Documentation ¶
Index ¶
- Constants
- Variables
- func DecodeString(s string) ([]byte, error)
- func Decrypt(src io.Reader, identities ...Identity) (io.Reader, error)
- func Encrypt(dst io.Writer, recipients ...Recipient) (io.WriteCloser, error)
- func FindSSHKeys() ([]string, error)
- func NewlineWriter(dst io.Writer) io.Writer
- func SSHAgentSigners() ([]ssh.Signer, error)
- type ChallengeIdentity
- type ChallengeRecipient
- type Ed25519Identity
- type Ed25519Recipient
- type EncryptedSSHIdentity
- type Header
- type Identity
- type IdentityMatcher
- type LazyScryptIdentity
- type ParseError
- type RSAIdentity
- type RSARecipient
- type Recipient
- type ScryptIdentity
- type ScryptRecipient
- type Stanza
Constants ¶
const BytesPerLine = ColumnsPerLine / 4 * 3
const ColumnsPerLine = 64
Variables ¶
var EncodeToString = b64.EncodeToString
var ErrIncorrectIdentity = errors.New("incorrect identity for recipient block")
Functions ¶
func DecodeString ¶
func Decrypt ¶
Decrypt returns a Reader that yields the decrypted plaintext of the encrypted file read from src. The identities are tried in turn until one successfully unwraps the file key: an identity that returns ErrIncorrectIdentity for a stanza is skipped, while any other error from an identity may abort decryption (see Identity and IdentityMatcher). Because the plaintext is delivered through a streaming Reader, callers should not act on partial output until the Reader has been read to io.EOF without error.
func Encrypt ¶
Encrypt returns a WriteCloser. Writes to the returned value are encrypted and written to dst as an encrypted file. Every recipient passed will be able to decrypt the file, so the recipient list should be exactly the intended audience; note that a ScryptRecipient cannot be combined with any other recipient (see ScryptRecipient).
The caller must call Close on the returned value when done: until Close is called the last chunk has not been encrypted and flushed to dst, and an unclosed stream leaves dst incomplete.
func FindSSHKeys ¶
FindSSHKeys looks in the current user's ~/.ssh directory for files that may be SSH keys and returns their paths. If no keys are found, it returns an empty slice rather than an error.
func NewlineWriter ¶
NewlineWriter returns a Writer that writes to dst, inserting an LF character after every ColumnsPerLine bytes. It inserts no newline at either the beginning or the end of the stream.
func SSHAgentSigners ¶
SSHAgentSigners connects to the running ssh-agent and returns all signers it exposes. Every key loaded in the agent is returned, so callers that need one specific identity should select from the result rather than using all of them.
Types ¶
type ChallengeIdentity ¶
type ChallengeIdentity struct {
// contains filtered or unexported fields
}
ChallengeIdentity is a challenge-based identity, supporting SSH agents.
func NewChallengeIdentity ¶
func NewChallengeIdentity(signer ssh.Signer) (*ChallengeIdentity, error)
NewChallengeIdentity returns a new ChallengeIdentity with the provided challenge signer.
func (*ChallengeIdentity) Match ¶
func (i *ChallengeIdentity) Match(block *Stanza) error
Match implements IdentityMatcher without decrypting the payload, to ensure the agent is only contacted if necessary.
func (*ChallengeIdentity) Type ¶
func (*ChallengeIdentity) Type() string
type ChallengeRecipient ¶
type ChallengeRecipient struct {
// contains filtered or unexported fields
}
func NewChallengeRecipient ¶
func NewChallengeRecipient(signer ssh.Signer) (*ChallengeRecipient, error)
NewChallengeRecipient returns a new ChallengeRecipient with the provided signer.
func (*ChallengeRecipient) Type ¶
func (*ChallengeRecipient) Type() string
type Ed25519Identity ¶
type Ed25519Identity struct {
// contains filtered or unexported fields
}
func NewEd25519Identity ¶
func NewEd25519Identity(key ed25519.PrivateKey) (*Ed25519Identity, error)
func (*Ed25519Identity) Type ¶
func (*Ed25519Identity) Type() string
type Ed25519Recipient ¶
type Ed25519Recipient struct {
// contains filtered or unexported fields
}
func NewEd25519Recipient ¶
func NewEd25519Recipient(pk ssh.PublicKey) (*Ed25519Recipient, error)
func (*Ed25519Recipient) Type ¶
func (*Ed25519Recipient) Type() string
type EncryptedSSHIdentity ¶
type EncryptedSSHIdentity struct {
// contains filtered or unexported fields
}
EncryptedSSHIdentity is an IdentityMatcher implementation based on a passphrase encrypted SSH private key.
