[#1255] node/session: Add encryption

Add `WithEncryption` option that passes ECDSA key to the persistent session storage. It uses 32 bytes from marshalled ECDSA key in ASN.1 DER from in AES-256 algorithm encryption in Galois/Counter Mode. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
2022-03-21 14:53:49 +03:00 · 2022-03-21 14:53:49 +03:00 · 01ed366e99
commit 01ed366e99
parent a884ad56d9
6 changed files with 111 additions and 11 deletions
--- a/pkg/services/session/storage/persistent/encryption.go
+++ b/pkg/services/session/storage/persistent/encryption.go
@ -0,0 +1,32 @@
+package persistent
+
+import (
+	"crypto/rand"
+	"fmt"
+	"io"
+)
+
+func (s *TokenStore) encrypt(value []byte) ([]byte, error) {
+	nonce := make([]byte, s.gcm.NonceSize())
+
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, fmt.Errorf("could not init random nonce: %w", err)
+	}
+
+	return s.gcm.Seal(nonce, nonce, value, nil), nil
+}
+
+func (s *TokenStore) decrypt(value []byte) ([]byte, error) {
+	nonceSize := s.gcm.NonceSize()
+	if len(value) < nonceSize {
+		return nil, fmt.Errorf(
+			"unexpected encrypted length: nonce length is %d, encrypted data lenght is %d",
+			nonceSize,
+			len(value),
+		)
+	}
+
+	nonce, encryptedData := value[:nonceSize], value[nonceSize:]
+
+	return s.gcm.Open(nil, nonce, encryptedData, nil)
+}