chefcrypto

package module
Published: Mar 31, 2021 License: MIT Imports: 14 Imported by: 0

README

go-chef-crypto

Functions for working with Chef encrypted data bags in Go

Usage

This package does not fetch data bag data; it only encrypts or decrypts it.

Documentation

Overview

Package chefcrypto provides functions for encrypting and decrypting Chef encrypted data bag items.

This package does not fetch data from the Chef server.

When encrypting, the data must already be JSON-encoded (for example, the string foo is passed as "\"foo\"", not as "foo").

Example

package main

import (
	"encoding/json"
	"fmt"
	"log"

	cc "github.com/bhoriuchi/go-chef-crypto"
)

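func main() {
	// Generate a random key for encryption. A failed call returns no usable
	// key, so the error must not be dropped as it was in the original example.
	key, err := cc.NewSecretKey(512)
	if err != nil {
		log.Fatalf("generating secret key: %v", err)
	}

	// Encrypt expects JSON-encoded data (see the package overview), so the
	// plaintext string is marshalled first instead of being passed as raw bytes.
	secretData := "foo"
	plaintext, err := json.Marshal(secretData)
	if err != nil {
		log.Fatalf("encoding secret: %v", err)
	}

	// Encrypt with the newest format; VersionLatest uses CipherV3 (AES-256-GCM),
	// an authenticated mode, so a modified item is rejected on decrypt.
	databag, err := cc.Encrypt(key, plaintext, cc.VersionLatest)
	if err != nil {
		log.Fatalf("encrypting data bag item: %v", err)
	}

	// Serialize the item; this is the JSON a data bag would store.
	// MarshalIndent already returns []byte, so no further conversion is needed.
	databagJSON, err := json.MarshalIndent(databag, "", "  ")
	if err != nil {
		log.Fatalf("marshalling data bag item: %v", err)
	}

	// Decrypt the item back into a Go value. A wrong key or a tampered item
	// surfaces here as an error (e.g. ErrSignatureValidationFailed) rather
	// than as silently wrong plaintext, so the error is checked.
	var value interface{}
	if err := cc.Decrypt(key, databagJSON, &value); err != nil {
		log.Fatalf("decrypting data bag item: %v", err)
	}

	// Guard the type assertion so an unexpected payload type does not panic.
	secret, ok := value.(string)
	if !ok {
		log.Fatalf("unexpected decrypted type %T", value)
	}

	// Print the data
	fmt.Printf("Secret: %s", secret)
}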

Index

Constants

const (
	// Version1, Version2 and Version3 identify the three encrypted data bag
	// item formats this package understands; their numeric values are the
	// "version" field stored in the item.
	Version1 = iota + 1
	Version2
	Version3

	// MinimumVersion is the lowest encryption version this package accepts.
	MinimumVersion = Version1

	// MaximumVersion is the highest encryption version this package accepts.
	MaximumVersion = Version3

	// VersionLatest is the version to pass to Encrypt for new items. It is
	// currently Version3, which uses CipherV3 (AES-256-GCM) and therefore
	// carries an authentication tag.
	VersionLatest = Version3
)
// CipherV1 is the cipher name recorded in version 1 items. A version 1 item
// has no HMAC or auth tag field (see EncryptedDataBagItemV1), so the format
// itself carries no integrity check; prefer VersionLatest for new items.
const CipherV1 = "aes-256-cbc"

CipherV1 the v1 cipher used

// CipherV2 is the cipher name recorded in version 2 items. The cipher is the
// same as in version 1; version 2 adds an HMAC field (see
// EncryptedDataBagItemV2), so a wrong key or a modified item is expected to
// surface as ErrSignatureValidationFailed instead of producing garbage.
const CipherV2 = "aes-256-cbc"

CipherV2 the v2 cipher used

// CipherV3 is the cipher name recorded in version 3 items. GCM is an
// authenticated mode: the AuthTag field (see EncryptedDataBagItemV3) is
// verified as part of decryption, so integrity does not rely on a separate HMAC.
const CipherV3 = "aes-256-gcm"

CipherV3 the v3 cipher used

Variables

// ErrDecryptFailed is returned when a data bag item cannot be decrypted.
var ErrDecryptFailed = errors.New("failed to decrypt data bag")

ErrDecryptFailed decryption failed

// ErrInvalidSecretKey is returned when the secret key passed in is empty.
var ErrInvalidSecretKey = errors.New("key must be a non-empty byte array")

ErrInvalidSecretKey invalid secret key

// ErrInvalidTarget is returned by Decrypt when target is not a non-nil pointer.
var ErrInvalidTarget = errors.New("target must be a non-nil pointer")

ErrInvalidTarget invalid target pointer

// ErrItemNotValid is returned when the data does not parse as an encrypted
// data bag item.
var ErrItemNotValid = errors.New("data is not an encrypted data bag item")

ErrItemNotValid invalid data bag

// ErrSignatureValidationFailed is returned when the item's HMAC does not
// verify. A modified ciphertext fails the check just as a wrong key does, so
// callers should not assume the key is the only possible cause.
var ErrSignatureValidationFailed = errors.New("signature validation failed, an invalid secret key was most likely used")

ErrSignatureValidationFailed hmac validation failed

// ErrUnsupportedVersion is returned when the requested or detected encryption
// version is outside the range this package supports.
var ErrUnsupportedVersion = errors.New("unsupported encryption version")

ErrUnsupportedVersion unsupported encryption version

Functions

func Decrypt

func Decrypt(key, data []byte, target interface{}) error

Decrypt decrypts the data bag item with the appropriate encryption version

func IsEncryptedDataBagItem

func IsEncryptedDataBagItem(data []byte) (bool, int, error)

IsEncryptedDataBagItem reports whether the data bag item is encrypted and, if so, which encryption version it uses

func NewSecretKey

func NewSecretKey(length int) ([]byte, error)

NewSecretKey generates a new secret key of specified length

func NewSecretKeyBase64

func NewSecretKeyBase64(length int) (*string, error)

NewSecretKeyBase64 generates a new secret key of specified length

Types

type EncryptedDataBagItem

// EncryptedDataBagItem is implemented by each encrypted item format
// (EncryptedDataBagItemV1, EncryptedDataBagItemV2 and EncryptedDataBagItemV3).
type EncryptedDataBagItem interface {
	// Decrypt decrypts the item with key and decodes the plaintext into target.
	Decrypt(key []byte, target interface{}) error
	// IsValid reports whether the item's fields form a valid encrypted item.
	IsValid() bool
	// GetVersion returns the item's encryption version.
	GetVersion() int
}

EncryptedDataBagItem item interface

func Encrypt

func Encrypt(key, data []byte, version int) (EncryptedDataBagItem, error)

Encrypt encrypts the data using the specified key and encryption version

type EncryptedDataBagItemV1

// EncryptedDataBagItemV1 is a version 1 encrypted data bag item. Unlike the
// V2 and V3 formats it has no HMAC or auth tag field, so the format itself
// carries no integrity check; prefer VersionLatest when creating new items.
type EncryptedDataBagItemV1 struct {
	// EncryptedData is the ciphertext as stored in the item (its text
	// encoding is not shown on this page).
	EncryptedData string `json:"encrypted_data"`
	// IV is the initialization vector for the CBC cipher.
	IV            string `json:"iv"`
	// Version is the encryption version; Version1 for this type.
	Version       int    `json:"version"`
	// Cipher is the cipher name; CipherV1 for this type.
	Cipher        string `json:"cipher"`
}

EncryptedDataBagItemV1 version 1 encrypted databag

func EncryptDataBagItemV1

func EncryptDataBagItemV1(key, jsonData []byte) (*EncryptedDataBagItemV1, error)

EncryptDataBagItemV1 encrypts a databag with the v1 specification

func (*EncryptedDataBagItemV1) Decrypt

func (c *EncryptedDataBagItemV1) Decrypt(key []byte, target interface{}) error

Decrypt decrypts the v1 databag

func (*EncryptedDataBagItemV1) GetVersion

func (c *EncryptedDataBagItemV1) GetVersion() int

GetVersion returns the databag version

func (*EncryptedDataBagItemV1) IsValid

func (c *EncryptedDataBagItemV1) IsValid() bool

IsValid validates the encrypted databag

type EncryptedDataBagItemV2

// EncryptedDataBagItemV2 is a version 2 encrypted data bag item. It uses the
// same cipher as version 1 but adds an HMAC so that a wrong key or a
// modified item can be detected on decrypt.
type EncryptedDataBagItemV2 struct {
	// EncryptedData is the ciphertext as stored in the item (its text
	// encoding is not shown on this page).
	EncryptedData string `json:"encrypted_data"`
	// HMAC is the message authentication code checked during Decrypt; a
	// mismatch is reported as ErrSignatureValidationFailed. Exactly which
	// bytes it covers is not shown on this page.
	HMAC          string `json:"hmac"`
	// IV is the initialization vector for the CBC cipher.
	IV            string `json:"iv"`
	// Version is the encryption version; Version2 for this type.
	Version       int    `json:"version"`
	// Cipher is the cipher name; CipherV2 for this type.
	Cipher        string `json:"cipher"`
}

EncryptedDataBagItemV2 version 2 encrypted databag

func EncryptDataBagItemV2

func EncryptDataBagItemV2(key, data []byte) (*EncryptedDataBagItemV2, error)

EncryptDataBagItemV2 encrypts a databag with the v2 specification

func (*EncryptedDataBagItemV2) Decrypt

func (c *EncryptedDataBagItemV2) Decrypt(key []byte, target interface{}) error

Decrypt decrypts the v2 databag

func (*EncryptedDataBagItemV2) GetVersion

func (c *EncryptedDataBagItemV2) GetVersion() int

GetVersion returns the databag version

func (*EncryptedDataBagItemV2) IsValid

func (c *EncryptedDataBagItemV2) IsValid() bool

IsValid validates the encrypted databag

type EncryptedDataBagItemV3

// EncryptedDataBagItemV3 is a version 3 encrypted data bag item. It uses
// AES-256-GCM (CipherV3), an authenticated cipher, so integrity is verified
// via AuthTag as part of decryption rather than through a separate HMAC.
type EncryptedDataBagItemV3 struct {
	// EncryptedData is the ciphertext as stored in the item (its text
	// encoding is not shown on this page).
	EncryptedData string `json:"encrypted_data"`
	// IV is the nonce/initialization vector for the GCM cipher.
	IV            string `json:"iv"`
	// AuthTag is the GCM authentication tag; decryption fails if it does
	// not verify against the ciphertext.
	AuthTag       string `json:"auth_tag"`
	// Version is the encryption version; Version3 for this type.
	Version       int    `json:"version"`
	// Cipher is the cipher name; CipherV3 for this type.
	Cipher        string `json:"cipher"`
}

EncryptedDataBagItemV3 version 3 encrypted databag

func EncryptDataBagItemV3

func EncryptDataBagItemV3(key, jsonData []byte) (*EncryptedDataBagItemV3, error)

EncryptDataBagItemV3 encrypts a databag with the v3 specification

func (*EncryptedDataBagItemV3) Decrypt

func (c *EncryptedDataBagItemV3) Decrypt(key []byte, target interface{}) error

Decrypt decrypts the v3 databag

func (*EncryptedDataBagItemV3) GetVersion

func (c *EncryptedDataBagItemV3) GetVersion() int

GetVersion returns the databag version

func (*EncryptedDataBagItemV3) IsValid

func (c *EncryptedDataBagItemV3) IsValid() bool

IsValid validates the encrypted databag
