Documentation ¶
Overview ¶
Package csp provides mid-level cryptographic API based on CryptoAPI 2.0 on Windows and CryptoPro CSP on Linux.
Index ¶
- Constants
- Variables
- func BlockDecrypt(recipient Cert, data BlockEncryptedData) ([]byte, error)
- func Container(cont string) string
- func DecryptData(data []byte, store *CertStore) ([]byte, error)
- func DeleteCtx(container, provider string, provType ProvType) error
- func EncryptData(data []byte, options EncryptOptions) (_ []byte, rErr error)
- type AlgorithmIdentifier
- type BlockEncryptOptions
- type BlockEncryptedData
- type Cert
- func (c Cert) Bytes() []byte
- func (c Cert) Close() error
- func (c Cert) Context() (Ctx, error)
- func (c Cert) GetProperty(propID CertPropertyID) ([]byte, error)
- func (c Cert) Info() CertInfo
- func (c Cert) IsZero() bool
- func (c Cert) MustSubjectID() string
- func (c Cert) MustThumbPrint() string
- func (c Cert) SubjectID() (string, error)
- func (c Cert) ThumbPrint() (string, error)
- type CertInfo
- type CertPropertyID
- type CertStore
- func (s CertStore) Add(cert Cert) error
- func (s CertStore) Certs() (res []Cert)
- func (s CertStore) Close() error
- func (s CertStore) FindBySubject(subject string) []Cert
- func (s CertStore) FindBySubjectId(thumb string) []Cert
- func (s CertStore) FindByThumb(thumb string) []Cert
- func (s CertStore) GetByID(issuerName []byte, serialNumber *big.Int) (res Cert, err error)
- func (s CertStore) GetBySubject(subject string) (res Cert, err error)
- func (s CertStore) GetBySubjectId(keyId string) (res Cert, err error)
- func (s CertStore) GetByThumb(thumb string) (res Cert, err error)
- type CryptFlag
- type CryptoProvider
- type Ctx
- func (c Ctx) CertStore(name string) (res CertStore, err error)
- func (ctx Ctx) Close() error
- func (ctx Ctx) GenKey(at KeyPairID, flags KeyFlag) (res Key, err error)
- func (ctx Ctx) ImportKey(buf SimpleBlob, cryptKey *Key) (Key, error)
- func (ctx Ctx) ImportPublicKeyInfo(cert Cert) (Key, error)
- func (c Ctx) IsZero() bool
- func (ctx Ctx) Key(at KeyPairID) (res Key, err error)
- func (ctx Ctx) SetDHOID(oid string) error
- func (ctx Ctx) SetPassword(pwd string, at KeyPairID) error
- type Decryptor
- type EncodeOptions
- type EncryptOptions
- type Error
- type ErrorCode
- type GOST2001KeyTransport
- type Gost2001KeyTransportASN1
- type Gost28147_89EncryptedKey
- type GostR3410TransportParameters
- type Hash
- type HashOptions
- type Key
- func (key Key) Close() error
- func (key Key) Decrypt(buf []byte, hash *Hash) ([]byte, error)
- func (key Key) Encode(cryptKey *Key) (SimpleBlob, error)
- func (key Key) Encrypt(buf []byte, hash *Hash) ([]byte, error)
- func (key Key) GetAlgID() (res C.ALG_ID, err error)
- func (key Key) GetCipherOID() ([]byte, error)
- func (key Key) GetDHOID() (string, error)
- func (key Key) GetHashOID() (string, error)
- func (key Key) GetOID() (string, error)
- func (key Key) GetParam(param KeyParamID) (res []byte, err error)
- func (key Key) IsZero() bool
- func (key Key) SetAlgID(algID C.ALG_ID) error
- func (key Key) SetCipherOID(oid []byte) error
- func (key Key) SetIV(iv []byte) error
- func (key Key) SetMode(mode C.DWORD) error
- func (key Key) SetPadding(padding C.DWORD) error
- type KeyFlag
- type KeyPairID
- type KeyParamID
- type Msg
- type ProvType
- type SessionKey
- type SignParams
- type SimpleBlob
