forked from TrueCloudLab/frostfs-node
01ed366e99
Add `WithEncryption` option that passes ECDSA key to the persistent session storage. It uses 32 bytes from marshalled ECDSA key in ASN.1 DER from in AES-256 algorithm encryption in Galois/Counter Mode. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
32 lines
730 B
Go
32 lines
730 B
Go
package persistent
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"fmt"
|
|
"io"
|
|
)
|
|
|
|
func (s *TokenStore) encrypt(value []byte) ([]byte, error) {
|
|
nonce := make([]byte, s.gcm.NonceSize())
|
|
|
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
|
return nil, fmt.Errorf("could not init random nonce: %w", err)
|
|
}
|
|
|
|
return s.gcm.Seal(nonce, nonce, value, nil), nil
|
|
}
|
|
|
|
func (s *TokenStore) decrypt(value []byte) ([]byte, error) {
|
|
nonceSize := s.gcm.NonceSize()
|
|
if len(value) < nonceSize {
|
|
return nil, fmt.Errorf(
|
|
"unexpected encrypted length: nonce length is %d, encrypted data lenght is %d",
|
|
nonceSize,
|
|
len(value),
|
|
)
|
|
}
|
|
|
|
nonce, encryptedData := value[:nonceSize], value[nonceSize:]
|
|
|
|
return s.gcm.Open(nil, nonce, encryptedData, nil)
|
|
}
|