crypto

package

v0.53.1 Latest Latest Go to latest Published: Mar 2, 2024 License: BSD-3-Clause Imports: 12 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/shuLhan/share

Links

Open Source Insights

Documentation ¶

Overview ¶

Package crypto provide a wrapper for standard crypto package and golang.org/x/crypto.

Index ¶

Variables
func DecryptOaep(hash hash.Hash, random io.Reader, pkey *rsa.PrivateKey, cipher, label []byte) (plain []byte, err error)
func EncryptOaep(hash hash.Hash, random io.Reader, pub *rsa.PublicKey, msg, label []byte) (cipher []byte, err error)
func LoadPrivateKey(file string, passphrase []byte) (pkey crypto.PrivateKey, err error)
func LoadPrivateKeyInteractive(termrw io.ReadWriter, file string) (pkey crypto.PrivateKey, err error)

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrEmptyPassphrase = errors.New(`empty passphrase`)

ErrEmptyPassphrase returned when private key is encrypted and loaded interactively, using LoadPrivateKeyInteractive, but the readed passphrase is empty.

This is to catch error "bcrypt_pbkdf: empty password" earlier that cannot be catched using errors.Is after ssh.ParseRawPrivateKeyWithPassphrase.

View Source

var ErrStdinPassphrase = errors.New(`cannot read passhprase from stdin`)

ErrStdinPassphrase error when program cannot changes os.Stdin for reading passphrase in terminal. The original error message is "inappropriate ioctl for device".

Functions ¶

func DecryptOaep ¶ added in v0.50.0

func DecryptOaep(hash hash.Hash, random io.Reader, pkey *rsa.PrivateKey, cipher, label []byte) (plain []byte, err error)

DecryptOaep extend the rsa.DecryptOAEP to make it able to decrypt a message larger than its public modulus size.

func EncryptOaep ¶ added in v0.50.0

func EncryptOaep(hash hash.Hash, random io.Reader, pub *rsa.PublicKey, msg, label []byte) (cipher []byte, err error)

EncryptOaep extend the rsa.EncryptOAEP to make it able to encrypt a message larger than its than (public modulus size - 2*hash.Size - 2).

The function signature is the same with rsa.EncryptOAEP except the name, to make it distinguishable.

func LoadPrivateKey ¶

func LoadPrivateKey(file string, passphrase []byte) (pkey crypto.PrivateKey, err error)

LoadPrivateKey read and parse PEM formatted private key from file. This is a wrapper for ssh.ParseRawPrivate that can return either *dsa.PrivateKey, ecdsa.PrivateKey, *ed25519.PrivateKey, or *rsa.PrivateKey.

The passphrase is optional and will only be used if the private key is encrypted. If its set it will use ssh.ParseRawPrivateKeyWithPassphrase.

Example ¶

ExampleLoadPrivateKey test loading private key from file and convert the returned type to original type.

var (
	file string
	err  error
	pkey crypto.PrivateKey
	ok   bool
)

// RSA key with PKCS#8 generated using openssl v3.1.2,
//	$ openssl genpkey -algorithm rsa -out openssl_rsa.key

file = `testdata/openssl_rsa.key`
pkey, err = LoadPrivateKey(file, nil)
if err != nil {
	log.Fatalf(`%s: %s`, file, err)
}

_, ok = pkey.(*rsa.PrivateKey)
if !ok {
	log.Fatalf(`expecting *rsa.PrivateKey, got %T`, pkey)
}
fmt.Printf("Loaded %T from %s\n", pkey, file)

// ecdsa key generated using openssl v3.1.2,
//	$ openssl ecparam -name prime256v1 -genkey -noout -out openssl_ecdsa.key

file = `testdata/openssl_ecdsa.key`
pkey, err = LoadPrivateKey(file, nil)
if err != nil {
	log.Fatalf(`%s: %s`, file, err)
}

_, ok = pkey.(*ecdsa.PrivateKey)
if !ok {
	log.Fatalf(`expecting *ecdsa.PrivateKey, got %T`, pkey)
}
fmt.Printf("Loaded %T from %s\n", pkey, file)

// ed25519 key generated using openssh v9.4p1-4.

file = `testdata/openssh_ed25519.key`
pkey, err = LoadPrivateKey(file, nil)
if err != nil {
	log.Fatalf(`%s: %s`, file, err)
}

_, ok = pkey.(*ed25519.PrivateKey)
if !ok {
	log.Fatalf(`expecting *ed25519.PrivateKey, got %T`, pkey)
}
fmt.Printf("Loaded %T from %s\n", pkey, file)

