Constants ¶
const (
	// TagBeginSize is the size in bytes of the tag that opens every AcraBlock
	// (NewEmptyAcraBlock fills it in).
	TagBeginSize = 4
	// KeyEncryptionKeyTypeSize is the size in bytes of the marshalled
	// KeyEncryptionBackendType field.
	KeyEncryptionKeyTypeSize = 1
	// KeyEncryptionKeyIDSize is the size in bytes of the key ID written by
	// SetKeyEncryptionKeyID. NOTE(review): at two bytes this presumably serves
	// as a hint for selecting a candidate key rather than a unique identifier;
	// Decrypt is documented to try the supplied keys sequentially — confirm.
	KeyEncryptionKeyIDSize = 2
	// DataEncryptionKeyLengthSize is the size in bytes of the field that holds
	// the length of the encrypted data encryption key (see
	// EncryptedDataEncryptionKeyLength).
	DataEncryptionKeyLengthSize = 2
	// DataEncryptionTypeSize is the size in bytes of the marshalled
	// DataEncryptionBackendType field.
	DataEncryptionTypeSize = 1
	// RestAcraBlockLengthSize is the size in bytes of the field that stores the
	// length of everything after the tag. NOTE(review): the AcraBlock type
	// comment on this page describes this field as LengthOfRestData[4] while
	// the constant here is 8 — confirm which is current.
	RestAcraBlockLengthSize = 8
	// AcraBlockMinSize is the size of the fixed-length header; any input
	// shorter than this cannot be a valid AcraBlock.
	AcraBlockMinSize = TagBeginSize + KeyEncryptionKeyTypeSize + KeyEncryptionKeyIDSize + DataEncryptionKeyLengthSize + DataEncryptionTypeSize + RestAcraBlockLengthSize
)
Set of constants with sizes of each part of AcraBlock
const (
	// RestAcraBlockLengthPosition is the byte offset of the length field; it
	// immediately follows the tag.
	RestAcraBlockLengthPosition = TagBeginSize
	// KeyEncryptionKeyTypePosition is the byte offset of the key encryption
	// backend type (read by KeyEncryptionBackend).
	KeyEncryptionKeyTypePosition = RestAcraBlockLengthPosition + RestAcraBlockLengthSize
	// KeyEncryptionKeyIDPosition is the byte offset of the key ID.
	KeyEncryptionKeyIDPosition = KeyEncryptionKeyTypePosition + KeyEncryptionKeyTypeSize
	// DataEncryptionTypePosition is the byte offset of the data encryption
	// backend type (read by DataEncryptionBackend).
	DataEncryptionTypePosition = KeyEncryptionKeyIDPosition + KeyEncryptionKeyIDSize
	// DataEncryptionKeyLengthPosition is the byte offset of the encrypted
	// data encryption key length field.
	DataEncryptionKeyLengthPosition = DataEncryptionTypePosition + DataEncryptionTypeSize
	// EncryptedDataEncryptionKeyPosition is the byte offset where the
	// encrypted data encryption key begins; the encrypted data follows it.
	EncryptedDataEncryptionKeyPosition = DataEncryptionKeyLengthPosition + DataEncryptionKeyLengthSize
)
AcraBlock length parts constants
// SymmetricDataEncryptionKeyLength is the length in bytes (32 bytes = 256 bits)
// of each new random symmetric data encryption key generated for a new AcraBlock.
const SymmetricDataEncryptionKeyLength = 32
SymmetricDataEncryptionKeyLength size for each new random symmetric key for new AcraBlock
Variables ¶
// ErrDataEncryptionKeyGeneration is returned when a random data encryption key
// cannot be generated from crypto/rand.
var ErrDataEncryptionKeyGeneration = errors.New("can't generate random data encryption key")
ErrDataEncryptionKeyGeneration used when can't generate random key with crypto.Rand
// ErrInvalidAcraBlock is returned when data does not parse as a valid AcraBlock.
