ocrypto

package module
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 27, 2026 License: BSD-3-Clause-Clear Imports: 26 Imported by: 12

README

Internal Module

These modules are used by other http://github.com/opentdf/ projects, and are not intended for use elsewhere.

Documentation

Index

Constants

View Source 
const (
	ECCurveP256Size = 256
	ECCurveP384Size = 384
	ECCurveP521Size = 521
	RSA2048Size     = 2048
	RSA4096Size     = 4096
)
View Source 
const (
	P256MLKEM768ECPublicKeySize  = 65   // uncompressed P-256 point
	P256MLKEM768ECPrivateKeySize = 32   // P-256 scalar
	P256MLKEM768MLKEMPubKeySize  = 1184 // mlkem768 encapsulation key
	P256MLKEM768MLKEMPrivKeySize = mlkemSeedSize
	P256MLKEM768MLKEMCtSize      = 1088 // mlkem768 ciphertext

	P256MLKEM768PublicKeySize  = P256MLKEM768ECPublicKeySize + P256MLKEM768MLKEMPubKeySize   // 1249
	P256MLKEM768PrivateKeySize = P256MLKEM768ECPrivateKeySize + P256MLKEM768MLKEMPrivKeySize // 96
	P256MLKEM768CiphertextSize = P256MLKEM768ECPublicKeySize + P256MLKEM768MLKEMCtSize       // 1153

	PEMBlockP256MLKEM768PublicKey  = "SECP256R1 MLKEM768 PUBLIC KEY"
	PEMBlockP256MLKEM768PrivateKey = "SECP256R1 MLKEM768 PRIVATE KEY"
)

Sizes for P-256 + ML-KEM-768 hybrid.

View Source 
const (
	P384MLKEM1024ECPublicKeySize  = 97   // uncompressed P-384 point
	P384MLKEM1024ECPrivateKeySize = 48   // P-384 scalar
	P384MLKEM1024MLKEMPubKeySize  = 1568 // mlkem1024 encapsulation key
	P384MLKEM1024MLKEMPrivKeySize = mlkemSeedSize
	P384MLKEM1024MLKEMCtSize      = 1568 // mlkem1024 ciphertext

	P384MLKEM1024PublicKeySize  = P384MLKEM1024ECPublicKeySize + P384MLKEM1024MLKEMPubKeySize   // 1665
	P384MLKEM1024PrivateKeySize = P384MLKEM1024ECPrivateKeySize + P384MLKEM1024MLKEMPrivKeySize // 112
	P384MLKEM1024CiphertextSize = P384MLKEM1024ECPublicKeySize + P384MLKEM1024MLKEMCtSize       // 1665

	PEMBlockP384MLKEM1024PublicKey  = "SECP384R1 MLKEM1024 PUBLIC KEY"
	PEMBlockP384MLKEM1024PrivateKey = "SECP384R1 MLKEM1024 PRIVATE KEY"
)

Sizes for P-384 + ML-KEM-1024 hybrid.

View Source 
const (
	HybridXWingKey KeyType = "hpqt:xwing"

	XWingPublicKeySize  = xwing.PublicKeySize
	XWingPrivateKeySize = xwing.PrivateKeySize
	XWingCiphertextSize = xwing.CiphertextSize

	PEMBlockXWingPublicKey  = "XWING PUBLIC KEY"
	PEMBlockXWingPrivateKey = "XWING PRIVATE KEY"
)
View Source 
const DefaultNonceSize = 16

DefaultNonceSize The default nonce size for the TDF3 encryption.

View Source 
const GcmStandardNonceSize = 12

Variables

View Source 
var (
	// ErrEmptyKeyData is returned when the key data is empty
	ErrEmptyKeyData = errors.New("key data is empty")
	// ErrPolicyHMACMismatch is returned when policy binding verification fails
	ErrPolicyHMACMismatch = errors.New("policy HMAC mismatch")
)
View Source 
var ErrInvalidCiphertext = errors.New("invalid ciphertext")

ErrInvalidCiphertext is returned when ciphertext or input data is invalid (empty, wrong size, etc.)

