-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaes_encrypter.go
100 lines (80 loc) · 2.78 KB
/
aes_encrypter.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
package e2eenc
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"fmt"
"io"
)
const AESKeyLength = 32
// AESEncryptor encrypts and decrypts data using AES in CBC mode.
// https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
// You can initialize this encryptor with NewAESEncryptor(key) and use it with Encrypt and Decrypt.
type AESEncryptor struct {
key []byte
}
// GenerateAESKey generates a random 256-bit key and returns it.
func GenerateAESKey() ([]byte, error) {
key := make([]byte, AESKeyLength) // 256 bits
if _, err := rand.Read(key); err != nil {
return nil, fmt.Errorf("failed to generate key: %w", err)
}
return key, nil
}
// NewAESEncryptor creates a new encryption struct with the provided key.
func NewAESEncryptor(key []byte) (*AESEncryptor, error) {
if len(key) != AESKeyLength { // 256 bits
return nil, fmt.Errorf("%w: %d", ErrInvalidKeyLength, len(key))
}
return &AESEncryptor{key: key}, nil
}
// Encrypt encrypts the provided data with AES in CBC mode and returns the encrypted data and any error that occurred.
func (e *AESEncryptor) Encrypt(data []byte) ([]byte, error) {
if len(data) == 0 {
return nil, ErrShortData
}
block, err := aes.NewCipher(e.key)
if err != nil {
return nil, fmt.Errorf("failed to create cipher: %w", err)
}
// Padding
padding := aes.BlockSize - len(data)%aes.BlockSize
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
data = append(data, padtext...)
// The IV needs to be unique, but not secure. Therefore it's common
// to include it at the beginning of the ciphertext.
cipherText := make([]byte, aes.BlockSize+len(data))
iv := cipherText[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, fmt.Errorf("failed to read random data: %v", err)
}
mode := cipher.NewCBCEncrypter(block, iv)
mode.CryptBlocks(cipherText[aes.BlockSize:], data)
return cipherText, nil
}
// Decrypt decrypts the provided ciphertext with AES in CBC mode and
// returns the decrypted data and any error that occurred.
func (e *AESEncryptor) Decrypt(cipherText []byte) ([]byte, error) {
block, err := aes.NewCipher(e.key)
if err != nil {
return nil, fmt.Errorf("failed to create cipher: %w", err)
}
if len(cipherText) < aes.BlockSize {
return nil, ErrShortData
}
// The IV needs to be unique, but not secure. Therefore it's common to
// include it at the beginning of the ciphertext.
iv := cipherText[:aes.BlockSize]
cipherText = cipherText[aes.BlockSize:]
mode := cipher.NewCBCDecrypter(block, iv)
mode.CryptBlocks(cipherText, cipherText)
// Unpadding
padding := cipherText[len(cipherText)-1]
cipherText = cipherText[:len(cipherText)-int(padding)]
return cipherText, nil
}
// Type returns the type of the encryptor.
func (e *AESEncryptor) Type() EncryptorType {
return AESEncryptorType
}