It provides public key based matching and deferred decryption so the passphrase is only requested if necessary. If the application knows it will unconditionally have to decrypt the private key, it would be simpler to use ssh.ParseRawPrivateKeyWithPassphrase directly and pass the result to NewEd25519Identity or NewRSAIdentity.
func NewEncryptedSSHIdentity ¶
func NewEncryptedSSHIdentity(pubKey ssh.PublicKey, pemBytes []byte, passphrase func() ([]byte, error)) (*EncryptedSSHIdentity, error)
NewEncryptedSSHIdentity returns a new EncryptedSSHIdentity.
pubKey must be the public key associated with the encrypted private key, and it must have type "ssh-ed25519" or "ssh-rsa". For OpenSSH encrypted files it can be extracted from an ssh.PassphraseMissingError; otherwise it can often be found in the corresponding ".pub" file. Because Match works from pubKey without decrypting the private key, a public key that does not actually correspond to pemBytes would cause the identity to match the wrong stanzas, or none at all.
pemBytes must be a valid input to ssh.ParseRawPrivateKeyWithPassphrase. passphrase is a callback that will be invoked by Unwrap when the passphrase is necessary.
func (*EncryptedSSHIdentity) Match ¶
func (i *EncryptedSSHIdentity) Match(block *Stanza) error
Match implements IdentityMatcher without decrypting the private key, to ensure the passphrase is only obtained if necessary.
func (*EncryptedSSHIdentity) Type ¶
func (i *EncryptedSSHIdentity) Type() string
Type returns the type of the underlying private key, "ssh-ed25519" or "ssh-rsa".
type Header ¶
type Identity ¶
An Identity is a private key or other value that can decrypt an opaque file key from a recipient stanza.
Unwrap must return ErrIncorrectIdentity for recipient stanzas that do not match the identity; any other error may be treated as fatal by the caller, so it must not be used to signal a mere mismatch.
func FindIdentities ¶
func FindIdentities() []Identity
FindIdentities returns all available identities.
func ParseIdentitiesFile ¶
ParseIdentitiesFile parses and returns all identities found in a private key file.
type IdentityMatcher ¶
IdentityMatcher can be optionally implemented by an Identity that can communicate whether it can decrypt a recipient stanza without decrypting it.
If an Identity implements IdentityMatcher, its Unwrap method is invoked only on stanzas for which Match returned nil. Match must return ErrIncorrectIdentity for recipient stanzas that do not match the identity; any other error may be treated as fatal by the caller.
type LazyScryptIdentity ¶
func (*LazyScryptIdentity) Type ¶
func (i *LazyScryptIdentity) Type() string
type ParseError ¶
type ParseError string
func (ParseError) Error ¶
func (e ParseError) Error() string
type RSAIdentity ¶
type RSAIdentity struct {
// contains filtered or unexported fields
}
func NewRSAIdentity ¶
func NewRSAIdentity(key *rsa.PrivateKey) (*RSAIdentity, error)
func (*RSAIdentity) Type ¶
func (*RSAIdentity) Type() string
type RSARecipient ¶
type RSARecipient struct {
// contains filtered or unexported fields
}
func NewRSARecipient ¶
func NewRSARecipient(pk ssh.PublicKey) (*RSARecipient, error)
func (*RSARecipient) Type ¶
func (*RSARecipient) Type() string
type Recipient ¶
A Recipient is a public key or other value that can encrypt an opaque file key to a recipient stanza.
func FindRecipients ¶
func FindRecipients() []Recipient
FindRecipients returns all available recipients.
func ParseRecipient ¶
ParseRecipient creates a Recipient from an SSH public key.
type ScryptIdentity ¶
type ScryptIdentity struct {
// contains filtered or unexported fields
}
ScryptIdentity is a password-based identity.
func NewScryptIdentity ¶
func NewScryptIdentity(password string) (*ScryptIdentity, error)
NewScryptIdentity returns a new ScryptIdentity with the provided password.
func (*ScryptIdentity) Type ¶
func (*ScryptIdentity) Type() string
type ScryptRecipient ¶
type ScryptRecipient struct {
// contains filtered or unexported fields
}
ScryptRecipient is a password-based recipient.
If a ScryptRecipient is used, it must be the only recipient for the file: it cannot be combined with other recipient types and cannot be used more than once for the same file. The protection of such a file rests entirely on the strength of the chosen password.
func NewScryptRecipient ¶
func NewScryptRecipient(password string) (*ScryptRecipient, error)
NewScryptRecipient returns a new ScryptRecipient with the provided password.
func (*ScryptRecipient) Type ¶
func (*ScryptRecipient) Type() string