Documentation
¶
Overview ¶
Package suite provides the algorithm suites.
See AWS Encryption SDK algorithms reference for more information.
Index ¶
- Constants
- Variables
- func NewEncryptionSuite(algorithm encAlgorithm, mode cipherMode, dataKeyLen, ivLen, authLen int) encryptionSuite
- func NewKdfSuite(KDFFunc func(hash func() hash.Hash, secret, salt, info []byte) io.Reader, ...) kdfSuite
- func ValidateCommitmentPolicy(p CommitmentPolicy) error
- func ValidateContentType(t ContentType) error
- func ValidateFrameLength(frameLength int) error
- func ValidateMessageVersion(v uint8) error
- type AlgorithmSuite
- func (as *AlgorithmSuite) AlgorithmSuiteDataLen() int
- func (as *AlgorithmSuite) GoString() string
- func (as *AlgorithmSuite) IDBytes() []byte
- func (as *AlgorithmSuite) IDString() string
- func (as *AlgorithmSuite) IsCommitting() bool
- func (as *AlgorithmSuite) IsKDFSupported() bool
- func (as *AlgorithmSuite) IsSigning() bool
- func (as *AlgorithmSuite) MessageIDLen() int
- func (as *AlgorithmSuite) Name() string
- func (as *AlgorithmSuite) String() string
- type CommitmentPolicy
- type ContentType
- type EncryptionContext
- type MessageFormatVersion
Constants ¶
const ( MinFrameSize = int(128) // Minimum allowed frame size MaxFrameSize = math.MaxInt32 // Maximum allowed frame size which is math.MaxInt32 BlockSize = int(128) // BlockSize is aes.BlockSize in bits (16 * 8) )
Variables ¶
var ( AES_128_GCM_IV12_TAG16 = newAlgorithmSuite(0x0014, aes_128_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE) // Algorithm ID: 00 14 AES_192_GCM_IV12_TAG16 = newAlgorithmSuite(0x0046, aes_192_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE) // Algorithm ID: 00 46 AES_256_GCM_IV12_TAG16 = newAlgorithmSuite(0x0078, aes_256_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE) // Algorithm ID: 00 78 AES_128_GCM_IV12_TAG16_HKDF_SHA256 = newAlgorithmSuite(0x0114, aes_128_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE) // Algorithm ID: 01 14 AES_192_GCM_IV12_TAG16_HKDF_SHA256 = newAlgorithmSuite(0x0146, aes_192_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE) // Algorithm ID: 01 46 AES_256_GCM_IV12_TAG16_HKDF_SHA256 = newAlgorithmSuite(0x0178, aes_256_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE) // Algorithm ID: 01 78 AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 = newAlgorithmSuite(0x0214, aes_128_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_SHA256_ECDSA_P256) // Algorithm ID: 02 14 AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 = newAlgorithmSuite(0x0346, aes_192_GCM_IV12_TAG16, V1, hkdf_SHA384, authSuite_SHA256_ECDSA_P384) // Algorithm ID: 03 46 AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 = newAlgorithmSuite(0x0378, aes_256_GCM_IV12_TAG16, V1, hkdf_SHA384, authSuite_SHA256_ECDSA_P384) // Algorithm ID: 03 78 AES_256_GCM_HKDF_SHA512_COMMIT_KEY = newAlgorithmSuite(0x0478, aes_256_GCM_IV12_TAG16, V2, hkdf_SHA512, authSuite_NONE) // Algorithm ID: 04 78 AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 = newAlgorithmSuite(0x0578, aes_256_GCM_IV12_TAG16, V2, hkdf_SHA512, authSuite_SHA256_ECDSA_P384) // Algorithm ID: 05 78 )
Supported AlgorithmSuite by AWS Encryption SDK.
See AWS Encryption SDK algorithms reference for more information.
var ErrAlgorithmSuite = errors.New("algorithm suite error")
ErrAlgorithmSuite is returned when algorithm suite is invalid or not supported.
Functions ¶
func NewEncryptionSuite ¶
func NewEncryptionSuite(algorithm encAlgorithm, mode cipherMode, dataKeyLen, ivLen, authLen int) encryptionSuite
func NewKdfSuite ¶
func ValidateCommitmentPolicy ¶ added in v0.2.0
func ValidateCommitmentPolicy(p CommitmentPolicy) error
ValidateCommitmentPolicy validates the commitment policy values.
func ValidateContentType ¶ added in v0.2.0
func ValidateContentType(t ContentType) error
ValidateContentType validates the content type values.
The only supported content type is FramedContent.
func ValidateFrameLength ¶ added in v0.2.0
ValidateFrameLength validates the length of a frame. It checks if the frame length is within the allowed range and if it is a multiple of the block size of the crypto algorithm.
If the frame length is out of range or not a multiple of the BlockSize (128), an error is returned. The allowed minimum frame size is MinFrameSize (128).
The allowed maximum frame size is MaxFrameSize the maximum value of a signed 32-bit integer.
The block size of the crypto algorithm is BlockSize 128.
Types ¶
type AlgorithmSuite ¶
type AlgorithmSuite struct {
AlgorithmID uint16 // An identifier for the algorithm. It is a 2-byte value interpreted as a 16-bit unsigned integer.
