aboutsummaryrefslogblamecommitdiffstats
path: root/signer/storage/aes_gcm_storage.go
blob: 4fa1ba136f20c93b10dbf0fcbf6c9983567a1683 (plain) (tree) 
ec3db0f56
















16f3c3177

ec3db0f56











21cbe9d5b

ec3db0f56









f0488e80f

ec3db0f56


























d3441ebb5

ec3db0f56


























d3441ebb5

ec3db0f56
















ec3db0f56

16f3c3177

ec3db0f56




















d3441ebb5




ec3db0f56












d3441ebb5

ec3db0f56



d3441ebb5

ec3db0f56








d3441ebb5

ec3db0f56





1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

17

18
19
20
21
22
23
24
25
26
27
28

29

30
31
32
33
34
35
36
37
38

39

40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

66

67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

93

94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

110

111

112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

132
133
134
135

136
137
138
139
140
141
142
143
144
145
146
147

148

149
150
151

152

153
154
155
156
157
158
159
160

161

162
163
164
165
166
















                                                                       
 










                       
                                               








                                    
                                                                                               

























                                                                                            
                                                                         

























                                                                                                          
                                                                                     















                                                                                           
                 
                                                                                            



















                                                                                                 



                                                                                               











                                                                  
                                                                        


                                     
                                                                                                  







                                           
                                                                             




                               
// Copyright 2018 The go-ethereum Authors
// This file is part of go-ethereum.
//
// go-ethereum is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// go-ethereum is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with go-ethereum. If not, see <http://www.gnu.org/licenses/>.
//

package storage

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
    "encoding/json"
    "io"
    "io/ioutil"
    "os"

    "github.com/dexon-foundation/dexon/log"
)

type storedCredential struct {
    // The iv
    Iv []byte `json:"iv"`
    // The ciphertext
    CipherText []byte `json:"c"`
}

// AESEncryptedStorage is a storage type which is backed by a json-file. The json-file contains
// key-value mappings, where the keys are _not_ encrypted, only the values are.
type AESEncryptedStorage struct {
    // File to read/write credentials
    filename string
    // Key stored in base64
    key []byte
}

// NewAESEncryptedStorage creates a new encrypted storage backed by the given file/key
func NewAESEncryptedStorage(filename string, key []byte) *AESEncryptedStorage {
    return &AESEncryptedStorage{
        filename: filename,
        key:      key,
    }
}

// Put stores a value by key. 0-length keys results in no-op
func (s *AESEncryptedStorage) Put(key, value string) {
    if len(key) == 0 {
        return
    }
    data, err := s.readEncryptedStorage()
    if err != nil {
        log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
        return
    }
    ciphertext, iv, err := encrypt(s.key, []byte(value), []byte(key))
    if err != nil {
        log.Warn("Failed to encrypt entry", "err", err)
        return
    }
    encrypted := storedCredential{Iv: iv, CipherText: ciphertext}
    data[key] = encrypted
    if err = s.writeEncryptedStorage(data); err != nil {
        log.Warn("Failed to write entry", "err", err)
    }
}

// Get returns the previously stored value, or the empty string if it does not exist or key is of 0-length
func (s *AESEncryptedStorage) Get(key string) string {
    if len(key) == 0 {
        return ""
    }
    data, err := s.readEncryptedStorage()
    if err != nil {
        log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
        return ""
    }
    encrypted, exist := data[key]
    if !exist {
        log.Warn("Key does not exist", "key", key)
        return ""
    }
    entry, err := decrypt(s.key, encrypted.Iv, encrypted.CipherText, []byte(key))
    if err != nil {
        log.Warn("Failed to decrypt key", "key", key)
        return ""
    }
    return string(entry)
}

// readEncryptedStorage reads the file with encrypted creds
func (s *AESEncryptedStorage) readEncryptedStorage() (map[string]storedCredential, error) {
    creds := make(map[string]storedCredential)
    raw, err := ioutil.ReadFile(s.filename)

    if err != nil {
        if os.IsNotExist(err) {
            // Doesn't exist yet
            return creds, nil
        }
        log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
    }
    if err = json.Unmarshal(raw, &creds); err != nil {
        log.Warn("Failed to unmarshal encrypted storage", "err", err, "file", s.filename)
        return nil, err
    }
    return creds, nil
}

// writeEncryptedStorage write the file with encrypted creds
func (s *AESEncryptedStorage) writeEncryptedStorage(creds map[string]storedCredential) error {
    raw, err := json.Marshal(creds)
    if err != nil {
        return err
    }
    if err = ioutil.WriteFile(s.filename, raw, 0600); err != nil {
        return err
    }
    return nil
}

// encrypt encrypts plaintext with the given key, with additional data
// The 'additionalData' is used to place the (plaintext) KV-store key into the V,
// to prevent the possibility to alter a K, or swap two entries in the KV store with eachother.
func encrypt(key []byte, plaintext []byte, additionalData []byte) ([]byte, []byte, error) {
    block, err := aes.NewCipher(key)
    if err != nil {
        return nil, nil, err
    }
    aesgcm, err := cipher.NewGCM(block)
    nonce := make([]byte, aesgcm.NonceSize())
    if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
        return nil, nil, err
    }
    if err != nil {
        return nil, nil, err
    }
    ciphertext := aesgcm.Seal(nil, nonce, plaintext, additionalData)
    return ciphertext, nonce, nil
}

func decrypt(key []byte, nonce []byte, ciphertext []byte, additionalData []byte) ([]byte, error) {
    block, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }
    aesgcm, err := cipher.NewGCM(block)
    if err != nil {
        return nil, err
    }
    plaintext, err := aesgcm.Open(nil, nonce, ciphertext, additionalData)
    if err != nil {
        return nil, err
    }
    return plaintext, nil
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-16 17:24:59 +0800