crypto

package
v1.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 7, 2020 License: Apache-2.0 Imports: 20 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AesCbcDecrypt

func AesCbcDecrypt(data string, passphrase string) (string, error)

AesCbcDecrypt will decrypt using aes cbc 256 bit, passphrase must be 32 bytes, if over 32 bytes, it be truncated

func AesCbcEncrypt

func AesCbcEncrypt(data string, passphrase string) (string, error)

AesCbcEncrypt will encrypt using aes cbc 256 bit, passphrase must be 32 bytes, if over 32 bytes, it be truncated, encrypted data is represented in hex value

func AesCfbDecrypt

func AesCfbDecrypt(data string, passphrase string) (string, error)

AesCfbDecrypt will decrypt using aes cfb 256 bit, passphrase must be 32 bytes, if over 32 bytes, it be truncated

func AesCfbEncrypt

func AesCfbEncrypt(data string, passphrase string) (string, error)

AesCfbEncrypt will encrypt using aes cfb 256 bit, passphrase must be 32 bytes, if over 32 bytes, it be truncated, encrypted data is represented in hex value

func AesGcmDecrypt

func AesGcmDecrypt(data string, passphrase string) (string, error)

AesGcmDecrypt will decrypt using aes gcm 256 bit, passphrase must be 32 bytes, if over 32 bytes, it be truncated

func AesGcmEncrypt

func AesGcmEncrypt(data string, passphrase string) (string, error)

AesGcmEncrypt will encrypt using aes gcm 256 bit, passphrase must be 32 bytes, if over 32 bytes, it be truncated, encrypted data is represented in hex value

func AppendHmac

func AppendHmac(encryptedData string, key string) (string, error)

AppendHmac will calculate the hmac for the given encrypted data based on the given key, and append the Hmac to the end of the encrypted data and return the newly assembled encrypted data with hmac key must be 32 bytes

func Generate32ByteRandomKey

func Generate32ByteRandomKey(passphrase string) (string, error)

Generate32ByteRandomKey will generate a random 32 byte key based on passphrase and random salt, passphrase does not need to be any specific length

func Md5

func Md5(data string, salt string) string

Md5 hashing

func PasswordHash

func PasswordHash(password string, cost int) (string, error)

PasswordHash uses BCrypt to hash the given password and return a corresponding hash, suggested cost = 13 (440ms), if cost is left as 0, then default 13 is assumed

func PasswordVerify

func PasswordVerify(password string, hash string) (bool, error)

PasswordVerify uses BCrypt to verify the input password against a prior hash version to see if match

func RsaAesParseTPKHashFromEncryptedPayload

func RsaAesParseTPKHashFromEncryptedPayload(encryptedData string) string

RsaAesParseTPKHashFromEncryptedPayload will get the public key TPK hash from the embedded encrypted data string

func RsaAesPrivateKeyDecryptAndVerify

func RsaAesPrivateKeyDecryptAndVerify(encryptedData string, recipientPrivateKeyHexOrPem string) (plainText string, senderPublicKeyHexOrPem string, err error)

RsaAesPrivateKeyDecryptAndVerify is a simplified wrapper method to decrypt incoming encrypted payload envelop that was previously encrypted using the RsaAesPublicKeyEncryptAndSign(), this function will use recipient's private key to decrypt the rsa encrypted dynamic aes key and then using the dynamic aes key to decrypt the aes encrypted data payload, this function will then parse the decrypted payload and perform a verification of signature using the sender's public key

usage tip: the sender's public key can then be used to encrypt the return data back to the sender as a reply using RsaAesPublicKeyEncryptedAndSign(),

in this usage pattern, only the public key is used in each messaging cycle, while the aes key is dynamically generated each time and no prior knowledge of it is known,
since the public key encrypted data cannot be decrypted unless with private key, then as long as the private key is protected, then the messaging pipeline will be secured,
furthermore, by using sender private key sign and sender public key verify into the message authentication, we further ensure the plain text data is coming from the expected source

recipientPrivateKeyHexOrPem = can be either HEX or PEM

func RsaAesPublicKeyEncryptAndSign

func RsaAesPublicKeyEncryptAndSign(plainText string, recipientPublicKeyHexOrPem string, senderPublicKeyHexOrPem string, senderPrivateKeyHexOrPem string) (encryptedData string, err error)

RsaAesPublicKeyEncryptAndSign is a simplified wrapper method to generate a random AES key, then encrypt plainText using AES GCM, and then sign plain text data using sender's private key, and then using recipient's public key to encrypt the dynamic aes key, and finally compose the encrypted payload that encapsulates a full envelop:

<STX>RsaPublicKeyEncryptedAESKeyData + AesGcmEncryptedPayload(PlainTextData<VT>SenderPublicKey<VT>PlainTextDataSignature)<ETX>

warning: VT is used in encrypted payload as separator, make sure to escape VT if it is to be used inside the plainTextData <<< IMPORTANT

recipientPublicKeyHexOrPem = can be either HEX or PEM senderPublicKeyHexOrPem = can be either HEX or PEM senderPrivateKeyHexOrPem = can be either HEX or PEM

func RsaCreateKey

func RsaCreateKey() (privateKey string, publicKey string, err error)

RsaCreateKey generates the private and public key pair, expressed in hex code value

func RsaPrivateKeyDecrypt

func RsaPrivateKeyDecrypt(data string, privateKeyHexOrPem string) (string, error)

RsaPrivateKeyDecrypt will decrypt rsa public key encrypted data using its corresponding rsa private key

privateKeyHexOrPem = can be either HEX or PEM

func RsaPrivateKeyDecryptAndPublicKeyVerify

func RsaPrivateKeyDecryptAndPublicKeyVerify(data string, recipientPrivateKeyHexOrPem string, signatureHex string, senderPublicKeyHexOrPem string) (plaintext string, verified bool, err error)

RsaPrivateKeyDecryptAndPublicKeyVerify will decrypt given data using recipient's rsa private key, and then using sender's rsa public key to verify if the signature given is a match, NOTE: data represents the encrypted data

recipientPrivateKeyHexOrPem = can be either HEX or PEM senderPublicKeyHexOrPem = can be either HEX or PEM

func RsaPrivateKeySign

func RsaPrivateKeySign(data string, privateKeyHexOrPem string) (string, error)

RsaPrivateKeySign will sign the plaintext data using the given private key, NOTE: data must be plain text before encryption as signature verification is against plain text data signature is returned via hex

privateKeyHexOrPem = can be either HEX or PEM

func RsaPublicKeyEncrypt

func RsaPublicKeyEncrypt(data string, publicKeyHexOrPem string) (string, error)

RsaPublicKeyEncrypt will encrypt given data using rsa public key, encrypted data is represented in hex value

publicKeyHexOrPem = can be either HEX or PEM

func RsaPublicKeyEncryptAndPrivateKeySign

func RsaPublicKeyEncryptAndPrivateKeySign(data string, recipientPublicKeyHexOrPem string, senderPrivateKeyHexOrPem string) (encryptedData string, signature string, err error)

RsaPublicKeyEncryptAndPrivateKeySign will encrypt given data using recipient's rsa public key, and then using sender's rsa private key to sign, NOTE: data represents the plaintext data, encrypted data and signature are represented in hex values

recipientPublicKeyHexOrPem = can be either HEX or PEM senderPrivateKeyHexOrPem = can be either HEX or PEM

func RsaPublicKeyVerify

func RsaPublicKeyVerify(data string, publicKeyHexOrPem string, signatureHex string) error

RsaPublicKeyVerify will verify the plaintext data using the given public key, NOTE: data must be plain text before encryption as signature verification is against plain text data if verification is successful, nil is returned, otherwise error is returned

publicKeyHexOrPem = can be either HEX or PEM

func Sha256

func Sha256(data string, salt string) string

Sha256 hashing (always 64 bytes output)

func ValidateHmac

func ValidateHmac(encryptedDataWithHmac string, key string) (string, error)

ValidateHmac will verify if the appended hmac validates against the message based on the given key, and parse the hmac out and return the actual message if hmac validation succeeds, if hmac validation fails, then blank is returned and the error contains the failure reason

Types

type TlsConfig

type TlsConfig struct{}

func (*TlsConfig) GetClientTlsConfig

func (t *TlsConfig) GetClientTlsConfig(serverCaCertPemPath []string,
	clientCertPemPath string,
	clientKeyPemPath string) (*tls.Config, error)

GetClientTlsConfig returns *tls.config configured for server TLS or mTLS based on parameters

serverCaCertPath = (required) one or more server ca cert path and file name, required for both server TLS or mTLS clientCertPemPath = (optional) for mTLS setup, path and file name to the client cert pem (unencrypted version) clientKeyPemPath = (optional) for mTLS setup, path and file name to the client key pem (unencrypted version)

func (*TlsConfig) GetServerTlsConfig

func (t *TlsConfig) GetServerTlsConfig(serverCertPemPath string,
	serverKeyPemPath string,
	clientCaCertPemPath []string) (*tls.Config, error)

GetServerTlsConfig returns *tls.config configured for server TLS or mTLS based on parameters

serverCertPemPath = (required) path and file name to the server cert pem (unencrypted version) serverKeyPemPath = (required) path and file name to the server key pem (unencrypted version) clientCaCertPath = (optional) one or more client ca cert path and file name, in case tls.config is for mTLS

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL