github.com/zntrio/harp/v2@v2.0.9/pkg/sdk/value/encryption/jwe/builders.go

github.com/zntrio/harp/v2@v2.0.9/pkg/sdk/value/encryption/jwe/builders.go (about)

     1  // Licensed to Elasticsearch B.V. under one or more contributor
     2  // license agreements. See the NOTICE file distributed with
     3  // this work for additional information regarding copyright
     4  // ownership. Elasticsearch B.V. licenses this file to you under
     5  // the Apache License, Version 2.0 (the "License"); you may
     6  // not use this file except in compliance with the License.
     7  // You may obtain a copy of the License at
     8  //
     9  //     http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  // Unless required by applicable law or agreed to in writing,
    12  // software distributed under the License is distributed on an
    13  // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    14  // KIND, either express or implied.  See the License for the
    15  // specific language governing permissions and limitations
    16  // under the License.
    17  
    18  package jwe
    19  
    20  import (
    21  	"encoding/base64"
    22  	"errors"
    23  	"fmt"
    24  	"strings"
    25  
    26  	"gopkg.in/square/go-jose.v2"
    27  
    28  	"github.com/zntrio/harp/v2/pkg/sdk/value"
    29  	"github.com/zntrio/harp/v2/pkg/sdk/value/encryption"
    30  )
    31  
    32  type KeyAlgorithm string
    33  
    34  //nolint:revive,stylecheck // Accepted case
    35  var (
    36  	AES128_KW          KeyAlgorithm = "a128kw"
    37  	AES192_KW          KeyAlgorithm = "a192kw"
    38  	AES256_KW          KeyAlgorithm = "a256kw"
    39  	PBES2_HS256_A128KW KeyAlgorithm = "pbes2-hs256-a128kw"
    40  	PBES2_HS384_A192KW KeyAlgorithm = "pbes2-hs384-a192kw"
    41  	PBES2_HS512_A256KW KeyAlgorithm = "pbes2-hs512-a256kw"
    42  )
    43  
    44  func init() {
    45  	encryption.Register("jwe", FromKey)
    46  }
    47  
    48  // FromKey returns an encryption transformer instance according to the given key format.
    49  func FromKey(key string) (value.Transformer, error) {
    50  	// Remove the prefix
    51  	key = strings.TrimPrefix(key, "jwe:")
    52  
    53  	switch {
    54  	case strings.HasPrefix(key, "a128kw:"):
    55  		return Transformer(AES128_KW, strings.TrimPrefix(key, "a128kw:"))
    56  	case strings.HasPrefix(key, "a192kw:"):
    57  		return Transformer(AES192_KW, strings.TrimPrefix(key, "a192kw:"))
    58  	case strings.HasPrefix(key, "a256kw:"):
    59  		return Transformer(AES256_KW, strings.TrimPrefix(key, "a256kw:"))
    60  	case strings.HasPrefix(key, "pbes2-hs256-a128kw:"):
    61  		return Transformer(PBES2_HS256_A128KW, strings.TrimPrefix(key, "pbes2-hs256-a128kw:"))
    62  	case strings.HasPrefix(key, "pbes2-hs384-a192kw:"):
    63  		return Transformer(PBES2_HS384_A192KW, strings.TrimPrefix(key, "pbes2-hs384-a192kw:"))
    64  	case strings.HasPrefix(key, "pbes2-hs512-a256kw:"):
    65  		return Transformer(PBES2_HS512_A256KW, strings.TrimPrefix(key, "pbes2-hs512-a256kw:"))
    66  	default:
    67  	}
    68  
    69  	// Unsupported encryption scheme.
    70  	return nil, fmt.Errorf("unsupported jwe algorithm for key %q", key)
    71  }
    72  
    73  // TransformerKey assemble a transformer key.
    74  func TransformerKey(algorithm KeyAlgorithm, key string) string {
    75  	return fmt.Sprintf("%s:%s", algorithm, key)
    76  }
    77  
    78  // Transformer returns a JWE encryption value transformer instance.
    79  func Transformer(algorithm KeyAlgorithm, key string) (value.Transformer, error) {
    80  	switch algorithm {
    81  	case AES128_KW:
    82  		// Try to decode the key
    83  		k, err := base64.URLEncoding.DecodeString(key)
    84  		if err != nil {
    85  			return nil, fmt.Errorf("jwe: unable to decode key: %w", err)
    86  		}
    87  		if len(k) < 16 {
    88  			return nil, errors.New("jwe: key too short")
    89  		}
    90  		return transformer(k, jose.A128KW, jose.A128GCM)
    91  	case AES192_KW:
    92  		// Try to decode the key
    93  		k, err := base64.URLEncoding.DecodeString(key)
    94  		if err != nil {
    95  			return nil, fmt.Errorf("jwe: unable to decode key: %w", err)
    96  		}
    97  		if len(k) < 24 {
    98  			return nil, errors.New("jwe: key too short")
    99  		}
   100  		return transformer(k, jose.A192KW, jose.A192GCM)
   101  	case AES256_KW:
   102  		// Try to decode the key
   103  		k, err := base64.URLEncoding.DecodeString(key)
   104  		if err != nil {
   105  			return nil, fmt.Errorf("jwe: unable to decode key: %w", err)
   106  		}
   107  		if len(k) < 32 {
   108  			return nil, errors.New("jwe: key too short")
   109  		}
   110  		return transformer(k, jose.A256KW, jose.A256GCM)
   111  	case PBES2_HS256_A128KW:
   112  		return transformer(key, jose.PBES2_HS256_A128KW, jose.A128GCM)
   113  	case PBES2_HS384_A192KW:
   114  		return transformer(key, jose.PBES2_HS384_A192KW, jose.A192GCM)
   115  	case PBES2_HS512_A256KW:
   116  		return transformer(key, jose.PBES2_HS512_A256KW, jose.A256GCM)
   117  	default:
   118  	}
   119  
   120  	// Unsupported encryption scheme.
   121  	return nil, fmt.Errorf("unsupported jwe algorithm %q", algorithm)
   122  }