Output:

Loaded *rsa.PrivateKey from testdata/openssl_rsa.key
Loaded *ecdsa.PrivateKey from testdata/openssl_ecdsa.key
Loaded *ed25519.PrivateKey from testdata/openssh_ed25519.key

Example (WithPassphrase) ¶

RSA key with PKCS#8 generated using openssl v3.1.2,

$ openssl genpkey -algorithm rsa -out openssl_rsa.key

and then encrypted using passphrase,

$ cp openssl_rsa.key openssl_rsa_pass.key
$ ssh-keygen -p -f openssl_rsa_pass.key -N s3cret

Using openssl to encrypt private key will cause the LoadPrivateKey return an error,

unsupported key type "ENCRYPTED PRIVATE KEY"

ecdsa key generated using openssl v3.1.2,

$ openssl ecparam -name prime256v1 -genkey -noout \
	-out openssl_ecdsa.key

and then ecrypted using passphrase,

$ openssl ec -aes256 -in openssl_ecdsa.key -out \
	openssl_ecdsa_pass.key -passout pass:s3cret

ed25519 key generated using openssh v9.4p1-4,

$ ssh-keygen -t ed25519 -f openssh_ed25519.key

and then encrypted using passphrase,

$ cp openssh_ed25519.key openssh_ed25519_pass.key
$ ssh-keygen -p -f openssh_ed25519_pass.key -N s3cret

var (
	passphrase = []byte(`s3cret`)

	file string
	err  error
	pkey crypto.PrivateKey
	ok   bool
)

file = `testdata/openssl_rsa_pass.key`
pkey, err = LoadPrivateKey(file, passphrase)
if err != nil {
	log.Fatalf(`%s: %s`, file, err)
}

_, ok = pkey.(*rsa.PrivateKey)
if !ok {
	log.Fatalf(`expecting *rsa.PrivateKey, got %T`, pkey)
}
fmt.Printf("Loaded %T with passphrase from %s\n", pkey, file)

file = `testdata/openssl_ecdsa_pass.key`
pkey, err = LoadPrivateKey(file, passphrase)
if err != nil {
	log.Fatalf(`%s: %s`, file, err)
}

_, ok = pkey.(*ecdsa.PrivateKey)
if !ok {
	log.Fatalf(`expecting *ecdsa.PrivateKey, got %T`, pkey)
}
fmt.Printf("Loaded %T with passphrase from %s\n", pkey, file)

file = `testdata/openssh_ed25519_pass.key`
pkey, err = LoadPrivateKey(file, passphrase)
if err != nil {
	log.Fatalf(`%s: %s`, file, err)
}

_, ok = pkey.(*ed25519.PrivateKey)
if !ok {
	log.Fatalf(`expecting *ed25519.PrivateKey, got %T`, pkey)
}
fmt.Printf("Loaded %T with passphrase from %s\n", pkey, file)

Output:

Loaded *rsa.PrivateKey with passphrase from testdata/openssl_rsa_pass.key
Loaded *ecdsa.PrivateKey with passphrase from testdata/openssl_ecdsa_pass.key
Loaded *ed25519.PrivateKey with passphrase from testdata/openssh_ed25519_pass.key

func LoadPrivateKeyInteractive ¶ added in v0.50.0

func LoadPrivateKeyInteractive(termrw io.ReadWriter, file string) (pkey crypto.PrivateKey, err error)

LoadPrivateKeyInteractive load the private key from file. If the private key file is encrypted, it will prompt for the passphrase from terminal or from program defined in SSH_ASKPASS environment variable.

The termrw parameter is optional, default to os.Stdin if its nil. Its provide as reader-and-writer to prompt and read password from terminal (or for testing).

The SSH_ASKPASS is controlled by environment SSH_ASKPASS_REQUIRE.

If SSH_ASKPASS_REQUIRE is empty the passphrase will read from terminal first, if not possible then using SSH_ASKPASS program.
If SSH_ASKPASS_REQUIRE is set to "never", the passphrase will read from terminal only.
If SSH_ASKPASS_REQUIRE is set to "prefer", the passphrase will read using SSH_ASKPASS program not from terminal, but require DISPLAY environment to be set.
If SSH_ASKPASS_REQUIRE is set to "force", the passphrase will read using SSH_ASKPASS program not from terminal without checking DISPLAY environment.

See ssh(1) manual page for more information.

Types ¶

This section is empty.

Source Files ¶

View all Source files

crypto.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL