encryptor

package
v1.2.0
Published: Jan 29, 2017 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package encryptor implements various encryption methods for use with cryptic.

Everything in this package implements the EncryptDecryptor interface.

See the KMS implementation for an example of how encryptors can be chained together to create layered solutions.

Where suitable, implementors of the EncryptDecryptor interface should return the errors defined in this package.

Encryptors must support binary secrets.

Index

Constants

const (
	Nop uint8 = iota
	AESCTR
	KMSWrapped
	Pbkdf2
	AESGCM
)

Used to identify different Encryptor types

Variables

var (
	// ErrWrongType indicates an EncryptedData struct was created with a
	// different Encryptor than the one being used to decrypt.
	ErrWrongType = errors.New("encryptor: wrong encryptor type")

	// ErrInvalidHmac indicates message authentication has failed.
	ErrInvalidHmac = errors.New("encryptor: invalid HMAC")

	// ErrKeyTooShort indicates the encryption key provided is too short to be
	// useful.
	ErrKeyTooShort = errors.New("encryptor: key provided is too short")

	// ErrHmacKeyTooShort indicates the HMAC key is too short to be useful.
	ErrHmacKeyTooShort = errors.New("encryptor: HMAC key is required")

	// ErrInvalidCiphertext indicates the ciphertext cannot be decrypted.
	ErrInvalidCiphertext = errors.New("encryptor: invalid ciphertext")

	// ErrMissingContext indicates required contextual data is missing.
	ErrMissingContext = errors.New("encryptor: missing required context data")
)

Functions

This section is empty.

Types

type AESCTREncryptor

type AESCTREncryptor struct {
	// contains filtered or unexported fields
}

AESCTREncryptor provides AES encryption of secrets with SHA-256 used for message authentication.

func NewAES

func NewAES(aesKey, hmacKey []byte) (*AESCTREncryptor, error)

NewAES returns an initialised Encryptor using AES in CTR (counter) mode and SHA-256 for message authentication.

func (*AESCTREncryptor) Decrypt

func (e *AESCTREncryptor) Decrypt(data *EncryptedData) ([]byte, error)

Decrypt checks that data was created by AESCTREncryptor, validates the HMAC in constant time (to prevent a timing side-channel and to detect any corruption of the ciphertext), and then decrypts the cipher-text, returning the original plain-text.

func (*AESCTREncryptor) Encrypt

func (e *AESCTREncryptor) Encrypt(secret []byte) (*EncryptedData, error)

Encrypt generates a unique IV for each encryption, and encrypts the plain-text secret with the configured AES key.

An HMAC is then generated using SHA-256 with the configured HMAC key.

type AESGCMEncryptor added in v1.2.0

type AESGCMEncryptor struct {
	// contains filtered or unexported fields
}

AESGCMEncryptor provides AES encryption of secrets using GCM (Galois Counter Mode) to ensure data integrity.

func NewAESGCM added in v1.2.0

func NewAESGCM(aesKey []byte) (*AESGCMEncryptor, error)

NewAESGCM returns an initialised Encryptor using AES with GCM (Galois Counter Mode) to ensure data integrity.

func (*AESGCMEncryptor) Decrypt added in v1.2.0

func (e *AESGCMEncryptor) Decrypt(data *EncryptedData) ([]byte, error)

Decrypt ensures data was encrypted with AESGCMEncryptor before decrypting the cipher-text (which also ensures data integrity) and returning the plain-text.

func (*AESGCMEncryptor) Encrypt added in v1.2.0

func (e *AESGCMEncryptor) Encrypt(plaintext []byte) (*EncryptedData, error)

Encrypt generates a unique nonce for each encryption, and encrypts the plain-text secret with the configured AES key.

type Decryptor

type Decryptor interface {
	Decrypt(data *EncryptedData) ([]byte, error)
}

Decryptor defines the Decrypt method, used to decrypt the given cipher-text.

type EncryptDecryptor

type EncryptDecryptor interface {
	Encryptor
	Decryptor
}

EncryptDecryptor defines the methods used by our encryptor structs.

type EncryptedData

type EncryptedData struct {
	Ciphertext []byte
	HMAC       []byte
	Type       uint8
	Context    map[string]interface{}
}

EncryptedData holds the result of a call to Encrypt(), where Ciphertext is the encrypted input, HMAC is the Encryptor-designated hash (typically SHA512) of Ciphertext, and Context provides Encryptor-specific information for decryption.

