ntfy/crypto/crypto.go

package crypto

import (
	"crypto/sha256"
	"golang.org/x/crypto/pbkdf2"
	"gopkg.in/square/go-jose.v2"
)

const (
	jweEncryption = jose.A256GCM
	jweAlgorithm  = jose.DIRECT
	keyLenBytes   = 32 // 256-bit for AES-256
	keyDerivIter  = 50000
)

func DeriveKey(password, topicURL string) []byte {
	salt := sha256.Sum256([]byte(topicURL))
	return pbkdf2.Key([]byte(password), salt[:], keyDerivIter, keyLenBytes, sha256.New)
}

func Encrypt(plaintext []byte, key []byte) (string, error) {
	enc, err := jose.NewEncrypter(jweEncryption, jose.Recipient{Algorithm: jweAlgorithm, Key: key}, nil)
	if err != nil {
		return "", err
	}
	jwe, err := enc.Encrypt(plaintext)
	if err != nil {
		return "", err
	}
	return jwe.CompactSerialize()
}

func Decrypt(ciphertext string, key []byte) ([]byte, error) {
	jwe, err := jose.ParseEncrypted(ciphertext)
	if err != nil {
		return nil, err
	}
	out, err := jwe.Decrypt(key)
	if err != nil {
		return nil, err
	}
	return out, nil
}