@@ -25,23 +25,26 @@ import (
2525 "encoding/base64"
2626 "fmt"
2727 "io"
28-
29- log "github.com/sirupsen/logrus"
3028)
3129
3230const standardGcmNonceSize = 12
3331
34- // GenerateNonce creates a random nonce of a fixed size
35- func GenerateNonce () ([] byte , error ) {
32+ // GenerateNonce creates a random base64-encoded nonce of a fixed size.
33+ func GenerateNonce () (string , error ) {
3634 nonce := make ([]byte , standardGcmNonceSize )
3735 if _ , err := io .ReadFull (rand .Reader , nonce ); err != nil {
38- return nil , err
36+ return "" , err
3937 }
40- return [] byte ( base64 .StdEncoding .EncodeToString (nonce ) ), nil
38+ return base64 .StdEncoding .EncodeToString (nonce ), nil
4139}
4240
43- // EncryptText gzip input data and encrypts it using the supplied AES key
44- func EncryptText (text string , aesKey []byte , nonceEncoded []byte ) (string , error ) {
41+ // EncryptText gzips input data and encrypts it using the supplied AES key.
42+ // nonceEncoded must be a base64-encoded nonce of standardGcmNonceSize bytes.
43+ func EncryptText (text string , aesKey []byte , nonceEncoded string ) (string , error ) {
44+ if len (nonceEncoded ) == 0 {
45+ return "" , fmt .Errorf ("nonce must be provided" )
46+ }
47+
4548 block , err := aes .NewCipher (aesKey )
4649 if err != nil {
4750 return "" , err
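Review bot: The new `if len(nonceEncoded) == 0` guard is the only precondition check in this hunk, yet the doc comment just above it promises a base64 nonce of standardGcmNonceSize bytes — an empty check cannot establish that, and the decode that could is later in the function. More importantly for an API that takes the GCM nonce from the caller, neither GenerateNonce nor EncryptText says that a nonce must never be repeated under the same key; with AES-GCM a repeated (key, nonce) pair exposes the XOR of the two plaintexts and lets an attacker recover the authentication subkey, so this is the contract that matters most. I would add to EncryptText's comment: `// Callers must supply a fresh nonce (see GenerateNonce) for every encryption under a given key; reusing a (key, nonce) pair breaks GCM's confidentiality and integrity.` and extend GenerateNonce's comment to say that it returns 12 random bytes (16 base64 characters) sized for the standard GCM nonce. EncryptText's body continues past the end of this hunk.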
@@ -53,7 +56,7 @@ func EncryptText(text string, aesKey []byte, nonceEncoded []byte) (string, error
5356 }
5457
5558 nonce := make ([]byte , standardGcmNonceSize )
56- if _ , err = base64 .StdEncoding .Decode (nonce , nonceEncoded ); err != nil {
59+ if _ , err = base64 .StdEncoding .Decode (nonce , [] byte ( nonceEncoded ) ); err != nil {
5760 return "" , err
5861 }
5962
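Review bot: The changed line discards the byte count returned by base64.StdEncoding.Decode, so a nonce that decodes to fewer than 12 bytes is silently accepted with zero padding, and a nonce that encodes more than 12 bytes panics with an index out of range when Decode writes past the fixed 12-byte buffer. The first turns a caller mistake into a low-entropy nonce; the second is a crash reachable by whoever controls nonceEncoded, and neither is caught by the length-zero check earlier in the function. Decoding into a fresh slice and requiring the exact size closes both. EncryptText starts and ends outside this hunk.

```go
nonce, err := base64.StdEncoding.DecodeString(nonceEncoded)
if err != nil {
	return "", err
}
if len(nonce) != standardGcmNonceSize {
	return "", fmt.Errorf("nonce must be %d bytes, got %d", standardGcmNonceSize, len(nonce))
}
```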
@@ -66,40 +69,38 @@ func EncryptText(text string, aesKey []byte, nonceEncoded []byte) (string, error
6669 return base64 .StdEncoding .EncodeToString (cipherData ), nil
6770}
6871
69- // DecryptText decrypt gziped data using a supplied AES encryption key ang ungzip it
70- // in case of decryption failed, will return original input and decryption error
72+ // DecryptText decrypts data using the supplied AES encryption key and decompresses it.
73+ // Returns the plaintext, the base64-encoded nonce, and any error.
7174func DecryptText (text string , aesKey []byte ) (string , string , error ) {
7275 block , err := aes .NewCipher (aesKey )
7376 if err != nil {
7477 return "" , "" , err
7578 }
76- gcm , err := cipher .NewGCM (block )
79+ gcm , err := cipher .NewGCMWithNonceSize (block , standardGcmNonceSize )
7780 if err != nil {
7881 return "" , "" , err
7982 }
80- nonceSize := gcm .NonceSize ()
8183 data , err := base64 .StdEncoding .DecodeString (text )
8284 if err != nil {
8385 return "" , "" , err
8486 }
85- if len (data ) <= nonceSize {
86- return "" , "" , fmt .Errorf ("the encoded data from text %#v is shorter than %#v bytes and can't be decoded " , text , nonceSize )
87+ if len (data ) <= standardGcmNonceSize {
88+ return "" , "" , fmt .Errorf ("encrypted data too short: got %d bytes, need more than %d " , len ( data ), standardGcmNonceSize )
8789 }
88- nonce , ciphertext := data [:nonceSize ], data [nonceSize :]
90+ nonce , ciphertext := data [:standardGcmNonceSize ], data [standardGcmNonceSize :]
8991 plaindata , err := gcm .Open (nil , nonce , ciphertext , nil )
9092 if err != nil {
9193 return "" , "" , err
9294 }
9395 plaindata , err = decompressData (plaindata )
9496 if err != nil {
95- log .Debugf ("Failed to decompress data based on the base64 encoded text %#v. Got error %#v." , text , err )
9697 return "" , "" , err
9798 }
9899
99100 return string (plaindata ), base64 .StdEncoding .EncodeToString (nonce ), nil
100101}
101102
102- // decompressData gzip compressed data
103+ // decompressData decompresses gzip- compressed data.
103104func decompressData (data []byte ) ([]byte , error ) {
104105 gz , err := gzip .NewReader (bytes .NewBuffer (data ))
105106 if err != nil {
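Review bot: The short-input check on the changed line `if len(data) <= standardGcmNonceSize {` accounts only for the nonce, but every valid AES-GCM message also carries a 16-byte tag, so inputs of 13 to 28 bytes pass the guard and are rejected one step later by gcm.Open with a less specific error; `if len(data) < standardGcmNonceSize+gcm.Overhead() {` (with the message adjusted to match) makes the precondition exact. Since standardGcmNonceSize is 12, `cipher.NewGCMWithNonceSize(block, standardGcmNonceSize)` is equivalent to `cipher.NewGCM(block)`, which is the form the standard library recommends unless a non-standard nonce length is actually needed. Dropping the debug log that echoed the ciphertext is a good change, and the remaining paths now return the error once without logging it. decompressData's body continues below this hunk, so I cannot see whether the inflated size is bounded; the data is authenticated by gcm.Open before it reaches gzip, which limits that concern to holders of the key.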
@@ -114,15 +115,14 @@ func decompressData(data []byte) ([]byte, error) {
114115 return b .Bytes (), nil
115116}
116117
117- // compressData by gzip, for minify data stored in registry
118+ // compressData compresses data using gzip to minimize storage in the registry.
118119func compressData (data []byte ) ([]byte , error ) {
119120 var b bytes.Buffer
120121 gz , err := gzip .NewWriterLevel (& b , gzip .BestCompression )
121122 if err != nil {
122123 return nil , err
123124 }
124125
125- defer gz .Close ()
126126 if _ , err = gz .Write (data ); err != nil {
127127 return nil , err
128128 }
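Review bot: Removing `defer gz.Close()` is correct as far as it goes — the returned slice was taken by b.Bytes() before the deferred Close appended the final deflate block and the gzip trailer, so the old function returned truncated data — but the replacement Close has to run before the buffer is read, and its error has to be checked, because gzip.Writer only flushes and writes the CRC/length trailer in Close. compressData's tail is outside this hunk, so I cannot confirm that an explicit `if err := gz.Close(); err != nil { return nil, err }` now precedes `return b.Bytes(), nil`; without it decompressData, and therefore DecryptText, will fail with an unexpected EOF on everything this produces. Leaving the writer unclosed on the early-return Write error path is harmless, since it wraps only an in-memory buffer.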