Context should not hold any secret information, as the entire EncryptedData struct is stored in plain-text by the storage back-end.

func (EncryptedData) MarshalBinary

func (e EncryptedData) MarshalBinary() ([]byte, error)

MarshalBinary returns the EncryptedData struct encoded into a slice of bytes using Gob.

func (*EncryptedData) UnmarshalBinary

func (e *EncryptedData) UnmarshalBinary(data []byte) error

UnmarshalBinary returns an EncryptedData struct decoded from a slice of bytes using Gob.

type EncryptionProvider

type EncryptionProvider func(key []byte) (EncryptDecryptor, error)

EncryptionProvider implementers should return an initialised Encryptor, where key is the key material for initialisation.

type Encryptor

type Encryptor interface {
	Encrypt(secret []byte) (*EncryptedData, error)
}

Encryptor defines the Encrypt method, used to encrypt the given plain-text.

type KDF added in v1.1.0

type KDF struct {
	Provider   EncryptionProvider
	SaltSize   int
	Iterations int
	SourceKey  []byte
}

KDF implements PBKDF2, deriving a key using SHA-512 and passing it to Provider.

By default Provider is AES-512.

func NewKDF added in v1.1.0

func NewKDF(sourceKey []byte) (*KDF, error)

NewKDF by default returns an AESCTR struct that has been wrapped with KDF, enabling PBKDF2 support.

func (KDF) Decrypt added in v1.1.0

func (e KDF) Decrypt(data *EncryptedData) ([]byte, error)

Decrypt uses values stored in Context to derive the key material from SourceKey, and passes it to the Encryptor provided by Provider.

func (KDF) Encrypt added in v1.1.0

func (e KDF) Encrypt(secret []byte) (*EncryptedData, error)

Encrypt uses the Encryptor returned by Provider, supplying it with key material derived from SourceKey using SHA-512.

type KMS

type KMS struct {
	KeySize  int64
	Provider EncryptionProvider
	// contains filtered or unexported fields
}

KMS is used to wrap the output of any other Encryptor using Amazon KMS, by default using AES-256.

func NewKMS

func NewKMS(keyID, region string) *KMS

NewKMS returns an initialised Encryptor using Amazon KMS to wrap the underlying Encryptor's keys used to encrypt secrets.

By default, KMS uses AESCTREncryptor with a 32 byte key (AES-256).

func (*KMS) Decrypt

func (e *KMS) Decrypt(data *EncryptedData) ([]byte, error)

Decrypt decrypts the embedded encryption key using Amazon KMS, and then passes the plain-text key to the EncryptionProvider to decrypt the secret.

func (*KMS) Encrypt

func (e *KMS) Encrypt(secret []byte) (*EncryptedData, error)

Encrypt generates a new encryption key using Amazon KMS, passing it to the configured EncryptionProvider as the encryption key to encrypt the secret.

type NopEncryptor

type NopEncryptor struct{}

NopEncryptor returns an EncryptedData struct that is not encrypted in any way, for development purposes.

It does nothing! It should not be used for production, obviously.

func (NopEncryptor) Decrypt

func (e NopEncryptor) Decrypt(data *EncryptedData) ([]byte, error)

Decrypt extracts the plain-text secret from data.

func (NopEncryptor) Encrypt

func (e NopEncryptor) Encrypt(secret []byte) (*EncryptedData, error)

Encrypt does nothing! It simply returns an initialised EncryptedData struct with NO ENCRYPTION.

Don't use it for anything other than tests. Seriously.
