234 lines
6.1 KiB
Diff
234 lines
6.1 KiB
Diff
From eaaca9cb5962a28e6f546e8c0ce1049f5db5d46b Mon Sep 17 00:00:00 2001
|
|
From: jingxiaolu <lujingxiao@huawei.com>
|
|
Date: Wed, 15 Dec 2021 16:42:12 +0800
|
|
Subject: [PATCH 4/4] utils: remove unused PBKDF2 and AES related
|
|
|
|
Fixes: #I4MO1B
|
|
|
|
Signed-off-by: jingxiaolu <lujingxiao@huawei.com>
|
|
---
|
|
util/cipher.go | 103 --------------------------------------------
|
|
util/cipher_test.go | 75 --------------------------------
|
|
2 files changed, 178 deletions(-)
|
|
|
|
diff --git a/util/cipher.go b/util/cipher.go
|
|
index 67cb52bb..fa0559ae 100644
|
|
--- a/util/cipher.go
|
|
+++ b/util/cipher.go
|
|
@@ -16,8 +16,6 @@ package util
|
|
import (
|
|
"bufio"
|
|
"crypto"
|
|
- "crypto/aes"
|
|
- "crypto/cipher"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/sha256"
|
|
@@ -32,117 +30,16 @@ import (
|
|
"path/filepath"
|
|
|
|
"github.com/pkg/errors"
|
|
- "golang.org/x/crypto/pbkdf2"
|
|
-
|
|
constant "isula.org/isula-build"
|
|
)
|
|
|
|
const (
|
|
- // CryptoKeyLen is secure key length for aes encryption and decryption(AES-256)
|
|
- CryptoKeyLen = 32
|
|
- // iteration is iteration count to hash
|
|
- iteration = 409600
|
|
- aesKeyLenUpperBound = 32
|
|
- aesKeyLenLowerBound = 16
|
|
// DefaultRSAKeySize is secure key length for RSA
|
|
DefaultRSAKeySize = 2048
|
|
// DefaultRSAKeyPath is the default directory to store rsa public key
|
|
DefaultRSAKeyPath = "/etc/isula-build/isula-build.pub"
|
|
)
|
|
|
|
-var (
|
|
- errGenCryptoKey = errors.New("generate crypto key failed")
|
|
-)
|
|
-
|
|
-// GenerateCryptoKey generates a random key with length s
|
|
-// if used with AES, the input length can only be 16, 24, 32,
|
|
-// which stands for AES-128, AES-192, or AES-256.
|
|
-func GenerateCryptoKey(s int) ([]byte, error) {
|
|
- var size int
|
|
- if s >= aesKeyLenLowerBound && s <= aesKeyLenUpperBound {
|
|
- size = s
|
|
- } else {
|
|
- size = aesKeyLenLowerBound
|
|
- }
|
|
- key := make([]byte, size)
|
|
- if _, err := io.ReadFull(rand.Reader, key); err != nil {
|
|
- return nil, errGenCryptoKey
|
|
- }
|
|
-
|
|
- return key, nil
|
|
-}
|
|
-
|
|
-// PBKDF2 is key derivation function to generate one way hash data
|
|
-// if used with AES, the keyLen can only be 16, 24, 32
|
|
-// which stands for AES-128, AES-192 or AES-256
|
|
-// iteration is pre-set to 409600 and salt is generated by random key generator
|
|
-func PBKDF2(password []byte, keyLen int, h func() hash.Hash) (string, error) {
|
|
- if len(password) == 0 {
|
|
- return "", errors.New("encrypt empty string failed")
|
|
- }
|
|
- salt, err := GenerateCryptoKey(CryptoKeyLen)
|
|
- if err != nil {
|
|
- return "", err
|
|
- }
|
|
-
|
|
- df := pbkdf2.Key(password, salt, iteration, keyLen, h)
|
|
-
|
|
- return hex.EncodeToString(df), nil
|
|
-}
|
|
-
|
|
-// EncryptAES encrypts plain text with AES encrypt algorithm(CFB)
|
|
-func EncryptAES(data string, aeskey string) (string, error) {
|
|
- plainText := []byte(data)
|
|
- key, err := hex.DecodeString(aeskey)
|
|
- if err != nil {
|
|
- return "", err
|
|
- }
|
|
-
|
|
- block, err := aes.NewCipher(key)
|
|
- if err != nil {
|
|
- return "", err
|
|
- }
|
|
-
|
|
- iv, err := GenerateCryptoKey(block.BlockSize())
|
|
- if err != nil {
|
|
- return "", errors.Errorf("generate rand data for iv failed: %v", err)
|
|
- }
|
|
- mode := cipher.NewCFBEncrypter(block, iv)
|
|
- encryptData := make([]byte, len(plainText))
|
|
- mode.XORKeyStream(encryptData, plainText)
|
|
- encryptData = append(iv, encryptData...)