View Source 
var ErrInvalidKeyData = errors.New("invalid key data")

ErrInvalidKeyData is returned when key data is invalid (empty, nil, or wrong size)

View Source 
var ErrUnsupportedAESGCMConfiguration = errors.New("unsupported AES-GCM configuration")

ErrUnsupportedAESGCMConfiguration is returned for AES-GCM options that Go strict FIPS mode does not allow.

Functions

func Base64Decode 

func Base64Decode(data []byte) ([]byte, error)

Base64Decode Decode the data using base64 decoding.

func Base64Encode 

func Base64Encode(data []byte) []byte

Base64Encode Encode the data to base64 encoding. Note: bas64 encoding causing ~33% overhead.

func CalculateHKDF added in v0.1.1 

func CalculateHKDF(salt []byte, secret []byte) ([]byte, error)

CalculateHKDF generate a key using key derivation function.

func CalculateSHA256 

func CalculateSHA256(data []byte) []byte

CalculateSHA256 Calculate the SHA256 checksum of the data(32 bytes).

func CalculateSHA256Hmac 

func CalculateSHA256Hmac(secret, data []byte) []byte

CalculateSHA256Hmac Calculate the hmac of the data with given secret.

func CompressedECPublicKey added in v0.1.4 

func CompressedECPublicKey(mode ECCMode, pubKey ecdsa.PublicKey) ([]byte, error)

CompressedECPublicKey - return a compressed key from the supplied curve and public key

func ComputeECDHKey added in v0.1.1 

func ComputeECDHKey(privateKeyInPem []byte, publicKeyInPem []byte) ([]byte, error)

ComputeECDHKey calculate shared secret from public key from one party and the private key from another party.

func ComputeECDHKeyFromEC added in v0.1.4 

func ComputeECDHKeyFromEC(publicKey *ecdsa.PublicKey, privateKey *ecdsa.PrivateKey) ([]byte, error)

func ComputeECDHKeyFromECDHKeys added in v0.1.4 

func ComputeECDHKeyFromECDHKeys(publicKey *ecdh.PublicKey, privateKey *ecdh.PrivateKey) ([]byte, error)

func ComputeECDSASig added in v0.1.4 

func ComputeECDSASig(digest []byte, privKey *ecdsa.PrivateKey) ([]byte, []byte, error)

ComputeECDSASig compute ecdsa signature

func ConvertToECDHPrivateKey added in v0.1.1 

func ConvertToECDHPrivateKey(key interface{}) (*ecdh.PrivateKey, error)

ConvertToECDHPrivateKey convert the ec private key to ECDH private key

func ConvertToECDHPublicKey added in v0.1.1 

func ConvertToECDHPublicKey(key interface{}) (*ecdh.PublicKey, error)

ConvertToECDHPublicKey convert the ec public key to ECDH public key

func ECPrivateKeyFromPem added in v0.1.1 

func ECPrivateKeyFromPem(privateECKeyInPem []byte) (*ecdh.PrivateKey, error)

ECPrivateKeyFromPem generate ec private from pem format

func ECPrivateKeyInPemFormat added in v0.1.4 

func ECPrivateKeyInPemFormat(privateKey ecdsa.PrivateKey) (string, error)

ECPrivateKeyInPemFormat Returns private key in pem format.

func ECPubKeyFromPem added in v0.1.1 

func ECPubKeyFromPem(pemECPubKey []byte) (*ecdh.PublicKey, error)

ECPubKeyFromPem generate ec public from pem format

func ECPublicKeyInPemFormat added in v0.1.4 

func ECPublicKeyInPemFormat(publicKey ecdsa.PublicKey) (string, error)

ECPublicKeyInPemFormat Returns public key in pem format.

func GetECCurveFromECCMode added in v0.1.5 

func GetECCurveFromECCMode(mode ECCMode) (elliptic.Curve, error)

GetECCurveFromECCMode return elliptic curve from ecc mode

func GetECKeySize added in v0.1.8 

func GetECKeySize(pemData []byte) (int, error)

GetECKeySize returns the curve size from a PEM-encoded EC public key

func HybridWrapDEK added in v0.11.0 

func HybridWrapDEK(ktype KeyType, kasPublicKeyPEM string, dek []byte) ([]byte, error)

HybridWrapDEK parses the recipient's hybrid public key PEM, encapsulates against it using the scheme implied by ktype, and returns the ASN.1-encoded wrapped DEK envelope used in `hybrid-wrapped` manifests. It dispatches across both the X-Wing and NIST EC + ML-KEM families so SDK call sites do not need to repeat the algorithm switch.

