crypto

Documentation

Overview

Package crypto provides cryptography functions for generating keys and certificates, deriving keys, calculating HMACs and such

Index

• Constants
• func CalculatePublicKeyHash(cert *x509.Certificate) ([]byte, error)
• func EncodeCert(cert *x509.Certificate) ([]byte, error)
• func EncodeCurlPinnedPublicKeyHash(hash []byte) string
• func EncodeKey(key *Key) string
• func GenerateAuthHMAC(key []byte, method string, path string, ttl time.Duration) (string, error)
• func GenerateKeyAndCert(hostname string) (string, string, error)
• func LoadCertFromFile(filename string) (*x509.Certificate, error)
• func ReadCurlPinnedPublicKeyFromFile(filename string) (string, error)
• type Key
  • func DecodeKey(s string) (*Key, error)
  • func DeriveKey(password []byte, salt []byte) *Key
  • func GenerateKey(password []byte) (*Key, error)

Constants

const (
	// KeyLenBytes is a constant that defines the length of the key that is derived from the password (128-bit)
	KeyLenBytes = 32

	// KeyDerivIter is the number of PBKDF2 iterations used to derive the key from the password
	KeyDerivIter = 10000
)

Functions

func CalculatePublicKeyHash

func CalculatePublicKeyHash(cert *x509.Certificate) ([]byte, error)

CalculatePublicKeyHash calculates the SHA-256 hash of the DER PKIX representation of the public key contained in the given certificate. This is useful to use with the --pinnedpubkey option in curl.

func EncodeCert

func EncodeCert(cert *x509.Certificate) ([]byte, error)

EncodeCert encodes a X.509 certificates as PEM.

func EncodeCurlPinnedPublicKeyHash

func EncodeCurlPinnedPublicKeyHash(hash []byte) string

EncodeCurlPinnedPublicKeyHash encodes a public key hash in the format that curl's --pinnedpubkey option expects.

func EncodeKey

func EncodeKey(key *Key) string

EncodeKey encodes the raw key and salt into a string in the format SALT:KEY, with both parts being base64 encoded.

func GenerateAuthHMAC

func GenerateAuthHMAC(key []byte, method string, path string, ttl time.Duration) (string, error)

GenerateAuthHMAC generates the HMAC auth header used to authorize uthenticate against the server. The result can be used in the HTTP "X-Authorization" header. If the TTL is non-zero, the authorization header will only be valid for the given duration.

func GenerateKeyAndCert

func GenerateKeyAndCert(hostname string) (string, string, error)

GenerateKeyAndCert generates a ECDSA P-256 key, and a self-signed certificate. It returns both as PEM-encoded values.

func LoadCertFromFile

func LoadCertFromFile(filename string) (*x509.Certificate, error)

LoadCertFromFile loads the first PEM-encoded certificate from the given filename

func ReadCurlPinnedPublicKeyFromFile

func ReadCurlPinnedPublicKeyFromFile(filename string) (string, error)

ReadCurlPinnedPublicKeyFromFile reads a cert from the given filename and calculates the public key for curl

Types

type Key

type Key struct {
	Bytes []byte
	Salt  []byte
}

Key defines the symmetric key that is derived from the user password. It consists of the raw key bytes and the randomly generated salt.

func DecodeKey

func DecodeKey(s string) (*Key, error)

DecodeKey decodes a key that was previously encoded with the EncodeKey function.

func DeriveKey

func DeriveKey(password []byte, salt []byte) *Key

DeriveKey derives a key using PBKDF2 from the given password, using the given salt. This function can be used to derive and then verify a key from a kkown salt and password.

func GenerateKey

func GenerateKey(password []byte) (*Key, error)

GenerateKey generates a new random salt and then derives a key from the given password using the DeriveKey function. This function is meant to be used when a new server is set up.