crypto

package
v0.0.28 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 5, 2025 License: BSD-2-Clause Imports: 16 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeSignature

func ComputeSignature(accessSecretKey, payload string, headers map[string]string) string

ComputeSignature generates a cryptographic signature for API request validation. It uses the HMAC-SHA256 algorithm to create a signature based on the provided secret key, payload, and headers.

Parameters:

  • accessSecretKey: The secret key used for signature generation
  • payload: The request body or payload to be signed
  • headers: A map containing required headers:
      • "ts": Timestamp
      • "api": API name
      • "ver": API version
      • "chnl": Channel identifier
      • "usrid": User ID

Returns:

  • string: The computed signature as a hexadecimal string

The signature is computed using the following steps:

  1. Generate a signing key using the secret key and header information
  2. Calculate the SHA256 hash of the payload
  3. Combine channel, user ID, and payload hash
  4. Create final signature using algorithm, timestamp, and request hash
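
An added example, not the package's own code: a Go sketch of the four steps above. The name sketchSignature, the HMAC chaining order, the "\n" separators and the sample values are assumptions, since this page does not give the exact byte layout, so its output will not match ComputeSignature.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hmacSHA256 returns HMAC-SHA256(key, msg).
func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// sketchSignature follows the four documented steps. Field order and separators
// are assumptions; "\n" keeps adjacent fields from running into each other.
func sketchSignature(secret, payload string, h map[string]string) string {
	// Step 1: signing key chained from the secret and header information.
	key := []byte(secret)
	for _, name := range []string{"ts", "api", "ver"} {
		key = hmacSHA256(key, h[name])
	}
	// Step 2: SHA256 hash of the payload.
	sum := sha256.Sum256([]byte(payload))
	// Step 3: combine channel, user ID and payload hash into one request hash.
	req := sha256.Sum256([]byte(h["chnl"] + "\n" + h["usrid"] + "\n" + hex.EncodeToString(sum[:])))
	// Step 4: final signature over algorithm, timestamp and request hash.
	toSign := "HMAC-SHA256\n" + h["ts"] + "\n" + hex.EncodeToString(req[:])
	return hex.EncodeToString(hmacSHA256(key, toSign))
}

func main() {
	// Constructed sample headers and payload.
	h := map[string]string{"ts": "1736035200", "api": "orders", "ver": "v1", "chnl": "web", "usrid": "u-1001"}
	fmt.Println(sketchSignature("constructed-secret", `{"amount":10}`, h))
}
```

Because every header feeds either the signing key or the signed string, changing any one of them, or the payload, yields a different signature.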

func DecryptWithKey added in v0.0.23

func DecryptWithKey(ctx context.Context, key, cipeherText string) ([]byte, error)

DecryptWithKey decrypts the given cipher text with the given key. It returns the decrypted value of the cipher text.

func EncryptWithKey added in v0.0.23

func EncryptWithKey(ctx context.Context, key, plainText string) (string, error)

EncryptWithKey encrypts the given plain text with the given key. It returns the encrypted value of the plain text.

func GenerateAesKey added in v0.0.23

func GenerateAesKey(ctx context.Context, key string) (string, error)

GenerateAesKey generates an AES key. It returns the AES key.

func VerifySignature

func VerifySignature(authorizationHeader, signedHeader, payload string, accessSecretProvider AccessSecretProvider) (bool, error)

VerifySignature validates the authenticity of a request by comparing the provided signature with a computed signature using the request payload and headers.

Parameters:

  • authorizationHeader: The authorization header containing algorithm, credentials, and signature. Format: "alg=HMAC-SHA256/creds=access-key:value/sign=signature"
  • signedHeader: Headers used in signature computation. Format: "ts=timestamp/api=apiName/ver=version/chnl=channel/usrid=userId"
  • payload: The request body or payload to verify
  • accessSecretProvider: Interface to retrieve access secrets for signature computation

Returns:

  • bool: true if signature is valid, false otherwise
  • error: Error if validation fails or if required parameters are missing/invalid

Possible errors:

  • INVALID_AUTHORIZATION_HEADER: If authorization header format is incorrect
  • INVALID_ALGORITHM: If algorithm is not HMAC-SHA256
  • INVALID_ACCESS_KEY_ID: If access key is missing
  • SIGNATURE_MISSING: If signature is not provided
  • INVALID_SIGNED_HEADERS: If required headers are missing
  • SIGNATURE_MISMATCH: If computed signature doesn't match provided signature
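
An added example, not the package's own code: a verifier that parses the two header formats above, returns the documented error codes in order, and compares signatures in constant time. checkRequest, parseFields, the secrets map (standing in for an AccessSecretProvider) and standInMAC (standing in for ComputeSignature) are hypothetical, and treating an unknown access key like a missing one is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// parseFields splits "k=v/k=v" into a map (assumes values never contain "/").
func parseFields(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, "/") {
		k, v, _ := strings.Cut(part, "=")
		out[k] = v
	}
	return out
}

// standInMAC is a placeholder for ComputeSignature, not the package's algorithm.
func standInMAC(secret, signed, payload string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(signed + "\n" + payload))
	return hex.EncodeToString(m.Sum(nil))
}

// checkRequest (hypothetical) runs the documented checks in order, failing closed.
func checkRequest(authz, signed, payload string, secrets map[string]string) error {
	a, h := parseFields(authz), parseFields(signed)
	id := strings.TrimPrefix(a["creds"], "access-key:")
	switch {
	case len(a) != 3: // duplicate, extra or absent fields
		return errors.New("INVALID_AUTHORIZATION_HEADER")
	case a["alg"] != "HMAC-SHA256": // the client never chooses the algorithm
		return errors.New("INVALID_ALGORITHM")
	case id == a["creds"] || secrets[id] == "": // unknown ID treated as missing (assumption)
		return errors.New("INVALID_ACCESS_KEY_ID")
	case a["sign"] == "":
		return errors.New("SIGNATURE_MISSING")
	case h["ts"] == "" || h["api"] == "" || h["ver"] == "" || h["chnl"] == "" || h["usrid"] == "":
		return errors.New("INVALID_SIGNED_HEADERS")
	case !hmac.Equal([]byte(standInMAC(secrets[id], signed, payload)), []byte(a["sign"])): // constant time
		return errors.New("SIGNATURE_MISMATCH")
	}
	return nil
}

func main() { fmt.Println(checkRequest("alg=HMAC-SHA256/creds=access-key:AK1/sign=00", "ts=1", "{}", map[string]string{"AK1": "s"})) } // constructed input
```

hmac.Equal is used instead of == so that the comparison time does not depend on how many leading characters of the supplied signature are correct.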

Types

type AccessSecretProvider

type AccessSecretProvider interface {
	GetAccessSecret(accessKeyId string) (string, error)
}

AccessSecretProvider is an interface for retrieving access secrets. Implementations of this interface should provide a method to get an access secret given an access key ID.

type CryptoConfig

type CryptoConfig struct {
	KmsUri       string
	KmsUriPrefix string
	KeysetData   string
	HmacKey      string
	KekAd        []byte
}

type CryptoUtil

type CryptoUtil struct {
	// contains filtered or unexported fields
}

func NewCryptoUtil

func NewCryptoUtil(cfg *CryptoConfig) (*CryptoUtil, error)

func (*CryptoUtil) CompareHash

func (u *CryptoUtil) CompareHash(ctx context.Context, plainName, storedHash []byte) (bool, error)

CompareHash compares the plain text with the stored hash. It returns true if the plain text matches the stored hash.

func (*CryptoUtil) CreateAlias

func (u *CryptoUtil) CreateAlias(ctx context.Context, plain []byte) ([]byte, error)

CreateAlias creates an alias for the given plain text. It returns the hashed value of the plain text.

func (*CryptoUtil) Decrypt

func (u *CryptoUtil) Decrypt(ctx context.Context, cipeherText string, ad []byte) ([]byte, error)

Decrypt decrypts the given cipher text. It returns the decrypted value of the cipher text.

func (*CryptoUtil) Encrypt

func (u *CryptoUtil) Encrypt(ctx context.Context, plainText, ad []byte) (string, error)

Encrypt encrypts the given plain text. It returns the encrypted value of the plain text.

type DbAccessSecretProvider

type DbAccessSecretProvider struct {
	// contains filtered or unexported fields
}

func NewDbAccessSecretProvider

func NewDbAccessSecretProvider(db *gorm.DB) *DbAccessSecretProvider

func (*DbAccessSecretProvider) GetAccessSecret

func (p *DbAccessSecretProvider) GetAccessSecret(accessKeyId string) (string, error)

GetAccessSecret retrieves the access secret for a given access key ID. It first checks the in-memory cache, and if not found, queries the database. The retrieved secret is then cached for future use.
