osscrypto

package
v3.0.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 15, 2022 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source
const (
	OssClientSideEncryptionKey                      string = "client-side-encryption-key"
	OssClientSideEncryptionStart                           = "client-side-encryption-start"
	OssClientSideEncryptionCekAlg                          = "client-side-encryption-cek-alg"
	OssClientSideEncryptionWrapAlg                         = "client-side-encryption-wrap-alg"
	OssClientSideEncryptionMatDesc                         = "client-side-encryption-matdesc"
	OssClientSideEncryptionUnencryptedContentLength        = "client-side-encryption-unencrypted-content-length"
	OssClientSideEncryptionUnencryptedContentMD5           = "client-side-encryption-unencrypted-content-md5"
	OssClientSideEncryptionDataSize                        = "client-side-encryption-data-size"
	OssClientSideEncryptionPartSize                        = "client-side-encryption-part-size"
)

for client sider encryption oss meta

View Source
const (
	RsaCryptoWrap    string = "RSA/NONE/PKCS1Padding"
	KmsAliCryptoWrap string = "KMS/ALICLOUD"
	AesCtrAlgorithm  string = "AES/CTR/NoPadding"
)

encryption Algorithm

View Source
const (
	EncryptionUaSuffix string = "OssEncryptionClient"
)

user agent tag for client encryption

Variables

This section is empty.

Functions

This section is empty.

Types

type Cipher

type Cipher interface {
	Encrypter
	Decrypter
}

Cipher is interface for encryption or decryption of an object

type CipherData

type CipherData struct {
	IV            []byte
	Key           []byte
	MatDesc       string
	WrapAlgorithm string
	CEKAlgorithm  string
	EncryptedIV   []byte
	EncryptedKey  []byte
}

CipherData is secret key information

func (*CipherData) Clone

func (cd *CipherData) Clone() CipherData

func (*CipherData) GetIV

func (cd *CipherData) GetIV() uint64

func (*CipherData) RandomKeyIv

func (cd *CipherData) RandomKeyIv(keyLen int, ivLen int) error

func (*CipherData) SeekIV

func (cd *CipherData) SeekIV(startPos uint64)

func (*CipherData) SetIV

func (cd *CipherData) SetIV(iv uint64)

type ContentCipher

type ContentCipher interface {
	EncryptContent(io.Reader) (io.ReadCloser, error)
	DecryptContent(io.Reader) (io.ReadCloser, error)
	Clone(cd CipherData) (ContentCipher, error)
	GetEncryptedLen(int64) int64
	GetCipherData() *CipherData
	GetAlignLen() int
}

ContentCipher is used to encrypt or decrypt object's data

type ContentCipherBuilder

type ContentCipherBuilder interface {
	ContentCipher() (ContentCipher, error)
	ContentCipherEnv(Envelope) (ContentCipher, error)
	GetMatDesc() string
}

ContentCipherBuilder is used to create ContentCipher for encryting object's data

func CreateAesCtrCipher

func CreateAesCtrCipher(cipher MasterCipher) ContentCipherBuilder

CreateAesCtrCipher creates ContentCipherBuilder

type CryptoBucket

type CryptoBucket struct {
	oss.Bucket
	ContentCipherBuilder ContentCipherBuilder
	ExtraCipherBuilder   ExtraCipherBuilder
	MasterCipherManager  MasterCipherManager
	AliKmsClient         *kms.Client
}

CryptoBucket implements the operations for encrypting and decrypting objects ContentCipherBuilder is used to encrypt and decrypt objects by default when the object's MatDesc which you want to decrypt is emtpy or same to the master key's MatDesc you provided in ContentCipherBuilder, sdk try to use ContentCipherBuilder to decrypt

func GetCryptoBucket

func GetCryptoBucket(client *oss.Client, bucketName string, builder ContentCipherBuilder,
	options ...CryptoBucketOption) (*CryptoBucket, error)

GetCryptoBucket create a client encyrption bucket

func (CryptoBucket) AddEncryptionUaSuffix

func (bucket CryptoBucket) AddEncryptionUaSuffix(options []oss.Option) []oss.Option

func (CryptoBucket) AppendObject

func (bucket CryptoBucket) AppendObject(objectKey string, reader io.Reader, appendPosition int64, options ...oss.Option) (int64, error)

