types/key: add MachinePrecomputedSharedKey.Open

Follow-up to cfdb862673 Updates tailscale/corp#1709 Change-Id: I7af931a2cb55f9006e1029381663ac21d1794242 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-22 11:38:25 -07:00 · 2022-07-22 11:38:25 -07:00 · 2024008667
parent be8a0859a9
commit 2024008667
2 changed files with 24 additions and 1 deletions
--- a/types/key/machine.go
+++ b/types/key/machine.go
@ -132,6 +132,21 @@ func (k MachinePrecomputedSharedKey) Seal(cleartext []byte) (ciphertext []byte)
 	return box.SealAfterPrecomputation(nonce[:], cleartext, &nonce, &k.k)
 }

+// Open opens the NaCl box ciphertext, which must be a value created by
+// MachinePrecomputedSharedKey.Seal or MachinePrivate.SealTo, and returns the
+// inner cleartext if ciphertext is a valid box for the shared key k.
+func (k MachinePrecomputedSharedKey) Open(ciphertext []byte) (cleartext []byte, ok bool) {
+	if k == (MachinePrecomputedSharedKey{}) {
+		panic("can't open with zero keys")
+	}
+	if len(ciphertext) < 24 {
+		return nil, false
+	}
+	var nonce [24]byte
+	copy(nonce[:], ciphertext)
+	return box.OpenAfterPrecomputation(nil, ciphertext[len(nonce):], &nonce, &k.k)
+}
+
 // OpenFrom opens the NaCl box ciphertext, which must be a value
 // created by SealTo, and returns the inner cleartext if ciphertext is
 // a valid box from p to k.
--- a/types/key/machine_test.go
+++ b/types/key/machine_test.go
@ -107,6 +107,14 @@ func TestSealViaSharedKey(t *testing.T) {
 		t.Fatal("failed to decrypt")
 	}
 	if string(back) != clear {
-		t.Errorf("got %q; want cleartext %q", back, clear)
+		t.Errorf("OpenFrom got %q; want cleartext %q", back, clear)
+	}
+
+	backShared, ok := shared.Open(enc)
+	if !ok {
+		t.Fatal("failed to decrypt from shared key")
+	}
+	if string(backShared) != clear {
+		t.Errorf("Open got %q; want cleartext %q", back, clear)
 	}
 }