author | Daniel Baumann <daniel@debian.org> | 2024-10-18 20:33:49 +0200 |
---|---|---|
committer | Daniel Baumann <daniel@debian.org> | 2024-12-12 23:57:56 +0100 |
commit | e68b9d00a6e05b3a941f63ffb696f91e554ac5ec (patch) | |
tree | 97775d6c13b0f416af55314eb6a89ef792474615 /modules/secret | |
parent | Initial commit. (diff) | |
Adding upstream version 9.0.3.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to '')
-rw-r--r-- | modules/secret/secret.go | 78 | ||||
-rw-r--r-- | modules/secret/secret_test.go | 32 |
2 files changed, 110 insertions, 0 deletions
diff --git a/modules/secret/secret.go b/modules/secret/secret.go
new file mode 100644
index 0000000..e70ae18
--- /dev/null
+++ b/modules/secret/secret.go
@@ -0,0 +1,78 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package secret
+
+import (
+ "crypto/aes"
+ "crypto/cipher"
+ "crypto/rand"
+ "crypto/sha256"
+ "encoding/base64"
+ "encoding/hex"
+ "errors"
+ "fmt"
+ "io"
+)
+
+// AesEncrypt encrypts text and given key with AES.
+func AesEncrypt(key, text []byte) ([]byte, error) {
+ block, err := aes.NewCipher(key)
+ if err != nil {
+ return nil, fmt.Errorf("AesEncrypt invalid key: %v", err)
+ }
+ b := base64.StdEncoding.EncodeToString(text)
+ ciphertext := make([]byte, aes.BlockSize+len(b))
+ iv := ciphertext[:aes.BlockSize]
+ if _, err = io.ReadFull(rand.Reader, iv); err != nil {
+ return nil, fmt.Errorf("AesEncrypt unable to read IV: %w", err)
+ }
+ cfb := cipher.NewCFBEncrypter(block, iv)
+ cfb.XORKeyStream(ciphertext[aes.BlockSize:], []byte(b))
+ return ciphertext, nil
+}
+
+// AesDecrypt decrypts text and given key with AES.
+func AesDecrypt(key, text []byte) ([]byte, error) {
+ block, err := aes.NewCipher(key)
+ if err != nil {
+ return nil, err
+ }
+ if len(text) < aes.BlockSize {
+ return nil, errors.New("AesDecrypt ciphertext too short")
+ }
+ iv := text[:aes.BlockSize]
+ text = text[aes.BlockSize:]
+ cfb := cipher.NewCFBDecrypter(block, iv)
+ cfb.XORKeyStream(text, text)
+ data, err := base64.StdEncoding.DecodeString(string(text))
+ if err != nil {
+ return nil, fmt.Errorf("AesDecrypt invalid decrypted base64 string: %w", err)
+ }
+ return data, nil
+}
+
+// EncryptSecret encrypts a string with given key into a hex string
+func EncryptSecret(key, str string) (string, error) {
+ keyHash := sha256.Sum256([]byte(key))
+ plaintext := []byte(str)
+ ciphertext, err := AesEncrypt(keyHash[:], plaintext)
+ if err != nil {
+ return "", fmt.Errorf("failed to encrypt by secret: %w", err)
+ }
+ return hex.EncodeToString(ciphertext), nil
+}
+
+// DecryptSecret decrypts a previously encrypted hex string
+func DecryptSecret(key, cipherHex string) (string, error) {
+ keyHash := sha256.Sum256([]byte(key))
+ ciphertext, err := hex.DecodeString(cipherHex)
+ if err != nil {
+ return "", fmt.Errorf("failed to decrypt by secret, invalid hex string: %w", err)
+ }
+ plaintext, err := AesDecrypt(keyHash[:], ciphertext)
+ if err != nil {
+ return "", fmt.Errorf("failed to decrypt by secret, the key (maybe SECRET_KEY?) might be incorrect: %w", err)
+ }
+ return string(plaintext), nil
+}
diff --git a/modules/secret/secret_test.go b/modules/secret/secret_test.go
new file mode 100644
index 0000000..ba23718
--- /dev/null
+++ b/modules/secret/secret_test.go
@@ -0,0 +1,32 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package secret
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestEncryptDecrypt(t *testing.T) {
+ hex, err := EncryptSecret("foo", "baz")
+ require.NoError(t, err)
+ str, _ := DecryptSecret("foo", hex)
+ assert.Equal(t, "baz", str)
+
+ hex, err = EncryptSecret("bar", "baz")
+ require.NoError(t, err)
+ str, _ = DecryptSecret("foo", hex)
+ assert.NotEqual(t, "baz", str)
+
+ _, err = DecryptSecret("a", "b")
+ require.ErrorContains(t, err, "invalid hex string")
+
+ _, err = DecryptSecret("a", "bb")
+ require.ErrorContains(t, err, "the key (maybe SECRET_KEY?) might be incorrect: AesDecrypt ciphertext too short")
+
+ _, err = DecryptSecret("a", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+ require.ErrorContains(t, err, "the key (maybe SECRET_KEY?) might be incorrect: AesDecrypt invalid decrypted base64 string")
+}
|
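Review bot: The ciphertext produced here is unauthenticated — AES-CFB at `cfb := cipher.NewCFBEncrypter(block, iv)` in AesEncrypt gives confidentiality only, so anyone who can modify a stored value (for example with database access) can flip bits of the decrypted secret without AesDecrypt noticing; the base64 round-trip is the only integrity signal and it rejects tampering only by chance. The standard fix is an AEAD such as AES-GCM via `cipher.NewGCM(block)`, which also makes the base64 wrapping and its size overhead unnecessary, and I believe Go 1.24 deprecates the CFB constructors for exactly this reason. Because this changes the stored format, existing CFB-encrypted values need a version prefix or a decrypt-time fallback before it can ship, and the test asserting `invalid decrypted base64 string` would need updating; the rewrite below shows only the encrypt/decrypt pair. A smaller point: `cfb.XORKeyStream(text, text)` decrypts in place and overwrites the caller's slice, which is harmless for DecryptSecret (fresh buffer from hex.DecodeString) but should be documented on the exported AesDecrypt or replaced with a copy. `sha256.Sum256([]byte(key))` is also a single unsalted hash, adequate when SECRET_KEY is random but providing no stretching if an operator chooses a passphrase.
```go
// AesEncrypt encrypts text with AES-GCM under key; the result is nonce || ciphertext || tag.
// NOTE: this changes the stored format — keep a CFB fallback in AesDecrypt for values
// encrypted by earlier releases until they are migrated.
func AesEncrypt(key, text []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, fmt.Errorf("AesEncrypt invalid key: %w", err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, fmt.Errorf("AesEncrypt unable to create GCM: %w", err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, fmt.Errorf("AesEncrypt unable to read nonce: %w", err)
	}
	// Seal appends to its first argument, so the nonce is prepended to the output.
	return aead.Seal(nonce, nonce, text, nil), nil
}

// AesDecrypt authenticates and decrypts data produced by AesEncrypt; text is not modified.
func AesDecrypt(key, text []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(text) < aead.NonceSize() {
		return nil, errors.New("AesDecrypt ciphertext too short")
	}
	nonce, sealed := text[:aead.NonceSize()], text[aead.NonceSize():]
	data, err := aead.Open(nil, nonce, sealed, nil)
	if err != nil {
		// Wrong key or tampered ciphertext both fail the GCM tag check.
		return nil, fmt.Errorf("AesDecrypt authentication failed: %w", err)
	}
	return data, nil
}
// … unchanged: EncryptSecret / DecryptSecret …
```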
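Review bot: In the wrong-key case the error from `str, _ = DecryptSecret("foo", hex)` is discarded and only `assert.NotEqual(t, "baz", str)` is checked, so the test never states what a wrong key is expected to do. Ignoring the error is in fact the right call for the CFB scheme under test — decrypting with the wrong key yields unauthenticated bytes that usually, but not always, fail the base64 decode, so a `require.Error` here would be flaky — but a comment should say so, e.g. `// wrong key: output is garbage; the error is not asserted because the base64 check only catches it probabilistically`. The local named `hex` also reuses the name of the `encoding/hex` package that secret.go imports; calling it `enc` would avoid confusion when reading the two files side by side.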