credentials: Refactor the encryption/dectryption functions

4 years ago · 2af4d35946
parent 0de6511aab
commit 2af4d35946
2 changed files with 41 additions and 35 deletions
--- a/pkg/users/credentials/credentials.go
+++ b/pkg/users/credentials/credentials.go
@ -21,14 +21,10 @@
 package credentials
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"io"
 	"strings"
 	"golang.org/x/crypto/nacl/secretbox"
 )
 type Secret struct {
@ -88,18 +84,9 @@ func (s *Credentials) Unlock(slot, password string) error {
 	var passBytes [32]byte
 	copy(passBytes[:], pb)
-	if len(sealedKey) < 24 {
+	keyBytes, err := Decrypt(sealedKey, passBytes)
-		return ErrUnauthorized
+	if err != nil {
-	}
+		return err
 	// Read the nonce
 	var nonce [24]byte
 	copy(nonce[:], sealedKey[:24])
 	// Decrypt
 	keyBytes, ok := secretbox.Open(nil, sealedKey[24:], &nonce, &passBytes)
 	if !ok {
 		return ErrUnauthorized
 	}
 	if s.Locked() {
@ -115,12 +102,10 @@ func (s *Credentials) SealKey(slot string, key [32]byte) error {
 		return ErrLocked
 	}
-	var nonce [24]byte
+	var err error
-	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
+	if s.SealedKeys[slot], err = Encrypt(s.Key[:], key); err != nil {
 		return err
 	}
 	s.SealedKeys[slot] = secretbox.Seal(nonce[:], s.Key[:], &nonce, &key)
 	return nil
 }
@ -134,31 +119,21 @@ func (s *Credentials) Encrypt() error {
 		return ErrEncryptionFailed
 	}
-	// Nonce must be different for each message
+	if s.SealedSecret, err = Encrypt([]byte(secret), s.Key); err != nil {
 	var nonce [24]byte
 	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
 		return err
 	}
 	// Encrypt the secret and append the result to the nonce
 	s.SealedSecret = secretbox.Seal(nonce[:], []byte(secret), &nonce, &s.Key)
 	return nil
 }
 func (s *Credentials) Decrypt() error {
-	if len(s.SealedSecret) < 24 || s.Locked() {
+	if s.Locked() {
 		return ErrDecryptionFailed
 	}
-	// Read the nonce
+	decrypted, err := Decrypt(s.SealedSecret, s.Key)
-	var nonce [24]byte
+	if err != nil {
-	copy(nonce[:], s.SealedSecret[:24])
+		return err
 	// Decrypt
 	decrypted, ok := secretbox.Open(nil, s.SealedSecret[24:], &nonce, &s.Key)
 	if !ok {
 		return ErrDecryptionFailed
 	}
 	if err := json.Unmarshal(decrypted, &s.Secret); err != nil {
--- a/pkg/users/credentials/pass.go
+++ b/pkg/users/credentials/pass.go
@ -24,6 +24,8 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"io"
 	"golang.org/x/crypto/nacl/secretbox"
 )
 func GenerateKey(size uint) []byte {
@ -37,3 +39,32 @@ func GenerateKey(size uint) []byte {
 func generatePassword() string {
 	return base64.RawURLEncoding.EncodeToString(GenerateKey(16))
 }
 func Decrypt(msg []byte, key [32]byte) ([]byte, error) {
 	if len(msg) < 24 {
 		return nil, ErrDecryptionFailed
 	}
 	// Read the nonce
 	var nonce [24]byte
 	copy(nonce[:], msg[:24])
 	// Decrypt
 	decrypted, ok := secretbox.Open(nil, msg[24:], &nonce, &key)
 	if !ok {
 		return nil, ErrDecryptionFailed
 	}
 	return decrypted, nil
 }
 func Encrypt(msg []byte, key [32]byte) ([]byte, error) {
 	// Nonce must be different for each message
 	var nonce [24]byte
 	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
 		return nil, err
 	}
 	// Encrypt the secret and append the result to the nonce
 	return secretbox.Seal(nonce[:], msg, &nonce, &key), nil
 }