Constants ¶
// Frame-size bounds and the block size that ValidateFrameLength checks against.
const (
	// MinFrameSize is the minimum allowed frame size.
	MinFrameSize = int(128)
	// MaxFrameSize is the maximum allowed frame size, which is math.MaxInt32.
	MaxFrameSize = math.MaxInt32
	// BlockSize is aes.BlockSize expressed in bits (16 * 8).
	// NOTE(review): the value is documented in bits, but ValidateFrameLength's
	// documentation appears to apply it as a divisor of a frame length counted
	// in bytes — confirm which unit the multiple-of check is meant to enforce.
	BlockSize = int(128)
)
Variables ¶
// Registered algorithm suites. Each is built from a 16-bit algorithm ID, an
// encryption suite, the message format version it serializes to, a KDF hash
// selector and a signing (authentication) suite selector.
var (
	// Suites without key derivation and without signing, message format V1.
	AES_128_GCM_IV12_TAG16 = newAlgorithmSuite(0x0014, aes_128_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE)
	AES_192_GCM_IV12_TAG16 = newAlgorithmSuite(0x0046, aes_192_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE)
	AES_256_GCM_IV12_TAG16 = newAlgorithmSuite(0x0078, aes_256_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE)

	// HKDF-SHA256 suites without signing, message format V1.
	AES_128_GCM_IV12_TAG16_HKDF_SHA256 = newAlgorithmSuite(0x0114, aes_128_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE)
	AES_192_GCM_IV12_TAG16_HKDF_SHA256 = newAlgorithmSuite(0x0146, aes_192_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE)
	AES_256_GCM_IV12_TAG16_HKDF_SHA256 = newAlgorithmSuite(0x0178, aes_256_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE)

	// HKDF plus ECDSA signing suites, message format V1.
	// NOTE(review): the suite names and KDF selectors for 0x0346 and 0x0378 say
	// SHA384, but the signing selector passed is authSuite_SHA256_ECDSA_P384 —
	// confirm the identifier's name matches the signature hash actually used
	// (the same selector is reused for 0x0578 below).
	AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 = newAlgorithmSuite(0x0214, aes_128_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_SHA256_ECDSA_P256)
	AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 = newAlgorithmSuite(0x0346, aes_192_GCM_IV12_TAG16, V1, hkdf_SHA384, authSuite_SHA256_ECDSA_P384)
	AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 = newAlgorithmSuite(0x0378, aes_256_GCM_IV12_TAG16, V1, hkdf_SHA384, authSuite_SHA256_ECDSA_P384)

	// Key-committing suites (per their names), HKDF-SHA512, message format V2.
	AES_256_GCM_HKDF_SHA512_COMMIT_KEY            = newAlgorithmSuite(0x0478, aes_256_GCM_IV12_TAG16, V2, hkdf_SHA512, authSuite_NONE)
	AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 = newAlgorithmSuite(0x0578, aes_256_GCM_IV12_TAG16, V2, hkdf_SHA512, authSuite_SHA256_ECDSA_P384)
)
// Algorithm is the package-level value of the unexported algorithm type; its
// fields and methods are not shown on this page.
var Algorithm algorithm

// ErrAlgorithmSuite is the sentinel error for algorithm suite failures;
// presumably callers match it with errors.Is — verify against the call sites.
var ErrAlgorithmSuite = errors.New("algorithm suite error")
Functions ¶
func NewEncryptionSuite ¶
func NewEncryptionSuite(algorithm encAlgorithm, mode cipherMode, dataKeyLen, ivLen, authLen int) encryptionSuite
func NewKdfSuite ¶
func ValidateCommitmentPolicy ¶ added in v0.2.0
func ValidateCommitmentPolicy(p CommitmentPolicy) error
func ValidateContentType ¶ added in v0.2.0
func ValidateContentType(t ContentType) error
func ValidateFrameLength ¶ added in v0.2.0
ValidateFrameLength validates the length of a frame. It checks if the frame length is within the allowed range and if it is a multiple of the block size of the crypto algorithm.
If the frame length is out of range or not a multiple of the BlockSize (128), an error is returned. The allowed minimum frame size is MinFrameSize (128).
The allowed maximum frame size is MaxFrameSize, the maximum value of a signed 32-bit integer.
The block size of the crypto algorithm is BlockSize (128).
func ValidateMessageVersion ¶ added in v0.2.0
Types ¶
type AlgorithmSuite ¶
// AlgorithmSuite bundles the parameters of one registered algorithm suite
// (see the AES_* package variables).
type AlgorithmSuite struct {
	// AlgorithmID is the 16-bit suite identifier (for example 0x0014 or 0x0578).
	AlgorithmID uint16
	// EncryptionSuite selects the cipher, mode and the data-key, IV and
	// authentication-tag lengths (see NewEncryptionSuite).
	EncryptionSuite encryptionSuite
	// MessageFormatVersion is the message format version (V1 or V2) the suite uses.
	MessageFormatVersion MessageFormatVersion
	// KDFSuite is the key-derivation configuration (see NewKdfSuite).
	KDFSuite kdfSuite
	// Authentication is the signing suite selector; presumably what IsSigning reports on.
	Authentication authenticationSuite
	// contains filtered or unexported fields
}
func (*AlgorithmSuite) AlgorithmSuiteDataLen ¶
func (as *AlgorithmSuite) AlgorithmSuiteDataLen() int
func (*AlgorithmSuite) GoString ¶
func (as *AlgorithmSuite) GoString() string
func (*AlgorithmSuite) IDBytes ¶
func (as *AlgorithmSuite) IDBytes() []byte
func (*AlgorithmSuite) IDString ¶ added in v0.2.0
func (as *AlgorithmSuite) IDString() string
func (*AlgorithmSuite) IsCommitting ¶
func (as *AlgorithmSuite) IsCommitting() bool
func (*AlgorithmSuite) IsKDFSupported ¶ added in v0.2.0
func (as *AlgorithmSuite) IsKDFSupported() bool
func (*AlgorithmSuite) IsSigning ¶
func (as *AlgorithmSuite) IsSigning() bool
func (*AlgorithmSuite) MessageIDLen ¶
func (as *AlgorithmSuite) MessageIDLen() int
func (*AlgorithmSuite) Name ¶
func (as *AlgorithmSuite) Name() string
func (*AlgorithmSuite) String ¶
func (as *AlgorithmSuite) String() string
type CommitmentPolicy ¶
// CommitmentPolicy selects whether key-committing suites are forbidden,
// allowed or required on encrypt and on decrypt, as the constant names state.
type CommitmentPolicy int8

