mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 18:47:01 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
165 lines
4.2 KiB
Go
165 lines
4.2 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package dhutil
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
|
|
"golang.org/x/crypto/hkdf"
|
|
|
|
"golang.org/x/crypto/curve25519"
|
|
)
|
|
|
|
type PublicKeyInfo struct {
|
|
Curve25519PublicKey []byte `json:"curve25519_public_key"`
|
|
}
|
|
|
|
type Envelope struct {
|
|
Curve25519PublicKey []byte `json:"curve25519_public_key"`
|
|
Nonce []byte `json:"nonce"`
|
|
EncryptedPayload []byte `json:"encrypted_payload"`
|
|
}
|
|
|
|
// generatePublicPrivateKey uses curve25519 to generate a public and private key
|
|
// pair.
|
|
func GeneratePublicPrivateKey() ([]byte, []byte, error) {
|
|
var scalar, public [32]byte
|
|
|
|
if _, err := io.ReadFull(rand.Reader, scalar[:]); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
curve25519.ScalarBaseMult(&public, &scalar)
|
|
return public[:], scalar[:], nil
|
|
}
|
|
|
|
// GenerateSharedSecret uses the private key and the other party's public key to
|
|
// generate the shared secret.
|
|
func GenerateSharedSecret(ourPrivate, theirPublic []byte) ([]byte, error) {
|
|
if len(ourPrivate) != 32 {
|
|
return nil, fmt.Errorf("invalid private key length: %d", len(ourPrivate))
|
|
}
|
|
if len(theirPublic) != 32 {
|
|
return nil, fmt.Errorf("invalid public key length: %d", len(theirPublic))
|
|
}
|
|
|
|
return curve25519.X25519(ourPrivate, theirPublic)
|
|
}
|
|
|
|
// DeriveSharedKey uses HKDF to derive a key from a shared secret and public keys
|
|
func DeriveSharedKey(secret, ourPublic, theirPublic []byte) ([]byte, error) {
|
|
// Derive the final key from the HKDF of the secret and public keys.
|
|
|
|
/*
|
|
Internally, HKDF hashes the secret and two public keys. If Alice and Bob are doing DH key exchange, Alice calculates:
|
|
|
|
HKDF(secret, A, B) since ourPublic is A.
|
|
|
|
Bob calculates HKDF(secret, B, A), since Bob's ours is B. That produces a different value. Now we only care
|
|
that both public keys participate in the derivation, so simply sorting them so they are in a consistent
|
|
numerical order (either one would do) arrives at an agreed value.
|
|
*/
|
|
|
|
var pub1 []byte
|
|
var pub2 []byte
|
|
switch bytes.Compare(ourPublic, theirPublic) {
|
|
case 0:
|
|
return nil, errors.New("same public key supplied for both participants")
|
|
case -1:
|
|
pub1 = ourPublic
|
|
pub2 = theirPublic
|
|
case 1:
|
|
pub1 = theirPublic
|
|
pub2 = ourPublic
|
|
}
|
|
|
|
kio := hkdf.New(sha256.New, secret, pub1, pub2)
|
|
|
|
var key [32]byte
|
|
n, err := io.ReadFull(kio, key[:])
|
|
if err != nil {
|
|
// Don't return the key along with the error to prevent misuse
|
|
return nil, err
|
|
}
|
|
if n != 32 {
|
|
return nil, errors.New("short read from hkdf")
|
|
}
|
|
|
|
return key[:], nil
|
|
}
|
|
|
|
// Use AES256-GCM to encrypt some plaintext with a provided key. The returned values are
|
|
// the ciphertext, the nonce, and error respectively.
|
|
func EncryptAES(key, plaintext, aad []byte) ([]byte, []byte, error) {
|
|
// We enforce AES-256, so check explicitly for 32 bytes on the key
|
|
if len(key) != 32 {
|
|
return nil, nil, fmt.Errorf("invalid key length: %d", len(key))
|
|
}
|
|
|
|
if len(plaintext) == 0 {
|
|
return nil, nil, errors.New("empty plaintext provided")
|
|
}
|
|
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
|
|
nonce := make([]byte, 12)
|
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
ciphertext := aesgcm.Seal(nil, nonce, plaintext, aad)
|
|
|
|
return ciphertext, nonce, nil
|
|
}
|
|
|
|
// Use AES256-GCM to decrypt some ciphertext with a provided key and nonce. The
|
|
// returned values are the plaintext and error respectively.
|
|
func DecryptAES(key, ciphertext, nonce, aad []byte) ([]byte, error) {
|
|
// We enforce AES-256, so check explicitly for 32 bytes on the key
|
|
if len(key) != 32 {
|
|
return nil, fmt.Errorf("invalid key length: %d", len(key))
|
|
}
|
|
|
|
if len(ciphertext) == 0 {
|
|
return nil, errors.New("empty ciphertext provided")
|
|
}
|
|
|
|
if len(nonce) == 0 {
|
|
return nil, errors.New("empty nonce provided")
|
|
}
|
|
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
plaintext, err := aesgcm.Open(nil, nonce, ciphertext, aad)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return plaintext, nil
|
|
}
|