Back to / proto / security

Package security

Latest Go to latest

The latest major version is .

Published: Jul 23, 2018 | Licenses: MIT , CC-BY-4.0 , MIT | Module:



const LocalKMSType = KMSType("local")


var (
	ErrInvalidPublicKey       = errors.New("invalid public key")
	ErrInvalidPrivateKey      = errors.New("invalid private key")
	ErrInvalidNonce           = errors.New("invalid nonce")
	ErrMessageIntegrityFailed = errors.New("message integrity failed")
var (
	ErrInvalidKey         = errors.New("invalid key")
	ErrKeyMustBeDecrypted = errors.New("key must be decrypted")
	ErrKeyMustBeEncrypted = errors.New("key must be encrypted")
	ErrIVRequired         = errors.New("IV is required")

	TestMode bool
var (
	ErrInvalidKMSType = errors.New("invalid KMS type")
	ErrNoMasterKey    = errors.New("no master key")

func DecryptGCM

func DecryptGCM(key *ManagedKey, nonce, digest, ciphertext, data []byte) ([]byte, error)

func EncryptGCM

func EncryptGCM(
	key *ManagedKey, nonce, plaintext, data []byte) (digest []byte, ciphertext []byte, err error)

func PublicKeyCapabilityID

func PublicKeyCapabilityID(subjectKey, holderKey *ManagedKeyPair, nonce []byte) string

func RegisterKMSType

func RegisterKMSType(name KMSType, instance KMSCredential)

func SharedSecretCapabilityID

func SharedSecretCapabilityID(key *ManagedKey, nonce []byte) (string, error)

type Capability

type Capability interface {
	// CapabilityID() returns the globally unique identifier of the
	// capability. It should be a string derived from a secret shared
	// with the recipient.
	CapabilityID() string

	// Nonce() returns the random nonce associated with the capability.
	// This is an optional feature (used for public-key based grants).
	// If there is no nonce, nil is returned.
	Nonce() []byte

	// PublicPayload returns the publicly exposed data associated
	// with the capability.
	PublicPayload() []byte

	// EncryptedPayload returns the encrypted payload associated with
	// this capability. Apply your shared secret to the value that
	// Challenge() returns and pass it to Verify() in order to gain
	// access to the plaintext of the payload.
	EncryptedPayload() []byte

Capability is a generic handle on a cryptographic grant of access.

type KMS

type KMS interface {
	GenerateNonce(bytes int) ([]byte, error)

	GenerateEncryptedKey(keyType KeyType, ctxKey, ctxVal string) (*ManagedKey, error)
	DecryptKey(*ManagedKey) error

type KMSCredential

type KMSCredential interface {
	KMSType() KMSType

type KMSType

type KMSType string

func (KMSType) KMSCredential

func (name KMSType) KMSCredential() (KMSCredential, error)

type KeyPairType

type KeyPairType byte
const (
	Curve25519 KeyPairType = iota

func (KeyPairType) Generate

func (t KeyPairType) Generate(randomReader io.Reader) (*ManagedKeyPair, error)

func (KeyPairType) NonceSize

func (t KeyPairType) NonceSize() int

func (KeyPairType) Open

func (t KeyPairType) Open(message, nonce, peersPublicKey, privateKey []byte) ([]byte, error)

func (KeyPairType) PrivateKeySize

func (t KeyPairType) PrivateKeySize() int

func (KeyPairType) PublicKeySize

func (t KeyPairType) PublicKeySize() int

func (KeyPairType) Seal

func (t KeyPairType) Seal(message, nonce, peersPublicKey, privateKey []byte) ([]byte, error)

func (KeyPairType) String

func (t KeyPairType) String() string

type KeyType

type KeyType byte
const (
	AES128 KeyType = iota

func (KeyType) BlockCipher

func (t KeyType) BlockCipher(key []byte) (cipher.Block, error)

func (KeyType) BlockCrypt

func (t KeyType) BlockCrypt(iv, key, data []byte, encrypt bool) error

func (KeyType) BlockMode

func (t KeyType) BlockMode(iv, key []byte, encrypt bool) (cipher.BlockMode, error)

func (KeyType) BlockSize

func (t KeyType) BlockSize() int

func (KeyType) KeySize

func (t KeyType) KeySize() int

func (KeyType) Pad

func (t KeyType) Pad(data []byte) []byte

func (KeyType) String

func (t KeyType) String() string

func (KeyType) Unpad

func (t KeyType) Unpad(data []byte) []byte

type ManagedKey

type ManagedKey struct {
	IV           []byte
	Plaintext    []byte
	Ciphertext   []byte
	ContextKey   string
	ContextValue string

func KeyFromPasscode

func KeyFromPasscode(passcode, salt []byte, keyType KeyType) *ManagedKey

func (*ManagedKey) Clone

func (k *ManagedKey) Clone() ManagedKey

func (*ManagedKey) Decrypt

func (k *ManagedKey) Decrypt(keyKey *ManagedKey) error

func (*ManagedKey) Encrypt

func (k *ManagedKey) Encrypt(keyKey *ManagedKey) error

func (*ManagedKey) Encrypted

func (k *ManagedKey) Encrypted() bool

type ManagedKeyPair

type ManagedKeyPair struct {
	IV                  []byte
	PrivateKey          []byte
	EncryptedPrivateKey []byte
	PublicKey           []byte

func (*ManagedKeyPair) Clone

func (k *ManagedKeyPair) Clone() ManagedKeyPair

func (*ManagedKeyPair) Decrypt

func (k *ManagedKeyPair) Decrypt(keyKey *ManagedKey) error

func (*ManagedKeyPair) Encrypt

func (k *ManagedKeyPair) Encrypt(keyKey *ManagedKey) error

func (*ManagedKeyPair) Encrypted

func (k *ManagedKeyPair) Encrypted() bool

type MockKMS

type MockKMS interface {

	KMSCredential() KMSCredential
	MasterKey() []byte

func LocalKMS

func LocalKMS() MockKMS

func LocalKMSWithRNG

func LocalKMSWithRNG(random io.Reader) MockKMS

type PublicKeyCapability

type PublicKeyCapability struct {

func GrantPublicKeyCapability

func GrantPublicKeyCapability(
	kms KMS, nonce []byte, subjectKey, holderKey *ManagedKeyPair,
	publicData, privateData interface{}) (
	*PublicKeyCapability, error)

func (*PublicKeyCapability) DecryptPayload

func (c *PublicKeyCapability) DecryptPayload(subjectKey, holderKey *ManagedKeyPair) ([]byte, error)

type SharedSecretCapability

type SharedSecretCapability struct {

func GrantSharedSecretCapability

func GrantSharedSecretCapability(key *ManagedKey, nonce []byte, publicData, privateData interface{}) (
	*SharedSecretCapability, error)

func (*SharedSecretCapability) DecryptPayload

func (c *SharedSecretCapability) DecryptPayload(key *ManagedKey) ([]byte, error)

Package Files

  • aesgcm.go
  • clients.go
  • grants.go
  • keypairs.go
  • keys.go
  • kms.go
Documentation was rendered with GOOS=linux and GOARCH=amd64.

Jump to identifier

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to identifier