decryptFields decrypts the given field using the key with the given digest. If the value fails to decrypt, sql.ErrNoRows will be returned.
(field *string, digest sql.NullString)
| 956 | // decryptFields decrypts the given field using the key with the given digest. |
| 957 | // If the value fails to decrypt, sql.ErrNoRows will be returned. |
| 958 | func (db *dbCrypt) decryptField(field *string, digest sql.NullString) error { |
| 959 | if field == nil { |
| 960 | return xerrors.Errorf("developer error: decryptField called with nil field") |
| 961 | } |
| 962 | |
| 963 | if !digest.Valid || digest.String == "" { |
| 964 | // This field is not encrypted. |
| 965 | return nil |
| 966 | } |
| 967 | |
| 968 | key, ok := db.ciphers[digest.String] |
| 969 | if !ok { |
| 970 | return &DecryptFailedError{ |
| 971 | Inner: xerrors.Errorf("no cipher with digest %q", digest.String), |
| 972 | } |
| 973 | } |
| 974 | |
| 975 | data, err := b64decode(*field) |
| 976 | if err != nil { |
| 977 | // If it's not valid base64, we should complain loudly. |
| 978 | return &DecryptFailedError{ |
| 979 | Inner: xerrors.Errorf("malformed encrypted field %q: %w", *field, err), |
| 980 | } |
| 981 | } |
| 982 | decrypted, err := key.Decrypt(data) |
| 983 | if err != nil { |
| 984 | return &DecryptFailedError{Inner: err} |
| 985 | } |
| 986 | *field = string(decrypted) |
| 987 | return nil |
| 988 | } |
| 989 | |
| 990 | func (db *dbCrypt) ensureEncryptedWithRetry(ctx context.Context) error { |
| 991 | var err error |