EncryptionSuite encryptionSuite // Encryption of the algorithm suite
MessageFormatVersion MessageFormatVersion // Message format version
KDFSuite kdfSuite // Key Derivation Suite of the algorithm suite
Authentication authenticationSuite // Authentication Suite of the algorithm suite
// contains filtered or unexported fields
}
AlgorithmSuite represents the algorithm suite used for encryption and decryption.
func ByID ¶ added in v0.4.0
func ByID(algorithmID uint16) (*AlgorithmSuite, error)
ByID returns AlgorithmSuite by its algorithmID 16-bit unsigned integer.
func FromBytes ¶ added in v0.4.0
func FromBytes(b []byte) (*AlgorithmSuite, error)
FromBytes returns AlgorithmSuite from slice of bytes, slice must have a length of 2 bytes.
func (*AlgorithmSuite) AlgorithmSuiteDataLen ¶
func (as *AlgorithmSuite) AlgorithmSuiteDataLen() int
AlgorithmSuiteDataLen returns the length of the Algorithm Suite Data field.
func (*AlgorithmSuite) GoString ¶
func (as *AlgorithmSuite) GoString() string
func (*AlgorithmSuite) IDBytes ¶
func (as *AlgorithmSuite) IDBytes() []byte
IDBytes returns the ID of AlgorithmSuite as a slice of bytes.
func (*AlgorithmSuite) IDString ¶ added in v0.2.0
func (as *AlgorithmSuite) IDString() string
IDString returns the ID of AlgorithmSuite as a string.
Example:
0578
func (*AlgorithmSuite) IsCommitting ¶
func (as *AlgorithmSuite) IsCommitting() bool
IsCommitting indicates whether the AlgorithmSuite is using key commitment. Only V2 message format version supports key commitment.
func (*AlgorithmSuite) IsKDFSupported ¶ added in v0.2.0
func (as *AlgorithmSuite) IsKDFSupported() bool
IsKDFSupported indicates whether the AlgorithmSuite is using key derivation to derive the data encryption key.
func (*AlgorithmSuite) IsSigning ¶
func (as *AlgorithmSuite) IsSigning() bool
IsSigning indicates whether the AlgorithmSuite is using ECDSA for signing over the ciphertext header and body.
func (*AlgorithmSuite) MessageIDLen ¶
func (as *AlgorithmSuite) MessageIDLen() int
MessageIDLen returns the length of the message ID.
func (*AlgorithmSuite) Name ¶
func (as *AlgorithmSuite) Name() string
Name returns the name of AlgorithmSuite.
Example:
AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384
func (*AlgorithmSuite) String ¶
func (as *AlgorithmSuite) String() string
String returns a string representation of AlgorithmSuite.
Example:
AlgID 0x0578: AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384
type CommitmentPolicy ¶
type CommitmentPolicy int8
CommitmentPolicy is a configuration setting that determines whether your application encrypts and decrypts with key commitment.
See Commitment policy for more information.
const ( CommitmentPolicyForbidEncryptAllowDecrypt CommitmentPolicy // 1 - FORBID_ENCRYPT_ALLOW_DECRYPT CommitmentPolicyRequireEncryptAllowDecrypt // 2 - REQUIRE_ENCRYPT_ALLOW_DECRYPT CommitmentPolicyRequireEncryptRequireDecrypt // 3 - REQUIRE_ENCRYPT_REQUIRE_DECRYPT )
Supported commitment policies.
func (CommitmentPolicy) GoString ¶
func (cp CommitmentPolicy) GoString() string
GoString returns the same as String().
func (CommitmentPolicy) String ¶
func (cp CommitmentPolicy) String() string
String returns the string representation of the CommitmentPolicy.
type ContentType ¶
type ContentType uint8
ContentType is the type of encrypted data, either non-framed or framed.
const ( NonFramedContent ContentType = 0x01 // Non-framed content is type 1, encoded as the byte 01 in hexadecimal notation. FramedContent ContentType = 0x02 // Framed content is type 2, encoded as the byte 02 in hexadecimal notation. )
Supported content types.
type EncryptionContext ¶
EncryptionContext represents a map of string key-value pairs that are used to store contextual information for encryption operations.
func (EncryptionContext) Serialize ¶
func (ec EncryptionContext) Serialize() []byte
Serialize transforms the EncryptionContext into a byte slice. The serialized format prepends the length of each key and value as a 2-byte big-endian integer. Keys are sorted to ensure deterministic output. The function accounts for the additional keyValueBytes for each key-value pair when estimating the buffer size to minimize reallocations.
The serialization format is as follows for each key-value pair:
[keyLength][key][valueLength][value] - keyLength: 2 bytes representing the length of the key as a big-endian integer - key: actual bytes of the key - valueLength: 2 bytes representing the length of the value as a big-endian integer - value: actual bytes of the value
Serialization ensures that keys are sorted and the output is consistent for the same EncryptionContext content.
Returns:
[]byte: A byte slice representing the serialized EncryptionContext.
Example:
ec := EncryptionContext{"user": "Alice", "purpose": "encryption"}
serialized := ec.Serialize()
The output will be a byte slice with each key-value pair preceded by their lengths.
type MessageFormatVersion ¶ added in v0.2.0
type MessageFormatVersion uint8
MessageFormatVersion is the version of the message format.
const ( V1 MessageFormatVersion = iota + 1 // Version 1 encoded as the byte 01 in hexadecimal notation. V2 // Version 2 encoded as the byte 02 in hexadecimal notation. )
Supported message format versions.
- Algorithm suites without key commitment use message format version 1.
- Algorithm suites with key commitment use message format version 2.
Source Files