github.com/zntrio/harp/v2@v2.0.9/pkg/sdk/security/crypto/symmetric.go (about)

     1  // Licensed to Elasticsearch B.V. under one or more contributor
     2  // license agreements. See the NOTICE file distributed with
     3  // this work for additional information regarding copyright
     4  // ownership. Elasticsearch B.V. licenses this file to you under
     5  // the Apache License, Version 2.0 (the "License"); you may
     6  // not use this file except in compliance with the License.
     7  // You may obtain a copy of the License at
     8  //
     9  //     http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  // Unless required by applicable law or agreed to in writing,
    12  // software distributed under the License is distributed on an
    13  // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    14  // KIND, either express or implied.  See the License for the
    15  // specific language governing permissions and limitations
    16  // under the License.
    17  
    18  package crypto
    19  
    20  import (
    21  	"encoding/base64"
    22  	"fmt"
    23  
    24  	"github.com/awnumar/memguard"
    25  	"github.com/fernet/fernet-go"
    26  	"github.com/pkg/errors"
    27  
    28  	"github.com/zntrio/harp/v2/build/fips"
    29  )
    30  
    31  // -----------------------------------------------------------------------------
    32  
    33  // Key generates symmetric encryption keys according to given keyType.
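// Key generates a fresh random symmetric key for the given keyType and
// returns it as text: standard base64 for the raw-byte key types, and
// Fernet's own encoding (fernet.Key.Encode) for "fernet".
//
// Supported keyType values and the key material produced:
//
//	aes:128    16 random bytes
//	aes:192    24 random bytes
//	aes:256    32 random bytes
//	aes:siv    64 random bytes (the double-length key AES-SIV uses, i.e.
//	           AES-256-SIV); refused when fips.Enabled()
//	secretbox  32 random bytes; refused when fips.Enabled()
//	chacha20   32 random bytes; refused when fips.Enabled()
//	fernet     a key produced by fernet.Key.Generate
//
// An unknown keyType yields an error naming the accepted values.
//
// Security notes:
//   - Random bytes are drawn through memguard. memguard panics rather than
//     returning an error if it cannot allocate its protected buffer, so a
//     caller that must not crash on allocation failure has to recover that.
//   - The returned string is an ordinary garbage-collected Go string: the key
//     material leaves memguard's protected memory the moment it is encoded.
//     This function only guarantees that its own intermediate buffer is
//     wiped before it returns; scrubbing the returned key is the caller's job.
//   - "fernet" is not gated by fips.Enabled() (presumably because it builds on
//     AES-CBC + HMAC-SHA256); whether that is acceptable under the deployment's
//     FIPS policy is for the caller to decide.
func Key(keyType string) (string, error) {
	switch keyType {
	case "aes:128":
		return randomKeyBase64(16), nil
	case "aes:192":
		return randomKeyBase64(24), nil
	case "aes:256":
		return randomKeyBase64(32), nil
	case "aes:siv":
		if fips.Enabled() {
			return "", errors.New("aes:siv key generation is disabled in FIPS Mode")
		}
		return randomKeyBase64(64), nil
	case "secretbox":
		if fips.Enabled() {
			return "", errors.New("secretbox key generation is disabled in FIPS Mode")
		}
		return randomKeyBase64(32), nil
	case "chacha20":
		if fips.Enabled() {
			return "", errors.New("chacha20 key generation is disabled in FIPS Mode")
		}
		return randomKeyBase64(32), nil
	case "fernet":
		// fernet.Key.Generate draws its own random key material and reports
		// failure instead of panicking; surface that failure with context.
		k := &fernet.Key{}
		if err := k.Generate(); err != nil {
			return "", fmt.Errorf("unable to generate fernet key: %w", err)
		}
		return k.Encode(), nil
	default:
		return "", fmt.Errorf("invalid keytype (%s) [aes:128, aes:192, aes:256, aes:siv, secretbox, chacha20, fernet]", keyType)
	}
}

// randomKeyBase64 fills a memguard buffer with size random bytes and returns
// them encoded as standard base64.
//
// The LockedBuffer is held in a local and explicitly destroyed (wiped and
// released) once the encoded copy exists. This replaces the previous
// `memguard.NewBufferRandom(size).Bytes()` one-liner, which dropped the only
// reference to the LockedBuffer before the slice was consumed: memguard
// registers a finalizer that destroys an unreachable buffer, so the backing
// memory could in principle be wiped while EncodeToString was still reading
// it, and otherwise the wipe was deferred to whenever the GC happened to run.
// memguard panics (it does not return an error) if the allocation fails.
func randomKeyBase64(size int) string {
	buf := memguard.NewBufferRandom(size)
	defer buf.Destroy()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}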
    73  }