var ErrInvalidAcraBlock = errors.New("invalid AcraBlock")
ErrInvalidAcraBlock defines invalid AcraBlock error
Functions ¶
func CreateAcraBlock ¶
CreateAcraBlock constructs an AcraBlock laid out as tag_begin[4] + rest_sum_length[*] + kek_encryption_type[1] + kek_id[2] + data_encryption_type[1] + dek_length[2] + dek + encrypted_data
func CreateAcraBlockWithBackends ¶
func CreateAcraBlockWithBackends(data []byte, key []byte, context []byte, keyEncryptionBackend KeyEncryptionBackendType, dataEncryptionBackend DataEncryptionBackendType) ([]byte, error)
CreateAcraBlockWithBackends creates an AcraBlock using the specified key and data encryption backends
func ProcessAcraBlocks ¶
func ProcessAcraBlocks(ctx context.Context, inBuffer []byte, outBuffer []byte, processor Processor) ([]byte, error)
ProcessAcraBlocks finds AcraBlocks in inBuffer, calls processor on every recognized AcraStruct and writes the result in its place into outBuffer, until the end of inBuffer is reached or processor returns an error. On error it returns inBuffer as is.
Types ¶
type AcraBlock ¶
// AcraBlock is a byte slice made up of consecutive parts:
// TagBegin[TagBeginSize] + LengthOfRestData[RestAcraBlockLengthSize] +
// KeyEncryptionKeyType[KeyEncryptionKeyTypeSize] + KeyEncryptionKeyID[KeyEncryptionKeyIDSize] +
// DataEncryptionType[DataEncryptionTypeSize] + DataEncryptionKeyLength[DataEncryptionKeyLengthSize] +
// EncryptedDataEncryptionKey[*] + EncryptedData[*].
// The offsets of each part are given by the *Position constants.
type AcraBlock []byte
AcraBlock array of several parts: TagBegin[4] + LengthOfRestData[4] + KeyEncryptionKeyType[1] + KeyEncryptionKeyID[2] + DataEncryptionType[1] + DataEncryptionKeyLength[2] + EncryptedDataEncryptionKey[*] + EncryptedData[*]
func ExtractAcraBlockFromData ¶
ExtractAcraBlockFromData returns the AcraBlock stored at the start of data, together with the size in bytes of the parsed AcraBlock
func NewAcraBlockFromData ¶
NewAcraBlockFromData expects the whole of data to be a single AcraBlock; it validates and returns it, or returns an error otherwise
func NewEmptyAcraBlock ¶
NewEmptyAcraBlock creates an empty block of the desired length with TagBegin filled in
func (AcraBlock) DataEncryptionBackend ¶
func (b AcraBlock) DataEncryptionBackend() SymmetricBackend
DataEncryptionBackend reads the SymmetricBackend identified by the byte at DataEncryptionTypePosition
func (AcraBlock) Decrypt ¶
Decrypt decrypts the AcraBlock with the given context, trying each of keys sequentially until one decrypts successfully
func (AcraBlock) EncryptedDataEncryptionKeyLength ¶
EncryptedDataEncryptionKeyLength returns the length of the encrypted data encryption key
func (AcraBlock) KeyEncryptionBackend ¶
func (b AcraBlock) KeyEncryptionBackend() SymmetricBackend
KeyEncryptionBackend reads the SymmetricBackend identified by the byte at KeyEncryptionKeyTypePosition
func (AcraBlock) SetDataEncryptionType ¶
func (b AcraBlock) SetDataEncryptionType(t DataEncryptionBackendType) error
SetDataEncryptionType places the marshalled type into the AcraBlock
func (AcraBlock) SetKeyEncryptionKeyID ¶
func (b AcraBlock) SetKeyEncryptionKeyID(key, context []byte, idGenerator KeyIDGenerator) error
SetKeyEncryptionKeyID places the generated key ID into the AcraBlock
func (AcraBlock) SetKeyEncryptionKeyType ¶
func (b AcraBlock) SetKeyEncryptionKeyType(t KeyEncryptionBackendType) error
SetKeyEncryptionKeyType places the marshalled type into the AcraBlock
type DataEncryptionBackendType ¶
// DataEncryptionBackendType identifies the backend used to encrypt data in an
// AcraBlock; it is stored as a single byte (DataEncryptionTypeSize).
type DataEncryptionBackendType uint8
DataEncryptionBackendType stores the identifier of a known backend used to encrypt data in an AcraBlock
// Set of known backends for data encryption in AcraBlock.
const (
	// DataEncryptionBackendTypeSecureCell selects the SecureCell backend.