The HKDF salt is the default TDF salt; callers that need a non-default salt should call the per-scheme `*WrapDEK` helpers directly.

func IsECKeyType added in v0.1.8 

func IsECKeyType(kt KeyType) bool

func IsHybridKeyType added in v0.11.0 

func IsHybridKeyType(kt KeyType) bool

IsHybridKeyType returns true if the key type is a hybrid post-quantum type.

func IsPEMOrDERPrivateKey added in v0.10.0 

func IsPEMOrDERPrivateKey(data []byte) bool

IsPEMOrDERPrivateKey reports whether data appears to be an unencrypted private key in PEM or DER format. It does not attempt decryption or key unwrapping.

func IsRSAKeyType added in v0.1.8 

func IsRSAKeyType(kt KeyType) bool

func P256MLKEM768Encapsulate added in v0.11.0 

func P256MLKEM768Encapsulate(publicKeyRaw []byte) ([]byte, []byte, error)

P256MLKEM768Encapsulate performs P-256 ECDH + ML-KEM-768 hybrid encapsulation.

func P256MLKEM768PrivateKeyFromPem added in v0.11.0 

func P256MLKEM768PrivateKeyFromPem(data []byte) ([]byte, error)

func P256MLKEM768PubKeyFromPem added in v0.11.0 

func P256MLKEM768PubKeyFromPem(data []byte) ([]byte, error)

func P256MLKEM768UnwrapDEK added in v0.11.0 

func P256MLKEM768UnwrapDEK(privateKeyRaw, wrappedDER []byte) ([]byte, error)

func P256MLKEM768WrapDEK added in v0.11.0 

func P256MLKEM768WrapDEK(publicKeyRaw, dek []byte) ([]byte, error)

func P384MLKEM1024Encapsulate added in v0.11.0 

func P384MLKEM1024Encapsulate(publicKeyRaw []byte) ([]byte, []byte, error)

P384MLKEM1024Encapsulate performs P-384 ECDH + ML-KEM-1024 hybrid encapsulation.

func P384MLKEM1024PrivateKeyFromPem added in v0.11.0 

func P384MLKEM1024PrivateKeyFromPem(data []byte) ([]byte, error)

func P384MLKEM1024PubKeyFromPem added in v0.11.0 

func P384MLKEM1024PubKeyFromPem(data []byte) ([]byte, error)

func P384MLKEM1024UnwrapDEK added in v0.11.0 

func P384MLKEM1024UnwrapDEK(privateKeyRaw, wrappedDER []byte) ([]byte, error)

func P384MLKEM1024WrapDEK added in v0.11.0 

func P384MLKEM1024WrapDEK(publicKeyRaw, dek []byte) ([]byte, error)

func RSAKeyTypeToBits added in v0.1.8 

func RSAKeyTypeToBits(kt KeyType) (int, error)

func RandomBytes 

func RandomBytes(size int) ([]byte, error)

RandomBytes Generates random bytes of given size.

func SHA256AsHex 

func SHA256AsHex(data []byte) []byte

SHA256AsHex Calculate the SHA256 checksum of the data and return in hex format(64 bytes).

func SHA256HmacAsHex 

func SHA256HmacAsHex(secret, data []byte) []byte

SHA256HmacAsHex Calculate the hmac of the data with given secret and return in hex format.

func UncompressECPubKey added in v0.1.5 

func UncompressECPubKey(curve elliptic.Curve, compressedPubKey []byte) (*ecdsa.PublicKey, error)

UncompressECPubKey create EC public key from compressed form

func VerifyECDSASig added in v0.1.5 

func VerifyECDSASig(digest, r, s []byte, pubKey *ecdsa.PublicKey) bool

VerifyECDSASig verify ecdsa signature.

func XWingEncapsulate added in v0.11.0 

func XWingEncapsulate(publicKeyRaw []byte) ([]byte, []byte, error)

XWingEncapsulate performs the X-Wing KEM encapsulation, returning the shared secret and ciphertext without applying KDF or encryption.

func XWingPrivateKeyFromPem added in v0.11.0 

func XWingPrivateKeyFromPem(data []byte) ([]byte, error)

func XWingPubKeyFromPem added in v0.11.0 

func XWingPubKeyFromPem(data []byte) ([]byte, error)

func XWingUnwrapDEK added in v0.11.0 

func XWingUnwrapDEK(privateKeyRaw, wrappedDER []byte) ([]byte, error)

func XWingWrapDEK added in v0.11.0 

func XWingWrapDEK(publicKeyRaw, dek []byte) ([]byte, error)

Types

type AESProtectedKey added in v0.4.0 

type AESProtectedKey struct {
	// contains filtered or unexported fields
}

AESProtectedKey implements the ProtectedKey interface with an in-memory secret key

func NewAESProtectedKey added in v0.4.0 

func NewAESProtectedKey(rawKey []byte) (*AESProtectedKey, error)

NewAESProtectedKey creates a new instance of AESProtectedKey

func (*AESProtectedKey) DecryptAESGCM added in v0.4.0 

func (k *AESProtectedKey) DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)

DecryptAESGCM decrypts data using AES-GCM with the protected key

func (*AESProtectedKey) Export deprecated added in v0.4.0 

func (k *AESProtectedKey) Export(encapsulator Encapsulator) ([]byte, error)

Export returns the raw key data, optionally encrypting it with the provided Encapsulator

Deprecated: Use the Encapsulator's Encapsulate method instead.

func (*AESProtectedKey) VerifyBinding added in v0.4.0 

func (k *AESProtectedKey) VerifyBinding(_ context.Context, policy, policyBinding []byte) error

VerifyBinding checks if the policy binding matches the given policy data

type AesGcm 

type AesGcm struct {
	// contains filtered or unexported fields
}

func NewAESGcm 

func NewAESGcm(key []byte) (AesGcm, error)

NewAESGcm creates and returns a new AesGcm.

func (AesGcm) Decrypt 

func (aesGcm AesGcm) Decrypt(data []byte) ([]byte, error)

Decrypt decrypts data with a 12-byte nonce prefix and a 16-byte AES-GCM authentication tag.

func (AesGcm) Encrypt 

func (aesGcm AesGcm) Encrypt(data []byte) ([]byte, error)

Encrypt encrypts data with symmetric key. NOTE: This method use nonce of 12 bytes and auth tag as aes block size(16 bytes).

func (AesGcm) EncryptInPlace added in v0.8.0 

func (aesGcm AesGcm) EncryptInPlace(data []byte) ([]byte, []byte, error)

type AsymDecryption 

type AsymDecryption struct {
	PrivateKey *rsa.PrivateKey
}

func NewAsymDecryption 

func NewAsymDecryption(privateKeyInPem string) (AsymDecryption, error)

func (AsymDecryption) Decrypt 

func (asymDecryption AsymDecryption) Decrypt(data []byte) ([]byte, error)

Decrypt decrypts ciphertext with private key.

type AsymEncryption 

type AsymEncryption struct {
	PublicKey *rsa.PublicKey
}

func NewAsymEncryption deprecated 

func NewAsymEncryption(publicKeyInPem string) (AsymEncryption, error)

NewAsymEncryption creates and returns a new AsymEncryption.

