Documentation
¶
Index ¶
- Variables
- func Decrypt(secret, encrypted, aad []byte) (plain []byte, err error)
- func Encrypt(secret, data, aad []byte) (encrypted []byte, err error)
- func SecureBytesCompare(input, secret []byte) bool
- func ValidateKey(key []byte) error
- type Crypto
- type KeyGenerator
- type Keyring
- func (k *Keyring) AddKey(key []byte) error
- func (k *Keyring) Decrypt(cipherText, aad []byte) (plain []byte, err error)
- func (k *Keyring) Encrypt(data, aad []byte) (cipherText []byte, err error)
- func (k *Keyring) GetKeys() [][]byte
- func (k *Keyring) GetPrimaryKey() (key []byte)
- func (k *Keyring) MessageDecrypt(encrypted []byte, aad []byte) ([]byte, error)
- func (k *Keyring) MessageEncrypt(content []byte, aad []byte) (encrypted string, err error)
- func (k *Keyring) MessageSign(message []byte, digest string) (string, error)
- func (k *Keyring) MessageVerify(signed []byte) (decoded []byte, err error)
- type MessageEncryptor
- type MessageVerifier
Constants ¶
This section is empty.
Variables ¶
var ( ErrKeyringEmpty = errors.New("no installed keys") ErrKeyringCannotDecrypt = errors.New("no installed keys could decrypt the message") ErrKeyringCannotVerify = errors.New("no installed keys could verify the message") )
var ( HEADER = []byte("A128GCM") ErrInvalidMessage = errors.New("invalid message") )
var ErrInvalidSignature = errors.New("invalid signature")
var ErrKeySize = errors.New("key size must be 16, 24 or 32 bytes")
Functions ¶
func SecureBytesCompare ¶
SecureBytesCompare Compares the two binaries in constant-time to avoid timing attacks.
See: http://codahale.com/a-lesson-in-timing-attacks/ Source: https://go.dev/play/p/pICufdp1zA
func ValidateKey ¶
ValidateKey will check to see if the key is valid and returns an error if not.
key should be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
Types ¶
type Crypto ¶ added in v1.0.3
type Crypto interface {
Decrypt(secret []byte, encrypted []byte, aad []byte) (plain []byte, err error)
Encrypt(secret []byte, data []byte, aad []byte) (encrypted []byte, err error)
KeyGenerate(secret []byte, salt []byte, iterations int, length int, digest string) []byte
MessageDecrypt(secret []byte, encoded []byte, aad []byte) (content []byte, err error)
MessageEncrypt(secret []byte, content []byte, aad []byte) (encoded string, err error)
MessageSign(secret []byte, message []byte, digest string) string
MessageVerify(secret []byte, signed []byte) (decoded []byte, err error)
}
type KeyGenerator ¶
type KeyGenerator struct {
}
KeyGenerator uses PBKDF2 (Password-Based Key Derivation Function 2), part of PKCS #5 v2.0 (Password-Based Cryptography Specification).
It can be used to derive a number of keys for various purposes from a given secret. This lets applications have a single secure secret, but avoid reusing that key in multiple incompatible contexts.
The returned key is a binary. You may invoke functions in the `base64` module, such as `base64.StdEncoding.EncodeToString()`, to convert this binary into a textual representation.
See http://tools.ietf.org/html/rfc2898#section-5.2
func (*KeyGenerator) Generate ¶
func (g *KeyGenerator) Generate(secret []byte, salt []byte, iterations int, length int, digest string) []byte
Generate Returns a derived key suitable for use.
- `iterations` - defaults to 1000 (increase to at least 2^16 if used for passwords);
- `length` - a length in octets for the derived key. Defaults to 32;
- `digest` - an hmac function to use as the pseudo-random function. Defaults to `sha256`;
type Keyring ¶
type Keyring struct {
// contains filtered or unexported fields
}
func (*Keyring) AddKey ¶
AddKey will install a new key on the ring. Adding a key to the ring will make it available for use in decryption. If the key already exists on the ring, this function will just return noop.
func (*Keyring) Decrypt ¶
Decrypt is used to decrypt a message using Keyring keys, and verify it's contents.
func (*Keyring) GetPrimaryKey ¶
GetPrimaryKey returns the key on the ring at position 0. This is the key used for encrypting messages, and is the first key tried for decrypting messages.
func (*Keyring) MessageDecrypt ¶
MessageDecrypt a message using authenticated encryption.
func (*Keyring) MessageEncrypt ¶
MessageEncrypt a message using authenticated encryption.
func (*Keyring) MessageSign ¶
MessageSign Generates a signed message for the provided value.
type MessageEncryptor ¶
type MessageEncryptor struct {
}
func (*MessageEncryptor) Decrypt ¶
func (e *MessageEncryptor) Decrypt(secret, encoded, aad []byte) (content []byte, err error)
Decrypt a message using authenticated encryption. Accepts keys of 128, 192, or 256 bits based on the length of the secret key. Verifies and decrypts a message using AES128-GCM mode.
Decryption will never be performed prior to verification.
The encrypted content encryption key (CEK) is decrypted with aesGCMKeyUnwrap.
func (*MessageEncryptor) Encrypt ¶
func (e *MessageEncryptor) Encrypt(secret, content, aad []byte) (encoded string, err error)
Encrypt encrypts and authenticates a message using AES128-GCM mode.
A random 128-bit content encryption key (CEK) is generated for every message which is then encrypted with secret and aad using AES GCM mode.
type MessageVerifier ¶
type MessageVerifier struct {
}
MessageVerifier makes it easy to generate and verify messages which are signed to prevent tampering.
func (*MessageVerifier) Sign ¶
func (v *MessageVerifier) Sign(secret []byte, content []byte, digest string) string
Sign Generates a signed message for the provided value.
See https://www.rfc-editor.org/rfc/rfc7515#section-3.2 See https://www.rfc-editor.org/rfc/rfc7515#section-7
Source Files