Documentation ¶
Index ¶
- Variables
- func DecryptShortBuffer(k []byte, rcvd any) ([]byte, error)
- func ECDHDecrypt(data []byte, privateKey ECDHHandler) ([]byte, error)
- func ECDHEncrypt(rnd io.Reader, data []byte, remote *ecdh.PublicKey) ([]byte, error)
- func EncryptShortBuffer(rand io.Reader, k []byte, rcvd crypto.PublicKey) ([]byte, error)
- func Hash(b []byte, alg ...func() hash.Hash) []byte
- func MemClr(b []byte)
- func Sign(rand io.Reader, key crypto.Signer, buf []byte, opts ...crypto.SignerOpts) ([]byte, error)
- func Verify(key crypto.PublicKey, buf, sig []byte, opts ...crypto.SignerOpts) error
- type Bottle
- type ECDHHandler
- type IDCard
- func (id *IDCard) AddKeychain(kc *Keychain)
- func (id *IDCard) FindGroup(k any) (*Membership, error)
- func (id *IDCard) FindKey(k any, create bool) (*SubKey, error)
- func (id *IDCard) GetKeys(purpose string) []crypto.PublicKey
- func (id *IDCard) SetKeyDuration(k crypto.PublicKey, t time.Duration) error
- func (id *IDCard) SetKeyPurposes(k crypto.PublicKey, purposes ...string) error
- func (id *IDCard) Sign(rand io.Reader, k crypto.Signer) ([]byte, error)
- func (id *IDCard) TestKeyPurpose(k any, purpose string) error
- func (id *IDCard) UnmarshalBinary(b []byte) error
- func (id *IDCard) UpdateGroups(data [][]byte) error
- type Keychain
- func (kc *Keychain) AddKey(k any) error
- func (kc *Keychain) AddKeys(keys ...any) error
- func (kc *Keychain) FirstSigner() crypto.Signer
- func (kc *Keychain) GetKey(public any) (PrivateKey, error)
- func (kc *Keychain) GetSigner(public any) (crypto.Signer, error)
- func (kc *Keychain) Sign(rand io.Reader, publicKey any, buf []byte, opts ...crypto.SignerOpts) ([]byte, error)
- type Membership
- type MessageFormat
- type MessageRecipient
- type MessageSignature
- type OpenResult
- type Opener
- func (o *Opener) Open(b *Bottle) ([]byte, *OpenResult, error)
- func (o *Opener) OpenCbor(b []byte) ([]byte, *OpenResult, error)
- func (o *Opener) OpenJson(b []byte) ([]byte, *OpenResult, error)
- func (o *Opener) Unmarshal(b *Bottle, v any) (*OpenResult, error)
- func (o *Opener) UnmarshalCbor(b []byte, v any) (*OpenResult, error)
- func (o *Opener) UnmarshalJson(b []byte, v any) (*OpenResult, error)
- type PrivateKey
- type PublicKeyIntf
- type SubKey
Constants ¶
This section is empty.
Variables ¶
var ( ErrNoAppropriateKey = errors.New("no appropriate key available to open bottle") ErrVerifyFailed = errors.New("signature verification failed") ErrKeyNotFound = wraperr("the key was not found", fs.ErrNotExist) ErrGroupNotFound = wraperr("the group was not found", fs.ErrNotExist) ErrKeyUnfit = errors.New("the provided key was not fit") )
var EmptyOpener = &Opener{}
EmptyOpener is an opener without any keys that can open bottles, but can't check keys
Functions ¶
func DecryptShortBuffer ¶ added in v0.1.1
DecryptShortBuffer decrypts a given buffer
func ECDHDecrypt ¶
func ECDHDecrypt(data []byte, privateKey ECDHHandler) ([]byte, error)
ECDHDecrypt decrypts data received for us, using the private key passed (can be a tpm, etc)
func ECDHEncrypt ¶
ECDHEncrypt encrypts data for receiving by remote
func EncryptShortBuffer ¶ added in v0.1.1
EncryptShortBuffer performs a simple encryption of a buffer
func Hash ¶ added in v0.1.1
Hash is a helper function to perform hashes on buffers, including multi-level hashing
func MemClr ¶ added in v0.1.1
func MemClr(b []byte)
MemClr is a simple function that will clear a buffer in order to make it easier to reset memory storing private keys on defer.
func Sign ¶ added in v0.1.4
Sign generates a signature for the given buffer. Hash will be performed as needed
func Verify ¶ added in v0.1.4
Verify will verify the given buffer against the signature, depending on the key type. If the key is a RSA key and PSS options are given, then the signature will be handled as a PSS signature.
