decrypt

package
v0.0.0-...-2a87563 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 22, 2022 License: LGPL-3.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// MetaBucket is the s3 bucket name
	MetaBucket = "X-FrogHub-Internal-Bucket"

	// MetaObject is the s3 object name
	MetaObject = "X-FrogHub-Internal-Object"

	// MetaIV is the random initialization vector (IV) used for
	// the FrogHub-internal key derivation.
	MetaIV = "X-FrogHub-Internal-Server-Side-Encryption-Iv"

	// MetaAlgorithm is the algorithm used to derive internal keys
	// and encrypt the objects.
	MetaAlgorithm = "X-FrogHub-Internal-Server-Side-Encryption-Seal-Algorithm"

	// MetaSealedKeyKMS is the sealed object encryption key in case of SSE-KMS
	MetaSealedKeyKMS = "X-FrogHub-Internal-Server-Side-Encryption-Kms-Sealed-Key"

	// MetaKeyID is the KMS master key ID used to generate/encrypt the data
	// encryption key (DEK).
	MetaKeyID = "X-FrogHub-Internal-Server-Side-Encryption-S3-Kms-Key-Id"

	// MetaDataEncryptionKey is the sealed data encryption key (DEK) received from
	// the KMS.
	MetaDataEncryptionKey = "X-FrogHub-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key"

	// ErrDecrypt is returned by a KES server when it fails to decrypt
	// a ciphertext. It may occur when a client uses the wrong key or
	// the ciphertext has been (maliciously) modified.
	KesErrDecrypt = "decryption failed: ciphertext is not authentic"
)
View Source 
const (
	// MaxSize is the maximum byte size of an encoded key.
	MaxSize = 1 << 20

	// Size is the byte size of a cryptographic key.
	Size = 256 / 8

	// If FIPS-140 is enabled no non-NIST/FIPS approved
	// primitives must be used.
	Enabled = 0 == 1
)
View Source 
const (
	// SealAlgorithm is the encryption/sealing algorithm used to derive & seal
	// the key-encryption-key and to en/decrypt the object data.
	SealAlgorithm = "DAREv2-HMAC-SHA256"

	// InsecureSealAlgorithm is the legacy encryption/sealing algorithm used
	// to derive & seal the key-encryption-key and to en/decrypt the object data.
	// This algorithm should not be used for new objects because its key derivation
	InsecureSealAlgorithm = "DARE-SHA256"
)
View Source 
const KMSConfig = "kms-config.json"

Variables

This section is empty.

Functions

func BytesToInt 

func BytesToInt(b []byte) int

func EscapeStringJSON 

func EscapeStringJSON(dst *bytes.Buffer, s string)

EscapeStringJSON will escape a string for JSON and write it to dst.

func FileExist 

func FileExist(filepath string) (bool, error)

func FsOpenFile 

func FsOpenFile(ctx context.Context, readPath string, offset int64) (io.ReadCloser, int64, error)

Opens the file at given path, optionally from an offset. Upon success returns a readable stream and the size of the readable stream.

func GenerateIV 

func GenerateIV(random io.Reader) (iv [32]byte)

GenerateIV generates a new random 256 bit IV from the provided source of randomness. If random is nil the default PRNG of the system (crypto/rand) is used.

func GetKmsKeys 

func GetKmsKeys(filepath string) (map[string]string, error)

func IsETagSealed 

func IsETagSealed(etag []byte) bool

IsETagSealed returns true if the etag seems to be encrypted.

func MarshalText 

func MarshalText(kmsCtx map[string]string) ([]byte, error)

MarshalText sorts the context keys and writes the sorted key-value pairs as canonical JSON object. The sort order is based on the un-escaped keys. It never returns an error.

func MkdirAll 

func MkdirAll(path string) error

func Unseal 

func Unseal(reader io.Reader, metadata map[string]string, secretKey string) (io.Reader, error)

func WriteFile 

func WriteFile(reader io.Reader, dest string) error

Types

type Algorithm 

type Algorithm string

Algorithm is a cryptographic algorithm that requires a cryptographic key. 

const (
	// AlgorithmGeneric is a generic value that indicates
	// that the key can be used with multiple algorithms.
	AlgorithmGeneric Algorithm = ""

	// AES256_GCM_SHA256 is an algorithm that uses HMAC-SHA256
	// for key derivation and AES256-GCM for en/decryption.
	AES256_GCM_SHA256 Algorithm = "AES256-GCM_SHA256"

	// XCHACHA20_POLY1305 is an algorithm that uses HChaCha20
	// for key derivation and ChaCha20-Poly1305 for en/decryption.
	XCHACHA20_POLY1305 Algorithm = "XCHACHA20-POLY1305"
)

func (Algorithm) KeySize 

func (a Algorithm) KeySize() int

KeySize returns the Algorithm's key size.

func (Algorithm) String 

func (a Algorithm) String() string

String returns the Algorithm's string representation.

type Identity 

type Identity string

An Identity should uniquely identify a client and is computed from the X.509 certificate presented by the client during the TLS handshake using an IdentityFunc. 

const IdentityUnknown Identity = ""

IdentityUnknown is the identity returned by an IdentityFunc if it cannot map a particular X.509 certificate to an actual identity.

func (Identity) IsUnknown 

func (id Identity) IsUnknown() bool

IsUnknown returns true if and only if the identity is IdentityUnknown.

func (Identity) String 

func (id Identity) String() string

String returns the string representation of the identity.

type IdentityInfo 

type IdentityInfo struct {
	Identity  Identity
	IsAdmin   bool      // Indicates whether the identity has admin privileges
	Policy    string    // Name of the associated policy
	CreatedAt time.Time // Point in time when the identity was created
	CreatedBy Identity  // Identity that created the identity
}

IdentityInfo describes a KES identity.

type IdentityIterator 

type IdentityIterator struct {
	// contains filtered or unexported fields
}

IdentityIterator iterates over a stream of IdentityInfo objects. Close the IdentityIterator to release associated resources.

func (*IdentityIterator) Close 

func (i *IdentityIterator) Close() error

Close closes the IdentityIterator and releases any associated resources

func (*IdentityIterator) CreatedAt 

func (i *IdentityIterator) CreatedAt() time.Time

CreatedAt returns the created-at timestamp of the current identity. It is a short-hand for Value().CreatedAt.

func (*IdentityIterator) CreatedBy 

func (i *IdentityIterator) CreatedBy() Identity

CreatedBy returns the identiy that created the current identity. It is a short-hand for Value().CreatedBy.

func (*IdentityIterator) Identity 

func (i *IdentityIterator) Identity() Identity

Identity returns the current identity. It is a short-hand for Value().Identity.

func (*IdentityIterator) Next 

func (i *IdentityIterator) Next() bool

Next returns true if there is another IdentityInfo. It returns false if there are no more IdentityInfo objects or when the IdentityIterator encounters an error.

func (*IdentityIterator) Policy 

func (i *IdentityIterator) Policy() string

Policy returns the policy assigned to the current identity. It is a short-hand for Value().Policy.

func (*IdentityIterator) Value 

func (i *IdentityIterator) Value() IdentityInfo

Value returns the current IdentityInfo. It remains valid until Next is called again.

type Key 

type Key struct {
	// contains filtered or unexported fields
}

Key is a symmetric cryptographic key.

func New 

func New(algorithm Algorithm, key []byte, owner Identity) (Key, error)

New returns an new Key for the given cryptographic algorithm. The key len must match algorithm's key size. The returned key is owned to the specified identity.

func Random 

func Random(algorithm Algorithm, owner Identity) (Key, error)

Random generates a new random Key for the cryptographic algorithm. The returned key is owned to the specified identity.

func (*Key) Algorithm 

func (k *Key) Algorithm() Algorithm

Algorithm returns the cryptographic algorithm for which the key can be used.

func (*Key) Clone 

func (k *Key) Clone() Key

Clone returns a deep copy of the key.

func (*Key) CreatedAt 

func (k *Key) CreatedAt() time.Time

CreatedAt returns the point in time when the key has been created.

func (*Key) CreatedBy 

func (k *Key) CreatedBy() Identity

CreatedBy returns the identity that created the key.

func (*Key) Equal 

func (k *Key) Equal(other Key) bool

Equal returns true if and only if both keys are identical.

func (*Key) ID 

func (k *Key) ID() string

ID returns the k's key ID.

func (*Key) UnMarshalText 

func (k *Key) UnMarshalText(text []byte) error

UnMarshalText parses and decodes text as encoded key.

func (*Key) Unwrap 

func (k *Key) Unwrap(ciphertext, associatedData []byte) ([]byte, error)

Unwrap decrypts the ciphertext and returns the resulting plaintext.

It verifies that the associatedData matches the value used when the ciphertext has been generated.

type ObjectKey 

type ObjectKey [32]byte

ObjectKey is a 256 bit secret key used to encrypt the object. It must never be stored in plaintext.

func GenerateKey 

func GenerateKey(extKey []byte, random io.Reader) (key ObjectKey)

GenerateKey generates a unique ObjectKey from a 256 bit external key and a source of randomness. If random is nil the default PRNG of the system (crypto/rand) is used.

func (ObjectKey) DerivePartKey 

func (key ObjectKey) DerivePartKey(id uint32) (partKey [32]byte)

DerivePartKey derives an unique 256 bit key from an ObjectKey and the part index.

func (ObjectKey) Seal 

func (key ObjectKey) Seal(extKey []byte, iv [32]byte, domain, bucket, object string) SealedKey

Seal encrypts the ObjectKey using the 256 bit external key and IV. The sealed key is also cryptographically bound to the object's path (bucket/object) and the domain (SSE-C or SSE-S3).

func (ObjectKey) SealETag 

func (key ObjectKey) SealETag(etag []byte) []byte

SealETag seals the etag using the object key. It does not encrypt empty ETags because such ETags indicate that the S3 client hasn't sent an ETag = MD5(object) and the backend can pick an ETag value.

func (*ObjectKey) Unseal 

func (key *ObjectKey) Unseal(extKey []byte, sealedKey SealedKey, domain, bucket, object string) error

Unseal decrypts a sealed key using the 256 bit external key. Since the sealed key may be cryptographically bound to the object's path the same bucket/object as during sealing must be provided. On success the ObjectKey contains the decrypted sealed key.

func (ObjectKey) UnsealETag 

func (key ObjectKey) UnsealETag(etag []byte) ([]byte, error)

UnsealETag unseals the etag using the provided object key. It does not try to decrypt the ETag if len(etag) == 16 because such ETags indicate that the S3 client hasn't sent an ETag = MD5(object) and the backend has picked an ETag value.

type SealedKey 

type SealedKey struct {
	Key       [64]byte // The encrypted and authenticted object-key.
	IV        [32]byte // The random IV used to encrypt the object-key.
	Algorithm string   // The sealing algorithm used to encrypt the object key.
}

SealedKey represents a sealed object key. It can be stored at an untrusted location.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.