cryptox

package
v0.32.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 30, 2026 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrAtLeastOneKeyRequired        = errors.New("at least one of privateKey or publicKey must be provided")
	ErrPublicKeyRequiredForEncrypt  = errors.New("public key is required for encryption")
	ErrPrivateKeyRequiredForDecrypt = errors.New("private key is required for decryption")
	ErrPrivateKeyRequiredForSign    = errors.New("private key is required for signing")
	ErrPublicKeyRequiredForVerify   = errors.New("public key is required for verification")
	ErrFailedDecodePEMBlock         = errors.New("failed to decode PEM block")
	ErrUnsupportedPEMType           = errors.New("unsupported PEM type")
	ErrInvalidAESKeySize            = errors.New("invalid AES key size")
	ErrInvalidIVSizeCBC             = errors.New("invalid IV size for CBC mode")
	ErrCiphertextNotMultipleOfBlock = errors.New("ciphertext is not a multiple of the block size")
	ErrCiphertextTooShort           = errors.New("ciphertext too short")
	ErrDataEmpty                    = errors.New("data is empty")
	ErrInvalidPadding               = errors.New("invalid padding")
	ErrNotRSAPrivateKey             = errors.New("not an RSA private key")
	ErrNotRSAPublicKey              = errors.New("not an RSA public key")
	ErrNotECDSAPrivateKey           = errors.New("not an ECDSA private key")
	ErrNotECDSAPublicKey            = errors.New("not an ECDSA public key")
	ErrInvalidSM4KeySize            = errors.New("invalid SM4 key size")
	ErrInvalidSignature             = errors.New("invalid signature format")
)

Functions

func GenerateECDSAKey

func GenerateECDSAKey(curve ECDSACurve) (*ecdsa.PrivateKey, error)

func GenerateECIESKey

func GenerateECIESKey(curve ECIESCurve) (*ecdh.PrivateKey, error)

Types

type AESMode

type AESMode string
const (
	AesModeCbc AESMode = "CBC"
	AesModeGcm AESMode = "GCM"
)

type AESOption

type AESOption func(*aesCipher)

func WithAESIv

func WithAESIv(iv []byte) AESOption

WithAESIv supplies a fixed IV for the CBC interop decrypt path only.

It does NOT affect Encrypt: CBC encryption always generates a fresh random IV and prepends it to the ciphertext (layout: IV || ciphertext). The fixed IV configured here is consumed solely by DecryptWithFixedIV, which decrypts bare ciphertext produced by an external client that uses a constant IV.

func WithAESMode

func WithAESMode(mode AESMode) AESOption

type Cipher

type Cipher interface {
	// Encrypt encrypts the plaintext string and returns the encrypted string.
	// The returned string is typically base64-encoded or hex-encoded.
	// Returns an error if encryption fails.
	Encrypt(plaintext string) (string, error)
	// Decrypt decrypts the encrypted string and returns the plaintext string.
	// The encrypted string is typically base64-encoded or hex-encoded.
	// Returns an error if decryption fails (e.g., invalid format, wrong key, corrupted data).
	Decrypt(ciphertext string) (string, error)
}

Cipher defines the interface for encryption and decryption operations.

func NewAES

func NewAES(key []byte, opts ...AESOption) (Cipher, error)

func NewAESFromBase64

func NewAESFromBase64(keyBase64 string, opts ...AESOption) (Cipher, error)

func NewAESFromHex

func NewAESFromHex(keyHex string, opts ...AESOption) (Cipher, error)

func NewECIES

func NewECIES(privateKey *ecdh.PrivateKey, publicKey *ecdh.PublicKey) (Cipher, error)

func NewECIESFromBase64

func NewECIESFromBase64(privateKeyBase64, publicKeyBase64 string, curve ECIESCurve) (Cipher, error)

func NewECIESFromBytes

func NewECIESFromBytes(privateKeyBytes, publicKeyBytes []byte, curve ECIESCurve) (Cipher, error)

func NewECIESFromHex

func NewECIESFromHex(privateKeyHex, publicKeyHex string, curve ECIESCurve) (Cipher, error)

func NewSM4

func NewSM4(key []byte, opts ...SM4Option) (Cipher, error)

func NewSM4FromBase64

func NewSM4FromBase64(keyBase64 string, opts ...SM4Option) (Cipher, error)

func NewSM4FromHex

func NewSM4FromHex(keyHex string, opts ...SM4Option) (Cipher, error)

type CipherSigner

type CipherSigner interface {
	Cipher
	Signer
}

CipherSigner defines the interface for encryption, decryption, signing, and verifying.

