package app import ( "crypto/aes" "crypto/cipher" "crypto/rand" "crypto/sha256" "encoding/base64" "fmt" "io" "strings" ) const enterpriseSiteCredentialPrefix = "v1:" func encryptEnterpriseSiteCredential(secret string, keyMaterial string) (string, error) { secret = strings.TrimSpace(secret) if secret == "" { return "", fmt.Errorf("enterprise site credential is empty") } key := enterpriseSiteCredentialKey(keyMaterial) block, err := aes.NewCipher(key[:]) if err != nil { return "", fmt.Errorf("create enterprise site credential cipher: %w", err) } aead, err := cipher.NewGCM(block) if err != nil { return "", fmt.Errorf("create enterprise site credential gcm: %w", err) } nonce := make([]byte, aead.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return "", fmt.Errorf("generate enterprise site credential nonce: %w", err) } ciphertext := aead.Seal(nil, nonce, []byte(secret), nil) packed := append(nonce, ciphertext...) return enterpriseSiteCredentialPrefix + base64.StdEncoding.EncodeToString(packed), nil } func decryptEnterpriseSiteCredential(ciphertext string, keyMaterial string) (string, error) { ciphertext = strings.TrimSpace(ciphertext) if ciphertext == "" { return "", fmt.Errorf("enterprise site credential ciphertext is empty") } if !strings.HasPrefix(ciphertext, enterpriseSiteCredentialPrefix) { return "", fmt.Errorf("unsupported enterprise site credential format") } raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(ciphertext, enterpriseSiteCredentialPrefix)) if err != nil { return "", fmt.Errorf("decode enterprise site credential: %w", err) } key := enterpriseSiteCredentialKey(keyMaterial) block, err := aes.NewCipher(key[:]) if err != nil { return "", fmt.Errorf("create enterprise site credential cipher: %w", err) } aead, err := cipher.NewGCM(block) if err != nil { return "", fmt.Errorf("create enterprise site credential gcm: %w", err) } if len(raw) <= aead.NonceSize() { return "", fmt.Errorf("enterprise site credential payload is invalid") } nonce := raw[:aead.NonceSize()] encrypted := raw[aead.NonceSize():] plaintext, err := aead.Open(nil, nonce, encrypted, nil) if err != nil { return "", fmt.Errorf("decrypt enterprise site credential: %w", err) } return string(plaintext), nil } func enterpriseSiteCredentialKey(keyMaterial string) [32]byte { trimmed := strings.TrimSpace(keyMaterial) if trimmed == "" { trimmed = "geo-rankly-enterprise-site-development-key" } return sha256.Sum256([]byte("enterprise-site-credential:" + trimmed)) }