BlockStorage/repertory
1
0
Fork 0
Code Issues 4 Pull Requests Releases 8 Wiki Activity

Implement secure key via KDF for transparent data encryption/decryption #60

Browse Source
This commit is contained in:
Scott E. Graves
2025-08-29 19:39:36 -05:00
parent 62194271c0
commit 72db4e12cd
5 changed files with 115 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
support/include/utils/encryption.hpp
View File

@@ -143,6 +143,16 @@ struct kdf_config final {
return {sub_key, cfg};
}
template <typename hash_t>
[[nodiscard]] auto recreate_subkey(kdf_context ctx,
const hash_t &master_key) const -> hash_t {
hash_t sub_key;
crypto_kdf_derive_from_key(sub_key.data(), sub_key.size(), unique_id,
get_kdf_context_name(ctx).data(),
master_key.data());
return sub_key;
}
[[nodiscard]] static auto from_header(data_cspan data, kdf_config &cfg)
-> bool;
@@ -201,19 +211,19 @@ template <typename string_t>
utils::hash::hash_256_t &key) -> bool;
template <typename hash_t, typename string_t>
[[nodiscard]] inline bool
[[nodiscard]] inline auto
detect_and_recreate_key(string_t password, data_cspan header, hash_t &key,
std::optional<kdf_config> &cfg);
std::optional<kdf_config> &cfg) -> bool;
template <typename hash_t>
[[nodiscard]] inline bool
[[nodiscard]] inline auto
detect_and_recreate_key(std::string_view password, data_cspan header,
hash_t &key, std::optional<kdf_config> &cfg);
hash_t &key, std::optional<kdf_config> &cfg) -> bool;
template <typename hash_t>
[[nodiscard]] inline bool
[[nodiscard]] inline auto
detect_and_recreate_key(std::wstring_view password, data_cspan header,
hash_t &key, std::optional<kdf_config> &cfg);
hash_t &key, std::optional<kdf_config> &cfg) -> bool;
[[nodiscard]] auto decrypt_file_name(std::string_view encryption_token,
std::string &file_name) -> bool;
@@ -229,6 +239,12 @@ detect_and_recreate_key(std::wstring_view password, data_cspan header,
const kdf_config &cfg,
std::string &file_path) -> bool;
[[nodiscard]] auto decrypt_file_name(const utils::hash::hash_256_t &master_key,
std::string &file_name) -> bool;
[[nodiscard]] auto decrypt_file_path(const utils::hash::hash_256_t &master_key,
std::string &file_path) -> bool;
template <typename result_t, typename arr_t, std::size_t arr_size>
[[nodiscard]] inline auto decrypt_data(const std::array<arr_t, arr_size> &key,
const unsigned char *buffer,
@@ -570,9 +586,9 @@ inline auto recreate_key(std::wstring_view password, const kdf_config &cfg)
}
template <typename hash_t, typename string_t>
inline bool detect_and_recreate_key(string_t password, data_cspan header,
hash_t &key,
std::optional<kdf_config> &cfg) {
inline auto detect_and_recreate_key(string_t password, data_cspan header,
hash_t &key, std::optional<kdf_config> &cfg)
-> bool {
if (header.size() >= kdf_config::size()) {
kdf_config tmp{};
if (kdf_config::from_header(header.first(kdf_config::size()), tmp)) {
@@ -587,17 +603,17 @@ inline bool detect_and_recreate_key(string_t password, data_cspan header,
}
template <typename hash_t>
inline bool detect_and_recreate_key(std::string_view password,
inline auto detect_and_recreate_key(std::string_view password,
data_cspan header, hash_t &key,
std::optional<kdf_config> &cfg) {
std::optional<kdf_config> &cfg) -> bool {
return detect_and_recreate_key<hash_t, std::string_view>(password, header,
key, cfg);
}
template <typename hash_t>
inline bool detect_and_recreate_key(std::wstring_view password,
inline auto detect_and_recreate_key(std::wstring_view password,
data_cspan header, hash_t &key,
std::optional<kdf_config> &cfg) {
std::optional<kdf_config> &cfg) -> bool {
return detect_and_recreate_key<hash_t, std::wstring_view>(password, header,
key, cfg);
}

41
support/src/utils/encryption.cpp
View File

@@ -126,6 +126,27 @@ auto decrypt_file_path(std::string_view encryption_token, const kdf_config &cfg,
return true;
}
auto decrypt_file_path(const utils::hash::hash_256_t &master_key,
std::string &file_path) -> bool {
std::vector<std::string> decrypted_parts;
for (const auto &part : std::filesystem::path(file_path)) {
auto file_name = part.string();
if (file_name == "/") {
continue;
}
if (not decrypt_file_name(master_key, file_name)) {
return false;
}
decrypted_parts.push_back(file_name);
}
file_path =
utils::path::create_api_path(utils::string::join(decrypted_parts, '/'));
return true;
}
auto decrypt_file_name(std::string_view encryption_token,
std::string &file_name) -> bool {
data_buffer buffer;
@@ -149,6 +170,26 @@ auto decrypt_file_name(std::string_view encryption_token, const kdf_config &cfg,
file_name);
}
auto decrypt_file_name(const utils::hash::hash_256_t &master_key,
std::string &file_name) -> bool {
data_buffer buffer;
if (not utils::collection::from_hex_string(file_name, buffer)) {
return false;
}
utils::encryption::kdf_config path_cfg;
if (not utils::encryption::kdf_config::from_header(buffer, path_cfg)) {
return false;
}
auto path_key = path_cfg.recreate_subkey(utils::encryption::kdf_context::path,
master_key);
file_name.clear();
return utils::encryption::decrypt_data(
path_key, &buffer[utils::encryption::kdf_config::size()], file_name);
}
template <typename data_t>
[[nodiscard]] auto
read_encrypted_range(http_range range, const utils::hash::hash_256_t &key,