ocrypto

package module
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 17, 2026 License: BSD-3-Clause-Clear Imports: 23 Imported by: 10

README

Internal Module

These modules are used by other http://github.com/opentdf/ projects, and are not intended for use elsewhere.

Documentation

Index

Constants

// Key sizes in bits: the EC entries are curve sizes (P-256, P-384, P-521)
// and the RSA entries are modulus lengths.
const (
	ECCurveP256Size = 256
	ECCurveP384Size = 384
	ECCurveP521Size = 521
	RSA2048Size     = 2048
	RSA4096Size     = 4096
)
const DefaultNonceSize = 16

DefaultNonceSize is the default nonce size, in bytes, for TDF3 encryption. Note that it differs from GcmStandardNonceSize (12), the standard AES-GCM nonce length.

const GcmStandardNonceSize = 12

Variables

var (
	// ErrEmptyKeyData is returned when the key data is empty
	ErrEmptyKeyData = errors.New("key data is empty")
	// ErrPolicyHMACMismatch is returned when policy binding verification fails
	ErrPolicyHMACMismatch = errors.New("policy HMAC mismatch")
)
var ErrInvalidCiphertext = errors.New("invalid ciphertext")

ErrInvalidCiphertext is returned when ciphertext or input data is invalid (empty, wrong size, etc.)

var ErrInvalidKeyData = errors.New("invalid key data")

ErrInvalidKeyData is returned when key data is invalid (empty, nil, or wrong size)

Functions

func Base64Decode

func Base64Decode(data []byte) ([]byte, error)

Base64Decode Decode the data using base64 decoding.

func Base64Encode

func Base64Encode(data []byte) []byte

Base64Encode encodes the data as base64. Note: base64 encoding adds roughly 33% size overhead.

func CalculateHKDF added in v0.1.1

func CalculateHKDF(salt []byte, secret []byte) ([]byte, error)

CalculateHKDF derives a key from the given secret and salt using the HKDF key-derivation function.

func CalculateSHA256

func CalculateSHA256(data []byte) []byte

CalculateSHA256 calculates the SHA-256 checksum of the data (32 bytes).

func CalculateSHA256Hmac

func CalculateSHA256Hmac(secret, data []byte) []byte

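CalculateSHA256Hmac calculates the HMAC-SHA256 of the data with the given secret. When checking a received MAC against this value, use a constant-time comparison such as hmac.Equal rather than a plain byte comparison.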

func CompressedECPublicKey added in v0.1.4

func CompressedECPublicKey(mode ECCMode, pubKey ecdsa.PublicKey) ([]byte, error)

CompressedECPublicKey returns the compressed encoding of the supplied public key for the curve selected by mode.

func ComputeECDHKey added in v0.1.1

func ComputeECDHKey(privateKeyInPem []byte, publicKeyInPem []byte) ([]byte, error)

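ComputeECDHKey calculates the shared secret from one party's public key and the other party's private key, both PEM-encoded. The shared secret should be passed through a key-derivation function (for example CalculateHKDF) before it is used as a symmetric key.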

func ComputeECDHKeyFromEC added in v0.1.4

func ComputeECDHKeyFromEC(publicKey *ecdsa.PublicKey, privateKey *ecdsa.PrivateKey) ([]byte, error)

func ComputeECDHKeyFromECDHKeys added in v0.1.4

func ComputeECDHKeyFromECDHKeys(publicKey *ecdh.PublicKey, privateKey *ecdh.PrivateKey) ([]byte, error)

func ComputeECDSASig added in v0.1.4

func ComputeECDSASig(digest []byte, privKey *ecdsa.PrivateKey) ([]byte, []byte, error)

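ComputeECDSASig computes an ECDSA signature over digest with the given private key. The two returned byte slices are presumably the signature's r and s values, matching the arguments of VerifyECDSASig.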

func ConvertToECDHPrivateKey added in v0.1.1

func ConvertToECDHPrivateKey(key interface{}) (*ecdh.PrivateKey, error)

ConvertToECDHPrivateKey converts an EC private key to an ECDH private key.

func ConvertToECDHPublicKey added in v0.1.1

func ConvertToECDHPublicKey(key interface{}) (*ecdh.PublicKey, error)

ConvertToECDHPublicKey converts an EC public key to an ECDH public key.

func ECPrivateKeyFromPem added in v0.1.1

func ECPrivateKeyFromPem(privateECKeyInPem []byte) (*ecdh.PrivateKey, error)

ECPrivateKeyFromPem parses an EC private key from PEM format.

func ECPrivateKeyInPemFormat added in v0.1.4

func ECPrivateKeyInPemFormat(privateKey ecdsa.PrivateKey) (string, error)

ECPrivateKeyInPemFormat Returns private key in pem format.

func ECPubKeyFromPem added in v0.1.1

func ECPubKeyFromPem(pemECPubKey []byte) (*ecdh.PublicKey, error)

ECPubKeyFromPem parses an EC public key from PEM format.

func ECPublicKeyInPemFormat added in v0.1.4

func ECPublicKeyInPemFormat(publicKey ecdsa.PublicKey) (string, error)

ECPublicKeyInPemFormat Returns public key in pem format.

func GetECCurveFromECCMode added in v0.1.5

func GetECCurveFromECCMode(mode ECCMode) (elliptic.Curve, error)

GetECCurveFromECCMode return elliptic curve from ecc mode

func GetECKeySize added in v0.1.8

func GetECKeySize(pemData []byte) (int, error)

GetECKeySize returns the curve size from a PEM-encoded EC public key

func IsECKeyType added in v0.1.8

func IsECKeyType(kt KeyType) bool

func IsPEMOrDERPrivateKey added in v0.10.0

func IsPEMOrDERPrivateKey(data []byte) bool

IsPEMOrDERPrivateKey reports whether data appears to be an unencrypted private key in PEM or DER format. It does not attempt decryption or key unwrapping.

func IsRSAKeyType added in v0.1.8

func IsRSAKeyType(kt KeyType) bool

func RSAKeyTypeToBits added in v0.1.8

func RSAKeyTypeToBits(kt KeyType) (int, error)

func RandomBytes

func RandomBytes(size int) ([]byte, error)

RandomBytes Generates random bytes of given size.

func SHA256AsHex

func SHA256AsHex(data []byte) []byte

SHA256AsHex calculates the SHA-256 checksum of the data and returns it hex-encoded (64 bytes).

func SHA256HmacAsHex

func SHA256HmacAsHex(secret, data []byte) []byte

SHA256HmacAsHex calculates the HMAC of the data with the given secret and returns it hex-encoded.

func UncompressECPubKey added in v0.1.5

func UncompressECPubKey(curve elliptic.Curve, compressedPubKey []byte) (*ecdsa.PublicKey, error)

UncompressECPubKey create EC public key from compressed form

func VerifyECDSASig added in v0.1.5

func VerifyECDSASig(digest, r, s []byte, pubKey *ecdsa.PublicKey) bool

VerifyECDSASig verify ecdsa signature.

Types

type AESProtectedKey added in v0.4.0

type AESProtectedKey struct {
	// contains filtered or unexported fields
}

AESProtectedKey implements the ProtectedKey interface with an in-memory secret key

func NewAESProtectedKey added in v0.4.0

func NewAESProtectedKey(rawKey []byte) (*AESProtectedKey, error)

NewAESProtectedKey creates a new instance of AESProtectedKey

func (*AESProtectedKey) DecryptAESGCM added in v0.4.0

func (k *AESProtectedKey) DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)

DecryptAESGCM decrypts data using AES-GCM with the protected key

func (*AESProtectedKey) Export deprecated added in v0.4.0

func (k *AESProtectedKey) Export(encapsulator Encapsulator) ([]byte, error)

Export returns the raw key data, optionally encrypting it with the provided Encapsulator

Deprecated: Use the Encapsulator's Encapsulate method instead.

func (*AESProtectedKey) VerifyBinding added in v0.4.0

func (k *AESProtectedKey) VerifyBinding(_ context.Context, policy, policyBinding []byte) error

VerifyBinding checks if the policy binding matches the given policy data

type AesGcm

type AesGcm struct {
	// contains filtered or unexported fields
}

func NewAESGcm

func NewAESGcm(key []byte) (AesGcm, error)

NewAESGcm creates and returns a new AesGcm.

func (AesGcm) Decrypt

func (aesGcm AesGcm) Decrypt(data []byte) ([]byte, error)

Decrypt decrypts data with the symmetric key. NOTE: This method uses a 12-byte nonce and an auth tag of AES block size (16 bytes), and expects the IV as a preamble to data.

func (AesGcm) DecryptWithIVAndTagSize added in v0.1.4

func (aesGcm AesGcm) DecryptWithIVAndTagSize(iv, data []byte, authTagSize int) ([]byte, error)

DecryptWithIVAndTagSize decrypts data with the symmetric key, using the supplied iv and auth tag size. NOTE: This method expects iv to be of the GCM standard nonce size (12 bytes).

func (AesGcm) DecryptWithTagSize

func (aesGcm AesGcm) DecryptWithTagSize(data []byte, authTagSize int) ([]byte, error)

DecryptWithTagSize decrypts data with the symmetric key, using the supplied auth tag size. NOTE: This method expects an iv of the GCM standard nonce size (12 bytes).

func (AesGcm) Encrypt

func (aesGcm AesGcm) Encrypt(data []byte) ([]byte, error)

Encrypt encrypts data with the symmetric key. NOTE: This method uses a 12-byte nonce and an auth tag of AES block size (16 bytes).

func (AesGcm) EncryptInPlace added in v0.8.0

func (aesGcm AesGcm) EncryptInPlace(data []byte) ([]byte, []byte, error)

func (AesGcm) EncryptWithIV

func (aesGcm AesGcm) EncryptWithIV(iv, data []byte) ([]byte, error)

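EncryptWithIV encrypts data with the symmetric key. NOTE: This method uses the default auth tag of AES block size (16 bytes) and expects an iv of 16 bytes. The caller supplies the iv and must ensure it is never reused with the same key; repeating a nonce under AES-GCM undermines both confidentiality and integrity.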

func (AesGcm) EncryptWithIVAndTagSize

func (aesGcm AesGcm) EncryptWithIVAndTagSize(iv, data []byte, authTagSize int) ([]byte, error)

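EncryptWithIVAndTagSize encrypts data with the symmetric key, using the supplied iv and auth tag size. NOTE: This method expects iv to be of the GCM standard nonce size (12 bytes). The caller supplies the iv and must ensure it is never reused with the same key; repeating a nonce under AES-GCM undermines both confidentiality and integrity.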

type AsymDecryption

// AsymDecryption holds the RSA private key that its Decrypt method uses.
type AsymDecryption struct {
	// PrivateKey is an exported field, so any code holding an AsymDecryption
	// value can read the private key material directly.
	PrivateKey *rsa.PrivateKey
}

func NewAsymDecryption

func NewAsymDecryption(privateKeyInPem string) (AsymDecryption, error)

func (AsymDecryption) Decrypt

func (asymDecryption AsymDecryption) Decrypt(data []byte) ([]byte, error)

Decrypt decrypts ciphertext with private key.

type AsymEncryption

type AsymEncryption struct {
	PublicKey *rsa.PublicKey
}

func NewAsymEncryption deprecated

func NewAsymEncryption(publicKeyInPem string) (AsymEncryption, error)

NewAsymEncryption creates and returns a new AsymEncryption.

Deprecated: Use FromPublicPEM instead.

func (AsymEncryption) Encrypt

func (e AsymEncryption) Encrypt(data []byte) ([]byte, error)

func (AsymEncryption) EphemeralKey added in v0.1.8

func (e AsymEncryption) EphemeralKey() []byte

func (AsymEncryption) KeyType added in v0.7.0

func (e AsymEncryption) KeyType() KeyType

func (AsymEncryption) Metadata added in v0.1.8

func (e AsymEncryption) Metadata() (map[string]string, error)

func (AsymEncryption) PublicKeyInPemFormat

func (e AsymEncryption) PublicKeyInPemFormat() (string, error)

func (AsymEncryption) Type added in v0.1.8

func (e AsymEncryption) Type() SchemeType

type ECCMode

type ECCMode uint8
// ECCMode values, named after the elliptic curve each one selects.
const (
	ECCModeSecp256r1 ECCMode = 0
	ECCModeSecp384r1 ECCMode = 1
	ECCModeSecp521r1 ECCMode = 2
	// NOTE(review): Go's standard library provides no secp256k1 curve and
	// KeyType declares no matching "ec:secp256k1" value — confirm whether
	// this mode is actually supported by GetECCurveFromECCMode and callers.
	ECCModeSecp256k1 ECCMode = 3
)

func ECKeyTypeToMode added in v0.1.8

func ECKeyTypeToMode(kt KeyType) (ECCMode, error)

func ECSizeToMode added in v0.1.8

func ECSizeToMode(size int) (ECCMode, error)

ECSizeToMode converts a curve size to an ECCMode

func (ECCMode) String added in v0.1.6

func (mode ECCMode) String() string

type ECDecryptor added in v0.1.8

type ECDecryptor struct {
	// contains filtered or unexported fields
}

func NewECDecryptor added in v0.1.8

func NewECDecryptor(sk *ecdh.PrivateKey) (ECDecryptor, error)

func NewSaltedECDecryptor added in v0.2.0

func NewSaltedECDecryptor(sk *ecdh.PrivateKey, salt, info []byte) (ECDecryptor, error)

func (ECDecryptor) Decrypt added in v0.1.8

func (e ECDecryptor) Decrypt(_ []byte) ([]byte, error)

func (ECDecryptor) DecryptWithEphemeralKey added in v0.1.8

func (e ECDecryptor) DecryptWithEphemeralKey(data, ephemeral []byte) ([]byte, error)

type ECEncryptor added in v0.1.8

type ECEncryptor struct {
	// contains filtered or unexported fields
}

func (ECEncryptor) Encrypt added in v0.1.8

func (e ECEncryptor) Encrypt(data []byte) ([]byte, error)

Encrypts the data with the EC public key.

func (ECEncryptor) EphemeralKey added in v0.1.8

func (e ECEncryptor) EphemeralKey() []byte

func (ECEncryptor) KeyType added in v0.7.0

func (e ECEncryptor) KeyType() KeyType

func (ECEncryptor) Metadata added in v0.1.8

func (e ECEncryptor) Metadata() (map[string]string, error)

func (ECEncryptor) PublicKeyInPemFormat added in v0.1.8

func (e ECEncryptor) PublicKeyInPemFormat() (string, error)

PublicKeyInPemFormat Returns public key in pem format.

func (ECEncryptor) Type added in v0.1.8

func (e ECEncryptor) Type() SchemeType

type ECKeyPair

// ECKeyPair wraps an ECDSA private key; the public half is reachable through it.
type ECKeyPair struct {
	// PrivateKey is an exported field, so any code holding an ECKeyPair
	// value can read the private key material directly.
	PrivateKey *ecdsa.PrivateKey
}

func NewECKeyPair

func NewECKeyPair(mode ECCMode) (ECKeyPair, error)

NewECKeyPair generates an EC key pair on the curve selected by mode.

func (ECKeyPair) GetKeyType added in v0.1.8

func (keyPair ECKeyPair) GetKeyType() KeyType

GetKeyType returns the key type (ECKey)

func (ECKeyPair) KeySize

func (keyPair ECKeyPair) KeySize() (int, error)

KeySize Return the size of this ec key pair.

func (ECKeyPair) PrivateKeyInPemFormat

func (keyPair ECKeyPair) PrivateKeyInPemFormat() (string, error)

PrivateKeyInPemFormat Returns private key in pem format.

func (ECKeyPair) PublicKeyInPemFormat

func (keyPair ECKeyPair) PublicKeyInPemFormat() (string, error)

PublicKeyInPemFormat Returns public key in pem format.

type Encapsulator added in v0.4.0

type Encapsulator interface {
	// Encapsulate wraps a secret key, held as a ProtectedKey, with the encapsulation key.
	Encapsulate(dek ProtectedKey) ([]byte, error)

	// Encrypt wraps a secret key, passed as raw bytes, with the encapsulation key.
	// NOTE(review): unlike Encapsulate this takes the key material as a plain
	// byte slice — confirm which callers still need the raw-bytes form.
	Encrypt(data []byte) ([]byte, error)

	// PublicKeyAsPEM exports the public key, used to encapsulate the value, in Privacy-Enhanced Mail format,
	// or the empty string if not present.
	PublicKeyAsPEM() (string, error)

	// EphemeralKey returns, for EC schemes, the public part of the ephemeral key.
	// Otherwise, it returns nil.
	EphemeralKey() []byte
}

Encapsulator enables key encapsulation with a public key

type KeyPair added in v0.1.8

type KeyPair interface {
	PublicKeyInPemFormat() (string, error)
	PrivateKeyInPemFormat() (string, error)
	GetKeyType() KeyType
}

func NewKeyPair added in v0.1.8

func NewKeyPair(kt KeyType) (KeyPair, error)

type KeyType added in v0.1.8

type KeyType string
// KeyType values are strings of the form "<algorithm>:<parameter>":
// the RSA entries carry the modulus size in bits, the EC entries the curve name.
const (
	RSA2048Key KeyType = "rsa:2048"
	RSA4096Key KeyType = "rsa:4096"
	EC256Key   KeyType = "ec:secp256r1"
	EC384Key   KeyType = "ec:secp384r1"
	EC521Key   KeyType = "ec:secp521r1"
)

type PrivateKeyDecryptor added in v0.1.8

type PrivateKeyDecryptor interface {
	// Decrypt decrypts ciphertext with private key.
	Decrypt(data []byte) ([]byte, error)
}

func FromPrivatePEM added in v0.1.8

func FromPrivatePEM(privateKeyInPem string) (PrivateKeyDecryptor, error)

FromPrivatePEM creates and returns a PrivateKeyDecryptor (for example a new AsymDecryption) from the PEM-encoded private key.

func FromPrivatePEMWithSalt added in v0.2.0

func FromPrivatePEMWithSalt(privateKeyInPem string, salt, info []byte) (PrivateKeyDecryptor, error)

type ProtectedKey added in v0.4.0

type ProtectedKey interface {
	// VerifyBinding checks if the policy binding matches the given policy data
	VerifyBinding(ctx context.Context, policy, policyBinding []byte) error

	// Export returns the raw key data, optionally encrypting it with the provided encapsulator
	//
	// Deprecated: Use the Encapsulator's Encapsulate method instead.
	Export(encapsulator Encapsulator) ([]byte, error)

	// DecryptAESGCM decrypts encrypted policies and metadata
	DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)
}

ProtectedKey represents a decrypted key with operations that can be performed on it

type PublicKeyEncryptor added in v0.1.8

type PublicKeyEncryptor interface {
	// Encrypt encrypts data with public key.
	Encrypt(data []byte) ([]byte, error)

	// PublicKeyInPemFormat returns the public key in PEM format, or the empty string if not present.
	PublicKeyInPemFormat() (string, error)

	// Type returns the scheme, which callers need in order to use it for encryption —
	// notably, to know whether it produces extra metadata.
	Type() SchemeType

	// KeyType returns the key type, e.g. RSA or EC.
	KeyType() KeyType

	// EphemeralKey returns, for EC schemes, the public part of the ephemeral key.
	// Otherwise, it returns nil.
	EphemeralKey() []byte

	// Metadata returns any extra metadata, e.g. the ephemeral public key for EC scheme keys.
	Metadata() (map[string]string, error)
}

func FromPublicPEM added in v0.1.8

func FromPublicPEM(publicKeyInPem string) (PublicKeyEncryptor, error)

func FromPublicPEMWithSalt added in v0.2.0

func FromPublicPEMWithSalt(publicKeyInPem string, salt, info []byte) (PublicKeyEncryptor, error)

type RsaKeyPair

type RsaKeyPair struct {
	// contains filtered or unexported fields
}

func FromRSA added in v0.1.4

func FromRSA(k *rsa.PrivateKey) RsaKeyPair

func NewRSAKeyPair

func NewRSAKeyPair(bits int) (RsaKeyPair, error)

NewRSAKeyPair Generates an RSA key pair of the given bit size.

func (RsaKeyPair) GetKeyType added in v0.1.8

func (keyPair RsaKeyPair) GetKeyType() KeyType

GetKeyType returns the key type (RSAKey)

func (RsaKeyPair) KeySize

func (keyPair RsaKeyPair) KeySize() (int, error)

KeySize Return the size of this rsa key pair.

func (RsaKeyPair) PrivateKeyInPemFormat

func (keyPair RsaKeyPair) PrivateKeyInPemFormat() (string, error)

PrivateKeyInPemFormat Returns private key in pem format.

func (RsaKeyPair) PublicKeyInPemFormat

func (keyPair RsaKeyPair) PublicKeyInPemFormat() (string, error)

PublicKeyInPemFormat Returns public key in pem format.

type SchemeType added in v0.1.8

type SchemeType string
// SchemeType values returned by PublicKeyEncryptor.Type.
const (
	// RSA is the scheme string "wrapped".
	RSA SchemeType = "wrapped"
	// EC is the scheme string "ec-wrapped"; presumably the scheme that carries
	// an ephemeral public key as extra metadata — confirm against Metadata.
	EC  SchemeType = "ec-wrapped"
)
