123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 |
- // Copyright 2018 The go-ethereum Authors
- // This file is part of the go-ethereum library.
- //
- // The go-ethereum library is free software: you can redistribute it and/or modify
- // it under the terms of the GNU Lesser General Public License as published by
- // the Free Software Foundation, either version 3 of the License, or
- // (at your option) any later version.
- //
- // The go-ethereum library is distributed in the hope that it will be useful,
- // but WITHOUT ANY WARRANTY; without even the implied warranty of
- // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- // GNU Lesser General Public License for more details.
- //
- // You should have received a copy of the GNU Lesser General Public License
- // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
- package storage
- import (
- "crypto/aes"
- "crypto/cipher"
- "crypto/rand"
- "encoding/json"
- "io"
- "io/ioutil"
- "os"
- "github.com/ethereum/go-ethereum/log"
- )
- type storedCredential struct {
- // The iv
- Iv []byte `json:"iv"`
- // The ciphertext
- CipherText []byte `json:"c"`
- }
- // AESEncryptedStorage is a storage type which is backed by a json-file. The json-file contains
- // key-value mappings, where the keys are _not_ encrypted, only the values are.
- type AESEncryptedStorage struct {
- // File to read/write credentials
- filename string
- // Key stored in base64
- key []byte
- }
- // NewAESEncryptedStorage creates a new encrypted storage backed by the given file/key
- func NewAESEncryptedStorage(filename string, key []byte) *AESEncryptedStorage {
- return &AESEncryptedStorage{
- filename: filename,
- key: key,
- }
- }
- // Put stores a value by key. 0-length keys results in noop.
- func (s *AESEncryptedStorage) Put(key, value string) {
- if len(key) == 0 {
- return
- }
- data, err := s.readEncryptedStorage()
- if err != nil {
- log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
- return
- }
- ciphertext, iv, err := encrypt(s.key, []byte(value), []byte(key))
- if err != nil {
- log.Warn("Failed to encrypt entry", "err", err)
- return
- }
- encrypted := storedCredential{Iv: iv, CipherText: ciphertext}
- data[key] = encrypted
- if err = s.writeEncryptedStorage(data); err != nil {
- log.Warn("Failed to write entry", "err", err)
- }
- }
- // Get returns the previously stored value, or an error if it does not exist or
- // key is of 0-length.
- func (s *AESEncryptedStorage) Get(key string) (string, error) {
- if len(key) == 0 {
- return "", ErrZeroKey
- }
- data, err := s.readEncryptedStorage()
- if err != nil {
- log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
- return "", err
- }
- encrypted, exist := data[key]
- if !exist {
- log.Warn("Key does not exist", "key", key)
- return "", ErrNotFound
- }
- entry, err := decrypt(s.key, encrypted.Iv, encrypted.CipherText, []byte(key))
- if err != nil {
- log.Warn("Failed to decrypt key", "key", key)
- return "", err
- }
- return string(entry), nil
- }
- // Del removes a key-value pair. If the key doesn't exist, the method is a noop.
- func (s *AESEncryptedStorage) Del(key string) {
- data, err := s.readEncryptedStorage()
- if err != nil {
- log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
- return
- }
- delete(data, key)
- if err = s.writeEncryptedStorage(data); err != nil {
- log.Warn("Failed to write entry", "err", err)
- }
- }
- // readEncryptedStorage reads the file with encrypted creds
- func (s *AESEncryptedStorage) readEncryptedStorage() (map[string]storedCredential, error) {
- creds := make(map[string]storedCredential)
- raw, err := ioutil.ReadFile(s.filename)
- if err != nil {
- if os.IsNotExist(err) {
- // Doesn't exist yet
- return creds, nil
- }
- log.Warn("Failed to read encrypted storage", "err", err, "file", s.filename)
- }
- if err = json.Unmarshal(raw, &creds); err != nil {
- log.Warn("Failed to unmarshal encrypted storage", "err", err, "file", s.filename)
- return nil, err
- }
- return creds, nil
- }
- // writeEncryptedStorage write the file with encrypted creds
- func (s *AESEncryptedStorage) writeEncryptedStorage(creds map[string]storedCredential) error {
- raw, err := json.Marshal(creds)
- if err != nil {
- return err
- }
- if err = ioutil.WriteFile(s.filename, raw, 0600); err != nil {
- return err
- }
- return nil
- }
- // encrypt encrypts plaintext with the given key, with additional data
- // The 'additionalData' is used to place the (plaintext) KV-store key into the V,
- // to prevent the possibility to alter a K, or swap two entries in the KV store with eachother.
- func encrypt(key []byte, plaintext []byte, additionalData []byte) ([]byte, []byte, error) {
- block, err := aes.NewCipher(key)
- if err != nil {
- return nil, nil, err
- }
- aesgcm, err := cipher.NewGCM(block)
- if err != nil {
- return nil, nil, err
- }
- nonce := make([]byte, aesgcm.NonceSize())
- if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
- return nil, nil, err
- }
- ciphertext := aesgcm.Seal(nil, nonce, plaintext, additionalData)
- return ciphertext, nonce, nil
- }
- func decrypt(key []byte, nonce []byte, ciphertext []byte, additionalData []byte) ([]byte, error) {
- block, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
- aesgcm, err := cipher.NewGCM(block)
- if err != nil {
- return nil, err
- }
- plaintext, err := aesgcm.Open(nil, nonce, ciphertext, additionalData)
- if err != nil {
- return nil, err
- }
- return plaintext, nil
- }
|