package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/json"
"fmt"
"github.com/containers/ocicrypt/keywrap/keyprovider"
"io"
"log"
"os"
)
// key is the AES-256 key this mock provider uses for both wrapping and
// unwrapping. It is a demo placeholder committed in source; a real key
// provider would obtain its wrapping key from a KMS or secret store and
// never embed it in the binary.
var key = []byte("passphrasewhichneedstobe32bytes!")
// annotationPacket is the mock annotation emitted by the key provider and
// stored in the container image manifest. It carries the wrapped key plus
// enough metadata to locate the key and select the unwrap scheme.
type annotationPacket struct {
	// KeyUrl identifies the key used for wrapping (a fixed value in this mock).
	KeyUrl string `json:"key_url"`
	// WrappedKey holds the AES-GCM output as produced by WrapKey (nonce followed by ciphertext).
	WrappedKey []byte `json:"wrapped_key"`
	// WrapType names the wrapping scheme ("AES" in this mock).
	WrapType string `json:"wrap_type"`
}
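// main implements the ocicrypt key-provider protocol over stdin/stdout: it
// decodes one KeyProviderKeyWrapProtocolInput from stdin, dispatches on
// Operation to WrapKey or UnwrapKey, and prints the resulting protocol output
// to stdout. Every failure is fatal so the caller observes a non-zero exit.
func main() {
	var input keyprovider.KeyProviderKeyWrapProtocolInput
	if err := json.NewDecoder(os.Stdin).Decode(&input); err != nil {
		// log.Fatal joins its arguments without a separator, so use Fatalf
		// to keep the message and the error readable.
		log.Fatalf("decoding input: %v", err)
	}

	var (
		out []byte
		err error
	)
	switch input.Operation {
	case keyprovider.OpKeyWrap:
		out, err = WrapKey(input)
	case keyprovider.OpKeyUnwrap:
		out, err = UnwrapKey(input)
	default:
		log.Fatalf("Operation %v not recognized", input.Operation)
	}
	if err != nil {
		log.Fatal(err)
	}

	// The raw JSON bytes are the protocol response; ocicrypt reads stdout.
	fmt.Printf("%s", out)
}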
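// WrapKey handles OpKeyWrap: it encrypts keyP.KeyWrapParams.OptsData with the
// package-level AES key under AES-GCM and returns the marshalled
// KeyProviderKeyWrapProtocolOutput whose Annotation is a JSON annotationPacket.
// The wrapped value is the nonce followed by the ciphertext, so UnwrapKey can
// recover the nonce from the packet alone.
//
// It returns an error if the cipher cannot be constructed, if the nonce cannot
// be drawn from crypto/rand, or if either marshal step fails; none of these
// errors are silently discarded.
func WrapKey(keyP keyprovider.KeyProviderKeyWrapProtocolInput) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, fmt.Errorf("creating AES cipher: %w", err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, fmt.Errorf("creating GCM: %w", err)
	}

	// A fresh random nonce per wrap: reusing a nonce under the same key
	// voids GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, fmt.Errorf("generating nonce: %w", err)
	}

	// Seal appends the ciphertext after the nonce passed as dst.
	wrappedKey := gcm.Seal(nonce, nonce, keyP.KeyWrapParams.OptsData, nil)

	annotation, err := json.Marshal(annotationPacket{
		KeyUrl:     "https://key-provider/key-uuid",
		WrappedKey: wrappedKey,
		WrapType:   "AES",
	})
	if err != nil {
		return nil, fmt.Errorf("marshalling annotation: %w", err)
	}

	return json.Marshal(keyprovider.KeyProviderKeyWrapProtocolOutput{
		KeyWrapResults: keyprovider.KeyWrapResults{
			Annotation: annotation,
		},
	})
}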
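// UnwrapKey handles OpKeyUnwrap: it parses the annotationPacket carried in
// keyP.KeyUnwrapParams.Annotation, splits WrappedKey into nonce and
// ciphertext, decrypts with the package-level AES key under AES-GCM and
// returns the marshalled KeyProviderKeyWrapProtocolOutput holding the
// recovered OptsData.
//
// The annotation originates from the image manifest and is untrusted: a
// WrappedKey shorter than the GCM nonce is rejected with an error rather than
// sliced out of range, and an authentication failure from gcm.Open is
// returned to the caller.
func UnwrapKey(keyP keyprovider.KeyProviderKeyWrapProtocolInput) ([]byte, error) {
	var apkt annotationPacket
	if err := json.Unmarshal(keyP.KeyUnwrapParams.Annotation, &apkt); err != nil {
		return nil, fmt.Errorf("parsing annotation: %w", err)
	}

	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, fmt.Errorf("creating AES cipher: %w", err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, fmt.Errorf("creating GCM: %w", err)
	}

	nonceSize := gcm.NonceSize()
	if len(apkt.WrappedKey) < nonceSize {
		// Without this guard the slice below panics on a truncated or
		// malformed annotation.
		return nil, fmt.Errorf("wrapped key too short: %d bytes, need at least %d", len(apkt.WrappedKey), nonceSize)
	}
	nonce, ciphertext := apkt.WrappedKey[:nonceSize], apkt.WrappedKey[nonceSize:]

	unwrappedKey, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping key: %w", err)
	}

	return json.Marshal(keyprovider.KeyProviderKeyWrapProtocolOutput{
		KeyUnwrapResults: keyprovider.KeyUnwrapResults{OptsData: unwrappedKey},
	})
}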