Deprecated: Use FromPublicPEM instead.

func (AsymEncryption) Encrypt 

func (e AsymEncryption) Encrypt(data []byte) ([]byte, error)

func (AsymEncryption) EphemeralKey added in v0.1.8 

func (e AsymEncryption) EphemeralKey() []byte

func (AsymEncryption) KeyType added in v0.7.0 

func (e AsymEncryption) KeyType() KeyType

func (AsymEncryption) Metadata added in v0.1.8 

func (e AsymEncryption) Metadata() (map[string]string, error)

func (AsymEncryption) PublicKeyInPemFormat 

func (e AsymEncryption) PublicKeyInPemFormat() (string, error)

func (AsymEncryption) Type added in v0.1.8 

func (e AsymEncryption) Type() SchemeType

type ECCMode 

type ECCMode uint8
const (
	ECCModeSecp256r1 ECCMode = 0
	ECCModeSecp384r1 ECCMode = 1
	ECCModeSecp521r1 ECCMode = 2
	ECCModeSecp256k1 ECCMode = 3
)

func ECKeyTypeToMode added in v0.1.8 

func ECKeyTypeToMode(kt KeyType) (ECCMode, error)

func ECSizeToMode added in v0.1.8 

func ECSizeToMode(size int) (ECCMode, error)

ECSizeToMode converts a curve size to an ECCMode

func (ECCMode) String added in v0.1.6 

func (mode ECCMode) String() string

type ECDecryptor added in v0.1.8 

type ECDecryptor struct {
	// contains filtered or unexported fields
}

func NewECDecryptor added in v0.1.8 

func NewECDecryptor(sk *ecdh.PrivateKey) (ECDecryptor, error)

func NewSaltedECDecryptor added in v0.2.0 

func NewSaltedECDecryptor(sk *ecdh.PrivateKey, salt, info []byte) (ECDecryptor, error)

func (ECDecryptor) Decrypt added in v0.1.8 

func (e ECDecryptor) Decrypt(_ []byte) ([]byte, error)

func (ECDecryptor) DecryptWithEphemeralKey added in v0.1.8 

func (e ECDecryptor) DecryptWithEphemeralKey(data, ephemeral []byte) ([]byte, error)

type ECEncryptor added in v0.1.8 

type ECEncryptor struct {
	// contains filtered or unexported fields
}

func (ECEncryptor) Encrypt added in v0.1.8 

func (e ECEncryptor) Encrypt(data []byte) ([]byte, error)

Encrypts the data with the EC public key.

func (ECEncryptor) EphemeralKey added in v0.1.8 

func (e ECEncryptor) EphemeralKey() []byte

func (ECEncryptor) KeyType added in v0.7.0 

func (e ECEncryptor) KeyType() KeyType

func (ECEncryptor) Metadata added in v0.1.8 

func (e ECEncryptor) Metadata() (map[string]string, error)

func (ECEncryptor) PublicKeyInPemFormat added in v0.1.8 

func (e ECEncryptor) PublicKeyInPemFormat() (string, error)

PublicKeyInPemFormat Returns public key in pem format.

func (ECEncryptor) Type added in v0.1.8 

func (e ECEncryptor) Type() SchemeType

type ECKeyPair 

type ECKeyPair struct {
	PrivateKey *ecdsa.PrivateKey
}

func NewECKeyPair 

func NewECKeyPair(mode ECCMode) (ECKeyPair, error)

NewECKeyPair Generates an EC key pair of the given bit size.

func (ECKeyPair) GetKeyType added in v0.1.8 

func (keyPair ECKeyPair) GetKeyType() KeyType

GetKeyType returns the key type (ECKey)

func (ECKeyPair) KeySize 

func (keyPair ECKeyPair) KeySize() (int, error)

KeySize Return the size of this ec key pair.

func (ECKeyPair) PrivateKeyInPemFormat 

func (keyPair ECKeyPair) PrivateKeyInPemFormat() (string, error)

PrivateKeyInPemFormat Returns private key in pem format.

func (ECKeyPair) PublicKeyInPemFormat 

func (keyPair ECKeyPair) PublicKeyInPemFormat() (string, error)

PublicKeyInPemFormat Returns public key in pem format.

type Encapsulator added in v0.4.0 

type Encapsulator interface {
	// Encapsulate wraps a secret key with the encapsulation key
	Encapsulate(dek ProtectedKey) ([]byte, error)

