Documentation
Overview
Package client is the client library for STET.
Index
- Variables
- func AeadDecrypt(key shares.DEK, input io.Reader, output io.Writer, aad []byte) error
- func AeadEncrypt(key shares.DEK, input io.Reader, output io.Writer, aad []byte) error
- func MetadataToAAD(md *configpb.Metadata) ([]byte, error)
- func PrivateKeyForRSAFingerprint(kek *configpb.KekInfo, keys *configpb.AsymmetricKeys) (*rsa.PrivateKey, error)
- func PublicKeyForRSAFingerprint(kek *configpb.KekInfo, keys *configpb.AsymmetricKeys) (*rsa.PublicKey, error)
- func ReadMetadata(input io.Reader) (*configpb.Metadata, error)
- func WriteSTETHeader(output io.Writer, metadataLen int) error
- type STETHeader
- type StetClient
- type StetMetadata
Constants
This section is empty.
Variables
var STETMagic = [13]byte{'S', 'T', 'E', 'T', 'E', 'N', 'C', 'R', 'Y', 'P', 'T', 'E', 'D'}
STETMagic is the magic string for a STET encrypted file header ("STETENCRYPTED").
Functions
func AeadDecrypt
func AeadDecrypt(key shares.DEK, input io.Reader, output io.Writer, aad []byte) error
AeadDecrypt uses the provided key and AAD to decrypt the ciphertext passed in via `input`, writing the output to `output`.
func AeadEncrypt
func AeadEncrypt(key shares.DEK, input io.Reader, output io.Writer, aad []byte) error
AeadEncrypt uses the provided key and AAD to encrypt the plaintext passed in via `input`, writing the output to `output`.
func MetadataToAAD
func MetadataToAAD(md *configpb.Metadata) ([]byte, error)
MetadataToAAD processes metadata to use as AAD for AEAD encryption. The serialization scheme is as follows (given n := len(md.shares)):
len(md.shares[0].wrappedShare) || md.shares[0].wrappedShare || len(md.shares[0].hash) || md.shares[0].hash ... || len(md.shares[n-1].wrappedShare) || md.shares[n-1].wrappedShare || len(md.shares[n-1].hash) || md.shares[n-1].hash || len(md.blobID) || md.blobID
Note that KeyConfig is explicitly omitted from the serialization, as its presence is not important to the AAD.
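The serialization above, implemented as an added example (not the project's own code) over stand-in types that take the place of `configpb.Metadata` and its shares; the page fixes the field order but not the width or byte order of the length prefix, so an 8-byte little-endian length is an assumption here. It also shows why this matters: any change to a wrapped share, its hash or the blob ID changes the AAD, so AEAD decryption with tampered metadata fails authentication.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// wrappedShare stands in for configpb.WrappedShare (constructed for this example).
type wrappedShare struct {
	WrappedShare []byte
	Hash         []byte
}

// metadata stands in for configpb.Metadata (constructed for this example).
// KeyConfig is deliberately absent: the documented scheme excludes it from the AAD.
type metadata struct {
	Shares []wrappedShare
	BlobID string
}

// putField appends len(b) followed by b. ASSUMPTION: the page gives the field
// order but not the width or byte order of the length prefix; an 8-byte
// little-endian length is used here.
func putField(buf *bytes.Buffer, b []byte) {
	var n [8]byte
	binary.LittleEndian.PutUint64(n[:], uint64(len(b)))
	buf.Write(n[:])
	buf.Write(b)
}

// metadataToAAD serializes md in the documented order: for each share,
// len(wrappedShare) || wrappedShare || len(hash) || hash, then len(blobID) || blobID.
func metadataToAAD(md metadata) []byte {
	var buf bytes.Buffer
	for _, s := range md.Shares {
		putField(&buf, s.WrappedShare)
		putField(&buf, s.Hash)
	}
	putField(&buf, []byte(md.BlobID))
	return buf.Bytes()
}

func main() {
	md := metadata{Shares: []wrappedShare{{WrappedShare: []byte("ws0"), Hash: []byte("h0")}}, BlobID: "blob-1"}
	aad := metadataToAAD(md)
	// Altering a share hash (or any other serialized field) yields a different
	// AAD, so an AEAD decryption using the tampered metadata fails to authenticate.
	md.Shares[0].Hash = []byte("h1")
	fmt.Printf("%x\n%v\n", aad, bytes.Equal(aad, metadataToAAD(md)))
}
```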
func PrivateKeyForRSAFingerprint
func PrivateKeyForRSAFingerprint(kek *configpb.KekInfo, keys *configpb.AsymmetricKeys) (*rsa.PrivateKey, error)
PrivateKeyForRSAFingerprint iterates through the private keys defined in `keys`, searching for one that matches `kek`. If one is found, returns it, otherwise returns nil.
func PublicKeyForRSAFingerprint
func PublicKeyForRSAFingerprint(kek *configpb.KekInfo, keys *configpb.AsymmetricKeys) (*rsa.PublicKey, error)
PublicKeyForRSAFingerprint iterates through the public keys defined in `keys`, searching for one that matches `kek`. If one is found, returns it, otherwise returns nil.
func ReadMetadata
func ReadMetadata(input io.Reader) (*configpb.Metadata, error)
ReadMetadata parses and returns metadata from the input.
Types
type STETHeader

```go
type STETHeader struct {
	Magic       [13]byte // len([]byte(STETMagic)) == 13
	Version     uint8    // 1 byte
	MetadataLen uint16   // 2 bytes
}
```

STETHeader is the file header for the encrypted STET file format.
func ReadSTETHeader
func ReadSTETHeader(input io.Reader) (*STETHeader, error)
ReadSTETHeader reads a STET encrypted file header from `input`, returning a STETHeader.
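Writing and reading the 16-byte header (13-byte magic, 1-byte version, 2-byte metadata length) as an added example, not the project's own implementation of WriteSTETHeader/ReadSTETHeader; the page states neither the byte order of MetadataLen nor the version number, so little-endian and version 1 are assumptions. The reader rejects short input and a wrong magic before MetadataLen is used, so a length is never taken from a file that is not STET-encrypted.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// STETMagic is the documented magic string ("STETENCRYPTED").
var STETMagic = [13]byte{'S', 'T', 'E', 'T', 'E', 'N', 'C', 'R', 'Y', 'P', 'T', 'E', 'D'}

// STETHeader mirrors the documented layout: 13-byte magic, 1-byte version,
// 2-byte metadata length, 16 bytes in total on the wire.
type STETHeader struct {
	Magic       [13]byte
	Version     uint8
	MetadataLen uint16
}

// ASSUMPTION: the page gives neither the byte order of MetadataLen nor the
// version number; little-endian and version 1 are assumed here.
const headerSize, assumedVersion = 16, uint8(1)

// writeSTETHeader emits the fixed-size header for metadataLen bytes of metadata.
func writeSTETHeader(w io.Writer, metadataLen int) error {
	if metadataLen < 0 || metadataLen > 0xFFFF {
		return fmt.Errorf("metadata length %d does not fit in uint16", metadataLen)
	}
	var b [headerSize]byte
	copy(b[:13], STETMagic[:])
	b[13] = assumedVersion
	binary.LittleEndian.PutUint16(b[14:], uint16(metadataLen))
	_, err := w.Write(b[:])
	return err
}

// readSTETHeader parses a header, rejecting short input and a wrong magic so
// that MetadataLen is never taken from a file that is not STET-encrypted.
func readSTETHeader(r io.Reader) (*STETHeader, error) {
	var b [headerSize]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return nil, fmt.Errorf("reading STET header: %w", err)
	}
	h := &STETHeader{Version: b[13], MetadataLen: binary.LittleEndian.Uint16(b[14:])}
	copy(h.Magic[:], b[:13])
	if h.Magic != STETMagic {
		return nil, fmt.Errorf("not a STET encrypted file: bad magic")
	}
	return h, nil
}

func main() {
	var buf bytes.Buffer
	_ = writeSTETHeader(&buf, 300)
	fmt.Println(readSTETHeader(&buf))
}
```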
type StetClient

```go
type StetClient struct {
	// Whether to skip verification of the inner TLS session cert.
	InsecureSkipVerify bool
	// The version of STET, if set. This is used to construct user agent
	// strings for Cloud KMS requests.
	Version string
	// contains filtered or unexported fields
}
```

StetClient provides Encryption and Decryption services through the Split Trust Encryption Tool.
func (*StetClient) Decrypt
func (c *StetClient) Decrypt(ctx context.Context, input io.Reader, output io.Writer, stetConfig *configpb.StetConfig) (*StetMetadata, error)
Decrypt writes the decrypted data to the `output` writer, and returns the key URIs used during decryption and the blob ID decrypted.
func (*StetClient) Encrypt
func (c *StetClient) Encrypt(ctx context.Context, input io.Reader, output io.Writer, stetConfig *configpb.StetConfig, blobID string) (*StetMetadata, error)
Encrypt generates a DEK and creates EncryptedData in accordance with the EKM encryption protocol.
type StetMetadata
StetMetadata represents metadata associated with data encrypted/decrypted by the client.
Directories
Path | Synopsis
---|---
cloudkms | Package cloudkms contains utilities for communicating with CloudKMS.
confidentialspace | Package confidentialspace defines methods for integration with Confidential Space.
ekmclient | Package ekmclient defines an HTTP client for contacting Confidential EKM services.
jwt | Package jwt contains utility functions for generating JWTs from a service account.
securesession | Package securesession defines a client for making RPC calls to the SecureSession service.
shares | Package shares contains functions for processing DEK shares.
testutil | Package testutil contains utilities for unit tests.
vpc | Package vpc contains utilities for handling VPC-protected keys.