Add ability to encrypt files

2 files changed, 133 insertions, 0 deletions

diff --git a/internal/encrypt.go b/internal/encrypt.go
new file mode 100644
index 0000000..a404de7
--- /dev/null
+++ b/internal/encrypt.go
@@ -0,0 +1,38 @@
+package internal
+
+import (
+	"log"
+
+	"github.com/joho/godotenv"
+)
+
+func Encrypt(data []byte) (EncryptedDataPayload, error) {
+	if err := godotenv.Load(); err != nil {
+		log.Fatal("Error loading .env file")
+	}
+
+	kek, err := NewKEKFromEnvB64("SECRET_KEY")
+	if err != nil {
+		return EncryptedDataPayload{}, err
+	}
+
+	dek, err := NewDEK()
+	if err != nil {
+		return EncryptedDataPayload{}, err
+	}
+
+	edek, err := WrapDEK(dek, kek)
+	if err != nil {
+		return EncryptedDataPayload{}, err
+	}
+
+	ct, err := EncryptData(data, dek)
+	if err != nil {
+		return EncryptedDataPayload{}, err
+	}
+
+	return EncryptedDataPayload{
+		DEK:     edek,
+		Payload: ct,
+	}, nil
+}
diff --git a/internal/goaes.go b/internal/goaes.go
index 668ef17..ce054e8 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
@@ -1,11 +1,34 @@
 package internal
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/rand"
+	"encoding/base64"
+	"errors"
 	"fmt"
 	"io"
+	"os"
 )
 
+func NewKEKFromEnvB64(envVar string) (KEK, error) {
+	b64 := os.Getenv(envVar)
+	if b64 == "" {
+		return nil, fmt.Errorf("%s is not set", envVar)
+	}
+
+	raw, err := base64.StdEncoding.DecodeString(b64)
+	if err != nil {
+		return nil, fmt.Errorf("decode %s base64: %w", envVar, err)
+	}
+
+	if !validAESKeyLen(len(raw)) {
+		return nil, errBadKeyLn
+	}
+
+	return KEK(raw), nil
+}
+
 func NewDEK() (DEK, error) {
 	key := make([]byte, 32) // AES-256
 	if _, err := io.ReadFull(rand.Reader, key); err != nil {
@@ -13,3 +36,75 @@ func NewDEK() (DEK, error) {
 	}
 	return DEK(key), nil
 }
+
+func WrapDEK(dek DEK, kek KEK) (WrappedDEK, error) {
+	edek, err := encryptAEAD([]byte(dek), []byte(kek), aadWrapDEK)
+	return WrappedDEK(edek), err
+}
+
+func UnwrapDEK(edek WrappedDEK, kek KEK) (DEK, error) {
+	dek, err := decryptAEAD([]byte(edek), []byte(kek), aadWrapDEK)
+	return DEK(dek), err
+}
+
+func EncryptData(plaintext []byte, dek DEK) (Ciphertext, error) {
+	ct, err := encryptAEAD(plaintext, []byte(dek), aadDataMsg)
+	return Ciphertext(ct), err
+}
+
+func DecryptData(ct Ciphertext, dek DEK) ([]byte, error) {
+	return decryptAEAD([]byte(ct), []byte(dek), aadDataMsg)
+}
+
+// encryptAEAD returns: nonce || ciphertext
+func encryptAEAD(plaintext, key, aad []byte) ([]byte, error) {
+	if !validAESKeyLen(len(key)) {
+		return nil, errBadKeyLn
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+
+	return gcm.Seal(nonce, nonce, plaintext, aad), nil
+}
+
+func decryptAEAD(ciphertext, key, aad []byte) ([]byte, error) {
+	if !validAESKeyLen(len(key)) {
+		return nil, errBadKeyLn
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	ns := gcm.NonceSize()
+	if len(ciphertext) < ns {
+		return nil, errors.New("ciphertext too short")
+	}
+
+	nonce := ciphertext[:ns]
+	body := ciphertext[ns:]
+	return gcm.Open(nil, nonce, body, aad)
+}
+
+func validAESKeyLen(n int) bool {
+	return n == 16 || n == 24 || n == 32
+}