	// Encrypt wraps a secret key with the encapsulation key
	Encrypt(data []byte) ([]byte, error)

	// PublicKeyAsPEM exports the public key, used to encapsulate the value, in Privacy-Enhanced Mail format,
	// or the empty string if not present.
	PublicKeyAsPEM() (string, error)

	// For EC schemes, this method returns the public part of the ephemeral key.
	// Otherwise, it returns nil.
	EphemeralKey() []byte
}

Encapsulator enables key encapsulation with a public key

type HybridNISTDecryptor added in v0.11.0 

type HybridNISTDecryptor struct {
	// contains filtered or unexported fields
}

HybridNISTDecryptor implements PrivateKeyDecryptor for NIST hybrid schemes.

func NewP256MLKEM768Decryptor added in v0.11.0 

func NewP256MLKEM768Decryptor(privateKey []byte) (*HybridNISTDecryptor, error)

func NewP384MLKEM1024Decryptor added in v0.11.0 

func NewP384MLKEM1024Decryptor(privateKey []byte) (*HybridNISTDecryptor, error)

func NewSaltedP256MLKEM768Decryptor added in v0.11.0 

func NewSaltedP256MLKEM768Decryptor(privateKey, salt, info []byte) (*HybridNISTDecryptor, error)

func NewSaltedP384MLKEM1024Decryptor added in v0.11.0 

func NewSaltedP384MLKEM1024Decryptor(privateKey, salt, info []byte) (*HybridNISTDecryptor, error)

func (*HybridNISTDecryptor) Decrypt added in v0.11.0 

func (d *HybridNISTDecryptor) Decrypt(data []byte) ([]byte, error)

type HybridNISTEncryptor added in v0.11.0 

type HybridNISTEncryptor struct {
	// contains filtered or unexported fields
}

HybridNISTEncryptor implements PublicKeyEncryptor for NIST hybrid schemes.

func NewP256MLKEM768Encryptor added in v0.11.0 

func NewP256MLKEM768Encryptor(publicKey, salt, info []byte) (*HybridNISTEncryptor, error)

func NewP384MLKEM1024Encryptor added in v0.11.0 

func NewP384MLKEM1024Encryptor(publicKey, salt, info []byte) (*HybridNISTEncryptor, error)

func (*HybridNISTEncryptor) Encrypt added in v0.11.0 

func (e *HybridNISTEncryptor) Encrypt(data []byte) ([]byte, error)

func (*HybridNISTEncryptor) EphemeralKey added in v0.11.0 

func (e *HybridNISTEncryptor) EphemeralKey() []byte

func (*HybridNISTEncryptor) KeyType added in v0.11.0 

func (e *HybridNISTEncryptor) KeyType() KeyType

func (*HybridNISTEncryptor) Metadata added in v0.11.0 

func (e *HybridNISTEncryptor) Metadata() (map[string]string, error)

func (*HybridNISTEncryptor) PublicKeyInPemFormat added in v0.11.0 

func (e *HybridNISTEncryptor) PublicKeyInPemFormat() (string, error)

func (*HybridNISTEncryptor) Type added in v0.11.0 

func (e *HybridNISTEncryptor) Type() SchemeType

type HybridNISTKeyPair added in v0.11.0 

type HybridNISTKeyPair struct {
	// contains filtered or unexported fields
}

HybridNISTKeyPair holds a hybrid EC + ML-KEM keypair as raw bytes.

func NewP256MLKEM768KeyPair added in v0.11.0 

func NewP256MLKEM768KeyPair() (HybridNISTKeyPair, error)

func NewP384MLKEM1024KeyPair added in v0.11.0 

func NewP384MLKEM1024KeyPair() (HybridNISTKeyPair, error)

func (HybridNISTKeyPair) GetKeyType added in v0.11.0 

func (k HybridNISTKeyPair) GetKeyType() KeyType

func (HybridNISTKeyPair) PrivateKeyInPemFormat added in v0.11.0 

func (k HybridNISTKeyPair) PrivateKeyInPemFormat() (string, error)

func (HybridNISTKeyPair) PublicKeyInPemFormat added in v0.11.0 

func (k HybridNISTKeyPair) PublicKeyInPemFormat() (string, error)

type HybridNISTWrappedKey added in v0.11.0 

type HybridNISTWrappedKey struct {
	HybridCiphertext []byte `asn1:"tag:0"`
	EncryptedDEK     []byte `asn1:"tag:1"`
}