|
|
-
|
|
- return hex.EncodeToString(encryptData), nil
|
|
-}
|
|
-
|
|
-// DecryptAES decrypts text with AES decrypt algorithm(CFB)
|
|
-func DecryptAES(data string, aeskey string) (string, error) {
|
|
- key, err := hex.DecodeString(aeskey)
|
|
- if err != nil {
|
|
- return "", err
|
|
- }
|
|
-
|
|
- cipherText, err := hex.DecodeString(data)
|
|
- if err != nil {
|
|
- return "", err
|
|
- }
|
|
-
|
|
- block, err := aes.NewCipher(key)
|
|
- if err != nil {
|
|
- return "", err
|
|
- }
|
|
-
|
|
- if len(cipherText) <= block.BlockSize() {
|
|
- return "", errors.Errorf("invalid cipher text length %v, it must larger than %v", len(cipherText), block.BlockSize())
|
|
- }
|
|
-
|
|
- decrypter := cipher.NewCFBDecrypter(block, cipherText[:block.BlockSize()])
|
|
- decryptData := make([]byte, len(cipherText)-block.BlockSize())
|
|
- decrypter.XORKeyStream(decryptData, cipherText[block.BlockSize():])
|
|
-
|
|
- return string(decryptData), nil
|
|
-}
|
|
-
|
|
// GenerateRSAKey generates a RAS key pair with key size s
|
|
// the recommend key size is 4096 and which will be use when
|
|
// key size is less than it
|
|
diff --git a/util/cipher_test.go b/util/cipher_test.go
|
|
index 4bbe894b..834c297c 100644
|
|
--- a/util/cipher_test.go
|
|
+++ b/util/cipher_test.go
|
|
@@ -40,81 +40,6 @@ const (
|
|
maxRepeatTime = 1000000
|
|
)
|
|
|
|
-func TestAES(t *testing.T) {
|
|
- var testcases = []struct {
|
|
- name string
|
|
- length int
|
|
- wantErr bool
|
|
- text string
|
|
- hash func() hash.Hash
|
|
- }{
|
|
- {
|
|
- name: "TC1 - normal case with key length 16",
|
|
- length: 16,
|
|
- text: "abcdefghijklmnopqrstuvwxyz",
|
|
- hash: sha256.New,
|
|
- wantErr: false,
|
|
- },
|
|
- {
|
|
- name: "TC2 - normal case with key length 24",
|
|
- length: 24,
|
|
- text: "1234567890",
|
|
- hash: sha256.New,
|
|
- wantErr: false,
|
|
- },
|
|
- {
|
|
- name: "TC3 - normal case with key length 32",
|
|
- length: 32,
|
|
- text: "!@#$%^&*()_+:><?",
|
|
- hash: sha256.New,
|
|
- wantErr: false,
|
|
- },
|
|
- {
|
|
- name: "TC4 - normal case with sha1",
|
|
- length: 32,
|
|
- text: "1234567890",
|
|
- hash: sha1.New,
|
|
- wantErr: false,
|
|
- },
|
|
- {
|
|
- name: "TC5 - normal case with sha256",
|
|
- length: 32,
|
|
- text: "abcdefghijklmnopqrstuvwxyz",
|
|
- hash: sha512.New,
|
|
- wantErr: false,
|
|
- },
|
|
- {
|
|
- name: "TC6 - abnormal case with invalid key length 0",
|
|
- length: 0,
|
|
- text: "!@#$%^&*()_+:><?",
|
|
- hash: sha256.New,
|
|
- wantErr: true,
|
|
- },
|
|
- {
|
|
- name: "TC7 - abnormal case with invalid ken length 63",
|
|
- length: 63,
|
|
- text: "This is test 7",
|
|
- hash: sha256.New,
|
|
- wantErr: true,
|
|
- },
|
|
- }
|
|
- for _, tt := range testcases {
|
|
- t.Run(tt.name, func(t *testing.T) {
|
|
- oriKey, err := GenerateCryptoKey(tt.length)
|
|
- key, err := PBKDF2(oriKey, tt.length, tt.hash)
|
|
- encryptData, err := EncryptAES(tt.text, key)
|
|
- decryptData, err := DecryptAES(encryptData, key)
|
|
- if err == nil {
|
|
- assert.Equal(t, tt.text, decryptData)
|
|
- assert.Assert(t, string(oriKey) != key)
|
|
- }
|
|
- if (err != nil) != tt.wantErr {
|
|
- t.Errorf("%s error = %v, wantErr %v", tt.name, err, tt.wantErr)
|
|
- }
|
|
- })
|
|
- }
|
|
-}
|
|
-
|
|
func TestRSA(t *testing.T) {
|
|
type args struct {
|
|
data string
|
|
--
|
|
2.27.0
|
|
|