AppendObject please refer to Bucket.AppendObject

func (CryptoBucket) CopyFile

func (bucket CryptoBucket) CopyFile(srcBucketName, srcObjectKey, destObjectKey string, partSize int64, options ...oss.Option) error

CopyFile with multi part mode, temporarily not supported

func (CryptoBucket) DoAppendObject

func (bucket CryptoBucket) DoAppendObject(request *oss.AppendObjectRequest, options []oss.Option) (*oss.AppendObjectResult, error)

DoAppendObject please refer to Bucket.DoAppendObject

func (CryptoBucket) DoGetObject

func (bucket CryptoBucket) DoGetObject(request *oss.GetObjectRequest, options []oss.Option) (*oss.GetObjectResult, error)

DoGetObject is the actual API that gets the encrypted or not encrypted object. It's the internal function called by other public APIs.

func (CryptoBucket) DoGetObjectWithURL

func (bucket CryptoBucket) DoGetObjectWithURL(signedURL string, options []oss.Option) (*oss.GetObjectResult, error)

DoGetObjectWithURL please refer to Bucket.DoGetObjectWithURL

func (CryptoBucket) DoPutObjectWithURL

func (bucket CryptoBucket) DoPutObjectWithURL(signedURL string, reader io.Reader, options []oss.Option) (*oss.Response, error)

DoPutObjectWithURL please refer to Bucket.DoPutObjectWithURL

func (CryptoBucket) DownloadFile

func (bucket CryptoBucket) DownloadFile(objectKey, filePath string, partSize int64, options ...oss.Option) error

DownloadFile with multi part mode, temporarily not supported

func (CryptoBucket) GetObject

func (bucket CryptoBucket) GetObject(objectKey string, options ...oss.Option) (io.ReadCloser, error)

GetObject downloads the object from oss If the object is encrypted, sdk decrypt it automaticly

func (CryptoBucket) GetObjectToFile

func (bucket CryptoBucket) GetObjectToFile(objectKey, filePath string, options ...oss.Option) error

GetObjectToFile downloads the object from oss to local file If the object is encrypted, sdk decrypt it automaticly

func (CryptoBucket) GetObjectToFileWithURL

func (bucket CryptoBucket) GetObjectToFileWithURL(signedURL, filePath string, options ...oss.Option) error

GetObjectToFileWithURL please refer to Bucket.GetObjectToFileWithURL

func (CryptoBucket) GetObjectWithURL

func (bucket CryptoBucket) GetObjectWithURL(signedURL string, options ...oss.Option) (io.ReadCloser, error)

GetObjectWithURL please refer to Bucket.GetObjectWithURL

func (CryptoBucket) InitiateMultipartUpload

func (bucket CryptoBucket) InitiateMultipartUpload(objectKey string, cryptoContext *PartCryptoContext, options ...oss.Option) (oss.InitiateMultipartUploadResult, error)

InitiateMultipartUpload initializes multipart upload for client encryption cryptoContext.PartSize and cryptoContext.DataSize are input parameter cryptoContext.PartSize must aligned to the secret iv length cryptoContext.ContentCipher is output parameter cryptoContext will be used in next API

func (CryptoBucket) ProcessObject

func (bucket CryptoBucket) ProcessObject(objectKey string, process string, options ...oss.Option) (oss.ProcessObjectResult, error)

ProcessObject please refer to Bucket.ProcessObject

func (CryptoBucket) PutObject

func (bucket CryptoBucket) PutObject(objectKey string, reader io.Reader, options ...oss.Option) error

PutObject creates a new object and encyrpt it on client side when uploading to oss

func (CryptoBucket) PutObjectFromFile

func (bucket CryptoBucket) PutObjectFromFile(objectKey, filePath string, options ...oss.Option) error

PutObjectFromFile creates a new object from the local file the object will be encrypted automaticly on client side when uploaded to oss

func (CryptoBucket) PutObjectFromFileWithURL

func (bucket CryptoBucket) PutObjectFromFileWithURL(signedURL, filePath string, options ...oss.Option) error

PutObjectFromFileWithURL please refer to Bucket.PutObjectFromFileWithURL

func (CryptoBucket) PutObjectWithURL

func (bucket CryptoBucket) PutObjectWithURL(signedURL string, reader io.Reader, options ...oss.Option) error

PutObjectWithURL please refer to Bucket.PutObjectWithURL

func (CryptoBucket) UploadFile

func (bucket CryptoBucket) UploadFile(objectKey, filePath string, partSize int64, options ...oss.Option) error

