path: root/internal/goaes.go
Diffstat (limited to 'internal/goaes.go')
-rw-r--r--internal/goaes.go10
1 files changed, 8 insertions, 2 deletions
diff --git a/internal/goaes.go b/internal/goaes.go
index 65d898d..805a386 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
@@ -41,33 +41,38 @@ func NewKEKFromEnvB64(passphraseEnvVar string, salt Salt) (KEK, error) {
}
func NewDEK() (DEK, error) {
- key := make([]byte, 32)
+ key := make([]byte, keyLen)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
return nil, fmt.Errorf("random DEK gen: %w", err)
}
+
return DEK(key), nil
}
func NewSalt() (Salt, error) {
- key := make([]byte, 32)
+ key := make([]byte, keyLen)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
return nil, fmt.Errorf("random salt gen: %w", err)
}
+
return Salt(key), nil
}
func WrapDEK(dek DEK, kek KEK) (WrappedDEK, error) {
edek, err := encryptAEAD([]byte(dek), []byte(kek), aadWrapDEK)
+
return WrappedDEK(edek), err
}
func UnwrapDEK(edek WrappedDEK, kek KEK) (DEK, error) {
dek, err := decryptAEAD([]byte(edek), []byte(kek), aadWrapDEK)
+
return DEK(dek), err
}
func EncryptData(plaintext []byte, dek DEK) (Ciphertext, error) {
ct, err := encryptAEAD(plaintext, []byte(dek), aadDataMsg)
+
return Ciphertext(ct), err
}
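Review bot: The `+ key := make([]byte, keyLen)` line in `NewSalt` sizes the salt with the same constant `NewDEK` now uses for the AES key, so two independent parameters are tied together: lowering `keyLen` (for example to move to a 16-byte AES key) would also shrink every newly generated salt and change the input presumably fed to the passphrase derivation in `NewKEKFromEnvB64`. Give the salt its own constant, `key := make([]byte, saltLen)` in `NewSalt`, with `saltLen` declared alongside `keyLen` (both appear to be defined outside this hunk), so the two sizes can be reviewed and changed independently. `NewDEK` and `NewSalt` are now identical apart from the error text and the return type; a small `randomBytes(n int, what string) ([]byte, error)` helper would remove the duplication, though that is optional. `NewKEKFromEnvB64` begins before this hunk.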
@@ -121,6 +126,7 @@ func decryptAEAD(ciphertext, key, aad []byte) ([]byte, error) {
nonce := ciphertext[:ns]
body := ciphertext[ns:]
+
return gcm.Open(nil, nonce, body, aad)
}