chore: import upstream snapshot with attribution
govulncheck / govulncheck (push) Has been cancelled
Lint / golangci-lint (push) Has been cancelled
Run Tests / Unit Tests (push) Has been cancelled
Run Tests / Etcd Integration Tests (push) Has been cancelled
Harness (E2E) / Harnesses (mock LLM) (push) Has been cancelled
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 12:40:33 +08:00
commit e071084ebe
982 changed files with 160368 additions and 0 deletions
+88
View File
@@ -0,0 +1,88 @@
// Package box is an asymmetric implementation of config/secrets using nacl/box
package box
import (
"crypto/rand"
"github.com/pkg/errors"
"go-micro.dev/v6/config/secrets"
naclbox "golang.org/x/crypto/nacl/box"
)
const keyLength = 32
type box struct {
options secrets.Options
publicKey [keyLength]byte
privateKey [keyLength]byte
}
// NewSecrets returns a nacl-box codec.
func NewSecrets(opts ...secrets.Option) secrets.Secrets {
b := &box{}
for _, o := range opts {
o(&b.options)
}
return b
}
func (b *box) Init(opts ...secrets.Option) error {
for _, o := range opts {
o(&b.options)
}
if len(b.options.PrivateKey) != keyLength || len(b.options.PublicKey) != keyLength {
return errors.Errorf("a public key and a private key of length %d must both be provided", keyLength)
}
copy(b.privateKey[:], b.options.PrivateKey)
copy(b.publicKey[:], b.options.PublicKey)
return nil
}
// Options returns options.
func (b *box) Options() secrets.Options {
return b.options
}
// String returns nacl-box.
func (*box) String() string {
return "nacl-box"
}
// Encrypt encrypts a message with the sender's private key and the receipient's public key.
func (b *box) Encrypt(in []byte, opts ...secrets.EncryptOption) ([]byte, error) {
var options secrets.EncryptOptions
for _, o := range opts {
o(&options)
}
if len(options.RecipientPublicKey) != keyLength {
return []byte{}, errors.New("recepient's public key must be provided")
}
var recipientPublicKey [keyLength]byte
copy(recipientPublicKey[:], options.RecipientPublicKey)
var nonce [24]byte
if _, err := rand.Reader.Read(nonce[:]); err != nil {
return []byte{}, errors.Wrap(err, "couldn't obtain a random nonce from crypto/rand")
}
return naclbox.Seal(nonce[:], in, &nonce, &recipientPublicKey, &b.privateKey), nil
}
// Decrypt Decrypts a message with the receiver's private key and the sender's public key.
func (b *box) Decrypt(in []byte, opts ...secrets.DecryptOption) ([]byte, error) {
var options secrets.DecryptOptions
for _, o := range opts {
o(&options)
}
if len(options.SenderPublicKey) != keyLength {
return []byte{}, errors.New("sender's public key bust be provided")
}
var nonce [24]byte
var senderPublicKey [32]byte
copy(nonce[:], in[:24])
copy(senderPublicKey[:], options.SenderPublicKey)
decrypted, ok := naclbox.Open(nil, in[24:], &nonce, &senderPublicKey, &b.privateKey)
if !ok {
return []byte{}, errors.New("incoming message couldn't be verified / decrypted")
}
return decrypted, nil
}
+66
View File
@@ -0,0 +1,66 @@
package box
import (
"crypto/rand"
"reflect"
"testing"
"go-micro.dev/v6/config/secrets"
naclbox "golang.org/x/crypto/nacl/box"
)
func TestBox(t *testing.T) {
alicePublicKey, alicePrivateKey, err := naclbox.GenerateKey(rand.Reader)
if err != nil {
t.Fatal(err)
}
bobPublicKey, bobPrivateKey, err := naclbox.GenerateKey(rand.Reader)
if err != nil {
t.Fatal(err)
}
alice, bob := NewSecrets(secrets.PublicKey(alicePublicKey[:]), secrets.PrivateKey(alicePrivateKey[:])), NewSecrets()
if err := alice.Init(); err != nil {
t.Error(err)
}
if err := bob.Init(secrets.PublicKey(bobPublicKey[:]), secrets.PrivateKey(bobPrivateKey[:])); err != nil {
t.Error(err)
}
if alice.String() != "nacl-box" {
t.Error("String() doesn't return nacl-box")
}
aliceSecret := []byte("Why is a raven like a writing-desk?")
if _, err := alice.Encrypt(aliceSecret); err == nil {
t.Error("alice.Encrypt succeeded without a public key")
}
enc, err := alice.Encrypt(aliceSecret, secrets.RecipientPublicKey(bob.Options().PublicKey))
if err != nil {
t.Error("alice.Encrypt failed")
}
if _, err := bob.Decrypt(enc); err == nil {
t.Error("bob.Decrypt succeeded without a public key")
}
if dec, err := bob.Decrypt(enc, secrets.SenderPublicKey(alice.Options().PublicKey)); err == nil {
if !reflect.DeepEqual(dec, aliceSecret) {
t.Errorf("Bob's decrypted message didn't match Alice's encrypted message: %v != %v", aliceSecret, dec)
}
} else {
t.Errorf("bob.Decrypt failed (%s)", err)
}
bobSecret := []byte("I haven't the slightest idea")
enc, err = bob.Encrypt(bobSecret, secrets.RecipientPublicKey(alice.Options().PublicKey))
if err != nil {
t.Error(err)
}
_, err = alice.Decrypt(enc, secrets.SenderPublicKey(bob.Options().PrivateKey))
if err == nil {
t.Error(err)
}
dec, err := alice.Decrypt(enc, secrets.SenderPublicKey(bob.Options().PublicKey))
if err != nil {
t.Error(err)
}
if !reflect.DeepEqual(dec, bobSecret) {
t.Errorf("Alice's decrypted message didn't match Bob's encrypted message %v != %v", bobSecret, dec)
}
}