- type SubjectPublicKeyInfo
Constants ¶
const ( GOSTR341012256 = "1.2.643.7.1.1.1.1" GOSTR341012512 = "1.2.643.7.1.1.1.2" )
Public key algorithm IDs
Variables ¶
var ( GOST_R3411 asn1.ObjectIdentifier = []int{1, 2, 643, 2, 2, 9} GOST_R3411_12_256 asn1.ObjectIdentifier = []int{1, 2, 643, 7, 1, 1, 2, 2} GOST_R3411_12_512 asn1.ObjectIdentifier = []int{1, 2, 643, 7, 1, 1, 2, 3} MD5RSA asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 1, 4} SHA1RSA asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 1, 5} SETOAEP_RSA asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 1, 6} SHA256RSA asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 1, 11} SHA384RSA asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 1, 12} SHA512RSA asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 1, 13} )
Common object identifiers
Functions ¶
func BlockDecrypt ¶
func BlockDecrypt(recipient Cert, data BlockEncryptedData) ([]byte, error)
func DecryptData ¶
DecryptData decrypts byte slice using provided certificate store for private key lookup
func EncryptData ¶
func EncryptData(data []byte, options EncryptOptions) (_ []byte, rErr error)
EncryptData encrypts arbitrary byte slice for one or more recipient certificates
Types ¶
type AlgorithmIdentifier ¶ added in v2.4.1
type AlgorithmIdentifier struct { PublicKeyOID asn1.ObjectIdentifier SignParams SignParams }
type BlockEncryptOptions ¶
type BlockEncryptedData ¶
type BlockEncryptedData struct { IV []byte CipherText []byte SessionKey SessionKey SessionPublicKey []byte KeyExp C.DWORD DHParamsOID string DigestOID string PublicKeyOID string }
func BlockEncrypt ¶
func BlockEncrypt(opts BlockEncryptOptions, data []byte) (BlockEncryptedData, error)
func (BlockEncryptedData) ToGOST2001KeyTransport ¶
func (s BlockEncryptedData) ToGOST2001KeyTransport() []byte
func (BlockEncryptedData) ToGOST2001KeyTransportASN1 ¶ added in v2.4.1
func (s BlockEncryptedData) ToGOST2001KeyTransportASN1() (res Gost2001KeyTransportASN1, _ error)
type Cert ¶
type Cert struct {
// contains filtered or unexported fields
}
Cert encapsulates certificate context
func (Cert) GetProperty ¶
func (c Cert) GetProperty(propID CertPropertyID) ([]byte, error)
GetProperty is a base function for extracting certificate context properties
func (Cert) MustSubjectID ¶
MustSubjectID returns certificate's subject id or panics
func (Cert) MustThumbPrint ¶
MustThumbPrint returns certificate's hash as a hexadecimal string or panics
func (Cert) SubjectID ¶
SubjectID returns certificate's subject public key ID as a hexadecimal string
func (Cert) ThumbPrint ¶
ThumbPrint returns certificate's hash as a hexadecimal string
type CertInfo ¶
type CertInfo struct {
// contains filtered or unexported fields
}
CertInfo encapsulates certificate properties
func (CertInfo) PublicKeyAlgorithm ¶
PublicKeyAlgorithm returns certificate subject public key algorithm as object ID string
func (CertInfo) PublicKeyBytes ¶
PublicKeyBytes returns certificate subject public key as byte slice
func (CertInfo) SignatureAlgorithm ¶
SignatureAlgorithm returns certificate signature algorithm as object ID string
func (CertInfo) SubjectStr ¶
SubjectStr returns certificate subject converted to Go string
type CertPropertyID ¶
CertPropertyID corresponds to a C type of DWORD
