| -rw-r--r-- | .golangci.yml | 4 | ||||
| -rw-r--r-- | cmd/goaes/commands/commands.go | 3 | ||||
| -rw-r--r-- | cmd/goaes/commands/decrypt.go | 2 | ||||
| -rw-r--r-- | cmd/goaes/commands/encrypt.go | 2 | ||||
| -rw-r--r-- | internal/goaes.go | 10 |
5 files changed, 17 insertions, 4 deletions
diff --git a/.golangci.yml b/.golangci.yml
index 4bbb013..ce01f88 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,3 +1,7 @@
 version: "2"
 linters:
 default: standard
+ enable:
+ - nlreturn
+ - mnd
+ - gosec
diff --git a/cmd/goaes/commands/commands.go b/cmd/goaes/commands/commands.go
new file mode 100644
index 0000000..f7086a9
--- /dev/null
+++ b/cmd/goaes/commands/commands.go
@@ -0,0 +1,3 @@
+package commands
+
+const fileMode = 0600
diff --git a/cmd/goaes/commands/decrypt.go b/cmd/goaes/commands/decrypt.go
index 8f73c42..1912c1a 100644
--- a/cmd/goaes/commands/decrypt.go
+++ b/cmd/goaes/commands/decrypt.go
@@ -39,7 +39,7 @@ func Decrypt(ctx context.Context, cmd *cli.Command) error {
 return err
 }
 
- err = os.WriteFile(destination, plaintext, 0666)
+ err = os.WriteFile(destination, plaintext, fileMode)
 if err != nil {
 return err
 }
diff --git a/cmd/goaes/commands/encrypt.go b/cmd/goaes/commands/encrypt.go
index 47809c4..c658780 100644
--- a/cmd/goaes/commands/encrypt.go
+++ b/cmd/goaes/commands/encrypt.go
@@ -32,7 +32,7 @@ func Encrypt(ctx context.Context, cmd *cli.Command) error {
 return err
 }
 
- err = os.WriteFile(destination, dataBuffer.Bytes(), 0666)
+ err = os.WriteFile(destination, dataBuffer.Bytes(), fileMode)
 if err != nil {
 return err
 }
diff --git a/internal/goaes.go b/internal/goaes.go
index 65d898d..805a386 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
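Review bot: `const fileMode = 0600` in the new commands.go carries no doc comment, and as an untyped constant nothing ties it to os.FileMode until each call site converts it. Suggest `// fileMode is the permission applied to files created by the encrypt and decrypt commands: owner read/write only.` above the declaration, and writing it as `const fileMode os.FileMode = 0o600` so both the type and the octal intent are explicit (the 0o literal needs Go 1.13+, and the typed form needs an os import in this file).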
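Review bot: Replacing 0666 with fileMode in the decrypt.go hunk only protects a destination that does not yet exist: os.WriteFile opens with O_CREATE|O_TRUNC and the permission argument is used only when the file is created, so plaintext written over an existing world-readable file stays world-readable (and the umask still applies on creation). The encrypt.go hunk has the same gap. If output is meant to be owner-only regardless of prior state, either refuse to overwrite with `f, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE|os.O_EXCL, fileMode)` and write through f, or follow the WriteFile with an explicit `os.Chmod(destination, fileMode)` and handle its error. Decrypt and Encrypt both start outside their hunks, so the surrounding destination handling is not visible here.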
@@ -41,33 +41,38 @@ func NewKEKFromEnvB64(passphraseEnvVar string, salt Salt) (KEK, error) {
 }
 
 func NewDEK() (DEK, error) {
- key := make([]byte, 32)
+ key := make([]byte, keyLen)
 if _, err := io.ReadFull(rand.Reader, key); err != nil {
 return nil, fmt.Errorf("random DEK gen: %w", err)
 }
+
 return DEK(key), nil
 }
 
 func NewSalt() (Salt, error) {
- key := make([]byte, 32)
+ key := make([]byte, keyLen)
 if _, err := io.ReadFull(rand.Reader, key); err != nil {
 return nil, fmt.Errorf("random salt gen: %w", err)
 }
+
 return Salt(key), nil
 }
 
 func WrapDEK(dek DEK, kek KEK) (WrappedDEK, error) {
 edek, err := encryptAEAD([]byte(dek), []byte(kek), aadWrapDEK)
+
 return WrappedDEK(edek), err
 }
 
 func UnwrapDEK(edek WrappedDEK, kek KEK) (DEK, error) {
 dek, err := decryptAEAD([]byte(edek), []byte(kek), aadWrapDEK)
+
 return DEK(dek), err
 }
 
 func EncryptData(plaintext []byte, dek DEK) (Ciphertext, error) {
 ct, err := encryptAEAD(plaintext, []byte(dek), aadDataMsg)
+
 return Ciphertext(ct), err
 }
 
@@ -121,6 +126,7 @@ func decryptAEAD(ciphertext, key, aad []byte) ([]byte, error) {
 
 nonce := ciphertext[:ns]
 body := ciphertext[ns:]
+
 return gcm.Open(nil, nonce, body, aad)
 }
 
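Review bot: keyLen is not declared anywhere in this diff, so the NewDEK and NewSalt lines now depend on a constant that must already exist in package internal — worth confirming, since the diffstat (8 insertions in goaes.go, all visible here) leaves no room for it to be added by this commit. Sharing one constant between the DEK and the salt also couples two independent sizes: if encryptAEAD builds an AES cipher from the key, as the gcm.Open call in the second hunk suggests, the DEK length selects the AES variant and only 16, 24 or 32 bytes are accepted, whereas the salt length can be tuned freely; a later change to the salt size would then silently change or break the cipher. Separate `dekLen` and `saltLen` constants, each with a one-line comment stating why it has that value, would keep the two decisions independent. The remaining additions in the hunk are blank lines before return statements.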
