Files
geo/server/internal/tenant/app/enterprise_site_crypto.go
T

79 lines
2.5 KiB
Go
Raw Normal View History

package app
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"io"
"strings"
)
const enterpriseSiteCredentialPrefix = "v1:"
func encryptEnterpriseSiteCredential(secret string, keyMaterial string) (string, error) {
secret = strings.TrimSpace(secret)
if secret == "" {
return "", fmt.Errorf("enterprise site credential is empty")
}
key := enterpriseSiteCredentialKey(keyMaterial)
block, err := aes.NewCipher(key[:])
if err != nil {
return "", fmt.Errorf("create enterprise site credential cipher: %w", err)
}
aead, err := cipher.NewGCM(block)
if err != nil {
return "", fmt.Errorf("create enterprise site credential gcm: %w", err)
}
nonce := make([]byte, aead.NonceSize())
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return "", fmt.Errorf("generate enterprise site credential nonce: %w", err)
}
ciphertext := aead.Seal(nil, nonce, []byte(secret), nil)
packed := append(nonce, ciphertext...)
return enterpriseSiteCredentialPrefix + base64.StdEncoding.EncodeToString(packed), nil
}
func decryptEnterpriseSiteCredential(ciphertext string, keyMaterial string) (string, error) {
ciphertext = strings.TrimSpace(ciphertext)
if ciphertext == "" {
return "", fmt.Errorf("enterprise site credential ciphertext is empty")
}
if !strings.HasPrefix(ciphertext, enterpriseSiteCredentialPrefix) {
return "", fmt.Errorf("unsupported enterprise site credential format")
}
raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(ciphertext, enterpriseSiteCredentialPrefix))
if err != nil {
return "", fmt.Errorf("decode enterprise site credential: %w", err)
}
key := enterpriseSiteCredentialKey(keyMaterial)
block, err := aes.NewCipher(key[:])
if err != nil {
return "", fmt.Errorf("create enterprise site credential cipher: %w", err)
}
aead, err := cipher.NewGCM(block)
if err != nil {
return "", fmt.Errorf("create enterprise site credential gcm: %w", err)
}
if len(raw) <= aead.NonceSize() {
return "", fmt.Errorf("enterprise site credential payload is invalid")
}
nonce := raw[:aead.NonceSize()]
encrypted := raw[aead.NonceSize():]
plaintext, err := aead.Open(nil, nonce, encrypted, nil)
if err != nil {
return "", fmt.Errorf("decrypt enterprise site credential: %w", err)
}
return string(plaintext), nil
}
func enterpriseSiteCredentialKey(keyMaterial string) [32]byte {
trimmed := strings.TrimSpace(keyMaterial)
if trimmed == "" {
trimmed = "geo-rankly-enterprise-site-development-key"
}
return sha256.Sum256([]byte("enterprise-site-credential:" + trimmed))
}