saes

package
v1.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 14, 2026 License: GPL-3.0 Imports: 4 Imported by: 0

README

pki/saes

Import path: github.com/InsideGallery/core/pki/saes

saes provides deterministic authenticated encryption with AES-SIV through Tink's subtle.NewAESSIV. It implements the shared pki.Cipher contract with a 64-byte AES-SIV key.

Main API

  • SAES implements the pki.Cipher interface.
  • NewSAES() creates a cipher with a random 64-byte key.
  • AESSIV64 is the required key size in bytes.
  • Kind is the string returned by SAES.Kind().
  • Encrypt(origin) calls deterministic AES-SIV encryption with nil associated data.
  • Decrypt(ciphertext) decrypts deterministic AES-SIV ciphertext with nil associated data.
  • ToBinary() returns raw key bytes.
  • FromBinary(raw) restores an SAES cipher from raw key bytes.
  • ErrEncryptedDataIsEmpty reports an empty ciphertext passed to Decrypt.
  • ErrEncryptedDataIsWrongLen is exported for compatibility, but the current implementation does not return it.

Usage

package example

import "github.com/InsideGallery/core/pki/saes"

func seal(value []byte) ([]byte, []byte, error) {
	cipher, err := saes.NewSAES()
	if err != nil {
		return nil, nil, err
	}

	key, err := cipher.ToBinary()
	if err != nil {
		return nil, nil, err
	}

	ciphertext, err := cipher.Encrypt(value)
	if err != nil {
		return nil, nil, err
	}

	return ciphertext, key, nil
}

Security Notes

AES-SIV encryption here is deterministic: the same key and plaintext produce the same ciphertext. That is useful for stable encrypted identifiers, but it does not hide equality of repeated plaintext values. ToBinary exposes raw key material; store it only in a suitable secret store.

Documentation

Index

Constants

View Source 
const (
	// AESSIV64 is byte size of SIV SAES Key which must be twice as long as AES32
	AESSIV64 = 64

	Kind = "saes"
)

Variables

View Source 
var (
	ErrEncryptedDataIsEmpty    = errors.New("encrypted data is empty")
	ErrEncryptedDataIsWrongLen = errors.New("encrypted data is wrong len")
)

Functions

This section is empty.

Types

type SAES 

type SAES struct {
	// contains filtered or unexported fields
}

func FromBinary 

func FromBinary(raw []byte) (*SAES, error)

func NewSAES 

func NewSAES() (*SAES, error)

func (*SAES) Decrypt 

func (a *SAES) Decrypt(ciphertext []byte) ([]byte, error)

func (*SAES) Encrypt 

func (a *SAES) Encrypt(origin []byte) ([]byte, error)

func (*SAES) FromBinary 

func (a *SAES) FromBinary(raw []byte) (localCipher.Cipher, error)

func (*SAES) Kind 

func (a *SAES) Kind() string

func (*SAES) ToBinary 

func (a *SAES) ToBinary() ([]byte, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.