crypto

package
v2.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 26, 2022 License: AGPL-3.0 Imports: 13 Imported by: 0

Documentation

Index

Examples

Constants

View Source
const (
	// MinWrapSize is the smallest key byte length that may be wrapped.
	MinWrapSize = 16
	// MaxWrapSize is the largest key byte length that may be wrapped.
	MaxWrapSize = 8192
)
View Source
const EncryptionKeyLength = 32
View Source
const Overhead = int(tagLength + nonceLength)
View Source
const TagLength = 32
View Source
const TaggerKeyLength = 32
View Source
const WrapperKeyLength = 32

Variables

View Source
var ErrInvalidKeyLength = fmt.Errorf("invalid key length, accepted key length is %d bytes", WrapperKeyLength)

Functions

func KMACKDF

func KMACKDF(size int, kik, label []byte, context ...[]byte) []byte

KMACKDF uses KMAC to derive a `size`-byte cryptographic key from a key initialization key (`kik`), a `label`, and a `context`. Implemented according to: * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf section 4: KMAC * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-draft.pdf section 5.4: KDF Using KMAC

func NewKMAC128

func NewKMAC128(key []byte, tagSize int, customizationString []byte) hash.Hash

NewKMAC128 returns a new KMAC hash providing 128 bits of security using the given key, which must have 16 bytes or more, generating the given tagSize bytes output and using the given customizationString. Note that unlike other hash implementations in the standard library, the returned Hash does not implement encoding.BinaryMarshaler or encoding.BinaryUnmarshaler.

func NewKMAC256

func NewKMAC256(key []byte, tagSize int, customizationString []byte) hash.Hash

NewKMAC256 returns a new KMAC hash providing 256 bits of security using the given key, which must have 32 bytes or more, generating the given tagSize bytes output and using the given customizationString. Note that unlike other hash implementations in the standard library, the returned Hash does not implement encoding.BinaryMarshaler or encoding.BinaryUnmarshaler.

Example
key := []byte("this is a secret key; you should generate a strong random key that's at least 32 bytes long")
tag := make([]byte, 16)
msg := []byte("The quick brown fox jumps over the lazy dog")
// Example 1: Simple KMAC
k := NewKMAC256(key, len(tag), []byte("Partition1"))
k.Write(msg)
k.Sum(tag[:0])
fmt.Println(hex.EncodeToString(tag))
// Example 2: Different customization string produces different digest
k = NewKMAC256(key, 16, []byte("Partition2"))
k.Write(msg)
k.Sum(tag[:0])
fmt.Println(hex.EncodeToString(tag))
Output:

3814d78758add078334b8ab9e5c4f942
3762371e99e1e01ab17742b95c0360da

Types

type AEADInterface

type AEADInterface interface {
	// Encrypt encrypts uses the key to encrypt and authenticate the plaintext and authenticated the
	// associated data. The backing array of `plaintext` is likely modified during this operation.
	Encrypt(plaintext, data, key []byte) ([]byte, error)

	// Decrypt uses the key to verify the authenticity of the ciphertext and associated data and
	// decrypt the ciphertext. The `ciphertext` array is modified during this operation.
	Decrypt(ciphertext, data, key []byte) ([]byte, error)
}

AEADInterface represents an Authenticated Encryption scheme with Associated Data.

type AES256GCM

type AES256GCM struct {
	Random RandomInterface
}

AES256GCM implements AEADInterface.

func (*AES256GCM) Decrypt

func (a *AES256GCM) Decrypt(ciphertext, aad, key []byte) ([]byte, error)

func (*AES256GCM) Encrypt

func (a *AES256GCM) Encrypt(plaintext, aad, key []byte) ([]byte, error)

type Cryptor

type Cryptor struct {
	// contains filtered or unexported fields
}

Cryptor implements the CryptorInterface.

func NewAESCryptor

func NewAESCryptor(KEK []byte) (Cryptor, error)

NewAESCryptor creates a Cryptor which uses AES-256 in GCM mode.