const ( CertHashProp CertPropertyID = C.CERT_HASH_PROP_ID CertKeyIDentifierProp CertPropertyID = C.CERT_KEY_IDENTIFIER_PROP_ID CertProvInfoProp CertPropertyID = C.CERT_KEY_PROV_INFO_PROP_ID )
Constants for certificate property IDs
type CertStore ¶
type CertStore struct {
// contains filtered or unexported fields
}
CertStore incapsulates certificate store
func MemoryStore ¶
MemoryStore returns handle to new empty in-memory certificate store
func SystemStore ¶
SystemStore returns handle to certificate store with certain name, using default system cryptoprovider
func (CertStore) Add ¶
Add inserts certificate into store replacing existing certificate link if it's already added
func (CertStore) FindBySubject ¶
FindBySubject returns slice of certificates with a subject that matches string
func (CertStore) FindBySubjectId ¶
FindBySubjectId returns slice of certificates that match given subject key ID. If ID supplied could not be decoded from string, FindBySubjectId will return nil slice
func (CertStore) FindByThumb ¶
FindByThumb returns slice of certificates that match given thumbprint. If thumbprint supplied could not be decoded from string, FindByThumb will return nil slice
func (CertStore) GetByID ¶ added in v2.3.5
GetByID returns certificate with specified issuer and serial number
func (CertStore) GetBySubject ¶
GetBySubject returns first certificate with a subject that matches given string
func (CertStore) GetBySubjectId ¶
GetBySubjectId returns first certificate in store that match given subject key ID
type CryptFlag ¶
CryptFlag determines behaviour of acquired context
const ( CryptVerifyContext CryptFlag = C.CRYPT_VERIFYCONTEXT CryptNewKeyset CryptFlag = C.CRYPT_NEWKEYSET CryptMachineKeyset CryptFlag = C.CRYPT_MACHINE_KEYSET CryptDeleteKeyset CryptFlag = C.CRYPT_DELETEKEYSET CryptSilent CryptFlag = C.CRYPT_SILENT )
Flags for acquiring context
type CryptoProvider ¶
CryptoProvider struct contains description of CSP that can be used for creation of CSP Context.
func EnumProviders ¶
func EnumProviders() (res []CryptoProvider, err error)
EnumProviders returns slice of CryptoProvider structures, describing available CSPs.
type Ctx ¶
type Ctx struct {
// contains filtered or unexported fields
}
Ctx is a CSP context nessessary for cryptographic functions.
func AcquireCtx ¶
func AcquireCtx(container, provider string, provType ProvType, flags CryptFlag) (res Ctx, err error)
AcquireCtx acquires new CSP context from container name, provider name, type and flags. Empty strings for container and provider names are typically used for CryptVerifyContext flag setting. Created context must be eventually released with its Close method.
func (Ctx) GenKey ¶
GenKey generates public/private key pair for given context. Flags parameter determines if generated key will be exportable or archivable and at parameter determines KeyExchange or Signature key pair. Resulting key must be eventually closed by calling Close.
func (Ctx) ImportKey ¶
func (ctx Ctx) ImportKey(buf SimpleBlob, cryptKey *Key) (Key, error)
ImportKey transfers a cryptographic key from a key BLOB into a context.
func (Ctx) ImportPublicKeyInfo ¶
ImportPublicKeyInfo imports public key information into the context and returns public key
func (Ctx) Key ¶
Key extracts public key from container represented by context ctx, from key pair given by at parameter. It must be released after use by calling Close method.
