jedarden/ai-code-battle
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ai-code-battle/cmd/acb-api/crypto.go
jedarden e5dc3bc543 fix: accept base64-encoded AES keys (OpenBao stores keys as base64, not hex) 
The encryption key stored in OpenBao/K8s secrets is base64-encoded but
the API and worker crypto functions expected hex. Add parseAESKey() that
accepts both formats (tries hex first, falls back to base64).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 23:04:29 -04:00

102 lines
2.2 KiB
Go
Raw Blame History

package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"fmt"
"io"
)
// parseAESKey decodes a 32-byte AES key encoded as either 64 hex chars or 44 base64 chars.
func parseAESKey(s string) ([]byte, error) {
if b, err := hex.DecodeString(s); err == nil && len(b) == 32 {
return b, nil
}
b, err := base64.StdEncoding.DecodeString(s)
if err != nil {
b, err = base64.RawStdEncoding.DecodeString(s)
}
if err != nil {
return nil, fmt.Errorf("decode key: not valid hex or base64")
}
if len(b) != 32 {
return nil, fmt.Errorf("encryption key must be 32 bytes")
}
return b, nil
}
func generateID(prefix string, nBytes int) (string, error) {
b := make([]byte, nBytes)
if _, err := io.ReadFull(rand.Reader, b); err != nil {
return "", err
}
return prefix + hex.EncodeToString(b), nil
}
func generateSecret() (string, error) {
b := make([]byte, 32) // 256-bit
if _, err := io.ReadFull(rand.Reader, b); err != nil {
return "", err
}
return hex.EncodeToString(b), nil
}
func encryptSecret(plaintext, keyStr string) (string, error) {
key, err := parseAESKey(keyStr)
if err != nil {
return "", err
}
block, err := aes.NewCipher(key)
if err != nil {
return "", err
}
aead, err := cipher.NewGCM(block)
if err != nil {
return "", err
}
nonce := make([]byte, aead.NonceSize())
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return "", err
}
ciphertext := aead.Seal(nonce, nonce, []byte(plaintext), nil)
return hex.EncodeToString(ciphertext), nil
}
func decryptSecret(ciphertextHex, keyStr string) (string, error) {
key, err := parseAESKey(keyStr)
if err != nil {
return "", err
}
ciphertext, err := hex.DecodeString(ciphertextHex)
if err != nil {
return "", fmt.Errorf("decode ciphertext: %w", err)
}
block, err := aes.NewCipher(key)
if err != nil {
return "", err
}
aead, err := cipher.NewGCM(block)
if err != nil {
return "", err
}
nonceSize := aead.NonceSize()
if len(ciphertext) < nonceSize {
return "", fmt.Errorf("ciphertext too short")
}
nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
if err != nil {
return "", err
}
return string(plaintext), nil
}
Reference in a new issue View git blame Copy permalink