func (*Cryptor) Decrypt

func (c *Cryptor) Decrypt(plaintext, data interface{}, wrappedKey, ciphertext []byte) error

func (*Cryptor) Encrypt

func (c *Cryptor) Encrypt(plaintext, data interface{}) ([]byte, []byte, error)

type CryptorInterface

type CryptorInterface interface {
	// Encrypt encrypts plaintext and associated data with a random key. It returns the wrapped key
	// and the ciphertext.
	Encrypt(plaintext, data interface{}) (wrappedKey, ciphertext []byte, err error)

	// Decrypt decrypts a ciphertext using the provided wrapped key and associated data. It
	// deserializes the result into `plaintext`.
	Decrypt(plaintext, data interface{}, wrappedKey, ciphertext []byte) (err error)
}

CryptorInterface provides an API to encrypt/decrypt data and additional associated data with a (wrapped) random key.

type KWP

type KWP struct {
	// contains filtered or unexported fields
}

KWP is an implementation of an AES-KWP key wrapping cipher.

func NewKWP

func NewKWP(wrappingKey []byte) (*KWP, error)

NewKWP returns a KWP instance. The key argument should be the AES wrapping key, either 16 or 32 bytes to select AES-128 or AES-256.

func (*KWP) Unwrap

func (kwp *KWP) Unwrap(data []byte) ([]byte, error)

Unwrap unwraps a wrapped key.

func (*KWP) Wrap

func (kwp *KWP) Wrap(data []byte) ([]byte, error)

Wrap wraps the provided key material.

type KeyWrapperInterface

type KeyWrapperInterface interface {
	// Wrap wraps the provided key material.
	Wrap(key []byte) ([]byte, error)

	// Unwrap unwraps a wrapped key.
	Unwrap(key []byte) ([]byte, error)
}

KeyWrapperInterface provides an API to wrap/unwrap key material.

type MockRandom

type MockRandom struct {
	Bytes []byte
}

MockRandom is a mock implementation of RandomInterface for testing.

func (*MockRandom) GetBytes

func (r *MockRandom) GetBytes(n uint) ([]byte, error)

type NativeRandom

type NativeRandom struct {
}

NativeRandom implements RandomInterface.

func (*NativeRandom) GetBytes

func (r *NativeRandom) GetBytes(n uint) ([]byte, error)

type PasswordHasher

type PasswordHasher struct {
	// contains filtered or unexported fields
}

PasswordHasher implements PasswordHasherInterface using pbkdf2.

func NewPasswordHasher

func NewPasswordHasher() *PasswordHasher

func (*PasswordHasher) Compare

func (p *PasswordHasher) Compare(password string, saltAndHash []byte) bool

func (*PasswordHasher) GeneratePassword

func (p *PasswordHasher) GeneratePassword() (string, []byte, error)

type PasswordHasherInterface

type PasswordHasherInterface interface {
	// GeneratePassword returns a random password and a salted hash of that password.
	GeneratePassword() (string, []byte, error)

	// Compare checks if the password matches the given hash.
	Compare(password string, saltAndHash []byte) bool
}

PasswordHasherInterface provides an API for securely generating and checking passwords.

type RandomInterface

type RandomInterface interface {
	// GetBytes generates the requested number of random bytes.
	GetBytes(n uint) ([]byte, error)
}

RandomInterface provides an API for getting cryptographically secure random bytes.

type Tagger

type Tagger struct {
	Key []byte
}

Tagger implements the TaggerInterface

func NewKMAC256Tagger

func NewKMAC256Tagger(key []byte) (Tagger, error)

NewKMAC256Tagger creates a Tagger which uses KMAC256.

func (*Tagger) Tag

func (t *Tagger) Tag(data interface{}) ([]byte, error)

type TaggerInterface

type TaggerInterface interface {
	// Tag creates a cryptographic tag of data.
	Tag(data interface{}) (mac []byte, err error)
}

TaggerInterface provides an API to create a cryptographic tag, i.e. a piece of information used for authenticating data.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL