enc

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 25, 2018 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var ErrAuthorOffCurve = errors.New("author public key point not on expected elliptic curve")

ErrAuthorOffCurve indicates that an author ECDSA private key is is not on the expected curve.

View Source 
var ErrIncompleteKeyDefinition = errors.New("incomplete key definition")

ErrIncompleteKeyDefinition indicates that the key definition function was unable to generate the required number of bytes for the encryption keys.

View Source 
var ErrInsufficientEEKBytes = errors.New("insufficient EEK bytes")

ErrInsufficientEEKBytes indicates when the crypto random number generator is unable to generate the sufficient number of bytes for the EEK key.

View Source 
var ErrReaderOffCurve = errors.New("reader public key point not on expected elliptic curve")

ErrReaderOffCurve indicates that a reader ECDSA public key is is not on the expected curve.

View Source 
var ErrUnexpectedCiphertextMAC = errors.New("unexpected ciphertext MAC")

ErrUnexpectedCiphertextMAC indicates when the ciphertext MAC does not match the expected value.

View Source 
var ErrUnexpectedCiphertextSize = errors.New("unexpected ciphertext size")

ErrUnexpectedCiphertextSize indicates when the ciphertext size does not match the expected value.

View Source 
var ErrUnexpectedMAC = errors.New("unexpected MAC")

ErrUnexpectedMAC occurs when the calculated MAC did not match the expected MAC.

View Source 
var ErrUnexpectedUncompressedMAC = errors.New("unexpected uncompressed MAC")

ErrUnexpectedUncompressedMAC indicates when the uncompressed MAC does not match the expected value.

View Source 
var ErrUnexpectedUncompressedSize = errors.New("unexpected uncompressed size")

ErrUnexpectedUncompressedSize indicates when the uncompressed size does not match the expected value.

Functions

func CheckMACs 

func CheckMACs(ciphertextMAC, uncompressedMAC MAC, md *api.EntryMetadata) error

CheckMACs checks that the ciphertext and uncompressed MACs are consistent with the *api.Metadata.

func HMAC 

func HMAC(p []byte, hmacKey []byte) []byte

HMAC returns the HMAC sum for the given input bytes and HMAC-256 key.

func MarshalEEK 

func MarshalEEK(keys *EEK) []byte

MarshalEEK serializes the EEK to their byte representation.

func MarshalKEK 

func MarshalKEK(keys *KEK) []byte

MarshalKEK serializes the EEK to their byte representation.

Types

type Decrypter 

type Decrypter interface {
	// Decrypt decrypts the ciphertext of a particular page.
	Decrypt(ciphertext []byte, pageIndex uint32) ([]byte, error)
}

Decrypter decrypts a page's ciphertext.

func NewDecrypter 

func NewDecrypter(keys *EEK) (Decrypter, error)

NewDecrypter creates a new Decrypter instance using the encryption keys.

type EEK 

type EEK struct {
	// AESKey is the 32-byte AES-256 key used to encrypt Pages and Entry metadata.
	AESKey []byte

	// PageIVSeed is the 32-byte block cipher initialization vector (IV) seed for Page
	// enc.
	PageIVSeed []byte

	// HMACKey is the 32-byte key used for Page HMAC-256 calculations.
	HMACKey []byte

	// MetadataIV is the 12-byte IV for the Entry metadata block cipher.
	MetadataIV []byte
}

EEK (entry encryption keys) are used to encrypt an Entry and its Pages.

func NewEEK 

func NewEEK() (*EEK, error)

NewEEK generates a *EEK instance using the private and public ECDSA keys.

func NewPseudoRandomEEK 

func NewPseudoRandomEEK(rng *mrand.Rand) *EEK

NewPseudoRandomEEK generates a new *EEK instance from a random number generator for use in testing.

func UnmarshalEEK 

func UnmarshalEEK(x []byte) (*EEK, error)

UnmarshalEEK deserializes the EEK from its byte representation.

type EncryptedMetadata 

type EncryptedMetadata struct {
	Ciphertext    []byte
	CiphertextMAC []byte
}

EncryptedMetadata contains both the ciphertext and ciphertext MAC involved in encrypting an *api.EntryMetadata instance.

