AES decryptor now takes strings as input
@@ -19,20 +19,20 @@ type EncryptedValue struct {
|
||||
|
||||
var encre = regexp.MustCompile(`^ENC\[AES256_GCM,data:(.+),iv:(.+),tag:(.+),type:(.+)\]`)
|
||||
|
||||
func parse(value []byte) (*EncryptedValue, error) {
|
||||
matches := encre.FindSubmatch(value)
|
||||
func parse(value string) (*EncryptedValue, error) {
|
||||
matches := encre.FindStringSubmatch(value)
|
||||
if matches == nil {
|
||||
return nil, fmt.Errorf("Input string %s does not match sops' data format", value)
|
||||
}
|
||||
data, err := base64.StdEncoding.DecodeString(string(matches[1]))
|
||||
data, err := base64.StdEncoding.DecodeString(matches[1])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Error base64-decoding data: %s", err)
|
||||
}
|
||||
iv, err := base64.StdEncoding.DecodeString(string(matches[2]))
|
||||
iv, err := base64.StdEncoding.DecodeString(matches[2])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Error base64-decoding iv: %s", err)
|
||||
}
|
||||
tag, err := base64.StdEncoding.DecodeString(string(matches[3]))
|
||||
tag, err := base64.StdEncoding.DecodeString(matches[3])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Error base64-decoding tag: %s", err)
|
||||
}
|
||||
@@ -42,17 +42,17 @@ func parse(value []byte) (*EncryptedValue, error) {
|
||||
}
|
||||
|
||||
// Decrypt takes a sops-format value string and a key and returns the decrypted value.
|
||||
func Decrypt(value, key []byte, additionalAuthData []byte) (interface{}, error) {
|
||||
func Decrypt(value string, key []byte, additionalAuthData []byte) (interface{}, error) {
|
||||
encryptedValue, err := parse(value)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
aes, err := cryptoaes.NewCipher([]byte(key))
|
||||
aescipher, err := cryptoaes.NewCipher(key)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
gcm, err := cipher.NewGCMWithNonceSize(aes, len(encryptedValue.iv))
|
||||
gcm, err := cipher.NewGCMWithNonceSize(aescipher, len(encryptedValue.iv))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
@@ -80,7 +80,7 @@ func Decrypt(value, key []byte, additionalAuthData []byte) (interface{}, error)
|
||||
}
|
||||
|
||||
func Encrypt(value interface{}, key []byte, additionalAuthData []byte) (string, error) {
|
||||
aes, err := cryptoaes.NewCipher([]byte(key))
|
||||
aescipher, err := cryptoaes.NewCipher(key)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("Could not initialize AES GCM encryption cipher: %s", err)
|
||||
}
|
||||
@@ -89,7 +89,7 @@ func Encrypt(value interface{}, key []byte, additionalAuthData []byte) (string,
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("Could not generate random bytes for IV: %s", err)
|
||||
}
|
||||
gcm, err := cipher.NewGCMWithNonceSize(aes, len(iv))
|
||||
gcm, err := cipher.NewGCMWithNonceSize(aescipher, len(iv))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("Could not create GCM: %s", err)
|
||||
}
|
||||
@@ -111,7 +111,6 @@ func Encrypt(value interface{}, key []byte, additionalAuthData []byte) (string,
|
||||
default:
|
||||
return "", fmt.Errorf("Value to encrypt has unsupported type %T", value)
|
||||
}
|
||||
|
||||
out := gcm.Seal(nil, iv, plaintext, additionalAuthData)
|
||||
return fmt.Sprintf("ENC[AES256_GCM,data:%s,iv:%s,tag:%s,type:%s]",
|
||||
base64.StdEncoding.EncodeToString(out[:len(out)-cryptoaes.BlockSize]),
|
||||
|
||||
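Review bot: In the Decrypt hunk, the GCM nonce length is taken from the ciphertext itself (`cipher.NewGCMWithNonceSize(aescipher, len(encryptedValue.iv))`), so whoever controls the `iv:` field of a value also picks the nonce size, and Go accepts any non-zero size there. Pin it to the size Encrypt produces before building the AEAD, e.g. `if len(encryptedValue.iv) != expectedIVSize { return nil, fmt.Errorf("invalid IV length %d", len(encryptedValue.iv)) }` — the IV allocation in Encrypt is outside this hunk, and the test vector suggests 32 bytes, so confirm the constant against it. While there, the error paths `return "", err` hand back an empty string where the declared result type is `interface{}`; `return nil, err` is the zero value a caller would check against. Decrypt's body continues past the end of its hunk.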
@@ -10,7 +10,7 @@ import (
|
||||
|
||||
func TestDecrypt(t *testing.T) {
|
||||
expected := "foo"
|
||||
key := strings.Repeat("f", 32)
|
||||
key := []byte(strings.Repeat("f", 32))
|
||||
message := `ENC[AES256_GCM,data:oYyi,iv:MyIDYbT718JRr11QtBkcj3Dwm4k1aCGZBVeZf0EyV8o=,tag:t5z2Z023Up0kxwCgw1gNxg==,type:str]`
|
||||
decryption, err := Decrypt(message, key, []byte("bar:"))
|
||||
if err != nil {
|
||||
@@ -23,7 +23,7 @@ func TestDecrypt(t *testing.T) {
|
||||
|
||||
func TestDecryptInvalidAad(t *testing.T) {
|
||||
message := `ENC[AES256_GCM,data:oYyi,iv:MyIDYbT718JRr11QtBkcj3Dwm4k1aCGZBVeZf0EyV8o=,tag:t5z2Z023Up0kxwCgw1gNxg==,type:str]`
|
||||
_, err := Decrypt(message, strings.Repeat("f", 32), []byte(""))
|
||||
_, err := Decrypt(message, []byte(strings.Repeat("f", 32)), []byte(""))
|
||||
if err == nil {
|
||||
t.Errorf("Decrypting with an invalid AAC should fail")
|
||||
}
|
||||
@@ -36,12 +36,12 @@ func TestRoundtripString(t *testing.T) {
|
||||
if x == "" {
|
||||
return true
|
||||
}
|
||||
s, err := Encrypt(x, string(key), aad)
|
||||
s, err := Encrypt(x, key, aad)
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
return false
|
||||
}
|
||||
d, err := Decrypt(s, string(key), aad)
|
||||
d, err := Decrypt(s, key, aad)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
@@ -53,7 +53,7 @@ func TestRoundtripString(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestRoundtripFloat(t *testing.T) {
|
||||
key := strings.Repeat("f", 32)
|
||||
key := []byte(strings.Repeat("f", 32))
|
||||
f := func(x float64) bool {
|
||||
s, err := Encrypt(x, key, []byte(""))
|
||||
if err != nil {
|
||||
@@ -72,7 +72,7 @@ func TestRoundtripFloat(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestRoundtripInt(t *testing.T) {
|
||||
key := strings.Repeat("f", 32)
|
||||
key := []byte(strings.Repeat("f", 32))
|
||||
f := func(x int) bool {
|
||||
s, err := Encrypt(x, key, []byte(""))
|
||||
if err != nil {
|
||||
@@ -91,7 +91,7 @@ func TestRoundtripInt(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestRoundtripBool(t *testing.T) {
|
||||
key := strings.Repeat("f", 32)
|
||||
key := []byte(strings.Repeat("f", 32))
|
||||
f := func(x bool) bool {
|
||||
s, err := Encrypt(x, key, []byte(""))
|
||||
if err != nil {
|
||||
|
||||
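Review bot: TestDecryptInvalidAad's failure message says "invalid AAC" where the test is exercising the AAD; `t.Errorf("Decrypting with an invalid AAD should fail")` keeps the message consistent with the test name. The suite verifies that a wrong AAD is rejected but never that a modified `data:` or `tag:` field is, which is the other half of the AEAD guarantee this package depends on; a companion test that flips one byte of the tag in `message` and expects an error would cover it. The roundtrip properties (presumably driven by testing/quick, which is outside these hunks) report a failure only through `fmt.Println(err)` and `return false`, so a failing run gives no hint which input broke; `t.Log(err)` keeps that information with the test output.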
@@ -195,7 +195,7 @@ func decrypt(c *cli.Context, file string, fileBytes []byte, output io.Writer) er
|
||||
if err != nil {
|
||||
return cli.NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), 8)
|
||||
}
|
||||
originalMac, err := aes.Decrypt([]byte(metadata.MessageAuthenticationCode), key, []byte(metadata.LastModified.Format(time.RFC3339)))
|
||||
originalMac, err := aes.Decrypt(metadata.MessageAuthenticationCode, key, []byte(metadata.LastModified.Format(time.RFC3339)))
|
||||
if originalMac != mac && !c.Bool("ignore-mac") {
|
||||
return cli.NewExitError("MAC mismatch.", 9)
|
||||
}
|
||||
@@ -274,7 +274,7 @@ func rotate(c *cli.Context, file string, fileBytes []byte, output io.Writer) err
|
||||
if err != nil {
|
||||
return cli.NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), 8)
|
||||
}
|
||||
originalMac, err := aes.Decrypt([]byte(metadata.MessageAuthenticationCode), key, []byte(metadata.LastModified.Format(time.RFC3339)))
|
||||
originalMac, err := aes.Decrypt(metadata.MessageAuthenticationCode, key, []byte(metadata.LastModified.Format(time.RFC3339)))
|
||||
if originalMac != mac && !c.Bool("ignore-mac") {
|
||||
return cli.NewExitError("MAC mismatch.", 9)
|
||||
}
|
||||
|
||||
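Review bot: In both the decrypt and rotate hunks the error returned by `aes.Decrypt` for the file MAC is assigned to `err` and never checked before `originalMac != mac` is evaluated; an undecryptable or malformed MAC value then surfaces as the generic "MAC mismatch." with the real cause dropped, and is silently waved through when `--ignore-mac` is set. Add `if err != nil { return cli.NewExitError(fmt.Sprintf("Error decrypting MAC: %s", err), 9) }` between the call and the comparison in both places (gate it on `ignore-mac` only if tolerating a corrupt MAC is intended). The comparison itself is an interface `!=` on the decrypted value; `mac` is computed outside the hunk, but once both sides are known to be strings a `hmac.Equal` on their bytes would make the check constant-time. Both enclosing functions start before their hunks.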
2
sops.go
2
sops.go
@@ -99,7 +99,7 @@ func (tree Tree) Decrypt(key []byte) (string, error) {
|
||||
var v interface{}
|
||||
if !strings.HasSuffix(path[len(path)-1], tree.Metadata.UnencryptedSuffix) {
|
||||
var err error
|
||||
v, err = aes.Decrypt([]byte(in.(string)), key, []byte(strings.Join(path, ":")+":"))
|
||||
v, err = aes.Decrypt(in.(string), key, []byte(strings.Join(path, ":")+":"))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Could not decrypt value: %s", err)
|
||||
}
|
||||
|
||||
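Review bot: The new line keeps the single-value type assertion `in.(string)`, which panics instead of returning an error if a leaf under an encrypted path is not a string (a YAML integer or bool, for instance); the commit only dropped the `[]byte` conversion around it. Use the two-value form and route it into the error this branch already returns: `s, ok := in.(string); if !ok { return nil, fmt.Errorf("Could not decrypt value at %s: not a string", strings.Join(path, ":")) }` followed by `v, err = aes.Decrypt(s, key, []byte(strings.Join(path, ":")+":"))`. Whether non-string leaves can actually reach this branch depends on the walk that calls it, which is outside the hunk. The enclosing function starts before the hunk and continues after it.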