Documentation
Overview ¶
Package domain defines the core transit encryption domain models (EncryptedBlob, TransitKey) and the domain errors that wrap the shared sentinels in internal/errors.
Index ¶
Constants ¶
const (
	// MaxTransitKeyNameLength is the maximum allowed length for transit key names.
	// This limit aligns with database schema constraints (VARCHAR(255)) and prevents
	// excessively long identifiers that could impact performance or cause display issues.
	MaxTransitKeyNameLength = 255
)
Variables ¶
var (
	// ErrInvalidBlobFormat indicates the encrypted blob format is invalid.
	ErrInvalidBlobFormat = errors.Wrap(errors.ErrInvalidInput, "invalid encrypted blob format")
	// ErrInvalidBlobVersion indicates the version string cannot be parsed.
	ErrInvalidBlobVersion = errors.Wrap(errors.ErrInvalidInput, "invalid encrypted blob version")
	// ErrInvalidBlobBase64 indicates the ciphertext is not valid base64.
	ErrInvalidBlobBase64 = errors.Wrap(errors.ErrInvalidInput, "invalid encrypted blob base64")
	// ErrTransitKeyNotFound indicates the transit key was not found.
	ErrTransitKeyNotFound = errors.Wrap(errors.ErrNotFound, "transit key not found")
	// ErrTransitKeyAlreadyExists indicates a transit key with the same name and version already exists.
	ErrTransitKeyAlreadyExists = errors.Wrap(errors.ErrConflict, "transit key already exists")
)
Transit encryption error definitions.
These domain-specific errors wrap standard errors from internal/errors to provide context for transit encryption failures.
Functions ¶
This section is empty.
Types ¶
type EncryptedBlob ¶
type EncryptedBlob struct {
Version uint // Transit key version used for this encryption/decryption operation
Ciphertext []byte // Encrypted data with nonce prepended (empty after decryption)
Plaintext []byte // Decrypted data (only populated after decryption, should be zeroed after use)
}
EncryptedBlob represents an encrypted data blob with version and ciphertext. Format: "version:ciphertext-base64"
func NewEncryptedBlob ¶
func NewEncryptedBlob(content string) (EncryptedBlob, error)
NewEncryptedBlob creates an EncryptedBlob from string format "version:ciphertext-base64".
func (EncryptedBlob) String ¶
func (eb EncryptedBlob) String() string
String serializes the EncryptedBlob to format "version:ciphertext-base64".
func (*EncryptedBlob) Validate ¶ added in v0.22.0
func (eb *EncryptedBlob) Validate() error
Validate checks if the encrypted blob contains valid data. Returns an error if any field violates domain constraints.
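The parser, serializer and validator for the "version:ciphertext-base64" format, as an added example rather than the package's own implementation. It maps each failure to the matching sentinel above. Assumptions, labelled in the code: the project's internal/errors wrapper is replaced by stdlib errors plus %w; ID-free EncryptedBlob without the Plaintext field; and Validate's minimum ciphertext length assumes AES-GCM with a 12-byte nonce prepended and a 16-byte tag, which the page does not state.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Sentinels; assumption: stdlib errors plus %w stand in for the project's internal/errors.
var (
	ErrInvalidInput       = errors.New("invalid input")
	ErrInvalidBlobFormat  = fmt.Errorf("%w: invalid encrypted blob format", ErrInvalidInput)
	ErrInvalidBlobVersion = fmt.Errorf("%w: invalid encrypted blob version", ErrInvalidInput)
	ErrInvalidBlobBase64  = fmt.Errorf("%w: invalid encrypted blob base64", ErrInvalidInput)
)

// MinCiphertextLen is an assumption for Validate: AES-GCM with a 12-byte nonce
// prepended and a 16-byte tag appended; adjust for a different AEAD.
const MinCiphertextLen = 12 + 16

// EncryptedBlob mirrors the documented type (Plaintext omitted: parsing never sets it).
type EncryptedBlob struct {
	Version    uint
	Ciphertext []byte
}

// NewEncryptedBlob parses "version:ciphertext-base64", mapping each failure to its
// own sentinel so callers can tell them apart with errors.Is.
func NewEncryptedBlob(content string) (EncryptedBlob, error) {
	ver, b64, ok := strings.Cut(content, ":")
	// Exactly one separator with both sides present; anything else is a format error.
	if !ok || ver == "" || b64 == "" || strings.Contains(b64, ":") {
		return EncryptedBlob{}, ErrInvalidBlobFormat
	}
	// ParseUint rejects signs, whitespace and overflow; base 10 refuses 0x/0b prefixes.
	v, err := strconv.ParseUint(ver, 10, 0)
	if err != nil {
		return EncryptedBlob{}, ErrInvalidBlobVersion
	}
	// Strict padded base64: a tampered or truncated payload fails here instead of
	// surfacing later as an AEAD authentication error with less context.
	ct, err := base64.StdEncoding.Strict().DecodeString(b64)
	if err != nil {
		return EncryptedBlob{}, ErrInvalidBlobBase64
	}
	eb := EncryptedBlob{Version: uint(v), Ciphertext: ct}
	if err := eb.Validate(); err != nil {
		return EncryptedBlob{}, err
	}
	return eb, nil
}

// String serializes back to "version:ciphertext-base64".
func (eb EncryptedBlob) String() string {
	return fmt.Sprintf("%d:%s", eb.Version, base64.StdEncoding.EncodeToString(eb.Ciphertext))
}

// Validate applies the domain constraints: versions start at 1, and the ciphertext
// must be long enough to hold a nonce and an authentication tag.
func (eb *EncryptedBlob) Validate() error {
	if eb.Version == 0 {
		return ErrInvalidBlobVersion
	}
	if len(eb.Ciphertext) < MinCiphertextLen {
		return ErrInvalidBlobFormat
	}
	return nil
}

func main() {
	// Constructed sample: 28 zero bytes stand in for nonce || ciphertext || tag.
	wire := EncryptedBlob{Version: 2, Ciphertext: make([]byte, MinCiphertextLen)}.String()
	parsed, err := NewEncryptedBlob(wire)
	fmt.Println(wire, parsed.Version, len(parsed.Ciphertext), err)
	for _, bad := range []string{"noversion", "-1:AAAA", "1:AAECAw==", "1:not base64!"} {
		_, err := NewEncryptedBlob(bad)
		fmt.Printf("%q -> %v\n", bad, err)
	}
}
```

Two points worth keeping when adapting this: parse leniently but validate before returning, so a version of 0 or a payload too short to carry a tag is rejected at the boundary rather than inside the cipher call; and keep the three sentinels distinct, since a client-side version mismatch ("which key do I need?") and a corrupted payload deserve different responses.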
type TransitKey ¶
type TransitKey struct {
ID uuid.UUID // Unique identifier for this specific transit key version
Name string // Human-readable name (shared across all versions of this key)
Version uint // Key version number (increments with rotation, starts at 1)
DekID uuid.UUID // Reference to the Data Encryption Key used to encrypt this transit key
CreatedAt time.Time // Timestamp when this key version was created (UTC)
DeletedAt *time.Time // Soft deletion timestamp (nil if active, set when deleted)
}
TransitKey represents a versioned encryption key for transit encryption operations. Supports key rotation by maintaining multiple versions with the same name. The active version (highest number) is used for encryption while older versions remain available for decryption. Soft deletion via DeletedAt field preserves keys for historical decryption.
func (*TransitKey) Validate ¶ added in v0.22.0
func (tk *TransitKey) Validate() error
Validate checks if the transit key contains valid data. Returns an error if any field violates domain constraints.
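The rotation and soft-deletion rules described for TransitKey, worked through in an in-memory keyring, as an added example that is not the project's code. Assumptions, labelled in the code: stdlib errors replace internal/errors; ID and DekID are plain strings instead of uuid.UUID so the block has no external dependency; the keyring type and its methods (Add, Rotate, ActiveForEncryption, ForDecryption, SoftDelete) are illustrative names, not the package's API; and Validate checks the name against MaxTransitKeyNameLength in bytes, the conservative reading of VARCHAR(255).

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const MaxTransitKeyNameLength = 255
// Sentinels; assumption: stdlib errors stand in for the project's internal/errors wrappers.
var ErrInvalidInput = errors.New("invalid input")
var ErrTransitKeyNotFound = errors.New("not found: transit key not found")
var ErrTransitKeyAlreadyExists = errors.New("conflict: transit key already exists")

// TransitKey mirrors the documented type; ID and DekID are plain strings here (assumption).
type TransitKey struct {
	ID        string
	Name      string
	Version   uint
	DekID     string
	CreatedAt time.Time
	DeletedAt *time.Time
}

// Validate enforces the documented constraints; byte length is the conservative VARCHAR(255) reading.
func (tk *TransitKey) Validate() error {
	switch {
	case len(tk.Name) > MaxTransitKeyNameLength:
		return fmt.Errorf("%w: transit key name exceeds %d bytes", ErrInvalidInput, MaxTransitKeyNameLength)
	case tk.Version == 0:
		return fmt.Errorf("%w: transit key version must start at 1", ErrInvalidInput)
	}
	return nil
}

// Keyring is an in-memory stand-in for the key repository: name -> version -> key.
type Keyring map[string]map[uint]*TransitKey

// Add stores a validated key, refusing a duplicate (name, version) pair.
func (r Keyring) Add(k TransitKey) error {
	if err := k.Validate(); err != nil {
		return err
	}
	if r[k.Name] == nil {
		r[k.Name] = map[uint]*TransitKey{}
	}
	if _, dup := r[k.Name][k.Version]; dup {
		return ErrTransitKeyAlreadyExists
	}
	r[k.Name][k.Version] = &k
	return nil
}

// Rotate mints version max(existing)+1, or 1 for a new name; deleted versions count, so numbers are never reused.
func (r Keyring) Rotate(name, id, dekID string, now time.Time) (TransitKey, error) {
	k := TransitKey{ID: id, Name: name, Version: 1, DekID: dekID, CreatedAt: now.UTC()}
	for v := range r[name] {
		if v >= k.Version {
			k.Version = v + 1
		}
	}
	if err := r.Add(k); err != nil {
		return TransitKey{}, err
	}
	return k, nil
}

// ActiveForEncryption picks the highest-numbered version that is not soft-deleted.
func (r Keyring) ActiveForEncryption(name string) (TransitKey, error) {
	var best *TransitKey
	for _, k := range r[name] {
		if k.DeletedAt == nil && (best == nil || k.Version > best.Version) {
			best = k
		}
	}
	if best == nil {
		return TransitKey{}, ErrTransitKeyNotFound
	}
	return *best, nil
}

// ForDecryption returns the exact version a blob names, soft-deleted or not.
func (r Keyring) ForDecryption(name string, version uint) (*TransitKey, error) {
	if k, ok := r[name][version]; ok {
		return k, nil
	}
	return nil, ErrTransitKeyNotFound
}

// SoftDelete retires a version from encryption while keeping it for decryption.
func (r Keyring) SoftDelete(name string, version uint, now time.Time) error {
	k, err := r.ForDecryption(name, version)
	if err != nil {
		return err
	}
	t := now.UTC()
	k.DeletedAt = &t
	return nil
}
```

The two lookups are deliberately asymmetric: encryption must never pick a retired version, while decryption must honour whatever version the blob names, including retired ones, or data encrypted before a rotation becomes unreadable. Rotate counts deleted versions when choosing the next number; reusing a version number after deletion would let an old blob decrypt under the wrong key material and fail only at the AEAD tag check, if at all.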