Merge pull request #25 from jackyzha0/security

Add encryption to content when password is specified

2 files changed, 122 insertions, 0 deletions

diff --git a/backend/security/encrypt.go b/backend/security/encrypt.go
new file mode 100644
index 0000000..4af5e3c
--- /dev/null
+++ b/backend/security/encrypt.go
@@ -0,0 +1,81 @@
+package security
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"errors"
+	"golang.org/x/crypto/scrypt"
+)
+
+var EncryptionError = errors.New("could not encrypt the given content")
+
+func Encrypt(key, data string) (string, error) {
+	// initialize aes block cipher with given key
+	blockCipher, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return "", err
+	}
+
+	// wrap block cipher with Galois Counter Mode and standard nonce length
+	gcm, err := cipher.NewGCM(blockCipher)
+	if err != nil {
+		return "", err
+	}
+
+	// generate nonce (number once used) unique to the given key
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err = rand.Read(nonce); err != nil {
+		return "", err
+	}
+
+	// seal nonce with data to use during decryption
+	cipherText := gcm.Seal(nonce, nonce, []byte(data), nil)
+
+	return string(cipherText), nil
+}
+
+func Decrypt(key, data string) (string, error) {
+	// similar to encrypt, create cipher and wrap with GCM
+	blockCipher, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(blockCipher)
+	if err != nil {
+		return "", err
+	}
+
+	// extract the nonce from the data
+	nonce, cipherText := data[:gcm.NonceSize()], data[gcm.NonceSize():]
+
+	// use nonce to decrypt the data
+	plaintext, err := gcm.Open(nil, []byte(nonce), []byte(cipherText), nil)
+	if err != nil {
+		return "", err
+	}
+
+	return string(plaintext), nil
+}
+
+const keyBytes = 16
+const iterations = 16384
+const relativeMemoryCost = 8
+const relativeCPUCost = 1
+
+func DeriveKey(password string, salt []byte) (string, []byte, error) {
+	if salt == nil {
+		salt = make([]byte, keyBytes)
+		if _, err := rand.Read(salt); err != nil {
+			return "", nil, err
+		}
+	}
+
+	key, err := scrypt.Key([]byte(password), salt, iterations, relativeMemoryCost, relativeCPUCost, keyBytes)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return string(key), salt, nil
+}
diff --git a/backend/security/hash.go b/backend/security/hash.go
new file mode 100644
index 0000000..b6ce167
--- /dev/null
+++ b/backend/security/hash.go
@@ -0,0 +1,41 @@
+package security
+
+import (
+	"crypto/md5"
+	"encoding/hex"
+	"golang.org/x/crypto/bcrypt"
+	"math/big"
+	"time"
+)
+
+const UrlLength = 7
+
+// GenerateURI creates a unique identifier for a paste based on ip and timestamp
+func GenerateURI(ip string) string {
+	timeStamp := time.Now().String()
+	return hashString(ip + timeStamp)[:UrlLength]
+}
+
+// hashes using MD5 and then converts to base 62
+func hashString(text string) string {
+	hash := md5.Sum([]byte(text))
+	hexStr := hex.EncodeToString(hash[:])
+
+	bi := big.NewInt(0)
+	bi.SetString(hexStr, 16)
+	return bi.Text(62)
+}
+
+func HashPassword(password string) (string, error) {
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	return string(hashedPassword), err
+}
+
+func PasswordsEqual(dbPassword, parsedPassword string) bool {
+	dbPassBytes := []byte(dbPassword)
+	parsedPassBytes := []byte(parsedPassword)
+	compErr := bcrypt.CompareHashAndPassword(dbPassBytes, parsedPassBytes)
+
+	// if comparison error, the given password is not valid
+	return compErr == nil
+}
\ No newline at end of file