Documentation
Overview
Package crypto implements a simple convenience wrapper around golang.org/x/crypto/nacl/box. It models a situation where you don't care about authenticating the encryptor, so the nonce and the encryptor's public key are prepended to the encrypted message.
Shared key precomputation is used when encrypting but not when decrypting. This is not an inherent limitation, but it would complicate the implementation a little bit to do precomputation during decryption also. If performance becomes an issue (highly unlikely), it's completely feasible to add.
Constants
This section is empty.
Variables
var ErrDecryptionFailed = errors.New("couldn't decrypt message")
ErrDecryptionFailed means the decryption didn't work. This normally indicates that the message was corrupted or the wrong keypair was used.
Functions
This section is empty.
Types
type Decrypter
type Decrypter struct {
	Keypair *Keypair
}
Decrypter is generated from a keypair (a fixed keypair, generally, whose private key is stored in configuration management or otherwise), and used to decrypt messages. It should normally be obtained by calling Decrypter() on a Keypair instance.
func (*Decrypter) Decrypt
Decrypt is passed an encrypted message of a particular format (the format generated by (*Encrypter).Encrypt(), which includes the nonce and public key used to create the ciphertext). It returns the decrypted string. Note that, unlike with encryption, shared key precomputation is not used for decryption.
type Encrypter
Encrypter is generated from a keypair (typically a newly-generated ephemeral keypair, used only for this session) with the public key of an authorized decrypter. It is then capable of encrypting messages to that decrypter's private key. An instance should normally be obtained only by calling Encrypter() on a Keypair instance.
func (*Encrypter) Encrypt
Encrypt takes a plaintext message and returns an encrypted message. Unlike raw nacl/box encryption, this message is decryptable without passing the nonce or public key out-of-band, as it includes both. This is not less secure; it just doesn't allow for authenticating the encryptor. That's fine, since authenticating the encryptor isn't a desired property of this particular cryptosystem.
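The self-describing message that Encrypt and Decrypt exchange, as an added example that is not this package's code. It uses only the Go standard library, so SHA-256 and AES-256-GCM stand in for the nacl/box primitives. The names seal, open and aead, the field order, the 12-byte nonce and a Go 1.24+ toolchain are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func aead(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub) // X25519; rejects low-order peer keys
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)      // stand-in KDF; nacl/box derives its key with HSalsa20
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(block)       // stand-in AEAD; nacl/box uses XSalsa20-Poly1305
}

func seal(sender *ecdh.PrivateKey, to *ecdh.PublicKey, plaintext string) ([]byte, error) {
	a, err := aead(sender, to)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 12)
	rand.Read(nonce) // cannot fail on Go 1.24+ (assumed toolchain)
	hdr := append(sender.PublicKey().Bytes(), nonce...) // sender key(32) || nonce(12)
	return a.Seal(hdr, nonce, []byte(plaintext), nil), nil
}

func open(priv *ecdh.PrivateKey, msg []byte) (string, bool) {
	if len(msg) < 32+12+16 { // header plus GCM tag
		return "", false
	}
	pub, _ := ecdh.X25519().NewPublicKey(msg[:32]) // only fails on wrong length
	if a, err := aead(priv, pub); err == nil {
		pt, err := a.Open(nil, msg[32:44], msg[44:], nil)
		return string(pt), err == nil
	}
	return "", false // same answer for corruption, truncation and wrong keypair
}

func main() {
	to, _ := ecdh.X25519().GenerateKey(rand.Reader)   // recipient, long-lived
	from, _ := ecdh.X25519().GenerateKey(rand.Reader) // sender, ephemeral
	msg, _ := seal(from, to.PublicKey(), "db-password")
	fmt.Println(open(to, msg)) // db-password true
}
```

Because the sender key travels inside the message, any holder of the recipient's public key can produce a message that opens successfully, so a successful open says nothing about who encrypted it.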
type Keypair
Keypair models a Curve25519 keypair. To generate a new Keypair, declare an empty one and call Generate() on it.
func (*Keypair) Decrypter
Decrypter returns a Decrypter instance, used to decrypt properly formatted messages from arbitrary encrypters.
func (*Keypair) Encrypter
Encrypter returns an Encrypter instance, given a public key, to encrypt messages to the paired, unknown, private key.
func (*Keypair) Generate
Generate generates a new Curve25519 keypair into a (presumably) empty Keypair structure.
func (*Keypair) PrivateString
PrivateString returns the private key in the canonical hex-encoded printable form.
func (*Keypair) PublicString
PublicString returns the public key in the canonical hex-encoded printable form.