// NOTE(review): as rendered, the first constant carries no initializer while the
// trailing comments number the policies 1..3 — confirm the source declares
// `= iota + 1` (as MessageFormatVersion does) so the numbering matches.
const (
	CommitmentPolicyForbidEncryptAllowDecrypt    CommitmentPolicy // 1 - FORBID_ENCRYPT_ALLOW_DECRYPT
	CommitmentPolicyRequireEncryptAllowDecrypt                    // 2 - REQUIRE_ENCRYPT_ALLOW_DECRYPT
	CommitmentPolicyRequireEncryptRequireDecrypt                  // 3 - REQUIRE_ENCRYPT_REQUIRE_DECRYPT
)
func (CommitmentPolicy) GoString ¶
func (cp CommitmentPolicy) GoString() string
func (CommitmentPolicy) String ¶
func (cp CommitmentPolicy) String() string
type ContentAADString ¶
// ContentAADString is a fixed string associated with a frame; presumably it is
// fed into the frame's additional authenticated data — confirm against the caller.
type ContentAADString string

// Distinct strings for body frames and for the final frame.
const (
	ContentAADFrame      ContentAADString = "AWSKMSEncryptionClient Frame"
	ContentAADFinalFrame ContentAADString = "AWSKMSEncryptionClient Final Frame"
)
type ContentType ¶
// ContentType distinguishes non-framed from framed body content.
type ContentType uint8

// Content type values; ValidateContentType accepts a ContentType.
const (
	NonFramedContent ContentType = 0x01
	FramedContent    ContentType = 0x02
)
type EncryptionContext ¶
EncryptionContext represents a map of string key-value pairs that are used to store contextual information for encryption operations.
func (EncryptionContext) Serialize ¶
func (ec EncryptionContext) Serialize() []byte
Serialize transforms the EncryptionContext into a byte slice. The serialized format prepends the length of each key and value as a 2-byte big-endian integer. Keys are sorted to ensure deterministic output. The function accounts for the additional keyValueBytes for each key-value pair when estimating the buffer size to minimize reallocations.
The serialization format is as follows for each key-value pair:
[keyLength][key][valueLength][value]
- keyLength: 2 bytes holding the length of the key as a big-endian integer
- key: the bytes of the key
- valueLength: 2 bytes holding the length of the value as a big-endian integer
- value: the bytes of the value
Serialization ensures that keys are sorted and the output is consistent for the same EncryptionContext content.
Returns:
[]byte: A byte slice representing the serialized EncryptionContext.
Example:
ec := EncryptionContext{"user": "Alice", "purpose": "encryption"}
serialized := ec.Serialize()
The output is a byte slice in which each key and each value is preceded by its length.
type MessageFormatVersion ¶ added in v0.2.0
// MessageFormatVersion is the message format version an AlgorithmSuite uses;
// ValidateMessageVersion takes the raw uint8 value.
type MessageFormatVersion uint8

// Known versions; numbering starts at 1.
const (
	V1 MessageFormatVersion = iota + 1 // 1 is V1 MessageFormatVersion
	V2                                 // 2 is V2 MessageFormatVersion
)
type MessageType ¶ added in v0.2.0
// MessageType identifies the kind of message; only one value is declared here.
type MessageType int

const (
	CustomerAEData MessageType = 128 // 128 is 80 in hex
)