monoadmin/the-other-dude
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
05e5595c2b25e328b9bfde98063586a8be0ad3c0
the-other-dude/poller/internal/device/crypto.go
Jason Staack b840047e19 feat: The Other Dude v9.0.1 — full-featured email system 
ci: add GitHub Pages deployment workflow for docs site

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 19:30:44 -05:00

62 lines
2.0 KiB
Go
Raw Blame History

package device
import (
"crypto/aes"
"crypto/cipher"
"encoding/json"
"fmt"
)
// credentialsJSON is the JSON structure stored in encrypted device credentials.
// Must match the Python backend's encryption format.
type credentialsJSON struct {
Username string `json:"username"`
Password string `json:"password"`
}
// DecryptCredentials decrypts AES-256-GCM encrypted credentials and returns the
// username and password stored within.
//
// The ciphertext format MUST match what Python's cryptography.hazmat.primitives.ciphers.aead.AESGCM
// produces when called as: nonce + AESGCM.encrypt(nonce, plaintext, None)
//
// Layout on disk:
// - bytes [0:12] — 12-byte random nonce (GCM standard)
// - bytes [12:] — ciphertext + 16-byte GCM authentication tag (appended by library)
//
// Go's cipher.AEAD.Open expects the GCM tag appended to the ciphertext, which is exactly
// how Python's cryptography library stores it, so the two are directly compatible.
func DecryptCredentials(ciphertext []byte, key []byte) (username, password string, err error) {
if len(key) != 32 {
return "", "", fmt.Errorf("encryption key must be 32 bytes, got %d", len(key))
}
if len(ciphertext) < 12+16 {
return "", "", fmt.Errorf("ciphertext too short: need at least 28 bytes (12 nonce + 16 tag), got %d", len(ciphertext))
}
block, err := aes.NewCipher(key)
if err != nil {
return "", "", fmt.Errorf("creating AES cipher: %w", err)
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return "", "", fmt.Errorf("creating GCM cipher: %w", err)
}
nonce := ciphertext[:12]
encryptedData := ciphertext[12:]
plaintext, err := gcm.Open(nil, nonce, encryptedData, nil)
if err != nil {
return "", "", fmt.Errorf("decrypting credentials (wrong key or tampered data): %w", err)
}
var creds credentialsJSON
if err := json.Unmarshal(plaintext, &creds); err != nil {
return "", "", fmt.Errorf("unmarshalling decrypted credentials JSON: %w", err)
}
return creds.Username, creds.Password, nil
}
Reference in New Issue View Git Blame Copy Permalink