Unlike Verify methods found in most packages, this one takes in the actual buffer to be signed and will perform the hash if it needs to be done.
Types ¶
type Bottle ¶ added in v0.1.1
type Bottle struct { Header map[string]any `json:"hdr,omitempty"` // extra values to be stored, will not be signed/encrypted unless the message is bottled Message []byte `json:"msg"` Format MessageFormat `json:"fmt"` Recipients []*MessageRecipient `json:"dst,omitempty"` // if Format != ClearText Signatures []*MessageSignature `json:"sig,omitempty"` // signature // contains filtered or unexported fields }
Bottle is a signed, encrypted message container. Any Format other than ClearText means the Message contains a Bottle that has been encrypted.
func AsCborBottle ¶ added in v0.1.3
AsCborBottle considers data to be a cbor-encoded Bottle, and will return a Bottle container matching this assumption
func AsJsonBottle ¶ added in v0.1.3
AsJsonBottle considers data to be a json-encoded Bottle, and will return a Bottle container matching this assumption
func MarshalJson ¶ added in v0.2.2
MarshalJson will use json to marshal data into a bottle
func NewBottle ¶ added in v0.1.1
NewBottle will return a new clean bottle only containing the provided data
func (*Bottle) BottleUp ¶ added in v0.1.1
BottleUp encodes the current message into itself, allowing application of extra layers
func (*Bottle) Child ¶ added in v0.2.4
Child is the reverse operation as BottleUp and will return the bottle's child. This will fail if the bottle is encrypted or does not contain another bottle.
func (*Bottle) Encrypt ¶ added in v0.1.1
Encrypt encrypts the message so only recipients can decrypt it
func (*Bottle) IsCleanBottle ¶ added in v0.1.1
IsCleanBottle returns true if the Bottle is clean (ie. so signature has been scribbed on top) and contains another Bottle.
func (*Bottle) Sign ¶ added in v0.1.1
Sign signs the message, and can be called multiple times. Any message can be signed, including a raw message. It is however recommanded to bottle up an encrypted message before signing in order to ensure the encryption information is signed too.
Attempting to apply encryption to a message with a signature will always cause it to be bottled up
type IDCard ¶ added in v0.1.1
type IDCard struct { Self []byte `json:"self" cbor:"1,keyasint"` // our own public key (PKIX) Issued time.Time `json:"iss" cbor:"2,keyasint"` // issuance date. If two IDCard exist for the same public key, the most recent one will be taken into account SubKeys []*SubKey `json:"sub" cbor:"3,keyasint"` // known sub keys Revoke []*SubKey `json:"rev" cbor:"4,keyasint"` // any key into the revoke list will be strongly rejected Groups []*Membership `json:"grp" cbor:"5,keyasint"` // groups this key is member of Meta map[string]string `json:"meta" cbor:"6,keyasint"` // self-defined metadata }
IDCard is a basic ID for a given signature key that allows it to specify keys that can be used for encryption/etc
func (*IDCard) AddKeychain ¶ added in v0.2.12
AddKeychain adds the keys found in Keychain to the IDCard.
func (*IDCard) FindGroup ¶ added in v0.2.10
func (id *IDCard) FindGroup(k any) (*Membership, error)
FindGroup locates the Membership matching the given key
func (*IDCard) FindKey ¶ added in v0.2.9
FindKey locates the SubKey matching the given key, and optionally creates one if create is set to true
func (*IDCard) GetKeys ¶ added in v0.1.1
GetKeys returns all the keys of an IDCard that fit a given purpose
func (*IDCard) SetKeyDuration ¶ added in v0.1.1
SetKeyDuration specifies the duration for the given key
func (*IDCard) SetKeyPurposes ¶ added in v0.1.1
SetKeyPurposes specifies the purpose of a given key (sign, decrypt, etc)
func (*IDCard) TestKeyPurpose ¶ added in v0.2.9
TestKeyPurpose return nil if the provided key is fit for the given purpose, a not found error if the key couldn't be found, or a ErrKeyUnfit
func (*IDCard) UnmarshalBinary ¶ added in v0.1.1
UnmarshalBinary will read a signed ID card, returning an error if it wasn't signed
func (*IDCard) UpdateGroups ¶ added in v0.2.15
UpdateGroups update the attached memberships based on the provided data
type Keychain ¶ added in v0.2.11
type Keychain struct {
// contains filtered or unexported fields
}
Keychain is an object storing private keys that can be used to sign or decrypt things.
func NewKeychain ¶ added in v0.2.11
func NewKeychain() *Keychain
NewKeychain returns a new, empty keychain
func (*Keychain) AddKey ¶ added in v0.2.11
AddKey adds a key to the keychain. The value passed must be a PrivateKey whose Public() method returns a public key object that can be marshalled by crypto/x509.MarshalPKIXPublicKey. If another Keychain is passed all its keys will be added.
func (*Keychain) AddKeys ¶ added in v0.2.11
AddKeys adds a number of keys to the keychain, and stops at the first error found.
func (*Keychain) FirstSigner ¶ added in v0.2.18
FirstSigner returns the first crypto.Signer that was added to this Keychain.
func (*Keychain) GetKey ¶ added in v0.2.11
func (kc *Keychain) GetKey(public any) (PrivateKey, error)
GetKey returns the private key matching the passed public key, if known. A []byte of the PKIX marshalled public key or a public key object can be passed.
func (*Keychain) GetSigner ¶ added in v0.2.11
GetSigner will return the signer matching the public key
func (*Keychain) Sign ¶ added in v0.2.11
func (kc *Keychain) Sign(rand io.Reader, publicKey any, buf []byte, opts ...crypto.SignerOpts) ([]byte, error)
Sign will use the specified key from the keychain to sign the given buffer. Unlike Go's standard sign method, the whole buffer should be passed and will be signed as needed.
type Membership ¶ added in v0.1.4
type Membership struct { Subject []byte `json:"sub" cbor:"1,keyasint"` // must be == parent.Self (if empty, fill with parent.Self before sig) Key []byte `json:"key" cbor:"2,keyasint"` // group key (group identification) Status string `json:"sta" cbor:"3,keyasint"` // status of membership (valid|suspended) Issued time.Time `json:"iss" cbor:"4,keyasint"` // update time of membership info Info map[string]string `json:"nfo" cbor:"5,keyasint"` // subject information (name, etc) SignKey []byte `json:"sky" cbor:"6,keyasint"` // signature generating key (must be listed as sign key for the Key's IDCard) Signature []byte `json:"sig" cbor:"7,keyasint"` // signature of structure with sign=nil by group key }
Membership is a membership in a group.
func NewMembership ¶ added in v0.1.4
func NewMembership(member *IDCard, key []byte) *Membership
func (*Membership) Sign ¶ added in v0.1.4
func (m *Membership) Sign(rand io.Reader, key crypto.Signer, opts ...crypto.SignerOpts) error
Sign signs the membership using the provided key
func (*Membership) SignatureBytes ¶ added in v0.1.4
func (m *Membership) SignatureBytes() ([]byte, error)
SignatureBytes returns a representation of Membership that can be used to sign or verify the structure
func (*Membership) Verify ¶ added in v0.2.3
func (m *Membership) Verify(groupId *IDCard) error
Verify ensures the signature is correct. If the group ID is known, it must be passed.
