Documentation
¶
Index ¶
- func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, ...) ([]byte, error)
- func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byte, error)
- func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) error
- func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, ...) ([]byte, error)
- type DecryptFunc
- type PSSOptions
- type PrivateKey
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DecryptOAEP ¶
func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error)
DecryptOAEP decrypts ciphertext using RSA-OAEP.
OAEP is parameterised by a hash function that is used as a random oracle. Encryption and decryption of a given message must use the same hash function and sha256.New() is a reasonable choice.
The random parameter, if not nil, is used to blind the private-key operation and avoid timing side-channel attacks. Blinding is purely internal to this function – the random data need not match that used when encrypting.
The label parameter must match the value given when encrypting. See EncryptOAEP for details.
func DecryptPKCS1v15 ¶
DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5. If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
Note that whether this function returns an error or not discloses secret information. If an attacker can cause this function to run repeatedly and learn whether each instance returned an error then they can decrypt and forge signatures as if they had the private key. See DecryptPKCS1v15SessionKey for a way of solving this problem.
func DecryptPKCS1v15SessionKey ¶
func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) error
DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5. If rand != nil, it uses RSA blinding to avoid timing side-channel attacks. It returns an error if the ciphertext is the wrong length or if the ciphertext is greater than the public modulus. Otherwise, no error is returned. If the padding is valid, the resulting plaintext message is copied into key. Otherwise, key is unchanged. These alternatives occur in constant time. It is intended that the user of this function generate a random session key beforehand and continue the protocol with the resulting value. This will remove any possibility that an attacker can learn any information about the plaintext. See “Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1”, Daniel Bleichenbacher, Advances in Cryptology (Crypto '98).
Note that if the session key is too small then it may be possible for an attacker to brute-force it. If they can do that then they can learn whether a random value was used (because it'll be different for the same ciphertext) and thus whether the padding was correct. This defeats the point of this function. Using at least a 16-byte key will protect against this attack.
func SignPSS ¶
func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *rsa.PSSOptions) ([]byte, error)
SignPSS calculates the signature of hashed using RSASSA-PSS [1]. Note that hashed must be the result of hashing the input message using the given hash function. The opts argument may be nil, in which case sensible defaults are used.
Types ¶
type DecryptFunc ¶
DecryptFunc describes an external decrypt function.
type PSSOptions ¶
type PSSOptions struct {
*rsa.PSSOptions
}
PSSOptions is a wrapper around rsa.PSSOptions, because its saltLength function isn't exported.
type PrivateKey ¶
type PrivateKey struct {
rsa.PrivateKey
DecryptFunc DecryptFunc
}
PrivateKey is a wrapper around rsa.PrivateKey and DecryptFunc in an attempt to showcase a possibly way to use RSA encryption with an external private key store.
Source Files