client

package v0.0.0-...-ce7e112
Published: Jan 3, 2024 License: Apache-2.0, BSD-2-Clause, BSD-3-Clause, + 2 more Imports: 29 Imported by: 0

Documentation

Overview

Package client is the client library for STET.


Constants

This section is empty.

Variables

var STETMagic = [13]byte{'S', 'T', 'E', 'T', 'E', 'N', 'C', 'R', 'Y', 'P', 'T', 'E', 'D'}

STETMagic is the magic string for a STET encrypted file header ("STETENCRYPTED").

Functions

func AeadDecrypt

func AeadDecrypt(key shares.DEK, input io.Reader, output io.Writer, aad []byte) error

AeadDecrypt uses the provided key and AAD to decrypt the ciphertext passed in via `input`, writing the plaintext to `output`.

func AeadEncrypt

func AeadEncrypt(key shares.DEK, input io.Reader, output io.Writer, aad []byte) error

AeadEncrypt uses the provided key and AAD to encrypt the plaintext passed in via `input`, writing the output to `output`.

func MetadataToAAD

func MetadataToAAD(md *configpb.Metadata) ([]byte, error)

MetadataToAAD processes metadata to use as AAD for AEAD Encryption. The serialization scheme is as follows (given n := len(md.shares)):

len(md.shares[0].wrappedShare)      || md.shares[0].wrappedShare
|| len(md.shares[0].hash)           || md.shares[0].hash
...
|| len(md.shares[n-1].wrappedShare) || md.shares[n-1].wrappedShare
|| len(md.shares[n-1].hash)         || md.shares[n-1].hash
|| len(md.blobID)                   || md.blobID

Note that KeyConfig is explicitly omitted from the serialization, as its presence is not important to the AAD.
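The following is an added example, not code from the STET project: it models the length-prefixed AAD serialization described above over a hypothetical `Metadata` struct (a stand-in for `configpb.Metadata`, with `KeyConfig` left out as the scheme requires) and then binds that AAD to an AES-256-GCM encryption in the manner of `AeadEncrypt`/`AeadDecrypt`. The width and byte order of the length prefix (4-byte big-endian) are an assumption of this example; the page does not state them. The example also shows why the prefixes matter: two different share layouts that collide under plain concatenation serialize to distinct AAD, so ciphertext sealed under one set of metadata does not open under the other.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Share is a hypothetical stand-in for one entry of configpb.Metadata.shares.
type Share struct {
	WrappedShare []byte
	Hash         []byte
}

// Metadata is a hypothetical stand-in for configpb.Metadata. KeyConfig is
// deliberately absent: the documented scheme omits it from the AAD.
type Metadata struct {
	Shares []Share
	BlobID string
}

// putField appends len(b) as a 4-byte big-endian prefix followed by b.
// Prefix width and byte order are assumptions of this example.
func putField(buf *bytes.Buffer, b []byte) error {
	if uint64(len(b)) > math.MaxUint32 {
		return errors.New("field too long for 32-bit length prefix")
	}
	if err := binary.Write(buf, binary.BigEndian, uint32(len(b))); err != nil {
		return err
	}
	_, err := buf.Write(b)
	return err
}

// metadataToAAD follows the documented order: for each share its wrappedShare
// then its hash, each length-prefixed, and finally the length-prefixed blobID.
func metadataToAAD(md *Metadata) ([]byte, error) {
	var buf bytes.Buffer
	for _, s := range md.Shares {
		if err := putField(&buf, s.WrappedShare); err != nil {
			return nil, err
		}
		if err := putField(&buf, s.Hash); err != nil {
			return nil, err
		}
	}
	if err := putField(&buf, []byte(md.BlobID)); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// naiveConcat is the encoding the length prefixes protect against: fields are
// glued together, so differently shaped metadata can produce identical bytes.
func naiveConcat(md *Metadata) []byte {
	var out []byte
	for _, s := range md.Shares {
		out = append(out, s.WrappedShare...)
		out = append(out, s.Hash...)
	}
	return append(out, []byte(md.BlobID)...)
}

// aeadSeal encrypts plaintext with AES-256-GCM, binding aad to the result.
// The random nonce is prepended to the ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to ciphertext or aad makes it fail.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample metadata: same bytes overall, different share boundaries.
	a := &Metadata{Shares: []Share{{WrappedShare: []byte("ab"), Hash: []byte("c")}}, BlobID: "blob-1"}
	b := &Metadata{Shares: []Share{{WrappedShare: []byte("a"), Hash: []byte("bc")}}, BlobID: "blob-1"}
	fmt.Println("naive encodings collide:", bytes.Equal(naiveConcat(a), naiveConcat(b)))
	aadA, _ := metadataToAAD(a)
	aadB, _ := metadataToAAD(b)
	fmt.Println("length-prefixed AAD collide:", bytes.Equal(aadA, aadB))

	key := make([]byte, 32) // constructed demo key, not a real DEK
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := aeadSeal(key, []byte("payload"), aadA)
	_, err := aeadOpen(key, sealed, aadB)
	fmt.Println("opening under the other metadata fails:", err != nil)
}
```

The collision shown by `naiveConcat` is the canonicalization problem the documented scheme avoids: without per-field lengths, an attacker who can rewrite metadata could move bytes between `wrappedShare` and `hash` without changing the AAD, and the AEAD tag would still verify.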

func PrivateKeyForRSAFingerprint

func PrivateKeyForRSAFingerprint(kek *configpb.KekInfo, keys *configpb.AsymmetricKeys) (*rsa.PrivateKey, error)

PrivateKeyForRSAFingerprint iterates through the private keys defined in `keys`, searching for one that matches `kek`. If one is found, it is returned; otherwise nil is returned.

func PublicKeyForRSAFingerprint

func PublicKeyForRSAFingerprint(kek *configpb.KekInfo, keys *configpb.AsymmetricKeys) (*rsa.PublicKey, error)

PublicKeyForRSAFingerprint iterates through the public keys defined in `keys`, searching for one that matches `kek`. If one is found, it is returned; otherwise nil is returned.

func ReadMetadata

func ReadMetadata(input io.Reader) (*configpb.Metadata, error)

ReadMetadata parses and returns metadata from the input.

func WriteSTETHeader

func WriteSTETHeader(output io.Writer, metadataLen int) error

WriteSTETHeader writes a STET encrypted file header with the given properties to `output`.

Types

type STETHeader

type STETHeader struct {
	Magic       [13]byte // len(STETMagic) == 13
	Version     uint8    // 1 byte
	MetadataLen uint16   // 2 bytes
}

STETHeader is the file header for the encrypted STET file format.

func ReadSTETHeader

func ReadSTETHeader(input io.Reader) (*STETHeader, error)

ReadSTETHeader reads a STET encrypted file header from `input`, returning a STETHeader.
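An added example, not the project's own `WriteSTETHeader`/`ReadSTETHeader`: it writes and parses the 16-byte header laid out by `STETHeader` (13-byte magic, 1-byte version, 2-byte metadata length) and then reads exactly `MetadataLen` bytes of metadata after it. The byte order of `MetadataLen` (big-endian) and the version value (1) are assumptions of this example; the page gives neither. The reader rejects a wrong magic, an unknown version, and truncated input before trusting the length field, which is the check a parser of untrusted files needs.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math"
)

// stetMagic matches the documented STETMagic value ("STETENCRYPTED").
var stetMagic = [13]byte{'S', 'T', 'E', 'T', 'E', 'N', 'C', 'R', 'Y', 'P', 'T', 'E', 'D'}

// headerVersion is an assumed value for this example; the page does not state it.
const headerVersion uint8 = 1

// headerSize is the fixed on-disk size: 13 + 1 + 2 bytes.
const headerSize = 16

// stetHeader mirrors the documented STETHeader layout.
type stetHeader struct {
	Magic       [13]byte
	Version     uint8
	MetadataLen uint16
}

// writeHeader emits the header for a metadata blob of metadataLen bytes.
// Big-endian encoding of MetadataLen is an assumption of this example.
func writeHeader(w io.Writer, metadataLen int) error {
	if metadataLen < 0 || metadataLen > math.MaxUint16 {
		return fmt.Errorf("metadata length %d does not fit in uint16", metadataLen)
	}
	h := stetHeader{Magic: stetMagic, Version: headerVersion, MetadataLen: uint16(metadataLen)}
	return binary.Write(w, binary.BigEndian, h)
}

// readHeader parses and validates a header. binary.Read uses io.ReadFull, so a
// short input surfaces as io.ErrUnexpectedEOF rather than a half-filled struct.
func readHeader(r io.Reader) (*stetHeader, error) {
	var h stetHeader
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return nil, fmt.Errorf("reading STET header: %w", err)
	}
	if h.Magic != stetMagic {
		return nil, errors.New("not a STET encrypted file: bad magic")
	}
	if h.Version != headerVersion {
		return nil, fmt.Errorf("unsupported STET header version %d", h.Version)
	}
	return &h, nil
}

// readMetadataBlob reads the header and then exactly MetadataLen bytes, the
// region ReadMetadata would parse. The remaining stream is the ciphertext.
func readMetadataBlob(r io.Reader) ([]byte, error) {
	h, err := readHeader(r)
	if err != nil {
		return nil, err
	}
	md := make([]byte, h.MetadataLen)
	if _, err := io.ReadFull(r, md); err != nil {
		return nil, fmt.Errorf("metadata truncated: %w", err)
	}
	return md, nil
}

func main() {
	metadata := []byte("constructed-serialized-metadata") // stands in for a serialized configpb.Metadata
	var file bytes.Buffer
	if err := writeHeader(&file, len(metadata)); err != nil {
		panic(err)
	}
	file.Write(metadata)
	file.WriteString("ciphertext-follows")

	md, err := readMetadataBlob(bytes.NewReader(file.Bytes()))
	fmt.Printf("metadata: %q err: %v\n", md, err)

	_, err = readHeader(bytes.NewReader([]byte("PLAINTEXTFILE...")))
	fmt.Println("non-STET input rejected:", err != nil)
}
```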

type StetClient

type StetClient struct {

	// Whether to skip verification of the inner TLS session cert.
	InsecureSkipVerify bool

	// The version of STET, if set. This is used to construct user agent
	// strings for Cloud KMS requests.
	Version string
	// contains filtered or unexported fields
}

StetClient provides Encryption and Decryption services through the Split Trust Encryption Tool.

func (*StetClient) Decrypt

func (c *StetClient) Decrypt(ctx context.Context, input io.Reader, output io.Writer, stetConfig *configpb.StetConfig) (*StetMetadata, error)

Decrypt writes the decrypted data to the `output` writer, and returns the key URIs used during decryption and the blob ID decrypted.

func (*StetClient) Encrypt

func (c *StetClient) Encrypt(ctx context.Context, input io.Reader, output io.Writer, stetConfig *configpb.StetConfig, blobID string) (*StetMetadata, error)

Encrypt generates a DEK and creates EncryptedData in accordance with the EKM encryption protocol.

type StetMetadata

type StetMetadata struct {
	KeyUris []string
	BlobID  string
}

StetMetadata represents metadata associated with data encrypted/decrypted by the client.

Directories

Package cloudkms contains utilities for communicating with CloudKMS.
Package confidentialspace defines methods for integration with Confidential Space.
Package ekmclient defines an HTTP client for contacting Confidential EKM services.
Package jwt contains utility functions for generating JWTs from a service account.
Package securesession defines a client for making RPC calls to the SecureSession service.
Package shares contains functions for processing DEK shares.
Package testutil contains utilities for unit tests.
Package vpc contains utilities for handling VPC-protected keys.
