
if outputValue, err = convertBytesToValue(decryptedData, kind); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return outputValue.Interface(), nil
|
|
}
|
|
|
|
// Encrypt encrypts the supplied data using the supplied secret key and cipher suite.
|
|
// It will return an error if either the key is empty or the data is nil.
|
|
// Additionally, if the necessary cryptographic configuration cannot be created using the supplied cipherSuite, it will return an error.
|
|
// If a salt is provided, it must be at least 12 bytes.
|
|
// If salt is nil, the function will automatically create one on-the-fly.
|
|
func Encrypt(key string, salt []byte, cipherSuite CipherSuite, d any) (string, error) {
|
|
if key == "" {
|
|
return "", errors.New("key is empty")
|
|
}
|
|
|
|
if d == nil {
|
|
return "", errors.New("data is nil")
|
|
}
|
|
|
|
if salt != nil && len(salt) < 12 {
|
|
return "", fmt.Errorf("salt needs to be at least 12 bytes, got %d", len(salt))
|
|
}
|
|
|
|
var err error
|
|
var data string
|
|
// Convert input data to reflect.Value before serialization
|
|
if data, err = convertValueToHexString(reflect.ValueOf(d)); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
var cryptoConfig sio.Config
|
|
if cryptoConfig, err = createCryptoConfig(key, []byte{byte(cipherSuite)}, salt); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
encryptedData := bytes.NewBuffer(make([]byte, 0))
|
|
if _, err = sio.Encrypt(encryptedData, bytes.NewBuffer([]byte(data)), cryptoConfig); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Encode all details in hex before joining together
|
|
encryptedString := strings.Join(
|
|
[]string{
|
|
hex.EncodeToString([]byte{byte(cipherSuite)}),
|
|
hex.EncodeToString(cryptoConfig.Nonce[:]),
|
|
hex.EncodeToString(encryptedData.Bytes()),
|
|
hex.EncodeToString([]byte(reflect.TypeOf(d).Kind().String())),
|
|
}, ":",
|
|
)
|
|
|
|
if !regexEncryptedString.MatchString(encryptedString) {
|
|
return "", fmt.Errorf("could not validate encrypted data")
|
|
}
|
|
|
|
return encryptedString, nil
|
|
}
|