HybridNISTWrappedKey is the ASN.1 envelope stored in wrapped_key.

type KeyPair added in v0.1.8 

type KeyPair interface {
	PublicKeyInPemFormat() (string, error)
	PrivateKeyInPemFormat() (string, error)
	GetKeyType() KeyType
}

func NewHybridKeyPair added in v0.11.0 

func NewHybridKeyPair(kt KeyType) (KeyPair, error)

NewHybridKeyPair creates a key pair for the given hybrid key type.

func NewKeyPair added in v0.1.8 

func NewKeyPair(kt KeyType) (KeyPair, error)

type KeyType added in v0.1.8 

type KeyType string
const (
	RSA2048Key KeyType = "rsa:2048"
	RSA4096Key KeyType = "rsa:4096"
	EC256Key   KeyType = "ec:secp256r1"
	EC384Key   KeyType = "ec:secp384r1"
	EC521Key   KeyType = "ec:secp521r1"
)
const (
	HybridSecp256r1MLKEM768Key  KeyType = "hpqt:secp256r1-mlkem768"
	HybridSecp384r1MLKEM1024Key KeyType = "hpqt:secp384r1-mlkem1024"
)

func ParseKeyType added in v0.11.0 

func ParseKeyType(alg string) (KeyType, error)

ParseKeyType validates a string as a known KeyType, returning an error for unrecognized values.

type PrivateKeyDecryptor added in v0.1.8 

type PrivateKeyDecryptor interface {
	// Decrypt decrypts ciphertext with private key.
	Decrypt(data []byte) ([]byte, error)
}

func FromPrivatePEM added in v0.1.8 

func FromPrivatePEM(privateKeyInPem string) (PrivateKeyDecryptor, error)

FromPrivatePEM creates and returns a new AsymDecryption.

func FromPrivatePEMWithSalt added in v0.2.0 

func FromPrivatePEMWithSalt(privateKeyInPem string, salt, info []byte) (PrivateKeyDecryptor, error)

type ProtectedKey added in v0.4.0 

type ProtectedKey interface {
	// VerifyBinding checks if the policy binding matches the given policy data
	VerifyBinding(ctx context.Context, policy, policyBinding []byte) error

	// Export returns the raw key data, optionally encrypting it with the provided encapsulator
	//
	// Deprecated: Use the Encapsulator's Encapsulate method instead.
	Export(encapsulator Encapsulator) ([]byte, error)

	// DecryptAESGCM decrypts encrypted policies and metadata
	DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)
}

ProtectedKey represents a decrypted key with operations that can be performed on it

type PublicKeyEncryptor added in v0.1.8 

type PublicKeyEncryptor interface {
	// Encrypt encrypts data with public key.
	Encrypt(data []byte) ([]byte, error)

	// PublicKeyInPemFormat Returns public key in pem format, or the empty string if not present
	PublicKeyInPemFormat() (string, error)

	// Type required to use the scheme for encryption - notably, if it procduces extra metadata.
	Type() SchemeType

	// KeyType returns the key type, e.g. RSA or EC.
	KeyType() KeyType

	// For EC schemes, this method returns the public part of the ephemeral key.
	// Otherwise, it returns nil.
	EphemeralKey() []byte