func NewEncryptedMetadata 

func NewEncryptedMetadata(ciphertext, ciphertextMAC []byte) (*EncryptedMetadata, error)

NewEncryptedMetadata creates a new *EncryptedMetadata instance if the ciphertext and ciphertextMAC are valid.

type Encrypter 

type Encrypter interface {
	// Encrypt encrypts the given plaintext for a given pageIndex, returning the ciphertext.
	Encrypt(plaintext []byte, pageIndex uint32) ([]byte, error)
}

Encrypter encrypts (compressed) plaintext of a page.

func NewEncrypter 

func NewEncrypter(keys *EEK) (Encrypter, error)

NewEncrypter creates a new Encrypter using the encryption keys.

type EntryMetadataEncrypter added in v0.2.0 

type EntryMetadataEncrypter interface {
	// EncryptMetadata encrypts an *api.EntryMetadata instance using the AES key and the MetadataIV
	// key for the MAC.
	Encrypt(m *api.EntryMetadata, keys *EEK) (*EncryptedMetadata, error)
}

EntryMetadataEncrypter encrypts *api.EntryMetadata.

type KEK 

type KEK struct {
	// AESKey is the 32-byte AES-256 key used to encrypt the EEK.
	AESKey []byte

	// IV is the 12-byte block cipher initialization vector (IV) seed.
	IV []byte

	// HMACKey is the 32-byte key used for the EEK ciphertext HMAC-256.
	HMACKey []byte
}

KEK (key encryption keys) are used to encrypt an EEK.

func NewKEK 

func NewKEK(priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey) (*KEK, error)

NewKEK generates a new *KEK instance from the shared secret between a random ECDSA private and separate ECDSA public key.

func NewPseudoRandomKEK 

func NewPseudoRandomKEK(rng *mrand.Rand) (*KEK, []byte, []byte)

NewPseudoRandomKEK generates a new *KEK instance from a random number generator for use in testing.

func UnmarshalKEK 

func UnmarshalKEK(x []byte) (*KEK, error)

UnmarshalKEK deserializes the KEK from its byte representation.

func (*KEK) Decrypt 

func (kek *KEK) Decrypt(eekCiphertext []byte, eekCiphertextMAC []byte) (*EEK, error)

Decrypt checkes the EEK ciphertext MAC and decrypts it to a an EEK.

func (*KEK) Encrypt 

func (kek *KEK) Encrypt(eek *EEK) ([]byte, []byte, error)

Encrypt encrypts the EEK, returning the EEK ciphertext and ciphertext MAC.

type MAC 

type MAC interface {
	io.Writer

	// Sum returns the MAC after writing the given bytes.
	Sum(in []byte) []byte

	// Reset resets the MAC.
	Reset()

	// MessageSize returns the total number of digested bytes.
	MessageSize() uint64
}

MAC wraps a hash function to return a message authentication code (MAC) and the total number of bytes it has digested.

func NewHMAC 

func NewHMAC(hmacKey []byte) MAC

NewHMAC returns a MAC internally using an HMAC-256 with a a given key.

type MetadataDecrypter 

type MetadataDecrypter interface {
	// Decrypt decrypts an *EncryptedMetadata instance, using the AES key and the MetadataIV
	// key. It returns UnexpectedMACErr if the calculated ciphertext MAC does not match the
	// expected ciphertext MAC.
	Decrypt(em *EncryptedMetadata, keys *EEK) (*api.EntryMetadata, error)
}

MetadataDecrypter decrypts *EncryptedMetadata.

type MetadataEncrypterDecrypter 

type MetadataEncrypterDecrypter interface {
	EntryMetadataEncrypter
	MetadataDecrypter
}

MetadataEncrypterDecrypter encrypts *api.EntryMetadata and decrypts *EncryptedMetadata.

func NewMetadataEncrypterDecrypter 

func NewMetadataEncrypterDecrypter() MetadataEncrypterDecrypter

NewMetadataEncrypterDecrypter creates a new MetadataEncrypterDecrypter.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.