crypto


Documentation

Index

Constants

// Key and nonce sizes, in bytes, used by the AES-GCM based encrypt/decrypt
// functions in this package.
const (
	AESKeySize   = 32 // 256-bit AES key size (32 bytes)
	GMCNonceSize = 12 // GCM standard nonce size (12 bytes = 96 bits); NOTE(review): identifier is spelled GMC rather than GCM, but it is exported, so renaming it would break importers
)


Functions

func DecryptObjectDeterministic

func DecryptObjectDeterministic(ct []byte, context string, dek []byte) ([]byte, error)

func DecryptObjectLinearOPE

func DecryptObjectLinearOPE(ct []byte, dek []byte) (uint64, error)

DecryptObjectLinearOPE decrypts data encrypted with EncryptObjectLinearOPE by applying the inverse linear transformation pt = (ct - b) / a.

func DecryptObjectProbabilistic

func DecryptObjectProbabilistic(ct []byte, dek []byte) ([]byte, error)

func DenormalizeFloat32

func DenormalizeFloat32(v uint64) float32

func DenormalizeFloat64

func DenormalizeFloat64(v uint64) float64

func DenormalizeInt32

func DenormalizeInt32(v uint64) int32

func DenormalizeInt64

func DenormalizeInt64(v uint64) int64

func DenormalizeTime

func DenormalizeTime(v uint64) time.Time

func DenormalizeTimeSeconds

func DenormalizeTimeSeconds(v uint64) time.Time

func DenormalizeUint32

func DenormalizeUint32(v uint64) uint32

func EncryptObjectDeterministic

func EncryptObjectDeterministic(pt []byte, context string, dek []byte) ([]byte, error)

func EncryptObjectDeterministicFixed

func EncryptObjectDeterministicFixed(pt []byte, context string, dek []byte) ([]byte, error)

func EncryptObjectLinearOPE

func EncryptObjectLinearOPE(plaintext uint64, dek []byte) ([]byte, error)

WARNING: This is trivially breakable with known-plaintext attacks (the transformation is linear, so its parameters a and b can be recovered from known plaintext/ciphertext pairs). TODO: Replace with a more secure OPE scheme (CRITICAL!!!!!). This algorithm could be replaced with a ported version of pyope (https://github.com/tonyo/pyope), which implements Boldyreva's symmetric OPE scheme.

Ciphertext format: the encrypted value (8 bytes).

func EncryptObjectProbabilistic

func EncryptObjectProbabilistic(pt []byte, dek []byte) ([]byte, error)

func GenerateEphemeralKeypair

func GenerateEphemeralKeypair() (clientPriv [32]byte, clientPub [32]byte, err error)

func NormalizeFloat32

func NormalizeFloat32(v float32) uint64

func NormalizeFloat64

func NormalizeFloat64(v float64) uint64

func NormalizeInt32

func NormalizeInt32(v int32) uint64

func NormalizeInt64

func NormalizeInt64(v int64) uint64

func NormalizeTime

func NormalizeTime(t time.Time) uint64

Second-level normalization of time values that preserves order and allows range queries when the result is encrypted with OPE.

func NormalizeTimeSeconds

func NormalizeTimeSeconds(t time.Time) uint64

Use NormalizeTimeSeconds for historical dates or far-future timestamps.

func NormalizeUint32

func NormalizeUint32(v uint32) uint64

func NormalizeValue

func NormalizeValue(v any) (uint64, error)

func UnwrapSingleDEK

func UnwrapSingleDEK(ctx context.Context, config SessionConfig, wrappedDEK []byte, nonce []byte) ([]byte, error)

