| 83 | |
| 84 | // DecryptTree decrypts the tree passed in through the DecryptTreeOpts and additionally returns the decrypted data key |
// DecryptTree decrypts opts.Tree in place and returns the data key that was
// used to do so.
//
// The data key is obtained through opts.KeyServices (tried in
// opts.DecryptionOrder), the tree is decrypted with opts.Cipher, and the
// stored MAC is decrypted with the same data key and the RFC3339-formatted
// LastModified timestamp. Unless opts.IgnoreMac is set, a stored MAC that
// cannot be decrypted, or that differs from the MAC computed while
// decrypting the tree, is reported as codes.MacMismatch; with IgnoreMac set
// both conditions are skipped and the decrypted tree is returned unverified.
// Key retrieval and tree decryption failures map to
// codes.CouldNotRetrieveKey and codes.ErrorDecryptingTree respectively.
func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error) {
	md := &opts.Tree.Metadata

	dataKey, err = md.GetDataKeyWithKeyServices(opts.KeyServices, opts.DecryptionOrder)
	if err != nil {
		return nil, NewExitError(err, codes.CouldNotRetrieveKey)
	}

	computedMac, err := opts.Tree.Decrypt(dataKey, opts.Cipher)
	if err != nil {
		return nil, NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), codes.ErrorDecryptingTree)
	}

	// The stored MAC is always decrypted, even when the check below is skipped.
	storedMac, macErr := opts.Cipher.Decrypt(md.MessageAuthenticationCode, dataKey, md.LastModified.Format(time.RFC3339))
	if opts.IgnoreMac {
		return dataKey, nil
	}
	if macErr != nil {
		return nil, NewExitError(fmt.Sprintf("Cannot decrypt MAC: %s", macErr), codes.MacMismatch)
	}
	if storedMac == computedMac {
		return dataKey, nil
	}
	// An empty stored MAC would otherwise render as nothing in the message.
	if storedMac == "" {
		storedMac = "no MAC"
	}
	return nil, NewExitError(fmt.Sprintf("MAC mismatch. File has %s, computed %s", storedMac, computedMac), codes.MacMismatch)
}
| 109 | |
| 110 | // EncryptTreeOpts are the options needed to encrypt a tree |
| 111 | type EncryptTreeOpts struct { |