func NewRSA

func NewRSA(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, opts ...RSAOption) (CipherSigner, error)

func NewRSAFromBase64

func NewRSAFromBase64(privateKeyBase64, publicKeyBase64 string, opts ...RSAOption) (CipherSigner, error)

func NewRSAFromHex

func NewRSAFromHex(privateKeyHex, publicKeyHex string, opts ...RSAOption) (CipherSigner, error)

func NewRSAFromPEM added in v0.28.0

func NewRSAFromPEM(privatePEM, publicPEM []byte, opts ...RSAOption) (CipherSigner, error)

func NewSM2

func NewSM2(privateKey *sm2.PrivateKey, publicKey *sm2.PublicKey) (CipherSigner, error)

func NewSM2FromBase64

func NewSM2FromBase64(privateKeyBase64, publicKeyBase64 string) (CipherSigner, error)

func NewSM2FromHex

func NewSM2FromHex(privateKeyHex, publicKeyHex string) (CipherSigner, error)

func NewSM2FromPEM

func NewSM2FromPEM(privatePEM, publicPEM []byte) (CipherSigner, error)

type ECDSACurve

type ECDSACurve string
const (
	EcdsaCurveP224 ECDSACurve = "P224"
	EcdsaCurveP256 ECDSACurve = "P256"
	EcdsaCurveP384 ECDSACurve = "P384"
	EcdsaCurveP521 ECDSACurve = "P521"
)

type ECIESCurve

type ECIESCurve string
const (
	EciesCurveP256   ECIESCurve = "P256"
	EciesCurveP384   ECIESCurve = "P384"
	EciesCurveP521   ECIESCurve = "P521"
	EciesCurveX25519 ECIESCurve = "X25519"
)

type FixedIVDecrypter added in v0.29.0

type FixedIVDecrypter interface {
	// DecryptWithFixedIV decrypts base64-encoded ciphertext that carries no
	// prepended IV, using the fixed IV the cipher was constructed with.
	// Returns an error if no valid fixed IV was configured or decryption fails.
	DecryptWithFixedIV(ciphertext string) (string, error)
}

FixedIVDecrypter is implemented by block ciphers (AES-CBC, SM4-CBC) that can decrypt bare ciphertext using a caller-supplied constant IV.

It is an interop escape hatch: native VEF ciphertext prepends a fresh random IV and is read back through Cipher.Decrypt, but an external client that encrypts with a fixed IV produces ciphertext without that prefix. DecryptWithFixedIV decrypts such input using the IV configured at construction (WithAESIv / WithSM4Iv).

type RSAMode

type RSAMode string
const (
	RsaModeOAEP RSAMode = "OAEP"
	// RsaModePKCS1v15 selects RSAES-PKCS1-v1_5 encryption padding.
	// WARNING: insecure — PKCS#1 v1.5 decryption is a Bleichenbacher padding
	// oracle (Go 1.26 deprecated the standard-library primitives for this
	// reason). Use only for interop with legacy peers that cannot do OAEP;
	// the default RsaModeOAEP should be preferred for all new systems.
	RsaModePKCS1v15 RSAMode = "PKCS1v15"
)

type RSAOption

type RSAOption func(*rsaCipher)

func WithRSAMode

func WithRSAMode(mode RSAMode) RSAOption

func WithRSASignMode

func WithRSASignMode(signMode RSASignMode) RSAOption

type RSASignMode

type RSASignMode string
const (
	RsaSignModePSS      RSASignMode = "PSS"
	RsaSignModePKCS1v15 RSASignMode = "PKCS1v15"
)

type SM4Option

type SM4Option func(*sm4Cipher)

func WithSM4Iv

func WithSM4Iv(iv []byte) SM4Option

WithSM4Iv supplies a fixed IV for the CBC interop decrypt path only.

It does NOT affect Encrypt: SM4-CBC encryption always generates a fresh random IV and prepends it to the ciphertext (layout: IV || ciphertext). The fixed IV configured here is consumed solely by DecryptWithFixedIV, which decrypts bare ciphertext produced by an external client that uses a constant IV.

type Signer

type Signer interface {
	// Sign signs the data string and returns the signature.
	// The returned signature is typically base64-encoded.
	// Returns an error if signing fails.
	Sign(data string) (signature string, err error)
	// Verify verifies the signature against the data.
	// Returns true if the signature is valid, false otherwise.
	// Returns an error if verification process fails (e.g., invalid format).
	Verify(data, signature string) (bool, error)
}

Signer defines the interface for signing and verifying operations.

func NewECDSA

func NewECDSA(privateKey *ecdsa.PrivateKey, publicKey *ecdsa.PublicKey) (Signer, error)

func NewECDSAFromBase64

func NewECDSAFromBase64(privateKeyBase64, publicKeyBase64 string) (Signer, error)

func NewECDSAFromHex

func NewECDSAFromHex(privateKeyHex, publicKeyHex string) (Signer, error)

func NewECDSAFromPEM added in v0.28.0

func NewECDSAFromPEM(privatePEM, publicPEM []byte) (Signer, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL