Implement secure key via KDF for transparent data encryption/decryption #60

2025-08-30 19:13:54 -05:00
parent 40e30defb3
commit edc4465d15
6 changed files with 666 additions and 122 deletions
--- a/support/src/utils/encrypting_reader.cpp
+++ b/support/src/utils/encrypting_reader.cpp
@@ -23,6 +23,7 @@

 #include "utils/encrypting_reader.hpp"

+#include "utils/base64.hpp"
 #include "utils/collection.hpp"
 #include "utils/common.hpp"
 #include "utils/config.hpp"
@@ -444,11 +445,7 @@ void encrypting_reader::common_initialize_kdf_path(
    const utils::hash::hash_256_t &master_key) {
  REPERTORY_USES_FUNCTION_NAME();

-  data_buffer buffer;
-  if (not utils::collection::from_hex_string(encrypted_file_path_, buffer)) {
-    throw utils::error::create_exception(
-        function_name, {"failed to convert encrypted path from hex to bytes"});
-  }
+  auto buffer = macaron::Base64::Decode(encrypted_file_path_);

  kdf_config path_cfg;
  if (not kdf_config::from_header(buffer, path_cfg)) {
@@ -475,7 +472,10 @@ void encrypting_reader::create_encrypted_paths(
                  kdf_headers_->second.end());
  }

-  encrypted_file_name_ = utils::collection::to_hex_string(result);
+  encrypted_file_name_ =
+      kdf_headers_.has_value()
+          ? macaron::Base64::EncodeUrlSafe(result.data(), result.size())
+          : utils::collection::to_hex_string(result);

  if (not relative_parent_path.has_value()) {
    return;
@@ -492,7 +492,11 @@ void encrypting_reader::create_encrypted_paths(
                    kdf_headers_->second.end());
    }

-    encrypted_file_path_ += '/' + utils::collection::to_hex_string(result);
+    encrypted_file_path_ +=
+        '/' +
+        (kdf_headers_.has_value()
+             ? macaron::Base64::EncodeUrlSafe(result.data(), result.size())
+             : utils::collection::to_hex_string(result));
  }

  encrypted_file_path_ += '/' + encrypted_file_name_;
--- a/support/src/utils/encryption.cpp
+++ b/support/src/utils/encryption.cpp
@@ -23,6 +23,7 @@

 #include "utils/encryption.hpp"

+#include "utils/base64.hpp"
 #include "utils/collection.hpp"
 #include "utils/encrypting_reader.hpp"
 #include "utils/hash.hpp"
@@ -97,10 +98,7 @@ auto decrypt_file_name(std::string_view encryption_token,

 auto decrypt_file_name(std::string_view encryption_token, const kdf_config &cfg,
                       std::string &file_name) -> bool {
-  data_buffer buffer;
-  if (not utils::collection::from_hex_string(file_name, buffer)) {
-    return false;
-  }
+  auto buffer = macaron::Base64::Decode(file_name);

  file_name.clear();
  return utils::encryption::decrypt_data(encryption_token, cfg, buffer,
@@ -109,10 +107,7 @@ auto decrypt_file_name(std::string_view encryption_token, const kdf_config &cfg,

 auto decrypt_file_name(const utils::hash::hash_256_t &master_key,
                       std::string &file_name) -> bool {
-  data_buffer buffer;
-  if (not utils::collection::from_hex_string(file_name, buffer)) {
-    return false;
-  }
+  auto buffer = macaron::Base64::Decode(file_name);

  utils::encryption::kdf_config path_cfg;
  if (not utils::encryption::kdf_config::from_header(buffer, path_cfg)) {