Documentation
¶
Index ¶
- Constants
- Variables
- func NewPublicDecryptStream(plaintext io.Writer, keyring Keyring) (ciphertext io.WriteCloser, err error)
- func NewPublicEncryptStream(ciphertext io.Writer, sender BoxSecretKey, receivers [][]BoxPublicKey) (plaintext io.WriteCloser, err error)
- func Open(ciphertext []byte, keyring Keyring) (plaintext []byte, err error)
- func Seal(plaintext []byte, sender BoxSecretKey, receivers [][]BoxPublicKey) (out []byte, err error)
- type BoxPublicKey
- type BoxSecretKey
- type EncryptionBlock
- type EncryptionHeader
- type ErrBadCiphertext
- type ErrBadGroupID
- type ErrBadNonce
- type ErrBadVersion
- type ErrMACMismatch
- type ErrRepeatedKey
- type ErrUnexpectedMAC
- type ErrWrongPacketTag
- type Keyring
- type Nonce
- type PacketSeqno
- type PacketTag
- type PacketVersion
- type RawBoxKey
- type SymmetricKey
Constants ¶
const EncryptionBlockSize int = 1048576
EncryptionBlockSize is by default 1MB and can't currently be tweaked.
Variables ¶
var ( // ErrNoDecryptionKey is an error indicating no decryption key was found for the // incoming message. You'll get one of these if you respond to a Keyring.LookupSecretBoxKey // request with a (-1,nil) return value. ErrNoDecryptionKey = errors.New("no decryption key found for message") // ErrNoSenderKey indicates that on decryption we couldn't find a public key // for the sender. ErrNoSenderKey = errors.New("no sender key found for message") // ErrTrailingGarbage indicates that additional msgpack packets were found after the // end of the encryption stream. ErrTrailingGarbage = errors.New("trailing garbage found at end of message") // ErrPacketOverflow indicates that more than (2^64-2) packets were found in an encryption // stream. This would indicate a very big message, and results in an error here. ErrPacketOverflow = errors.New("no more than 2^32 packets in a message are supported") // ErrBadFrame indiciates improper msgpack framing ErrBadFrame = errors.New("bad msgpack framing byte") // ErrUnexpectedEOF is produced when an EOF happens unexpectedly when parsing an // incoming encryption. Usually it means a message was truncated, but could indicate // malicious truncation ErrUnexpectedEOF = errors.New("unexpected EOF; the message was truncated") // ErrInsufficientRandomness is generated when the encryption fails to collect // enough randomness to proceed. We're using the standard crypto/rand source // of randomness, so this should never happen ErrInsufficientRandomness = errors.New("could not collect enough randomness") // ErrNoGroupMACKey is produced when we lack a group MAC key but the authenticated // ciphertexts indicated that one was required. ErrNoGroupMACKey = errors.New("no group MAC key, but we needed one") )
Functions ¶
func NewPublicDecryptStream ¶
func NewPublicDecryptStream(plaintext io.Writer, keyring Keyring) (ciphertext io.WriteCloser, err error)
NewPublicDecryptStream starts a streaming decryption. You should give it an io.Writer to write plaintext output to, and also a Keyring to lookup private and public keys as necessary. The stream will only ever write validated data. It returns an io.Writer that you can write the ciphertext stream to, and an error if anything goes wrong in the construction process.
func NewPublicEncryptStream ¶
func NewPublicEncryptStream(ciphertext io.Writer, sender BoxSecretKey, receivers [][]BoxPublicKey) (plaintext io.WriteCloser, err error)
NewPublicEncryptStream creates a stream that consumes plaintext data. It will write out encrypted data to the io.Writer passed in as ciphertext. The encryption is from the specified sender, and is encrypted for the given receivers. Note that receivers as specified as two-dimensional array. Each inner group of receivers shares the same pairwise MAC-key, so should represent a logic receiver split across multiple devices. Each group of receivers represents a mutually distrustful set of receivers, and will each get their own pairwise-MAC keys.
Returns an io.WriteClose that accepts plaintext data to be encrypted; and also returns an error if initialization failed.
func Open ¶
Open simply opens a ciphertext given the set of keys in the specified keyring. It return a plaintext on sucess, and an error on failure.
func Seal ¶
func Seal(plaintext []byte, sender BoxSecretKey, receivers [][]BoxPublicKey) (out []byte, err error)
Seal a plaintext from the given sender, for the specified receiver groups. Returns a ciphertext, or an error if something bad happened.
Types ¶
type BoxPublicKey ¶
type BoxPublicKey interface {
// ToKID outputs the "key ID" that corresponds to this BoxPublicKey.
// You can do whatever you'd like here, but probably it makes sense just
// to output the public key as is.
ToKID() []byte
// ToRawBoxKeyPointer returns this public key as a *[32]byte,
// for use with nacl.box.Seal
ToRawBoxKeyPointer() *RawBoxKey
}
BoxPublicKey is an generic interface to NaCl's public key Box function.
type BoxSecretKey ¶
type BoxSecretKey interface {
// Box boxes up data, sent from this secret key, and to the receiver
// specified.
Box(receiver BoxPublicKey, nonce *Nonce, msg []byte) ([]byte, error)
// Unobx opens up the box, using this secret key as the receiver key
// abd the give public key as the sender key.
