artifactcrypto

package
v0.0.0-...-1e94318 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 10, 2026 License: BSD-3-Clause Imports: 12 Imported by: 0

Documentation

Overview

Package artifactcrypto encrypts and decrypts artifacts under a caller-supplied 32-byte AES-256 key.

An artifact is encrypted as a sequence of AES-256-GCM chunks. Each chunk is sealed with a fresh random 96-bit nonce, and the chunk index and a final-chunk flag are bound into the AEAD additional data so chunk reordering and truncation are detected. A header (magic marker, format version, key id, and key fingerprint) precedes the chunks; its bytes are hashed into every chunk's AAD, so altering or stripping the header makes decryption fail.

The header records a key id and a SHA-256 fingerprint of the key, never the key bytes.

Index

Constants

View Source
const (
	// KeySize is the required key length in bytes (AES-256).
	KeySize = 32

	// DefaultChunkSize is the plaintext size of every chunk except the last.
	DefaultChunkSize = 1 << 20 // 1 MiB
	// PayloadFilename is the conventional name of the encrypted payload file
	// inside a private-ingredient artifact. The publish (produce) and runtime
	// (consume) sides share it so they agree on what to write and look for.
	PayloadFilename = "payload.enc"
)

Variables

View Source
var (
	// ErrBadMagic indicates the payload does not begin with the v1 magic marker.
	ErrBadMagic = errs.New("not an encrypted artifact (bad magic marker)")
	// ErrUnsupportedVersion indicates a payload format version this build cannot read.
	ErrUnsupportedVersion = errs.New("unsupported payload format version")
	// ErrCorruptPayload indicates a tampered, reordered, or otherwise unauthentic payload.
	ErrCorruptPayload = errs.New("corrupt or tampered payload")
	// ErrTruncated indicates the payload ended before a final chunk was authenticated.
	ErrTruncated = errs.New("truncated payload (no authenticated final chunk)")
	// ErrWrongKey indicates the supplied key does not match the payload's key fingerprint.
	ErrWrongKey = errs.New("key does not match payload fingerprint")
	// ErrInvalidKeySize indicates the supplied key is not a 32-byte AES-256 key.
	ErrInvalidKeySize = errs.New("key must be 32 bytes (AES-256)")
	// ErrHeaderTooLarge indicates the serialized header (driven by the key id length) exceeds the readable maximum.
	ErrHeaderTooLarge = errs.New("encrypted payload header exceeds the maximum size")
)

Functions

func Decrypt

func Decrypt(src io.Reader, destPath string, key []byte) (rerr error)

Decrypt reads an encrypted payload from src, verifies it under the supplied 32-byte AES-256 key, and writes the recovered plaintext to destPath.

Decrypt fails closed: it streams into a sibling temporary file and renames it onto destPath only after the entire payload verifies. On any failure the temporary file is removed and destPath is left untouched.

func Encrypt

func Encrypt(src io.Reader, dst io.Writer, key []byte, keyID string) error

Encrypt reads the artifact from src and writes the encrypted payload to dst, sealed under the supplied 32-byte AES-256 key. keyID is recorded in the header. Encryption streams with memory bounded by the chunk size. A zero-byte input produces a single empty final chunk.

func Fingerprint

func Fingerprint(key []byte) string

Fingerprint returns an identifier for a key as "sha256:<hex>".

func IsEncrypted

func IsEncrypted(src io.Reader) (bool, error)

IsEncrypted reports whether src begins with the v1 payload marker. It reads only the leading length prefix and magic, so a non-payload stream (or one too short to be a payload) returns false without error. A stream whose marker matches but whose body is malformed still returns true here; that is caught when the payload is actually parsed or decrypted, so detection and validation stay distinct.

Types

type Header struct {
	Version     uint8
	ChunkSize   uint32
	KeyID       string
	Fingerprint string // "sha256:<hex>" over the raw key bytes
	// contains filtered or unexported fields
}

Header is a parsed payload header. It carries only public metadata, never key bytes.

func ParseHeader

func ParseHeader(src io.Reader) (Header, error)

ParseHeader reads the header from src, consuming exactly the header bytes and leaving src positioned at the first chunk.

func (Header) CheckKey

func (h Header) CheckKey(key []byte) error

CheckKey reports whether key matches the fingerprint recorded in the header, returning ErrWrongKey if it does not.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL