etcd decrypt secret
package main | |
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"os"
	"path/filepath"
)
// transformerPrefix is the header this tool expects in front of the encrypted
// etcd value: "k8s:enc:aescbc:v1:" followed by a key name and a trailing colon.
// NOTE(review): "k-wcldg" is presumably the key name from the cluster's
// EncryptionConfiguration that this gist was written against — verify it
// against your own configuration, otherwise the input will not be recognised.
const transformerPrefix = "k8s:enc:aescbc:v1:k-wcldg:"
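// main decrypts a single etcd value written by the Kubernetes aescbc
// encryption provider and writes the plaintext next to the input file.
//
// Usage: <prog> KEY FILE [PREFIX]
//
//	KEY    raw AES key bytes (16, 24 or 32 bytes long). NOTE(review): the
//	       secret in a Kubernetes EncryptionConfiguration is base64-encoded,
//	       so decode it before passing it here. A key on the command line is
//	       visible in `ps` output and shell history — fine for a one-off
//	       forensic run, not for anything automated.
//	FILE   path to the raw etcd value: PREFIX, then a one-block IV, then
//	       CBC ciphertext, optionally followed by a single trailing newline.
//	PREFIX optional transformer prefix to expect instead of
//	       transformerPrefix; it must end with the key name and a colon.
//
// The output file "decrypted_<basename>" is created in FILE's directory with
// mode 0600. It holds the secret in the clear — delete it when finished.
// Any failure prints a message to stderr and exits with status 1.
func main() {
	args := os.Args
	if len(args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: etcd-decrypt KEY FILE [PREFIX]")
		os.Exit(1)
	}
	key := args[1]
	fileName := args[2]
	prefix := transformerPrefix
	if len(args) > 3 {
		prefix = args[3]
	}

	aesCipher, err := aes.NewCipher([]byte(key))
	if err != nil {
		fmt.Fprintf(os.Stderr, "invalid key: %v\n", err)
		os.Exit(1)
	}
	blockCipher := cbc{block: aesCipher}

	content, err := os.ReadFile(fileName)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to read file: %v\n", err)
		os.Exit(1)
	}

	// Check the provider prefix instead of slicing it off blindly. A value
	// encrypted under a different key name (or not an aescbc value at all)
	// would otherwise lose its first bytes and fail later with a misleading
	// padding error — or panic if the file is shorter than the prefix.
	if !bytes.HasPrefix(content, []byte(prefix)) {
		fmt.Fprintf(os.Stderr, "input does not start with the expected prefix %q\n", prefix)
		os.Exit(1)
	}
	// Only drop a newline if one is actually there; unconditionally cutting
	// the last byte destroys the final ciphertext byte of a file that was
	// saved without a trailing newline. (A raw ciphertext whose last byte
	// happens to be 0x0a is still ambiguous — save such values without a
	// newline and strip nothing if that ever bites.)
	payload := bytes.TrimSuffix(content[len(prefix):], []byte("\n"))

	decodedContent, _, err := blockCipher.TransformFromStorage(payload)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to decrypt content: %v\n", err)
		os.Exit(1)
	}

	// Place the output beside the input rather than prefixing the whole path:
	// "decrypted_" + "/tmp/x" would point into a non-existent directory.
	outPath := filepath.Join(filepath.Dir(fileName), "decrypted_"+filepath.Base(fileName))
	if err := os.WriteFile(outPath, decodedContent, 0600); err != nil {
		fmt.Fprintf(os.Stderr, "unable to write decrypted content: %v\n", err)
		os.Exit(1)
	}
	fmt.Printf("Output is available at %s \n", outPath)
}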
// cbc decrypts values produced by the Kubernetes aescbc encryption provider.
// block is the AES cipher built from the supplied key. No IV is stored here:
// every stored value carries its own IV as its first block, which
// TransformFromStorage reads off the front of the data.
type cbc struct {
	block cipher.Block
}
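// TransformFromStorage decrypts one aescbc value: a leading IV of one block
// followed by CBC ciphertext carrying PKCS#7 padding. It returns the
// plaintext, a "stale" flag that is always false here (kept so the signature
// mirrors the upstream transformer), and an error when the input cannot be a
// valid encryption under t.block. The caller's slice is left untouched.
//
// Security note: aescbc has no authentication tag, so the only thing this
// function can detect is malformed padding. A wrong key or a corrupted
// ciphertext still decrypts "successfully" to garbage whenever the final
// byte happens to form valid padding (roughly 1 in 256 for a single 0x01);
// a nil error is not proof that the key was correct.
func (t *cbc) TransformFromStorage(data []byte) ([]byte, bool, error) {
	blockSize := t.block.BlockSize() // 16 for AES
	if len(data) < blockSize {
		return nil, false, fmt.Errorf("the stored data was shorter than the required size")
	}
	iv := data[:blockSize]
	body := data[blockSize:]
	if len(body)%blockSize != 0 {
		// Report the length in the error rather than printing it to stdout,
		// which the original did as a stray debug statement.
		return nil, false, fmt.Errorf("invalid block size: %d ciphertext bytes is not a multiple of %d", len(body), blockSize)
	}
	// An IV with no ciphertext after it is not a valid value either; without
	// this check the padding byte lookup below would index an empty slice.
	if len(body) == 0 {
		return nil, false, fmt.Errorf("invalid PKCS7 data (empty or not padded)")
	}

	// Decrypt into a fresh buffer so the input is not modified in place.
	result := make([]byte, len(body))
	copy(result, body)
	cipher.NewCBCDecrypter(t.block, iv).CryptBlocks(result, result)

	// Strip and verify PKCS#7 padding: the last byte is the pad length and
	// every pad byte must equal it. A pad longer than one block is never
	// valid PKCS#7, so it is rejected rather than scanned.
	padByte := result[len(result)-1]
	padLen := int(padByte)
	if padLen == 0 || padLen > blockSize || padLen > len(result) {
		return nil, false, fmt.Errorf("invalid PKCS7 data (empty or not padded)")
	}
	plainLen := len(result) - padLen
	for _, b := range result[plainLen:] {
		if b != padByte {
			return nil, false, fmt.Errorf("invalid PKCS7 data (empty or not padded)")
		}
	}
	return result[:plainLen], false, nil
}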