Merge pull request #47 from neutronth/feat/fingerprint-obfuscate-value

feat: obfuscate the fingerprint encrypting parameters
neutronth · Jun 30, 2024 · 97adf83 · 97adf83
2 parents e07768d + c344b7d
commit 97adf83
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 7 deletions.
diff --git a/generator/encrypt.go b/generator/encrypt.go
@@ -301,6 +301,21 @@ func decodeValue(value string) (enc []byte, err error) {
 	return base64.StdEncoding.DecodeString(value)
 }
 
+func secretFingerprintIDKey(value, salt []byte) []byte {
+	return argon2.IDKey(value, salt, 1, 46*1024, 1, 32)
+}
+
+func secretFingerprintObfuscatedValue(value string, salt []byte) []byte {
+	sum := secretFingerprintIDKey([]byte(value), salt)
+	mod := int(sum[31]) % 16
+	if mod == 0 {
+		mod = 1
+	}
+
+	truncateIndex := 16 + (int(sum[0]) % mod)
+	return sum[:truncateIndex]
+}
+
 func secretFingerprintCryptoKey(secretName, secretType, key, value string, b64encoded bool,
 	salt []byte,
 	recipients ...config.UpdateKSopsRecipient,
@@ -312,17 +327,17 @@ func secretFingerprintCryptoKey(secretName, secretType, key, value string, b64en
 		secretValue = encodeValue(value)
 	}
 
-	buffer.WriteString(secretName)
-	buffer.WriteString(secretType)
-	buffer.WriteString(key)
-	buffer.WriteString(secretValue)
+	buffer.Write(secretFingerprintObfuscatedValue(secretName, salt))
+	buffer.Write(secretFingerprintObfuscatedValue(secretType, salt))
+	buffer.Write(secretFingerprintObfuscatedValue(key, salt))
+	buffer.Write(secretFingerprintObfuscatedValue(secretValue, salt))
 
 	for _, recipient := range recipients {
-		buffer.WriteString(recipient.Type)
-		buffer.WriteString(recipient.Recipient)
+		buffer.Write(secretFingerprintObfuscatedValue(recipient.Type, salt))
+		buffer.Write(secretFingerprintObfuscatedValue(recipient.Recipient, salt))
 	}
 
-	return argon2.IDKey(buffer.Bytes(), salt, 1, 46*1024, 1, 32)
+	return secretFingerprintIDKey(buffer.Bytes(), salt)
 }
 
 func secretFingerprintSeal(secretName, secretType, key, value string, b64encoded bool,

diff --git a/generator/encrypt_test.go b/generator/encrypt_test.go
@@ -295,6 +295,15 @@ func TestSecretFingerprint(t *testing.T) {
 		if err != nil {
 			t.Errorf("Expect no errors got %v", err)
 		}
+
+		fp, err = secretFingerprintSeal("secret-name", "Opaque", "test", "", false, recipients...)
+		if err != nil {
+			t.Errorf("Expect no errors got %v", err)
+		}
+
+		if fp == "" {
+			t.Errorf("Expect non-empty sealed fingerprint, got %s", fp)
+		}
 	})
 
 	t.Run("generate encrypted files with encrypted_fp added", func(t *testing.T) {