Documentation ¶
Index ¶
- Variables
- func CheckMACs(ciphertextMAC, uncompressedMAC MAC, md *api.EntryMetadata) error
- func HMAC(p []byte, hmacKey []byte) []byte
- func MarshalEEK(keys *EEK) []byte
- func MarshalKEK(keys *KEK) []byte
- type Decrypter
- type EEK
- type EncryptedMetadata
- type Encrypter
- type EntryMetadataEncrypter
- type KEK
- type MAC
- type MetadataDecrypter
- type MetadataEncrypterDecrypter
Constants ¶
This section is empty.
Variables ¶
var ErrAuthorOffCurve = errors.New("author public key point not on expected elliptic curve")
ErrAuthorOffCurve indicates that an author ECDSA private key is is not on the expected curve.
var ErrIncompleteKeyDefinition = errors.New("incomplete key definition")
ErrIncompleteKeyDefinition indicates that the key definition function was unable to generate the required number of bytes for the encryption keys.
var ErrInsufficientEEKBytes = errors.New("insufficient EEK bytes")
ErrInsufficientEEKBytes indicates when the crypto random number generator is unable to generate the sufficient number of bytes for the EEK key.
var ErrReaderOffCurve = errors.New("reader public key point not on expected elliptic curve")
ErrReaderOffCurve indicates that a reader ECDSA public key is is not on the expected curve.
var ErrUnexpectedCiphertextMAC = errors.New("unexpected ciphertext MAC")
ErrUnexpectedCiphertextMAC indicates when the ciphertext MAC does not match the expected value.
var ErrUnexpectedCiphertextSize = errors.New("unexpected ciphertext size")
ErrUnexpectedCiphertextSize indicates when the ciphertext size does not match the expected value.
var ErrUnexpectedMAC = errors.New("unexpected MAC")
ErrUnexpectedMAC occurs when the calculated MAC did not match the expected MAC.
var ErrUnexpectedUncompressedMAC = errors.New("unexpected uncompressed MAC")
ErrUnexpectedUncompressedMAC indicates when the uncompressed MAC does not match the expected value.
var ErrUnexpectedUncompressedSize = errors.New("unexpected uncompressed size")
ErrUnexpectedUncompressedSize indicates when the uncompressed size does not match the expected value.
Functions ¶
func CheckMACs ¶
func CheckMACs(ciphertextMAC, uncompressedMAC MAC, md *api.EntryMetadata) error
CheckMACs checks that the ciphertext and uncompressed MACs are consistent with the *api.Metadata.
func MarshalEEK ¶
MarshalEEK serializes the EEK to their byte representation.
func MarshalKEK ¶
MarshalKEK serializes the EEK to their byte representation.
Types ¶
type Decrypter ¶
type Decrypter interface { // Decrypt decrypts the ciphertext of a particular page. Decrypt(ciphertext []byte, pageIndex uint32) ([]byte, error) }
Decrypter decrypts a page's ciphertext.
func NewDecrypter ¶
NewDecrypter creates a new Decrypter instance using the encryption keys.
type EEK ¶
type EEK struct { // AESKey is the 32-byte AES-256 key used to encrypt Pages and Entry metadata. AESKey []byte // PageIVSeed is the 32-byte block cipher initialization vector (IV) seed for Page // enc. PageIVSeed []byte // HMACKey is the 32-byte key used for Page HMAC-256 calculations. HMACKey []byte // MetadataIV is the 12-byte IV for the Entry metadata block cipher. MetadataIV []byte }
EEK (entry encryption keys) are used to encrypt an Entry and its Pages.
func NewPseudoRandomEEK ¶
NewPseudoRandomEEK generates a new *EEK instance from a random number generator for use in testing.
func UnmarshalEEK ¶
UnmarshalEEK deserializes the EEK from its byte representation.
type EncryptedMetadata ¶
EncryptedMetadata contains both the ciphertext and ciphertext MAC involved in encrypting an *api.EntryMetadata instance.
func NewEncryptedMetadata ¶
func NewEncryptedMetadata(ciphertext, ciphertextMAC []byte) (*EncryptedMetadata, error)
NewEncryptedMetadata creates a new *EncryptedMetadata instance if the ciphertext and ciphertextMAC are valid.
type Encrypter ¶
type Encrypter interface { // Encrypt encrypts the given plaintext for a given pageIndex, returning the ciphertext. Encrypt(plaintext []byte, pageIndex uint32) ([]byte, error) }
Encrypter encrypts (compressed) plaintext of a page.
func NewEncrypter ¶
NewEncrypter creates a new Encrypter using the encryption keys.
type EntryMetadataEncrypter ¶ added in v0.2.0
type EntryMetadataEncrypter interface { // EncryptMetadata encrypts an *api.EntryMetadata instance using the AES key and the MetadataIV // key for the MAC. Encrypt(m *api.EntryMetadata, keys *EEK) (*EncryptedMetadata, error) }
EntryMetadataEncrypter encrypts *api.EntryMetadata.
type KEK ¶
type KEK struct { // AESKey is the 32-byte AES-256 key used to encrypt the EEK. AESKey []byte // IV is the 12-byte block cipher initialization vector (IV) seed. IV []byte // HMACKey is the 32-byte key used for the EEK ciphertext HMAC-256. HMACKey []byte }
KEK (key encryption keys) are used to encrypt an EEK.
func NewKEK ¶
NewKEK generates a new *KEK instance from the shared secret between a random ECDSA private and separate ECDSA public key.
func NewPseudoRandomKEK ¶
NewPseudoRandomKEK generates a new *KEK instance from a random number generator for use in testing.
func UnmarshalKEK ¶
UnmarshalKEK deserializes the KEK from its byte representation.
type MAC ¶
type MAC interface { io.Writer // Sum returns the MAC after writing the given bytes. Sum(in []byte) []byte // Reset resets the MAC. Reset() // MessageSize returns the total number of digested bytes. MessageSize() uint64 }
MAC wraps a hash function to return a message authentication code (MAC) and the total number of bytes it has digested.
type MetadataDecrypter ¶
type MetadataDecrypter interface { // Decrypt decrypts an *EncryptedMetadata instance, using the AES key and the MetadataIV // key. It returns UnexpectedMACErr if the calculated ciphertext MAC does not match the // expected ciphertext MAC. Decrypt(em *EncryptedMetadata, keys *EEK) (*api.EntryMetadata, error) }
MetadataDecrypter decrypts *EncryptedMetadata.
type MetadataEncrypterDecrypter ¶
type MetadataEncrypterDecrypter interface { EntryMetadataEncrypter MetadataDecrypter }
MetadataEncrypterDecrypter encrypts *api.EntryMetadata and decrypts *EncryptedMetadata.
func NewMetadataEncrypterDecrypter ¶
func NewMetadataEncrypterDecrypter() MetadataEncrypterDecrypter
NewMetadataEncrypterDecrypter creates a new MetadataEncrypterDecrypter.