Add secrets interface to config/secrets (#1325)

* Interface for secrets * Add secretbox secrets implementation * Start working on box * typo * Add asymmetric encryption implementation * go mod tidy * Fix review comments Co-authored-by: Asim Aslam <asim@aslam.me>
2025-08-04 21:42:57 +02:00 · 2020-03-10 22:52:06 +00:00
parent 48b2a5c37c
commit 4125ae8d53
5 changed files with 363 additions and 0 deletions
--- a/config/secrets/box/box.go
+++ b/config/secrets/box/box.go
@ -0,0 +1,89 @@
+// Package box is an asymmetric implementation of config/secrets using nacl/box
+package box
+
+import (
+	"github.com/micro/go-micro/v2/config/secrets"
+	"github.com/pkg/errors"
+	naclbox "golang.org/x/crypto/nacl/box"
+
+	"crypto/rand"
+)
+
+const keyLength = 32
+
+type box struct {
+	options secrets.Options
+
+	publicKey  [keyLength]byte
+	privateKey [keyLength]byte
+}
+
+// NewCodec returns a nacl-box codec
+func NewCodec(opts ...secrets.Option) secrets.Codec {
+	b := &box{}
+	for _, o := range opts {
+		o(&b.options)
+	}
+	return b
+}
+
+// Init initialises a box
+func (b *box) Init(opts ...secrets.Option) error {
+	for _, o := range opts {
+		o(&b.options)
+	}
+	if len(b.options.PrivateKey) != keyLength || len(b.options.PublicKey) != keyLength {
+		return errors.Errorf("a public key and a private key of length %d must both be provided", keyLength)
+	}
+	copy(b.privateKey[:], b.options.PrivateKey)
+	copy(b.publicKey[:], b.options.PublicKey)
+	return nil
+}
+
+// Options returns options
+func (b *box) Options() secrets.Options {
+	return b.options
+}
+
+// String returns nacl-box
+func (*box) String() string {
+	return "nacl-box"
+}
+
+// Encrypt encrypts a message with the sender's private key and the receipient's public key
+func (b *box) Encrypt(in []byte, opts ...secrets.EncryptOption) ([]byte, error) {
+	var options secrets.EncryptOptions
+	for _, o := range opts {
+		o(&options)
+	}
+	if len(options.RecipientPublicKey) != keyLength {
+		return []byte{}, errors.New("recepient's public key must be provided")
+	}
+	var recipientPublicKey [keyLength]byte
+	copy(recipientPublicKey[:], options.RecipientPublicKey)
+	var nonce [24]byte
+	if _, err := rand.Reader.Read(nonce[:]); err != nil {
+		return []byte{}, errors.Wrap(err, "couldn't obtain a random nonce from crypto/rand")
+	}
+	return naclbox.Seal(nonce[:], in, &nonce, &recipientPublicKey, &b.privateKey), nil
+}
+
+// Decrypt Decrypts a message with the receiver's private key and the sender's public key
+func (b *box) Decrypt(in []byte, opts ...secrets.DecryptOption) ([]byte, error) {
+	var options secrets.DecryptOptions
+	for _, o := range opts {
+		o(&options)
+	}
+	if len(options.SenderPublicKey) != keyLength {
+		return []byte{}, errors.New("sender's public key bust be provided")
+	}
+	var nonce [24]byte
+	var senderPublicKey [32]byte
+	copy(nonce[:], in[:24])
+	copy(senderPublicKey[:], options.SenderPublicKey)
+	decrypted, ok := naclbox.Open(nil, in[24:], &nonce, &senderPublicKey, &b.privateKey)
+	if !ok {
+		return []byte{}, errors.New("incoming message couldn't be verified / decrypted")
+	}
+	return decrypted, nil
+}