UploadFile with multi part mode

func (CryptoBucket) UploadPart

func (bucket CryptoBucket) UploadPart(imur oss.InitiateMultipartUploadResult, reader io.Reader,
	partSize int64, partNumber int, cryptoContext PartCryptoContext, options ...oss.Option) (oss.UploadPart, error)

UploadPart uploads parts to oss, the part data are encrypted automaticly on client side cryptoContext is the input parameter

func (CryptoBucket) UploadPartCopy

func (bucket CryptoBucket) UploadPartCopy(imur oss.InitiateMultipartUploadResult, srcBucketName, srcObjectKey string,
	startPosition, partSize int64, partNumber int, cryptoContext PartCryptoContext, options ...oss.Option) (oss.UploadPart, error)

UploadPartCopy uploads part copy

func (CryptoBucket) UploadPartFromFile

func (bucket CryptoBucket) UploadPartFromFile(imur oss.InitiateMultipartUploadResult, filePath string,
	startPosition, partSize int64, partNumber int, cryptoContext PartCryptoContext, options ...oss.Option) (oss.UploadPart, error)

UploadPartFromFile uploads part from the file, the part data are encrypted automaticly on client side cryptoContext is the input parameter

type CryptoBucketOption

type CryptoBucketOption func(*CryptoBucket)

CryptoBucketOption CryptoBucket option such as SetAliKmsClient, SetMasterCipherManager, SetDecryptCipherManager.

func SetAliKmsClient

func SetAliKmsClient(client *kms.Client) CryptoBucketOption

SetAliKmsClient set field AliKmsClient of CryptoBucket If the objects you need to decrypt are encrypted with ali kms master key,but not with ContentCipherBuilder you provided, you must provide this interface

func SetExtraCipherBuilder

func SetExtraCipherBuilder(extraBuilder ExtraCipherBuilder) CryptoBucketOption

SetExtraCipherBuilder set field ExtraCipherBuilder of CryptoBucket

func SetMasterCipherManager

func SetMasterCipherManager(manager MasterCipherManager) CryptoBucketOption

SetMasterCipherManager set field MasterCipherManager of CryptoBucket

type CryptoDecrypter

type CryptoDecrypter struct {
	Body      io.Reader
	Decrypter io.Reader
	// contains filtered or unexported fields
}

CryptoDecrypter provides close method for Decrypter

func (*CryptoDecrypter) Close

func (rc *CryptoDecrypter) Close() error

Close lets the CryptoDecrypter satisfy io.ReadCloser interface

func (*CryptoDecrypter) Read

func (rc *CryptoDecrypter) Read(b []byte) (int, error)

Read lets the CryptoDecrypter satisfy io.ReadCloser interface

type CryptoEncrypter

type CryptoEncrypter struct {
	Body      io.Reader
	Encrypter io.Reader
	// contains filtered or unexported fields
}

CryptoEncrypter provides close method for Encrypter

func (*CryptoEncrypter) Close

func (rc *CryptoEncrypter) Close() error

Close lets the CryptoEncrypter satisfy io.ReadCloser interface

func (*CryptoEncrypter) Read

func (rc *CryptoEncrypter) Read(b []byte) (int, error)

Read lets the CryptoEncrypter satisfy io.ReadCloser interface

type Decrypter

type Decrypter interface {
	Decrypt(io.Reader) io.Reader
}

Decrypter is interface with only decrypt method

type DefaultExtraCipherBuilder

type DefaultExtraCipherBuilder struct {
	AliKmsClient *kms.Client
}

DefaultExtraCipherBuilder is Default implementation of the ExtraCipherBuilder for rsa and kms master keys

func (*DefaultExtraCipherBuilder) GetDecryptCipher

func (decb *DefaultExtraCipherBuilder) GetDecryptCipher(envelope Envelope, cm MasterCipherManager) (ContentCipher, error)

GetDecryptCipher is used to get ContentCipher for decrypt object

type Encrypter

type Encrypter interface {
	Encrypt(io.Reader) io.Reader
}

Encrypter is interface with only encrypt method

type Envelope

type Envelope struct {
	IV                    string
	CipherKey             string
	MatDesc               string
	WrapAlg               string
	CEKAlg                string
	UnencryptedMD5        string
	UnencryptedContentLen string
}

