Skip to content

Commit

Permalink
improve decryption failure message
Browse files Browse the repository at this point in the history
  • Loading branch information
wxiaoguang committed May 7, 2023
1 parent 56ae853 commit cb29e30
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 16 deletions.
21 changes: 11 additions & 10 deletions modules/secret/secret.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
"io"

"github.com/minio/sha256-simd"
Expand All @@ -19,13 +20,13 @@ import (
func AesEncrypt(key, text []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
return nil, fmt.Errorf("AesEncrypt invalid key: %v", err)
}
b := base64.StdEncoding.EncodeToString(text)
ciphertext := make([]byte, aes.BlockSize+len(b))
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err
if _, err = io.ReadFull(rand.Reader, iv); err != nil {
return nil, fmt.Errorf("AesEncrypt unable to read iv: %w", err)
}
cfb := cipher.NewCFBEncrypter(block, iv)
cfb.XORKeyStream(ciphertext[aes.BlockSize:], []byte(b))
Expand All @@ -39,15 +40,15 @@ func AesDecrypt(key, text []byte) ([]byte, error) {
return nil, err
}
if len(text) < aes.BlockSize {
return nil, errors.New("ciphertext too short")
return nil, errors.New("AesDecrypt ciphertext too short")
}
iv := text[:aes.BlockSize]
text = text[aes.BlockSize:]
cfb := cipher.NewCFBDecrypter(block, iv)
cfb.XORKeyStream(text, text)
data, err := base64.StdEncoding.DecodeString(string(text))
if err != nil {
return nil, err
return nil, fmt.Errorf("AesDecrypt invalid decrtyped base64 string: %w", err)
}
return data, nil
}
Expand All @@ -58,21 +59,21 @@ func EncryptSecret(key, str string) (string, error) {
plaintext := []byte(str)
ciphertext, err := AesEncrypt(keyHash[:], plaintext)
if err != nil {
return "", err
return "", fmt.Errorf("failed to encrypt by secret: %w", err)
}
return hex.EncodeToString(ciphertext), nil
}

// DecryptSecret decrypts a previously encrypted hex string
func DecryptSecret(key, cipherhex string) (string, error) {
func DecryptSecret(key, cipherHex string) (string, error) {
keyHash := sha256.Sum256([]byte(key))
ciphertext, err := hex.DecodeString(cipherhex)
ciphertext, err := hex.DecodeString(cipherHex)
if err != nil {
return "", err
return "", fmt.Errorf("failed to decrtyp by secret, invalid hex string: %w", err)
}
plaintext, err := AesDecrypt(keyHash[:], ciphertext)
if err != nil {
return "", err
return "", fmt.Errorf("failed to decrtyp by secret, secret key (SECRET_KEY) might be incorrect: %w", err)
}
return string(plaintext), nil
}
20 changes: 14 additions & 6 deletions modules/secret/secret_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,22 @@ import (
)

func TestEncryptDecrypt(t *testing.T) {
var hex string
var str string

hex, _ = EncryptSecret("foo", "baz")
str, _ = DecryptSecret("foo", hex)
hex, err := EncryptSecret("foo", "baz")
assert.NoError(t, err)
str, _ := DecryptSecret("foo", hex)
assert.Equal(t, "baz", str)

hex, _ = EncryptSecret("bar", "baz")
hex, err = EncryptSecret("bar", "baz")
assert.NoError(t, err)
str, _ = DecryptSecret("foo", hex)
assert.NotEqual(t, "baz", str)

_, err = DecryptSecret("a", "b")
assert.ErrorContains(t, err, "invalid hex string")

_, err = DecryptSecret("a", "bb")
assert.ErrorContains(t, err, "secret key (SECRET_KEY) might be incorrect: AesDecrypt ciphertext too short")

_, err = DecryptSecret("a", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
assert.ErrorContains(t, err, "secret key (SECRET_KEY) might be incorrect: AesDecrypt invalid decrtyped base64 string")
}

0 comments on commit cb29e30

Please sign in to comment.