cryptor

package
v0.0.0-...-3f826ee
Published: Sep 28, 2018 License: BSD-2-Clause Imports: 17 Imported by: 0

Documentation

Overview

Package cryptor encrypts and decrypts files using the Red October vault and key cache.

Copyright (c) 2013 CloudFlare, Inc.

Index

Constants

const (
	DEFAULT_VERSION = 1
)

Variables

var ErrNotEnoughDelegations = errors.New("need more delegated keys")

ErrNotEnoughDelegations is an error returned by Decrypt.

var ErrRestoreDelegations = errors.New("cryptor: need more delegations")

ErrRestoreDelegations is a sentinel value returned when more delegations are needed for the restore to continue.

Functions

This section is empty.

Types

type AccessStructure

type AccessStructure struct {
	Minimum int
	Names   []string

	LeftNames  []string
	RightNames []string

	Predicate string
}

AccessStructure represents the different possible access structures for encrypted data. If len(Names) > 0, then at least 2 of the users in the list must be delegated to decrypt. If len(LeftNames) > 0 and len(RightNames) > 0, then at least one user from each list must be delegated (if the same user is in both lists, that user can decrypt it alone). If a predicate is present, it must be satisfied to decrypt.
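The rules above, as a stand-alone check that an added example implements (not the package's own code): a copy of the AccessStructure fields plus a CanDecrypt function that, given the set of currently delegated user names, applies the Names/Minimum and LeftNames/RightNames rules. Predicate evaluation belongs to Red October's msp package and is not reproduced; an unset Minimum is assumed to mean the documented "at least 2".

```go
package main

import "fmt"

// AccessStructure mirrors the fields documented on this page.
type AccessStructure struct {
	Minimum    int
	Names      []string
	LeftNames  []string
	RightNames []string
	Predicate  string
}

// delegatedCount returns how many of names currently hold a delegation.
func delegatedCount(names []string, delegated map[string]bool) int {
	n := 0
	for _, name := range names {
		if delegated[name] {
			n++
		}
	}
	return n
}

// CanDecrypt reports whether the delegated users satisfy the access structure
// under the rules in the AccessStructure doc comment. Assumption: a non-empty
// Predicate is reported as unsupported here rather than evaluated.
func CanDecrypt(a AccessStructure, delegatedUsers []string) (bool, error) {
	if a.Predicate != "" {
		return false, fmt.Errorf("predicate %q not evaluated by this example", a.Predicate)
	}
	delegated := make(map[string]bool, len(delegatedUsers))
	for _, u := range delegatedUsers {
		delegated[u] = true
	}
	switch {
	case len(a.Names) > 0:
		need := a.Minimum
		if need <= 0 {
			need = 2 // assumption: unset Minimum means the documented "at least 2"
		}
		return delegatedCount(a.Names, delegated) >= need, nil
	case len(a.LeftNames) > 0 && len(a.RightNames) > 0:
		// One delegated user per list; a user listed on both sides satisfies both alone.
		return delegatedCount(a.LeftNames, delegated) > 0 && delegatedCount(a.RightNames, delegated) > 0, nil
	}
	return false, fmt.Errorf("access structure names no users")
}
```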

type Cryptor

type Cryptor struct {
	// contains filtered or unexported fields
}

func New

func New(records *passvault.Records, cache *keycache.Cache, config *config.Config) (*Cryptor, error)

func (*Cryptor) Decrypt

func (c *Cryptor) Decrypt(in []byte, user string) (resp []byte, labels, names []string, usages []string, secure bool, err error)

Decrypt decrypts a file using the keys in the key cache.

func (*Cryptor) Delegate

func (c *Cryptor) Delegate(record passvault.PasswordRecord, name, password string, users, labels []string, uses int, slot, durationString string) (err error)

Delegate attempts to decrypt a key for the specified user and add the key to the key cache.

func (*Cryptor) DelegateStatus

func (c *Cryptor) DelegateStatus(name string, labels, admins []string) (adminsDelegated []string, hasDelegated int)

DelegateStatus will return a list of admins who have delegated to a particular user, for a particular label. This is useful information to have when determining the status of an order and conveying order progress.

func (*Cryptor) Encrypt

func (c *Cryptor) Encrypt(in []byte, labels []string, usages []string, access AccessStructure) (resp []byte, err error)

Encrypt encrypts data with the keys associated with the names in access. Decrypting then requires a minimum of min keys (the access structure's Minimum). NOTE: as currently implemented, the maximum value for min is 2.

func (*Cryptor) Flush

func (c *Cryptor) Flush() error

Flush removes all delegations.

func (*Cryptor) GetOwners

func (c *Cryptor) GetOwners(in []byte) (names, labels []string, predicate string, err error)

GetOwners returns the list of users that can delegate their passwords to decrypt the given encrypted secret.

func (*Cryptor) LiveSummary

func (c *Cryptor) LiveSummary() map[string]keycache.ActiveUser

LiveSummary returns a list of the users currently delegated.

func (*Cryptor) Refresh

func (c *Cryptor) Refresh() error

Refresh purges all expired or fully-used delegations in the cryptor's key cache. It returns an error if the delegations should have been stored but couldn't be.

func (*Cryptor) ResetPersisted

func (c *Cryptor) ResetPersisted() (*persist.Status, error)

ResetPersisted clears any persisted delegations and returns the vault to an active delegation state if configured.

func (*Cryptor) Restore

func (c *Cryptor) Restore(name, password string, uses int, slot, durationString string) error

Restore delegates the named user to the persistence key cache. If enough delegations are present to restore the cache, the current Red October key cache is replaced with the persisted one.

func (*Cryptor) Status

func (c *Cryptor) Status() *persist.Status

Status returns the status of the underlying persistence store.

type EncryptedData

type EncryptedData struct {
	Version int
	VaultId int      `json:",omitempty"`
	Labels  []string `json:",omitempty"`
	// Usages lists the endpoints which may use this data.
	// If empty, only decryption is permitted.
	Usages    []string                    `json:",omitempty"`
	Predicate string                      `json:",omitempty"`
	KeySet    []MultiWrappedKey           `json:",omitempty"`
	KeySetRSA map[string]SingleWrappedKey `json:",omitempty"`
	ShareSet  map[string][][]byte         `json:",omitempty"`
	IV        []byte                      `json:",omitempty"`
	Data      []byte
	Signature []byte
}

EncryptedData is the format for encrypted data containing all the keys necessary to decrypt it when delegated.

type MultiWrappedKey

type MultiWrappedKey struct {
	Name []string
	Key  []byte
}

MultiWrappedKey is a structure containing a 16-byte key encrypted once for each of the keys corresponding to the names of the users in Name in order.

type SingleWrappedKey

type SingleWrappedKey struct {
	Key []byte
	// contains filtered or unexported fields
}

SingleWrappedKey is a structure containing a 16-byte key encrypted by an RSA or EC key.

type UserDatabase

type UserDatabase struct {
	// contains filtered or unexported fields
}

UserDatabase implements msp.UserDatabase.

func (UserDatabase) CanGetShare

func (u UserDatabase) CanGetShare(name string) bool

func (UserDatabase) GetShare

func (u UserDatabase) GetShare(name string) ([][]byte, error)

func (UserDatabase) ValidUser

func (u UserDatabase) ValidUser(name string) bool