type Decryptor ¶
type Decryptor struct {
// contains filtered or unexported fields
}
type EncodeOptions ¶
type EncodeOptions struct { Detached bool // Signature is detached HashAlg asn1.ObjectIdentifier // Signature hash algorithm ID Signers []Cert // Signing certificate list }
EncodeOptions specifies message creation details
type EncryptOptions ¶
type EncryptOptions struct {
Receivers []Cert // Receiving certificate list
}
EncryptOptions specifies message encryption details
type Error ¶
type Error struct { Code ErrorCode // Code indicates exact CryptoAPI error code // contains filtered or unexported fields }
Error provides error type
type ErrorCode ¶
ErrorCode corresponds to a C type DWORD
const ( ErrBadKeysetParam ErrorCode = C.NTE_BAD_KEYSET_PARAM & (1<<32 - 1) // Typically occurs when trying to acquire context ErrFail ErrorCode = C.NTE_FAIL & (1<<32 - 1) // Misc error // ErrInvalidParameter ErrorCode = C.NTE_INVALID_PARAMETER & (1<<32 - 1) // Bad parameter to cryptographic function ErrNoKey ErrorCode = C.NTE_NO_KEY & (1<<32 - 1) // Key not found ErrExists ErrorCode = C.NTE_EXISTS & (1<<32 - 1) // Object already exists ErrNotFound ErrorCode = C.NTE_NOT_FOUND & (1<<32 - 1) // Object not found ErrKeysetNotDef ErrorCode = C.NTE_KEYSET_NOT_DEF & (1<<32 - 1) // Operation on unknown container ErrBadKeyset ErrorCode = C.NTE_BAD_KEYSET & (1<<32 - 1) // Operation on unknown container ErrStreamNotReady ErrorCode = C.CRYPT_E_STREAM_MSG_NOT_READY & (1<<32 - 1) // Returned until stream header is parsed ErrCryptNotFound ErrorCode = C.CRYPT_E_NOT_FOUND & (1<<32 - 1) ErrMoreData ErrorCode = C.ERROR_MORE_DATA & (1<<32 - 1) )
Some C error codes translated to Go constants
type GOST2001KeyTransport ¶
type GOST2001KeyTransport [172]byte
func (GOST2001KeyTransport) ToBlockEncryptedData ¶
func (s GOST2001KeyTransport) ToBlockEncryptedData(dataStream []byte) BlockEncryptedData
type Gost2001KeyTransportASN1 ¶ added in v2.4.1
type Gost2001KeyTransportASN1 struct { SessionKey Gost28147_89EncryptedKey TransportParameters GostR3410TransportParameters `asn1:"tag:0,optional"` }
GostR3410-KeyTransport ::= SEQUENCE { sessionEncryptedKey Gost28147-89-EncryptedKey, transportParameters [0] IMPLICIT GostR3410-TransportParameters OPTIONAL }
func (Gost2001KeyTransportASN1) ToBlockEncryptedData ¶ added in v2.4.1
func (k Gost2001KeyTransportASN1) ToBlockEncryptedData(dataStream []byte) (BlockEncryptedData, error)
type Gost28147_89EncryptedKey ¶ added in v2.4.1
type Gost28147_89EncryptedKey struct { EncryptedKey []byte MaskKey []byte `asn1:"tag:0,optional"` MacKey []byte }
Gost28147-89-EncryptedKey ::= SEQUENCE { encryptedKey Gost28147-89-Key, maskKey [0] IMPLICIT Gost28147-89-Key OPTIONAL, macKey Gost28147-89-MAC }
type GostR3410TransportParameters ¶ added in v2.4.1
type GostR3410TransportParameters struct { EncryptionParamSet asn1.ObjectIdentifier EphemeralPublicKey SubjectPublicKeyInfo `asn1:"tag:0,optional"` SeanceVector []byte }
GostR3410-TransportParameters ::= SEQUENCE { encryptionParamSet OBJECT IDENTIFIER, ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo OPTIONAL, ukm OCTET STRING }
type Hash ¶
type Hash struct {
// contains filtered or unexported fields
}
Hash encapsulates GOST hash
func NewHMAC ¶
func NewHMAC(hashAlg asn1.ObjectIdentifier, key []byte) (_ *Hash, rErr error)
NewHMAC creates HMAC object initialized with given byte key
func NewHash ¶
func NewHash(options HashOptions) (*Hash, error)
func (*Hash) BlockSize ¶
BlockSize returns the hash's underlying block size. The Write method must be able to accept any amount of data, but it may operate more efficiently if all writes are a multiple of the block size.
