From 136eda15bfbf269291c22ef7780ab1b3f78e02a0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Mon, 7 Mar 2022 15:29:37 +0530
Subject: [PATCH] fix: env encryption

---
 server/crypto/aes.go | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 server/crypto/common.go | 2 +-
 server/env/persist_env.go | 8 ++--
 3 files changed, 72 insertions(+), 6 deletions(-)

diff --git a/server/crypto/aes.go b/server/crypto/aes.go
index 2750486..8d06ffb 100644
--- a/server/crypto/aes.go
+++ b/server/crypto/aes.go
@@ -3,12 +3,14 @@ package crypto
 import (
 "crypto/aes"
 "crypto/cipher"
+ "crypto/rand"
+ "io"
 
 "github.com/authorizerdev/authorizer/server/constants"
 "github.com/authorizerdev/authorizer/server/envstore"
 )
 
-var bytes = []byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 05}
+var bytes = []byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 0o5}
 
 // EncryptAES method is to encrypt or hide any classified text
 func EncryptAES(text string) (string, error) {
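Review bot: The `bytes` variable retouched here (`+var bytes = []byte{... 0o5}`) is a fixed, source-embedded 16-byte value with no comment saying what it is for; its use lies outside this hunk, but if it is the IV for the CFB path behind EncryptAES/DecryptAES, every value encrypted under one key shares the same keystream, which is exactly why the legacy functions should only be reading existing data. A comment stating its role would make that explicit, e.g. `// bytes: fixed IV for the legacy CFB-based EncryptAES/DecryptAES; retained so existing data stays readable`, adjusted to whatever the rest of the file actually does with it. The identifier also collides with the standard-library package name bytes inside this file, so a name such as `legacyIV` would read more clearly. EncryptAES's body begins at the end of the hunk and continues outside it.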
@@ -40,3 +42,67 @@ func DecryptAES(text string) (string, error) {
 cfb.XORKeyStream(plainText, []byte(cipherText))
 return string(plainText), nil
 }
+
+// EncryptAESEnv encrypts data using AES algorithm
+// kept for the backward compatibility of env data encryption
+func EncryptAESEnv(text []byte) ([]byte, error) {
+ key := []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
+ c, err := aes.NewCipher(key)
+ var res []byte
+ if err != nil {
+ return res, err
+ }
+
+ // gcm or Galois/Counter Mode, is a mode of operation
+ // for symmetric key cryptographic block ciphers
+ // - https://en.wikipedia.org/wiki/Galois/Counter_Mode
+ gcm, err := cipher.NewGCM(c)
+ if err != nil {
+ return res, err
+ }
+
+ // creates a new byte array the size of the nonce
+ // which must be passed to Seal
+ nonce := make([]byte, gcm.NonceSize())
+ // populates our nonce with a cryptographically secure
+ // random sequence
+ if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+ return res, err
+ }
+
+ // here we encrypt our text using the Seal function
+ // Seal encrypts and authenticates plaintext, authenticates the
+ // additional data and appends the result to dst, returning the updated
+ // slice. The nonce must be NonceSize() bytes long and unique for all
+ // time, for a given key.
+ return gcm.Seal(nonce, nonce, text, nil), nil
+}
+
+// DecryptAES decrypts data using AES algorithm
+// Kept for the backward compatibility of env data decryption
+func DecryptAESEnv(ciphertext []byte) ([]byte, error) {
+ key := []byte(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyEncryptionKey))
+ c, err := aes.NewCipher(key)
+ var res []byte
+ if err != nil {
+ return res, err
+ }
+
+ gcm, err := cipher.NewGCM(c)
+ if err != nil {
+ return res, err
+ }
+
+ nonceSize := gcm.NonceSize()
+ if len(ciphertext) < nonceSize {
+ return res, err
+ }
+
+ nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
+ plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+ if err != nil {
+ return res, err
+ }
+
+ return plaintext, nil
+}
diff --git a/server/crypto/common.go b/server/crypto/common.go
index 7bd3513..7056913 100644
--- a/server/crypto/common.go
+++ b/server/crypto/common.go
@@ -94,7 +94,7 @@ func EncryptEnvData(data envstore.Store) (string, error) {
 if err != nil {
 return "", err
 }
- encryptedConfig, err := EncryptAES(string(configData))
+ encryptedConfig, err := EncryptAESEnv(configData)
 if err != nil {
 return "", err
 }
diff --git a/server/env/persist_env.go b/server/env/persist_env.go
index 24df138..a75f195 100644
--- a/server/env/persist_env.go
+++ b/server/env/persist_env.go
@@ -34,12 +34,12 @@ func GetEnvData() (envstore.Store, error) {
 
 envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)
 
- decryptedConfigs, err := crypto.DecryptAES(env.EnvData)
+ decryptedConfigs, err := crypto.DecryptAESEnv([]byte(env.EnvData))
 if err != nil {
 return result, err
 }
 
- err = json.Unmarshal([]byte(decryptedConfigs), &result)
+ err = json.Unmarshal(decryptedConfigs, &result)
 if err != nil {
 return result, err
 }
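Review bot: In DecryptAESEnv the guard `if len(ciphertext) < nonceSize { return res, err }` fires with `err` still nil, because the preceding cipher.NewGCM call succeeded, so a truncated or empty input yields `nil, nil` and the callers added in server/env/persist_env.go (GetEnvData and PersistEnv) then hand an empty slice to json.Unmarshal, whose error hides the real cause. Return an explicit error instead, `return nil, errors.New("ciphertext shorter than GCM nonce")`, which needs `"errors"` added to the import block in the first hunk. The doc comment above the function reads `// DecryptAES decrypts ...` and should name `DecryptAESEnv`. The `var res []byte` placeholder in both new functions is redundant; Go convention is to return a literal `nil` alongside a non-nil error.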
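Review bot: `encryptedConfig` is now the raw output of gcm.Seal (random nonce, ciphertext and tag), and nothing in this diff encodes it before EncryptEnvData's string return; if the remainder of the function (outside the hunk) returns `string(encryptedConfig)` unchanged, that string is arbitrary binary rather than valid UTF-8, and a database text column may reject or alter it, after which DecryptAESEnv's authentication check fails on read. Base64-encoding at this boundary, `base64.StdEncoding.EncodeToString(encryptedConfig)`, with the matching decode before crypto.DecryptAESEnv in persist_env.go, keeps the stored value text-safe. The replaced EncryptAES path returned a string directly, so it is worth confirming whether it already encoded its output and this change drops that step.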
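Review bot: Both `return result, err` lines pass the error up bare, so a caller of GetEnvData cannot tell a DecryptAESEnv failure (wrong key, altered data, or a row still written by the previous CFB-based EncryptAES) from malformed JSON; wrapping them as `return result, fmt.Errorf("decrypting env data: %w", err)` and `return result, fmt.Errorf("unmarshalling env data: %w", err)` makes a startup failure diagnosable (whether fmt is already imported in this file is outside the hunk). The two PersistEnv hunks further down have the same shape. Separately, this change offers no path for env rows encrypted by the old EncryptAES: DecryptAESEnv will reject them, and a deployment holding such a row fails in GetEnvData until it is re-encrypted, which the commit description should state or a one-time migration should handle. GetEnvData's body starts and ends outside the hunk.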
@@ -82,7 +82,7 @@ func PersistEnv() error {
 
 envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)
 
- decryptedConfigs, err := crypto.DecryptAES(env.EnvData)
+ decryptedConfigs, err := crypto.DecryptAESEnv([]byte(env.EnvData))
 if err != nil {
 return err
 }
@@ -90,7 +90,7 @@ func PersistEnv() error {
 // temp store variable
 var storeData envstore.Store
 
- err = json.Unmarshal([]byte(decryptedConfigs), &storeData)
+ err = json.Unmarshal(decryptedConfigs, &storeData)
 if err != nil {
 return err
 }