github.com/annwntech/go-micro/v2@v2.9.5/config/secrets/box/box.go

github.com/annwntech/go-micro/v2@v2.9.5/config/secrets/box/box.go (about)

     1  // Package box is an asymmetric implementation of config/secrets using nacl/box
     2  package box
     3  
     4  import (
     5  	"github.com/annwntech/go-micro/v2/config/secrets"
     6  	"github.com/pkg/errors"
     7  	naclbox "golang.org/x/crypto/nacl/box"
     8  
     9  	"crypto/rand"
    10  )
    11  
    12  const keyLength = 32
    13  
    14  type box struct {
    15  	options secrets.Options
    16  
    17  	publicKey  [keyLength]byte
    18  	privateKey [keyLength]byte
    19  }
    20  
    21  // NewSecrets returns a nacl-box codec
    22  func NewSecrets(opts ...secrets.Option) secrets.Secrets {
    23  	b := &box{}
    24  	for _, o := range opts {
    25  		o(&b.options)
    26  	}
    27  	return b
    28  }
    29  
    30  // Init initialises a box
    31  func (b *box) Init(opts ...secrets.Option) error {
    32  	for _, o := range opts {
    33  		o(&b.options)
    34  	}
    35  	if len(b.options.PrivateKey) != keyLength || len(b.options.PublicKey) != keyLength {
    36  		return errors.Errorf("a public key and a private key of length %d must both be provided", keyLength)
    37  	}
    38  	copy(b.privateKey[:], b.options.PrivateKey)
    39  	copy(b.publicKey[:], b.options.PublicKey)
    40  	return nil
    41  }
    42  
    43  // Options returns options
    44  func (b *box) Options() secrets.Options {
    45  	return b.options
    46  }
    47  
    48  // String returns nacl-box
    49  func (*box) String() string {
    50  	return "nacl-box"
    51  }
    52  
    53  // Encrypt encrypts a message with the sender's private key and the receipient's public key
    54  func (b *box) Encrypt(in []byte, opts ...secrets.EncryptOption) ([]byte, error) {
    55  	var options secrets.EncryptOptions
    56  	for _, o := range opts {
    57  		o(&options)
    58  	}
    59  	if len(options.RecipientPublicKey) != keyLength {
    60  		return []byte{}, errors.New("recepient's public key must be provided")
    61  	}
    62  	var recipientPublicKey [keyLength]byte
    63  	copy(recipientPublicKey[:], options.RecipientPublicKey)
    64  	var nonce [24]byte
    65  	if _, err := rand.Reader.Read(nonce[:]); err != nil {
    66  		return []byte{}, errors.Wrap(err, "couldn't obtain a random nonce from crypto/rand")
    67  	}
    68  	return naclbox.Seal(nonce[:], in, &nonce, &recipientPublicKey, &b.privateKey), nil
    69  }
    70  
    71  // Decrypt Decrypts a message with the receiver's private key and the sender's public key
    72  func (b *box) Decrypt(in []byte, opts ...secrets.DecryptOption) ([]byte, error) {
    73  	var options secrets.DecryptOptions
    74  	for _, o := range opts {
    75  		o(&options)
    76  	}
    77  	if len(options.SenderPublicKey) != keyLength {
    78  		return []byte{}, errors.New("sender's public key bust be provided")
    79  	}
    80  	var nonce [24]byte
    81  	var senderPublicKey [32]byte
    82  	copy(nonce[:], in[:24])
    83  	copy(senderPublicKey[:], options.SenderPublicKey)
    84  	decrypted, ok := naclbox.Open(nil, in[24:], &nonce, &senderPublicKey, &b.privateKey)
    85  	if !ok {
    86  		return []byte{}, errors.New("incoming message couldn't be verified / decrypted")
    87  	}
    88  	return decrypted, nil
    89  }