	DataEncryptionBackendTypeSecureCell DataEncryptionBackendType = iota
)
Set of known backends for data encryption in AcraBlock
func (DataEncryptionBackendType) MarshalBinary ¶
func (t DataEncryptionBackendType) MarshalBinary() (data []byte, err error)
MarshalBinary encodes the backend type to bytes
type DataEncryptor ¶
// DataEncryptor encrypts data using AcraBlocks; construct it with
// NewDataEncryptor or NewStandaloneDataEncryptor.
type DataEncryptor struct {
// contains filtered or unexported fields
}
DataEncryptor is an encryptor that uses AcraBlocks for encryption
func NewDataEncryptor ¶
func NewDataEncryptor(keyStore keystore.DataEncryptorKeyStore) (*DataEncryptor, error)
NewDataEncryptor returns a new DataEncryptor that uses AcraBlock to encrypt data and may be used by other encryptors
func NewStandaloneDataEncryptor ¶
func NewStandaloneDataEncryptor(keyStore keystore.DataEncryptorKeyStore) (*DataEncryptor, error)
NewStandaloneDataEncryptor returns a new DataEncryptor that uses AcraBlock to encrypt data as a separate OnColumn processor; it checks the passed setting to confirm it is configured only for transparent AcraBlock encryption
func (*DataEncryptor) EncryptWithClientID ¶
func (d *DataEncryptor) EncryptWithClientID(clientID, data []byte, setting config.ColumnEncryptionSetting) ([]byte, error)
EncryptWithClientID encrypts data using an AcraBlock
type KeyEncryptionBackendType ¶
// KeyEncryptionBackendType identifies the backend used to encrypt the
// symmetric data encryption key in an AcraBlock; it is stored as a single
// byte (KeyEncryptionKeyTypeSize).
type KeyEncryptionBackendType uint8
KeyEncryptionBackendType stores the identifier of a known backend used to encrypt symmetric keys in an AcraBlock
// Set of known backends for key encryption.
const (
	// KeyEncryptionBackendTypeSecureCell selects the SecureCell backend.
	KeyEncryptionBackendTypeSecureCell KeyEncryptionBackendType = iota
)
Set of known backends for key encryption
func (KeyEncryptionBackendType) MarshalBinary ¶
func (k KeyEncryptionBackendType) MarshalBinary() (data []byte, err error)
MarshalBinary encodes the backend type to bytes
type KeyIDGenerator ¶
KeyIDGenerator abstracts the logic that generates the ID of the symmetric key placed in an AcraBlock
type Processor ¶
Processor is the callback interface invoked for each recognized AcraStruct; it returns the data that replaces the AcraStruct
type SecureCellSymmetricBackend ¶
// SecureCellSymmetricBackend implements SymmetricBackend on top of the
// SecureCell backend.
type SecureCellSymmetricBackend struct{}
SecureCellSymmetricBackend implements SymmetricBackend using the SecureCell backend
type Sha256KeyIDGenerator ¶
// Sha256KeyIDGenerator generates a key ID by applying the sha256 hash function
// to the key value and context; see GenerateKeyID.
type Sha256KeyIDGenerator struct{}
Sha256KeyIDGenerator generates a key ID by applying the sha256 hash function to the key value and context
func (Sha256KeyIDGenerator) GenerateKeyID ¶
func (s Sha256KeyIDGenerator) GenerateKeyID(key, context []byte) ([]byte, error)
GenerateKeyID generates a sha256 hash from the provided key and context