Documentation
Index
- Constants
- func Decrypt[T interface{ ... }](passphrase string, blob []byte) (T, error)
- func Encrypt[T interface{ ... }](passphrase string, plaintext T) ([]byte, error)
- func GeneratePrivateKey() (*rsa.PrivateKey, error)
- func GenerateSalt() ([]byte, error)
- func ParseCertificatePEM(value []byte) (*x509.Certificate, error)
- func ParsePrivateKeyPEM(value []byte, passphrase string) (*rsa.PrivateKey, error)
- func PrivateKeyPEM(key *rsa.PrivateKey) (string, error)
- type Key
- type Passphrases
- func (s *Passphrases) Decrypt(version uint64, ciphertext string) ([]byte, error)
- func (s *Passphrases) DecryptString(version uint64, ciphertext string) (string, error)
- func (s *Passphrases) Encrypt(version uint64, plaintext []byte) (uint64, string, error)
- func (s *Passphrases) EncryptString(version uint64, plaintext string) (uint64, string, error)
- func (s *Passphrases) Get(version uint64) (string, uint64)
- func (s *Passphrases) Keys() []uint64
- func (s *Passphrases) Set(version uint64, passphrase string) error
Constants
const (
	// SaltSize is the length of a random salt in bytes.
	SaltSize = 16
	// MinPassphraseLen is the minimum acceptable passphrase length.
	MinPassphraseLen = 8
)
Variables
This section is empty.
Functions
func Decrypt
func Decrypt[T interface{ ... }](passphrase string, blob []byte) (T, error)
Decrypt splits the salt from the blob, re-derives the key from the passphrase and that salt, and decrypts ciphertext produced by Encrypt. The type parameter controls the return type.
func Encrypt
func Encrypt[T interface{ ... }](passphrase string, plaintext T) ([]byte, error)
Encrypt generates a fresh salt, derives a key from the passphrase, and encrypts the plaintext with AES-256-GCM. The returned blob is laid out as:
	salt (16 bytes) || nonce (12 bytes) || ciphertext + tag
func GeneratePrivateKey
func GeneratePrivateKey() (*rsa.PrivateKey, error)
GeneratePrivateKey creates a new 2048-bit RSA private key suitable for signing tokens.
func GenerateSalt
func GenerateSalt() ([]byte, error)
GenerateSalt returns a cryptographically random 16-byte (SaltSize) salt.
func ParseCertificatePEM
func ParseCertificatePEM(value []byte) (*x509.Certificate, error)
ParseCertificatePEM parses a PEM-encoded X.509 certificate.
func ParsePrivateKeyPEM
func ParsePrivateKeyPEM(value []byte, passphrase string) (*rsa.PrivateKey, error)
ParsePrivateKeyPEM parses a PEM-encoded RSA private key in either PKCS#8 or PKCS#1 format.
func PrivateKeyPEM
func PrivateKeyPEM(key *rsa.PrivateKey) (string, error)
PrivateKeyPEM encodes an RSA private key as PKCS#8 PEM.
Types
type Key
type Key []byte
Key is a 256-bit encryption key derived from a passphrase.
func DeriveKey
DeriveKey derives a 256-bit encryption key from a passphrase and salt using Argon2id.
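As an added illustration (not this package's own code) of the blob layout documented for Encrypt and Decrypt and of the passphrase-plus-salt derivation step DeriveKey describes, the following Go round-trip builds and parses salt || nonce || ciphertext + tag with AES-256-GCM and shows the length check a decoder needs before slicing. It substitutes an inline single-block PBKDF2-HMAC-SHA256 for the package's Argon2id DeriveKey so that it runs on the standard library alone; the function names, constants and iteration count are the example's own assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Blob layout as documented for Encrypt: salt (16) || nonce (12) || ciphertext + tag (16).
const saltSize, nonceSize, tagSize, kdfIters = 16, 12, 16, 100000
// deriveKey stands in for the page's Argon2id DeriveKey: single-block PBKDF2-HMAC-SHA256, inline so no module outside the standard library is needed.
func deriveKey(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	key := make([]byte, 32)                            // one SHA-256 block is the whole AES-256 key
	u := append(append([]byte{}, salt...), 0, 0, 0, 1) // U1 = PRF(P, salt || INT(1))
	for i := 0; i < kdfIters; i++ {                    // Ui = PRF(P, Ui-1); key ^= Ui
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}
// must makes the AES-GCM constructors fatal: with a 32-byte key neither of them can fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// encrypt draws a fresh random salt and nonce per call; Seal appends ciphertext+tag after them.
func encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltSize+nonceSize)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(deriveKey(passphrase, hdr[:saltSize])))))
	return aead.Seal(hdr, hdr[saltSize:], plaintext, nil), nil
}
// decrypt checks the minimum length before slicing; the GCM tag check then rejects a wrong passphrase or any modified byte.
func decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltSize+nonceSize+tagSize {
		return nil, errors.New("blob too short")
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(deriveKey(passphrase, blob[:saltSize])))))
	return aead.Open(nil, blob[saltSize:saltSize+nonceSize], blob[saltSize+nonceSize:], nil)
}
```

Because the salt is stored in the clear at the front of the blob, a wrong passphrase, a truncated blob and a single flipped ciphertext bit all surface as a decrypt error rather than as garbage plaintext.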
type Passphrases
type Passphrases struct {
	// contains filtered or unexported fields
}
Passphrases keeps certificate passphrases in memory keyed by passphrase version. Version 0 is reserved to mean "latest" when retrieving a passphrase, so stored versions must start at 1.
func NewPassphrases
func NewPassphrases() *Passphrases
func (*Passphrases) Decrypt
func (s *Passphrases) Decrypt(version uint64, ciphertext string) ([]byte, error)
Decrypt resolves a passphrase by version and decrypts a base64-encoded ciphertext produced by Encrypt.
func (*Passphrases) DecryptString
func (s *Passphrases) DecryptString(version uint64, ciphertext string) (string, error)
DecryptString resolves a passphrase by version and decrypts a base64-encoded ciphertext to a UTF-8 string.
func (*Passphrases) Encrypt
func (s *Passphrases) Encrypt(version uint64, plaintext []byte) (uint64, string, error)
Encrypt resolves a passphrase by version, encrypts the plaintext, and returns the resolved passphrase version together with the ciphertext encoded as a base64 string.
func (*Passphrases) EncryptString
func (s *Passphrases) EncryptString(version uint64, plaintext string) (uint64, string, error)
EncryptString resolves a passphrase by version, encrypts the plaintext string, and returns the resolved passphrase version together with the ciphertext encoded as a base64 string.
func (*Passphrases) Get
func (s *Passphrases) Get(version uint64) (string, uint64)
Get returns the passphrase and resolved version for a specific version, or the latest passphrase when version is zero. If no passphrase is found, version zero and an empty passphrase are returned.
func (*Passphrases) Keys
func (s *Passphrases) Keys() []uint64
Keys returns all stored passphrase versions in sorted order.