crypto

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 11, 2020 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	NonceLength = 24
	KeyLength   = 32
)

Variables

View Source 
var (
	KMSDecryptCause       = errors.NewCause(errors.BadRequestCategory, "kms_decrypt")
	SecretBoxDecryptCause = errors.NewCause(errors.BadRequestCategory, "secret_box_decrypt")

	InvalidKeyURLCause = errors.NewCause(errors.BadRequestCategory, "invalid_key_url")
)

Functions

func Decrypt 

func Decrypt(key [KeyLength]byte, encrypted []byte) ([]byte, error)

func Encrypt 

func Encrypt(key [KeyLength]byte, data []byte) ([]byte, error)

func GenerateKey 

func GenerateKey() ([KeyLength]byte, error)

Types

type AzureKMS 

type AzureKMS struct {
	// contains filtered or unexported fields
}

func NewAzureKMS 

func NewAzureKMS(url *KeyURL) (*AzureKMS, error)

func (*AzureKMS) Close 

func (a *AzureKMS) Close() error

func (*AzureKMS) Decrypt 

func (a *AzureKMS) Decrypt(ctx context.Context, ciphertext []byte) ([]byte, error)

func (*AzureKMS) Encrypt 

func (a *AzureKMS) Encrypt(ctx context.Context, plaintext []byte) ([]byte, error)

func (*AzureKMS) EncryptedKeyLength 

func (a *AzureKMS) EncryptedKeyLength() int

func (*AzureKMS) Open 

func (a *AzureKMS) Open(ctx context.Context) error

type EncryptionCodec 

type EncryptionCodec interface {
	Encrypt(context.Context, *base64.Value) (*base64.Value, error)
	Decrypt(context.Context, *base64.Value) (*base64.Value, error)
}

EncryptionCodec represents a way to encrypt binary data with a symmetric key. SecretBoxCodec can be used as an example implementation

type KMS 

type KMS interface {
	Open(context.Context) error
	Encrypt(context.Context, []byte) ([]byte, error)
	Decrypt(context.Context, []byte) ([]byte, error)
	EncryptedKeyLength() int
	Close() error
}

KMS intends to be an abstract interface over a Key Management System which generally is used to wrap DEKs using a key encryption key (KEK).

func LoadKMS 

func LoadKMS(url *KeyURL) (KMS, error)

type KeyURL 

type KeyURL struct {
	*url.URL
}

KeyURL contains a url for a key Used for data encryption and mostly intended to be used with gocloud secrets and related utilities

func KeyURLFromURL 

func KeyURLFromURL(u *url.URL) (*KeyURL, error)

KeyURLFromURL returns a KeyURL from a net/url.URL

func NewBase64KeyURL 

func NewBase64KeyURL(key []byte) (*KeyURL, error)

NewBase64KeyURL generates a KeyURL for you if key is nil. Otherwise key must be KeyLength long.

func NewKeyURL 

func NewKeyURL(in string) (*KeyURL, error)

NewKeyURL parses the given string and returns a key url.

func (*KeyURL) MarshalJSON 

func (d *KeyURL) MarshalJSON() ([]byte, error)

MarshalJSON implements the JSON.Marshaller interface

func (*KeyURL) ToURL 

func (d *KeyURL) ToURL() *url.URL

ToURL returns the underlying url.URL

func (*KeyURL) Type 

func (d *KeyURL) Type() KeyURLType

func (*KeyURL) UnmarshalJSON 

func (d *KeyURL) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the JSON.Unmarshaller interface

func (*KeyURL) Validate 

func (d *KeyURL) Validate() error

Validate returns an error if the uri is not a valid key uri

type KeyURLType 

type KeyURLType string
const (
	Base64Key KeyURLType = "base64key"
	AzureKey  KeyURLType = "azurekeyvault"
)

func (KeyURLType) Validate 

func (k KeyURLType) Validate() error

type LocalKMS 

type LocalKMS struct {
	// contains filtered or unexported fields
}

LocalKMS is a simple simulated KMS that has a single key which is then used to encrypt other keys. This should be able to be expanded to something that can handle rotating keys.

func NewLocalKMS 

func NewLocalKMS(url *KeyURL) (*LocalKMS, error)

func (*LocalKMS) Close 

func (l *LocalKMS) Close() error

func (*LocalKMS) Decrypt 

func (l *LocalKMS) Decrypt(ctx context.Context, wrappedDEK []byte) ([]byte, error)

Decrypt a wrapped dek and return it

func (*LocalKMS) Encrypt 

func (l *LocalKMS) Encrypt(ctx context.Context, dek []byte) ([]byte, error)

Encrypt encrypts the data encryption key (dek) returning the encrypted bytes. The result is appended to the nonce.

func (*LocalKMS) EncryptedKeyLength 

func (l *LocalKMS) EncryptedKeyLength() int

func (*LocalKMS) Open 

func (l *LocalKMS) Open(ctx context.Context) error

type SecretBoxCodec 

type SecretBoxCodec struct {
	// contains filtered or unexported fields
}

SecretBoxCodec implements a envelope encryption scheme where it leverages data encryption keys (DEKs) and key encryption keys (KEKs) to safely encrypt the data and prevent leaking the keys. Here's a pretty good overview of envelope encryption: https://cloud.google.com/kms/docs/envelope-encryption See individual function comments for more information

func NewSecretBoxCodec 

func NewSecretBoxCodec(kms KMS) *SecretBoxCodec

func (*SecretBoxCodec) Decrypt 

func (s *SecretBoxCodec) Decrypt(ctx context.Context, data *base64.Value) (*base64.Value, error)

func (*SecretBoxCodec) Encrypt 

func (s *SecretBoxCodec) Encrypt(ctx context.Context, data *base64.Value) (*base64.Value, error)

Encrypt generates a random nonce and DEK which is then used to call secretbox.Seal. The result is appended to the nonce so the nonce can be used later to decrypt the data. The DEK is then encrypted and the result plus the nonce is appended to the wrapped DEK.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.