type MessageFormat ¶ added in v0.1.1
type MessageFormat int
const ( ClearText MessageFormat = iota CborBottle // bottle in a bottle AES // AES+AEAD encrypted cbor bottle JsonBottle // bottle in a bottle (json version) )
type MessageRecipient ¶ added in v0.1.1
type MessageSignature ¶ added in v0.1.1
type MessageSignature struct { Type int `json:"typ,omitempty"` // always 0 (for now) Signer []byte `json:"key"` // signature's key Data []byte `json:"dat"` // signature payload, similar format to jwt (NOTE: ECDSA signatures are weird) // contains filtered or unexported fields }
func (*MessageSignature) Verify ¶ added in v0.1.1
func (sig *MessageSignature) Verify(buf []byte, opts ...crypto.SignerOpts) error
type OpenResult ¶ added in v0.1.1
type OpenResult struct { Decryption int // number of performed decryptions Signatures []*MessageSignature // verified message signatures Bottles []*Bottle }
func (*OpenResult) Last ¶ added in v0.2.1
func (or *OpenResult) Last() *Bottle
Last returns the last (inside-most) bottle
type Opener ¶ added in v0.1.1
type Opener struct {
// contains filtered or unexported fields
}
Opener allows opening a Bottle
func MustOpener ¶ added in v0.2.1
MustOpener returns an opener that can be used to open a Bottle and panics if it fails
func NewOpener ¶ added in v0.1.1
NewOpener returns an opener that can be used to open a Bottle using any or all of the given keys.
func (*Opener) Open ¶ added in v0.1.1
func (o *Opener) Open(b *Bottle) ([]byte, *OpenResult, error)
Open opens the given Bottle, decrypting any encrypted elements, checking all signatures and returning the embedded buffer in the end
func (*Opener) OpenCbor ¶ added in v0.1.3
func (o *Opener) OpenCbor(b []byte) ([]byte, *OpenResult, error)
OpenCbor opens the given Bottle encoded as cbor data.
func (*Opener) OpenJson ¶ added in v0.1.3
func (o *Opener) OpenJson(b []byte) ([]byte, *OpenResult, error)
OpenJson opens the given Bottle encoded as json data.
func (*Opener) Unmarshal ¶ added in v0.2.1
func (o *Opener) Unmarshal(b *Bottle, v any) (*OpenResult, error)
Unmarshal will open the given bottle and pour the contents into v
func (*Opener) UnmarshalCbor ¶ added in v0.2.1
func (o *Opener) UnmarshalCbor(b []byte, v any) (*OpenResult, error)
UnmarshalCbor will open the given cbor-encoded bottle and pour the contents into v
func (*Opener) UnmarshalJson ¶ added in v0.2.1
func (o *Opener) UnmarshalJson(b []byte, v any) (*OpenResult, error)
UnmarshalJson will open the given json-encoded bottle and pour the contents into v
type PrivateKey ¶ added in v0.2.16
PrivateKey represents a private key using an unspecified algorithm.
All private keys must implement a method to retrieve the matching public key. The ones in the standard lbirary do.
type PublicKeyIntf ¶ added in v0.2.17
PublicKeyIntf represents a public key using an unspecified algorithm.
all public key types in the standard library implement this interface
func PublicKey ¶ added in v0.2.14
func PublicKey(privKey crypto.PrivateKey) PublicKeyIntf
PublicKey returns the public key for a given private key, or nil if the argumlent is not a private key or if its Public() method returned nil.
type SubKey ¶ added in v0.1.1
type SubKey struct { Key []byte `json:"key" cbor:"1,keyasint"` // public key as PKIX Issued time.Time `json:"iss" cbor:"2,keyasint"` // issuance (addition) date Expires *time.Time `json:"exp,omitempty" cbor:"3,keyasint,omitempty"` // expiration date (if any) Purposes []string `json:"pur" cbor:"4,keyasint"` // purposes: can contain "sign", "decrypt" }
SubKey is a key found in a given id card
func (*SubKey) HasPurpose ¶ added in v0.2.9
HasPurpose returns true if the key has the specified purpose listed