Types

type EnclaveSecureSession

// EnclaveSecureSession holds the client-side state of a secure session with
// an enclave: the client's ephemeral x25519 keypair, the enclave's public key,
// the derived session key, and the attestation material associated with the
// session (see InitEnclaveSecureSession).
//
// NOTE(review): ClientPriv and SessionKey are secret material held in
// exported fields; Close zeros out sensitive data, so call it once the
// session is no longer needed.
type EnclaveSecureSession struct {
	SessionId           string   // session identifier (NOTE(review): Go style would be SessionID; renaming the exported field would break callers)
	ClientPriv          [32]byte // x25519 private key
	ClientPub           [32]byte // x25519 public key
	EnclavePubRaw       []byte   // enclave's ephemeral public key (decoded)
	SessionKey          []byte   // derived session key
	ExpiresAt           time.Time // presumably when the session (and SessionKey) stops being valid — confirm against InitEnclaveSecureSession
	Attestation         []byte    // attestation document received from the enclave — assumed to be the raw bytes, confirm
	ExpectedNonce       []byte    // nonce the attestation is expected to carry — presumably a freshness check, confirm
	AttestationVerified bool      // whether the attestation has been verified
	AttestationResult   *verificationResult // outcome of that verification (unexported type, so callers can only pass it through)
	// contains filtered or unexported fields
}

func InitEnclaveSecureSession

func InitEnclaveSecureSession(ctx context.Context, config SessionConfig) (*EnclaveSecureSession, error)

func (*EnclaveSecureSession) Close

func (ess *EnclaveSecureSession) Close()

Close zeros out the session's sensitive data.

func (*EnclaveSecureSession) GenerateDEK

func (ess *EnclaveSecureSession) GenerateDEK(ctx context.Context, tableHash string, count int) (generatedDEKs []GeneratedDEK, iek []byte, err error)

func (*EnclaveSecureSession) GetAttestationInfo

func (ess *EnclaveSecureSession) GetAttestationInfo() map[string]any

func (*EnclaveSecureSession) GetTableIEK

func (ess *EnclaveSecureSession) GetTableIEK(ctx context.Context, tableHash string) ([]byte, error)

func (*EnclaveSecureSession) SessionUnwrap

func (*EnclaveSecureSession) UnsealDEK

func (ess *EnclaveSecureSession) UnsealDEK(ctx context.Context, encryptedDEK []byte, nonce []byte, objectID string) ([]byte, error)

type GeneratedDEK

// GeneratedDEK is one data-encryption key produced by
// EnclaveSecureSession.GenerateDEK, together with its wrapped forms.
type GeneratedDEK struct {
	PlaintextDEK          []byte // the DEK itself (secret; zero it when no longer needed)
	KMSEncryptedDEK       []byte // the DEK wrapped by a KMS — inferred from the name, confirm the wrapping format
	MasterKeyEncryptedDEK []byte // the DEK wrapped under a master key — inferred from the name, confirm
	MasterKeyNonce        []byte // nonce for the master-key wrapping — presumably pairs with MasterKeyEncryptedDEK, confirm
}

type SessionConfig

// SessionConfig carries the settings used by InitEnclaveSecureSession and
// UnwrapSingleDEK: where to reach the proxy, how to authenticate, and how
// strictly to verify the enclave's attestation.
type SessionConfig struct {
	// base URL of the proxy server
	Endpoint string
	// Tenant ID for authentication
	TenantID string
	// API Key for authentication (a secret; keep it out of logs and out of configuration committed to source control)
	APIKey string
	// PCR values you expect from the enclave
	// Key: PCR index; Value: hex-encoded PCR hash
	// Note: use "nitro-cli describe-eif --eif-path enclave.eif" to get these
	ExpectedPCRs map[uint]string
	// AWS Nitro Root CA certificate (optional)
	// NOTE(review): what is used when this is nil is not visible here — confirm that a pinned built-in root is substituted rather than certificate verification being skipped.
	RootCA *x509.Certificate
	// Maximum age of the attestation document
	// NOTE(review): the meaning of the zero value (no limit vs. reject everything) is not visible here — confirm.
	MaxAttestationAge time.Duration
	// Whether to verify PCR values
	// Set to false during development, true in production
	// The zero value is false, so a config that never sets this field does not check the enclave's PCRs against ExpectedPCRs.
	VerifyPCRs bool
	// HTTPTimeout for requests
	// NOTE(review): a zero time.Duration usually means no timeout on an http.Client — confirm how this field is applied.
	HTTPTimeout time.Duration
}