	// Any extra metadata, e.g. the ephemeral public key for EC scheme keys.
	Metadata() (map[string]string, error)
}

func FromPublicPEM added in v0.1.8 

func FromPublicPEM(publicKeyInPem string) (PublicKeyEncryptor, error)

func FromPublicPEMWithSalt added in v0.2.0 

func FromPublicPEMWithSalt(publicKeyInPem string, salt, info []byte) (PublicKeyEncryptor, error)

type RsaKeyPair 

type RsaKeyPair struct {
	// contains filtered or unexported fields
}

func FromRSA added in v0.1.4 

func FromRSA(k *rsa.PrivateKey) RsaKeyPair

func NewRSAKeyPair 

func NewRSAKeyPair(bits int) (RsaKeyPair, error)

NewRSAKeyPair Generates an RSA key pair of the given bit size.

func (RsaKeyPair) GetKeyType added in v0.1.8 

func (keyPair RsaKeyPair) GetKeyType() KeyType

GetKeyType returns the key type (RSAKey)

func (RsaKeyPair) KeySize 

func (keyPair RsaKeyPair) KeySize() (int, error)

KeySize Return the size of this rsa key pair.

func (RsaKeyPair) PrivateKeyInPemFormat 

func (keyPair RsaKeyPair) PrivateKeyInPemFormat() (string, error)

PrivateKeyInPemFormat Returns private key in pem format.

func (RsaKeyPair) PublicKeyInPemFormat 

func (keyPair RsaKeyPair) PublicKeyInPemFormat() (string, error)

PublicKeyInPemFormat Returns public key in pem format.

type SchemeType added in v0.1.8 

type SchemeType string
const (
	RSA    SchemeType = "wrapped"
	EC     SchemeType = "ec-wrapped"
	Hybrid SchemeType = "hybrid-wrapped"
)

type XWingDecryptor added in v0.11.0 

type XWingDecryptor struct {
	// contains filtered or unexported fields
}

func NewSaltedXWingDecryptor added in v0.11.0 

func NewSaltedXWingDecryptor(privateKey, salt, info []byte) (*XWingDecryptor, error)

func NewXWingDecryptor added in v0.11.0 

func NewXWingDecryptor(privateKey []byte) (*XWingDecryptor, error)

func (*XWingDecryptor) Decrypt added in v0.11.0 

func (d *XWingDecryptor) Decrypt(data []byte) ([]byte, error)

type XWingEncryptor added in v0.11.0 

type XWingEncryptor struct {
	// contains filtered or unexported fields
}

func NewXWingEncryptor added in v0.11.0 

func NewXWingEncryptor(publicKey, salt, info []byte) (*XWingEncryptor, error)

func (*XWingEncryptor) Encrypt added in v0.11.0 

func (e *XWingEncryptor) Encrypt(data []byte) ([]byte, error)

func (*XWingEncryptor) EphemeralKey added in v0.11.0 

func (e *XWingEncryptor) EphemeralKey() []byte

func (*XWingEncryptor) KeyType added in v0.11.0 

func (e *XWingEncryptor) KeyType() KeyType

func (*XWingEncryptor) Metadata added in v0.11.0 

func (e *XWingEncryptor) Metadata() (map[string]string, error)

func (*XWingEncryptor) PublicKeyInPemFormat added in v0.11.0 

func (e *XWingEncryptor) PublicKeyInPemFormat() (string, error)

func (*XWingEncryptor) Type added in v0.11.0 

func (e *XWingEncryptor) Type() SchemeType

type XWingKeyPair added in v0.11.0 

type XWingKeyPair struct {
	// contains filtered or unexported fields
}

func NewXWingKeyPair added in v0.11.0 

func NewXWingKeyPair() (XWingKeyPair, error)

func (XWingKeyPair) GetKeyType added in v0.11.0 

func (k XWingKeyPair) GetKeyType() KeyType

func (XWingKeyPair) PrivateKeyInPemFormat added in v0.11.0 

func (k XWingKeyPair) PrivateKeyInPemFormat() (string, error)

func (XWingKeyPair) PublicKeyInPemFormat added in v0.11.0 

func (k XWingKeyPair) PublicKeyInPemFormat() (string, error)

type XWingWrappedKey added in v0.11.0 

type XWingWrappedKey struct {
	XWingCiphertext []byte `asn1:"tag:0"`
	EncryptedDEK    []byte `asn1:"tag:1"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.