crypt

Documentation

Overview

Package crypt provides cryptographic utilities including encryption, hashing, key derivation, HMAC, and checksum functions.

Index

• func AESGCMDecrypt(ciphertext, key []byte) ([]byte, error)
• func AESGCMEncrypt(plaintext, key []byte) ([]byte, error)
• func ChaCha20Decrypt(ciphertext, key []byte) ([]byte, error)
• func ChaCha20Encrypt(plaintext, key []byte) ([]byte, error)
• func Decrypt(ciphertext, passphrase []byte) ([]byte, error)
• func DecryptAES(ciphertext, passphrase []byte) ([]byte, error)
• func DeriveKey(passphrase, salt []byte, keyLen uint32) []byte
• func DeriveKeyScrypt(passphrase, salt []byte, keyLen int) ([]byte, error)
• func Encrypt(plaintext, passphrase []byte) ([]byte, error)
• func EncryptAES(plaintext, passphrase []byte) ([]byte, error)
• func HKDF(secret, salt, info []byte, keyLen int) ([]byte, error)
• func HMACSHA256(message, key []byte) []byte
• func HMACSHA512(message, key []byte) []byte
• func HashBcrypt(password string, cost int) (string, error)
• func HashPassword(password string) (string, error)
• func SHA256File(path string) (string, error)
• func SHA256Sum(data []byte) string
• func SHA512File(path string) (string, error)
• func SHA512Sum(data []byte) string
• func VerifyBcrypt(password, hash string) (bool, error)
• func VerifyHMAC(message, key, mac []byte, hashFunc func() hash.Hash) bool
• func VerifyPassword(password, hash string) (bool, error)

Functions

func AESGCMDecrypt

func AESGCMDecrypt(ciphertext, key []byte) ([]byte, error)

AESGCMDecrypt decrypts ciphertext encrypted with AESGCMEncrypt. The key must be 32 bytes. Expects the nonce prepended to the ciphertext.

func AESGCMEncrypt

func AESGCMEncrypt(plaintext, key []byte) ([]byte, error)

AESGCMEncrypt encrypts plaintext using AES-256-GCM. The key must be 32 bytes. The nonce is randomly generated and prepended to the ciphertext.

func ChaCha20Decrypt

func ChaCha20Decrypt(ciphertext, key []byte) ([]byte, error)

ChaCha20Decrypt decrypts ciphertext encrypted with ChaCha20Encrypt. The key must be 32 bytes. Expects the nonce prepended to the ciphertext.

func ChaCha20Encrypt

func ChaCha20Encrypt(plaintext, key []byte) ([]byte, error)

ChaCha20Encrypt encrypts plaintext using ChaCha20-Poly1305. The key must be 32 bytes. The nonce is randomly generated and prepended to the ciphertext.

func Decrypt

func Decrypt(ciphertext, passphrase []byte) ([]byte, error)

Decrypt decrypts data encrypted with Encrypt. Expects format: salt (16 bytes) + nonce (24 bytes) + ciphertext.

func DecryptAES

func DecryptAES(ciphertext, passphrase []byte) ([]byte, error)

DecryptAES decrypts data encrypted with EncryptAES. Expects format: salt (16 bytes) + nonce (12 bytes) + ciphertext.

func DeriveKey

func DeriveKey(passphrase, salt []byte, keyLen uint32) []byte

DeriveKey derives a key from a passphrase using Argon2id with default parameters. The salt must be argon2SaltLen bytes. keyLen specifies the desired key length.

func DeriveKeyScrypt

func DeriveKeyScrypt(passphrase, salt []byte, keyLen int) ([]byte, error)

DeriveKeyScrypt derives a key from a passphrase using scrypt. Uses recommended parameters: N=32768, r=8, p=1.

func Encrypt

func Encrypt(plaintext, passphrase []byte) ([]byte, error)

Encrypt encrypts data with a passphrase using ChaCha20-Poly1305. A random salt is generated and prepended to the output. Format: salt (16 bytes) + nonce (24 bytes) + ciphertext.

func EncryptAES

func EncryptAES(plaintext, passphrase []byte) ([]byte, error)

EncryptAES encrypts data using AES-256-GCM with a passphrase. A random salt is generated and prepended to the output. Format: salt (16 bytes) + nonce (12 bytes) + ciphertext.

func HKDF

func HKDF(secret, salt, info []byte, keyLen int) ([]byte, error)

HKDF derives a key using HKDF-SHA256. secret is the input keying material, salt is optional (can be nil), info is optional context, and keyLen is the desired output length.

func HMACSHA256

func HMACSHA256(message, key []byte) []byte

HMACSHA256 computes the HMAC-SHA256 of a message using the given key.

func HMACSHA512

func HMACSHA512(message, key []byte) []byte

HMACSHA512 computes the HMAC-SHA512 of a message using the given key.

func HashBcrypt

func HashBcrypt(password string, cost int) (string, error)

HashBcrypt hashes a password using bcrypt with the given cost. Cost must be between bcrypt.MinCost and bcrypt.MaxCost.

func HashPassword

func HashPassword(password string) (string, error)

HashPassword hashes a password using Argon2id with default parameters. Returns a string in the format: $argon2id$v=19$m=65536,t=3,p=4$<base64salt>$<base64hash>

func SHA256File

func SHA256File(path string) (string, error)

SHA256File computes the SHA-256 checksum of a file and returns it as a hex string.

func SHA256Sum

func SHA256Sum(data []byte) string

SHA256Sum computes the SHA-256 checksum of data and returns it as a hex string.

func SHA512File

func SHA512File(path string) (string, error)

SHA512File computes the SHA-512 checksum of a file and returns it as a hex string.

func SHA512Sum

func SHA512Sum(data []byte) string

SHA512Sum computes the SHA-512 checksum of data and returns it as a hex string.

func VerifyBcrypt

func VerifyBcrypt(password, hash string) (bool, error)

VerifyBcrypt verifies a password against a bcrypt hash.

func VerifyHMAC

func VerifyHMAC(message, key, mac []byte, hashFunc func() hash.Hash) bool

VerifyHMAC verifies an HMAC using constant-time comparison. hashFunc should be sha256.New, sha512.New, etc.

func VerifyPassword

func VerifyPassword(password, hash string) (bool, error)

VerifyPassword verifies a password against an Argon2id hash string. The hash must be in the format produced by HashPassword.