Migrate hmac to []byte and handle transition
aerostitch committed Mar 27, 2018
1 parent e8b2d4c commit 27853d4
Showing 3 changed files with 21 additions and 6 deletions.
11 changes: 11 additions & 0 deletions decode.go
Expand Up @@ -5,7 +5,18 @@ import (
"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
)

// adjustHmac will force the hmac to be a byte array if present as string
func adjustHmac(record map[string]*dynamodb.AttributeValue) {
if val, ok := record["hmac"]; ok {
if len(val.B) == 0 && val.S != nil {
val.B = []byte(*val.S)
val.S = nil
}
}
}

// Decode decode the supplied struct from the dynamodb result map
func Decode(data map[string]*dynamodb.AttributeValue, rawVal interface{}) error {
adjustHmac(data)
return dynamodbattribute.UnmarshalMap(data, rawVal)
}
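Review bot: adjustHmac dereferences val without a nil check at `if val, ok := record["hmac"]; ok {`, so a record whose "hmac" entry is a nil *dynamodb.AttributeValue would panic on val.B; `if val, ok := record["hmac"]; ok && val != nil {` closes that for one extra token. Decode also now modifies the caller's map in place through adjustHmac, which neither comment says; a doc comment such as `// Decode unmarshals data into rawVal, first rewriting a string-typed "hmac" attribute to its byte form in place (data is modified).` would make that visible and fix the "Decode decode" wording. Whether a nil entry can actually reach this function depends on how callers outside this hunk build the map.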
9 changes: 5 additions & 4 deletions ds.go
@@ -1,6 +1,7 @@
package unicreds

import (
"bytes"
"encoding/base64"
"errors"
"io/ioutil"
Expand Down Expand Up @@ -62,7 +63,7 @@ type Credential struct {
Version string `dynamodbav:"version"`
Key string `dynamodbav:"key"`
Contents string `dynamodbav:"contents"`
Hmac string `dynamodbav:"hmac"`
Hmac []byte `dynamodbav:"hmac"`
CreatedAt int64 `dynamodbav:"created_at"`
}

Expand Down Expand Up @@ -168,7 +169,7 @@ func GetHighestVersionSecret(tableName *string, name string, encContext *Encrypt
"#N": aws.String("name"),
},
ExpressionAttributeValues: map[string]*dynamodb.AttributeValue{
":name": &dynamodb.AttributeValue{
":name": {
S: aws.String(name),
},
},
Expand Down Expand Up @@ -235,7 +236,7 @@ func GetHighestVersion(tableName *string, name string) (string, error) {
"#N": aws.String("name"),
},
ExpressionAttributeValues: map[string]*dynamodb.AttributeValue{
":name": &dynamodb.AttributeValue{
":name": {
S: aws.String(name),
},
},
Expand Down Expand Up @@ -548,7 +549,7 @@ func decryptCredential(cred *Credential, encContext *EncryptionContextValue) (*D

hexhmac := ComputeHmac256(contents, hmacKey)

if hexhmac != cred.Hmac {
if !bytes.Equal(hexhmac, cred.Hmac) {
return nil, ErrHmacValidationFailed
}

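Review bot: The new comparison `if !bytes.Equal(hexhmac, cred.Hmac) {` in decryptCredential still compares a MAC with an early-exit equality, exactly as the string `!=` it replaces did; crypto/hmac provides hmac.Equal for this purpose, so `if !hmac.Equal(hexhmac, cred.Hmac) {` with `"crypto/hmac"` added to the import block in the first hunk is the idiomatic form. Both operands are the hex encodings produced by ComputeHmac256, so the swap is a drop-in. If nothing else in ds.go uses the bytes package, the `"bytes"` import added in the first hunk would then become unused; the rest of the file is outside this view. decryptCredential begins and ends outside the hunk.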
7 changes: 5 additions & 2 deletions encryptor.go
Expand Up @@ -28,10 +28,13 @@ func Encrypt(key, plaintext []byte) ([]byte, error) {

// ComputeHmac256 compute a hmac256 signature of the supplied message and return
// the value hex encoded
func ComputeHmac256(message, secret []byte) string {
func ComputeHmac256(message, secret []byte) []byte {
h := hmac.New(sha256.New, secret)
h.Write(message)
return hex.EncodeToString(h.Sum(nil))
src := h.Sum(nil)
dst := make([]byte, hex.EncodedLen(len(src)))
hex.Encode(dst, src)
return dst
}

// Decrypt AES encryption method which matches the pycrypto package
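Review bot: The doc comment on ComputeHmac256 still ends with `// the value hex encoded` while the function now returns a []byte rather than a string, and it does not say that those bytes are the ASCII hex text of the digest rather than the raw digest, which is what callers comparing against a stored value need to know. I would reword it to `// ComputeHmac256 computes an HMAC-SHA256 of message keyed with secret and returns the digest as hex-encoded bytes (ASCII hex text, not the raw 32-byte digest).` The unchecked return of `h.Write(message)` is fine here, since hash.Hash's Write never returns an error.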