Unbox(sender BoxPublicKey, nonce *Nonce, msg []byte) ([]byte, error)
// GetPublicKey gets the public key associated with this secret key
GetPublicKey() BoxPublicKey
}
BoxSecretKey is the secret key corresponding to a BoxPublicKey
type EncryptionBlock ¶
type EncryptionBlock struct {
Version PacketVersion `codec:"vers"`
Tag PacketTag `codec:"tag"`
Ciphertext []byte `codec:"ctext"`
MACs [][]byte `codec:"macs"`
// contains filtered or unexported fields
}
EncryptionBlock contains a block of encrypted data. It cointains the ciphertext, and any necessary MACs.
type EncryptionHeader ¶
type EncryptionHeader struct {
Version PacketVersion `codec:"vers"`
Tag PacketTag `codec:"tag"`
Nonce []byte `codec:"nonce"`
Receivers []receiverKeysCiphertext `codec:"rcvrs"`
Sender []byte `codec:"sender"`
// contains filtered or unexported fields
}
EncryptionHeader is the first packet in an encrypted message. It contains the encryptions of the session keys, and various message metadata.
type ErrBadCiphertext ¶
type ErrBadCiphertext PacketSeqno
ErrBadCiphertext is generated when decryption fails due to improper authentication. It specifies which Packet sequence number the bad packet was in.
func (ErrBadCiphertext) Error ¶
func (e ErrBadCiphertext) Error() string
type ErrBadGroupID ¶
type ErrBadGroupID int
ErrBadGroupID is produced if a GroupID is encountered that out-of-range
func (ErrBadGroupID) Error ¶
func (e ErrBadGroupID) Error() string
type ErrBadNonce ¶
type ErrBadNonce struct {
// contains filtered or unexported fields
}
ErrBadNonce is produced when a header nonce is of the wrong size; it should be 20 bytes.
func (ErrBadNonce) Error ¶
func (e ErrBadNonce) Error() string
type ErrBadVersion ¶
type ErrBadVersion struct {
// contains filtered or unexported fields
}
ErrBadVersion is returned if a packet of an unsupported version is found. Current, only Version1 is supported.
func (ErrBadVersion) Error ¶
func (e ErrBadVersion) Error() string
type ErrMACMismatch ¶
type ErrMACMismatch PacketSeqno
ErrMACMismatch is generated when a MAC fails to check properly. It specifies which Packet sequence number the bad packet was in.
func (ErrMACMismatch) Error ¶
func (e ErrMACMismatch) Error() string
type ErrRepeatedKey ¶
type ErrRepeatedKey []byte
ErrRepeatedKey is produced during encryption if a key is repeated; keys must be unique.
func (ErrRepeatedKey) Error ¶
func (e ErrRepeatedKey) Error() string
type ErrUnexpectedMAC ¶
type ErrUnexpectedMAC PacketSeqno
ErrUnexpectedMAC is produced when an encryption includes an additional MAC but none was needed.
func (ErrUnexpectedMAC) Error ¶
func (e ErrUnexpectedMAC) Error() string
type ErrWrongPacketTag ¶
type ErrWrongPacketTag struct {
// contains filtered or unexported fields
}
ErrWrongPacketTag is produced if one packet tag was expected, but a packet of another tag was found.
func (ErrWrongPacketTag) Error ¶
func (e ErrWrongPacketTag) Error() string
type Keyring ¶
type Keyring interface {
// LookupBoxSecretKey looks in the Keyring for the secret key corresponding
// to one of the given Key IDs. Returns the index and the key on success,
// or -1 and nil on failure.
LookupBoxSecretKey(kids [][]byte) (int, BoxSecretKey)
// LookupBoxPublicKey returns a public key given the specified key ID.
// For most cases, the key ID will be the key itself.
LookupBoxPublicKey(kid []byte) BoxPublicKey
}
Keyring is an interface used with decryption; it is call to recover public or private keys during the decryption process. Calls can block on network action.
type Nonce ¶
type Nonce [24]byte
Nonce is a NaCl-style nonce, with 24 bytes of data, some of which can be counter values, and some of which can be truly random values.
type PacketSeqno ¶
type PacketSeqno int
PacketSeqno is a special int type used to describe which packet in the sequence we're dealing with. The header is always at seqno=0. Other packets follow. Note that there is a distinction between PacketSeqno and EncryptionBlockNumber. In general, the former is one more than the latter.
type PacketTag ¶
type PacketTag int
PacketTag is an int used to describe what "tag" or "type" of packet it is.
const PacketTagEncryptionBlock PacketTag = 2
PacketTagEncryptionBlock is a packet tag to describe the body of an encryption.
const PacketTagEncryptionHeader PacketTag = 1
PacketTagEncryptionHeader is a packet tag to describe the first packet in an encryption message.
const PacketTagSignature PacketTag = 3
PacketTagSignature is a packet tag for describing a signature packet
type PacketVersion ¶
type PacketVersion int
PacketVersion is an int used to capture the packet version. Right now, only Version=1 is supported
const PacketVersion1 PacketVersion = 1
PacketVersion1 is currently the only supported packet version
type RawBoxKey ¶
type RawBoxKey [32]byte
RawBoxKey is the raw byte-representation of what a box key should look like --- a static 32-byte buffer
type SymmetricKey ¶
type SymmetricKey [32]byte
SymmetricKey is a template for a symmetric key, a 32-byte static buffer. Used for both NaCl SecretBox and also HMAC keys.
Source Files