type HashOptions ¶
type HashOptions struct { HashAlg asn1.ObjectIdentifier // Hash algorithm ID SignCert Cert // Certificate with a reference to private key container used to sign the hash HMACKey Key // HMAC key for creating hash in HMAC mode }
HashOptions describe hash creation parameters
type Key ¶
type Key struct {
// contains filtered or unexported fields
}
Key incapsulates key pair functions
func (Key) Encode ¶
func (key Key) Encode(cryptKey *Key) (SimpleBlob, error)
Encode exports a cryptographic key or a key pair in a secure manner. If cryptKey is nil, exports public key in unencrypted for, else -- session key.
func (Key) GetCipherOID ¶ added in v2.4.0
GetCipherOID retrieves key's cipher OID
func (Key) GetHashOID ¶ added in v2.4.1
GetHashOID retrieves key's HASH OID
func (Key) GetParam ¶
func (key Key) GetParam(param KeyParamID) (res []byte, err error)
GetParam retrieves data that governs the operations of a key.
func (Key) SetCipherOID ¶ added in v2.4.0
SetCipherOID sets key's cipher OID
type KeyFlag ¶
KeyFlag sets options on created key pair
const ( KeyArchivable KeyFlag = C.CRYPT_ARCHIVABLE KeyExportable KeyFlag = C.CRYPT_EXPORTABLE )
Key flags
type KeyPairID ¶
KeyPairID selects public/private key pair from CSP container
const ( AtKeyExchange KeyPairID = C.AT_KEYEXCHANGE AtSignature KeyPairID = C.AT_SIGNATURE )
Key specification
type KeyParamID ¶
KeyParamID represents key parameters that can be retrieved for key.
const (
KeyCertificateParam KeyParamID = C.KP_CERTIFICATE // X.509 certificate that has been encoded by using DER
)
Certificate parameter IDs
type Msg ¶
type Msg struct {
// contains filtered or unexported fields
}
Msg encapsulates stream decoder of PKCS7 message
func OpenToDecode ¶
OpenToDecode creates new Msg in decode mode. If detachedSig parameter is specified, it must contain detached P7S signature
func OpenToEncode ¶
func OpenToEncode(dest io.Writer, options EncodeOptions) (msg *Msg, rErr error)
OpenToEncode creates new Msg in encode mode.
func OpenToEncrypt ¶
func OpenToEncrypt(dest io.Writer, options EncryptOptions) (*Msg, error)
OpenToEncrypt creates new Msg in encrypt mode.
func OpenToVerify ¶
OpenToVerify creates new Msg in decode mode. If detachedSig parameter is specified, it must contain detached P7S signature
func (*Msg) CertStore ¶
CertStore returns message certificate store. As a side-effect, source stream is fully read and parsed.
func (*Msg) Close ¶
Close needs to be called to release internal message handle and flush underlying encoded message.
func (*Msg) GetSignerCert ¶ added in v2.3.4
GetSignerCert returns i-th message signer certificate from provided certificate store (usually acquired by msg.CertStore() method).
func (*Msg) GetSignerCount ¶ added in v2.3.4
GetSignerCount returns number of signer infos in message
type SessionKey ¶
type SessionKey struct { SeanceVector []byte EncryptedKey []byte MACKey []byte EncryptionParamSet []byte }
func (SessionKey) ToSimpleBlob ¶
func (s SessionKey) ToSimpleBlob() SimpleBlob
type SignParams ¶ added in v2.4.1
type SignParams struct { DHParamsOID asn1.ObjectIdentifier DigestOID asn1.ObjectIdentifier }
type SimpleBlob ¶
type SimpleBlob []byte
func (SimpleBlob) ToSessionKey ¶
func (s SimpleBlob) ToSessionKey() (SessionKey, error)
type SubjectPublicKeyInfo ¶ added in v2.4.1
type SubjectPublicKeyInfo struct { Algorithm AlgorithmIdentifier EncapsulatedPublicKey asn1.BitString }