crypto

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 28, 2026 License: MIT Imports: 15 Imported by: 0

README

Crypto Module

The crypto module provides cryptographic utilities for the Service Layer.

Overview

This module provides secure cryptographic operations including:

  • Hashing (SHA-256, RIPEMD-160)
  • Key derivation (HKDF)
  • Encryption/Decryption (AES-GCM)
  • Digital signatures (ECDSA P-256)
  • Neo N3 address utilities

Functions

Hashing
// SHA-256 hash
hash := crypto.Hash256(data)

// RIPEMD-160 hash (for Neo addresses)
hash160 := crypto.Hash160(data)
Key Derivation
// Derive a key using HKDF
derivedKey := crypto.DeriveKey(masterKey, salt, info, keyLength)
Encryption
// AES-GCM encryption
ciphertext, err := crypto.Encrypt(key, plaintext)

// AES-GCM decryption
plaintext, err := crypto.Decrypt(key, ciphertext)
Random Generation
// Generate cryptographically secure random bytes
randomBytes, err := crypto.GenerateRandomBytes(32)
Neo N3 Utilities
// Convert public key to Neo script hash
scriptHash := crypto.PublicKeyToScriptHash(publicKey)

// Convert script hash to Neo address
address := crypto.ScriptHashToAddress(scriptHash)
Memory Safety
// Securely zero memory (for sensitive data)
crypto.ZeroBytes(sensitiveData)

Security Considerations

  1. Key Material: All key material should be zeroed after use
  2. Random Generation: Uses crypto/rand for secure randomness
  3. Encryption: AES-256-GCM with random nonces
  4. Key Derivation: HKDF with SHA-256

Usage Example

package main

import (
    "github.com/R3E-Network/service_layer/infrastructure/crypto"
)

func main() {
    // Generate a random key
    key, _ := crypto.GenerateRandomBytes(32)
    defer crypto.ZeroBytes(key)

    // Encrypt sensitive data
    plaintext := []byte("sensitive data")
    ciphertext, _ := crypto.Encrypt(key, plaintext)

    // Decrypt
    decrypted, _ := crypto.Decrypt(key, ciphertext)

    // Hash data
    hash := crypto.Hash256(decrypted)
}

Testing

go test ./infrastructure/crypto/... -v

Current test coverage: 71.9%

Documentation

Overview

Package crypto provides cryptographic operations for the service layer.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt 

func Decrypt(key, ciphertext []byte) ([]byte, error)

Decrypt decrypts data using AES-256-GCM.

func DecryptEnvelope 

func DecryptEnvelope(masterKey, subject []byte, info string, ciphertext []byte) ([]byte, error)

DecryptEnvelope decrypts ciphertext previously produced by EncryptEnvelope.

func DeriveKey 

func DeriveKey(masterKey, salt []byte, info string, keyLen int) ([]byte, error)

DeriveKey derives a key using HKDF-SHA256.

UPGRADE SAFETY: This function is designed to produce identical keys across enclave upgrades (MRENCLAVE changes). Key derivation depends ONLY on:

  • masterKey: Injected by MarbleRun Coordinator (manifest-defined, stable)
  • salt: Business identifier like accountID (application-defined, stable)
  • info: Service context string (code constant, stable)

This function intentionally does NOT use:

  • MRENCLAVE or MRSIGNER (enclave identity)
  • SGX sealing keys (tied to enclave measurement)
  • Any enclave report fields

As long as the manifest secrets remain unchanged, derived keys will be identical regardless of enclave version, enabling seamless upgrades.

func Encrypt 

func Encrypt(key, plaintext []byte) ([]byte, error)

Encrypt encrypts data using AES-256-GCM.

func EncryptEnvelope 

func EncryptEnvelope(masterKey, subject []byte, info string, plaintext []byte) ([]byte, error)

EncryptEnvelope encrypts plaintext using a key derived from masterKey + subject + info. The output is ASCII-safe (`v1:` + base64url(nonce|ciphertext)).

func GenerateRandomBytes 

func GenerateRandomBytes(n int) ([]byte, error)

GenerateRandomBytes generates cryptographically secure random bytes.

func HMACSign 

func HMACSign(key, data []byte) []byte

HMACSign generates an HMAC-SHA256 signature.

func HMACVerify 

func HMACVerify(key, data, signature []byte) bool

HMACVerify verifies an HMAC-SHA256 signature.

func Hash160 

func Hash160(data []byte) []byte

Hash160 computes RIPEMD160(SHA256(data)).

func Hash256 

func Hash256(data []byte) []byte

Hash256 computes SHA256 hash.

func PublicKeyFromBytes 

func PublicKeyFromBytes(data []byte) (*ecdsa.PublicKey, error)

PublicKeyFromBytes parses a compressed or uncompressed public key.

func PublicKeyToAddress 

func PublicKeyToAddress(publicKey *ecdsa.PublicKey) string

PublicKeyToAddress converts a public key to a Neo N3 address.

func PublicKeyToBytes 

func PublicKeyToBytes(pub *ecdsa.PublicKey) []byte

PublicKeyToBytes converts a public key to compressed format (33 bytes).

func PublicKeyToScriptHash 

func PublicKeyToScriptHash(publicKey []byte) []byte

PublicKeyToScriptHash converts a public key to a Neo N3 script hash.

func ScriptHashToAddress 

func ScriptHashToAddress(scriptHash []byte) string

ScriptHashToAddress converts a script hash to a Neo N3 address.

func Sign 

func Sign(privateKey *ecdsa.PrivateKey, data []byte) ([]byte, error)

Sign signs data using ECDSA.

func Verify 

func Verify(publicKey *ecdsa.PublicKey, data, signature []byte) bool

Verify verifies an ECDSA signature.

func ZeroBytes 

func ZeroBytes(b []byte)

ZeroBytes securely zeros a byte slice.

Types

type KeyPair 

type KeyPair struct {
	PrivateKey *ecdsa.PrivateKey
	PublicKey  *ecdsa.PublicKey
}

KeyPair represents an ECDSA key pair.

func GenerateKeyPair 

func GenerateKeyPair() (*KeyPair, error)

GenerateKeyPair generates a new ECDSA key pair using P-256 (secp256r1).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.