Envelope is stored in oss object's meta

func (Envelope) IsValid

func (el Envelope) IsValid() bool

func (Envelope) String

func (el Envelope) String() string

type ExtraCipherBuilder

type ExtraCipherBuilder interface {
	GetDecryptCipher(envelope Envelope, cm MasterCipherManager) (ContentCipher, error)
}

ExtraCipherBuilder is interface for creating a decrypt ContentCipher with Envelope If the objects you need to decrypt are neither encrypted with ContentCipherBuilder you provided, nor encrypted with rsa and ali kms master keys, you must provide this interface

ContentCipher the interface used to decrypt objects

type MasterAliKmsCipher

type MasterAliKmsCipher struct {
	MatDesc   string
	KmsID     string
	KmsClient *kms.Client
}

MasterAliKmsCipher ali kms master key interface

func (MasterAliKmsCipher) Decrypt

func (mkms MasterAliKmsCipher) Decrypt(cryptoData []byte) ([]byte, error)

Decrypt decrypt data by ali kms Mainly used to decrypt object's symmetric secret key and iv

func (MasterAliKmsCipher) Encrypt

func (mkms MasterAliKmsCipher) Encrypt(plainData []byte) ([]byte, error)

Encrypt encrypt data by ali kms Mainly used to encrypt object's symmetric secret key and iv

func (MasterAliKmsCipher) GetMatDesc

func (mkms MasterAliKmsCipher) GetMatDesc() string

GetMatDesc get master key describe

func (MasterAliKmsCipher) GetWrapAlgorithm

func (mrc MasterAliKmsCipher) GetWrapAlgorithm() string

GetWrapAlgorithm get master key wrap algorithm

type MasterCipher

type MasterCipher interface {
	Encrypt([]byte) ([]byte, error)
	Decrypt([]byte) ([]byte, error)
	GetWrapAlgorithm() string
	GetMatDesc() string
}

MasterCipher encrypt or decrpt CipherData support master key: rsa && ali kms

func CreateMasterAliKms

func CreateMasterAliKms(matDesc map[string]string, kmsID string, kmsClient *kms.Client) (MasterCipher, error)

CreateMasterAliKms Create master key interface implemented by ali kms matDesc will be converted to json string

func CreateMasterRsa

func CreateMasterRsa(matDesc map[string]string, publicKey string, privateKey string) (MasterCipher, error)

CreateMasterRsa Create master key interface implemented by rsa matDesc will be converted to json string

type MasterCipherManager

type MasterCipherManager interface {
	GetMasterKey(matDesc map[string]string) ([]string, error)
}

MasterCipherManager is interface for getting master key with MatDesc(material desc) If you may use different master keys for encrypting and decrypting objects,each master key must have a unique, non-emtpy, unalterable MatDesc(json string format) and you must provide this interface If you always use the same master key for encrypting and decrypting objects, MatDesc can be empty and you don't need to provide this interface

matDesc map[string]string:is converted by matDesc json string return: []string the secret key information,such as {"rsa-public-key","rsa-private-key"} or {"non-rsa-key"}

type MasterRsaCipher

type MasterRsaCipher struct {
	MatDesc    string
	PublicKey  string
	PrivateKey string
}

MasterRsaCipher rsa master key interface

func (MasterRsaCipher) Decrypt

func (mrc MasterRsaCipher) Decrypt(cryptoData []byte) ([]byte, error)

Decrypt Decrypt data by rsa private key Mainly used to decrypt object's symmetric secret key and iv

func (MasterRsaCipher) Encrypt

func (mrc MasterRsaCipher) Encrypt(plainData []byte) ([]byte, error)

Encrypt encrypt data by rsa public key Mainly used to encrypt object's symmetric secret key and iv

func (MasterRsaCipher) GetMatDesc

func (mrc MasterRsaCipher) GetMatDesc() string

GetMatDesc get master key describe

func (MasterRsaCipher) GetWrapAlgorithm

func (mrc MasterRsaCipher) GetWrapAlgorithm() string

GetWrapAlgorithm get master key wrap algorithm

type PartCryptoContext

type PartCryptoContext struct {
	ContentCipher ContentCipher
	DataSize      int64
	PartSize      int64
}

PartCryptoContext save encryption or decryption information

func (PartCryptoContext) Valid

func (pcc PartCryptoContext) Valid() bool

Valid judge PartCryptoContext is valid or not

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL