tink

package
v1.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 24, 2019 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package tink defines interfaces for the crypto primitives that Tink supports.

Index

Constants

View Source 
const (
	// Prefix size of Tink and Legacy key types.
	NonRawPrefixSize = 5

	// Legacy or Crunchy prefix starts with \x00 and followed by a 4-byte key id.
	LegacyPrefixSize = NonRawPrefixSize
	LegacyStartByte  = byte(0)

	// Tink prefix starts with \x01 and followed by a 4-byte key id.
	TinkPrefixSize = NonRawPrefixSize
	TinkStartByte  = byte(1)

	// Raw prefix is empty.
	RawPrefixSize = 0
	RawPrefix     = ""
)

*

  • Constants and convenience methods that deal with crypto format.

Variables

This section is empty.

Functions

func CleartextKeysetHandle 

func CleartextKeysetHandle() *cleartextKeysetHandle

CleartextKeysetHandle returns the single instance of cleartextKeysetHandle.

func CreateEncryptedKeyset added in v1.1.1 

func CreateEncryptedKeyset(encryptedKeySet []byte, info *tinkpb.KeysetInfo) *tinkpb.EncryptedKeyset

CreateEncryptedKeyset creates a new EncryptedKeyset with a specified parameters.

func CreateKey added in v1.1.1 

func CreateKey(keyData *tinkpb.KeyData,
	status tinkpb.KeyStatusType,
	keyID uint32,
	prefixType tinkpb.OutputPrefixType) *tinkpb.Keyset_Key

CreateKey creates a new Key with the specified parameters.

func CreateKeyData added in v1.1.1 

func CreateKeyData(typeURL string,
	value []byte,
	materialType tinkpb.KeyData_KeyMaterialType) *tinkpb.KeyData

CreateKeyData creates a new KeyData with the specified parameters.

func CreateKeyset added in v1.1.1 

func CreateKeyset(primaryKeyID uint32,
	keys []*tinkpb.Keyset_Key) *tinkpb.Keyset

CreateKeyset creates a new Keyset with the specified parameters.

func DecryptKeyset 

func DecryptKeyset(encryptedKeyset *tinkpb.EncryptedKeyset,
	masterKey Aead) (*tinkpb.Keyset, error)

DecryptKeyset decrypts the given keyset using the given master key

func EncryptKeyset 

func EncryptKeyset(keyset *tinkpb.Keyset,
	masterKey Aead) (*tinkpb.EncryptedKeyset, error)

EncryptKeyset encrypts the given keyset using the given master key.

func GetCurveName added in v1.1.0 

func GetCurveName(curve commonpb.EllipticCurveType) string

GetCurveName returns the name of the EllipticCurveType.

func GetHashName added in v1.1.0 

func GetHashName(hashType commonpb.HashType) string

GetHashName returns the name of the HashType.

func GetKeyInfo added in v1.1.0 

func GetKeyInfo(key *tinkpb.Keyset_Key) (*tinkpb.KeysetInfo_KeyInfo, error)

GetKeyInfo returns a KeyInfo from a Key protobuf.

func GetKeysetInfo added in v1.1.0 

func GetKeysetInfo(keyset *tinkpb.Keyset) (*tinkpb.KeysetInfo, error)

GetKeysetInfo returns a KeysetInfo from a Keyset protobuf.

func GetOutputPrefix 

func GetOutputPrefix(key *tinkpb.Keyset_Key) (string, error)

GetOutputPrefix generates the prefix of all cryptographic outputs (ciphertexts, signatures, MACs, ...) produced by the specified {@code key}. The prefix can be either empty (for RAW-type prefix), or consists of a 1-byte indicator of the type of the prefix, followed by 4 bytes of {@code key.KeyId} in Big Endian encoding. @throws error if the prefix type of {@code key} is unknown. @return a prefix.

func GetPrimitiveFromKey added in v1.1.1 

func GetPrimitiveFromKey(typeURL string,
	key proto.Message) (interface{}, error)

GetPrimitiveFromKey creates a new primitive for the given key using the KeyManager identified by the given typeURL.

func GetPrimitiveFromKeyData added in v1.1.1 

func GetPrimitiveFromKeyData(keyData *tinkpb.KeyData) (interface{}, error)

GetPrimitiveFromKeyData creates a new primitive for the key given in the given KeyData.

func GetPrimitiveFromSerializedKey added in v1.1.1 

func GetPrimitiveFromSerializedKey(typeURL string,
	serializedKey []byte) (interface{}, error)

GetPrimitiveFromSerializedKey creates a new primitive for the given serialized key using the KeyManager identified by the given typeURL.

func NewKeyData added in v1.1.0 

func NewKeyData(template *tinkpb.KeyTemplate) (*tinkpb.KeyData, error)

NewKeyData generates a new KeyData for the given KeyTemplate.

func NewKeyFromKeyFormat added in v1.1.1 

func NewKeyFromKeyFormat(typeURL string,
	format proto.Message) (proto.Message, error)

NewKeyFromKeyFormat generates a new key for the given KeyFormat using the KeyManager identified by the given typeURL.

func NewKeyFromKeyTemplate added in v1.1.1 

func NewKeyFromKeyTemplate(template *tinkpb.KeyTemplate) (proto.Message, error)

NewKeyFromKeyTemplate generates a new key for the given KeyTemplate.

func RegisterKeyManager added in v1.1.1 

func RegisterKeyManager(manager KeyManager) (bool, error)

RegisterKeyManager registers the given key manager. It does nothing if there already exists a key manager with the same type url. It returns true if the key manager is registered; false otherwise.

func ValidateKey added in v1.1.0 

func ValidateKey(key *tinkpb.Keyset_Key) error

ValidateKey validates the given key. Returns nil if it is valid; an error otherwise.

func ValidateKeyset added in v1.1.0 

func ValidateKeyset(keyset *tinkpb.Keyset) error

ValidateKeyset validates the given key set. Returns nil if it is valid; an error otherwise.

func ValidateVersion added in v1.1.0 

func ValidateVersion(version uint32, maxExpected uint32) error

ValidateVersion checks whether the given version is valid. The version is valid only if it is the range [0..maxExpected]

Types

type Aead 

type Aead interface {
	// Encrypt encrypts {@code plaintext} with {@code additionalData} as additional
	// authenticated data. The resulting ciphertext allows for checking
	// authenticity and integrity of additional data ({@code additionalData}),
	// but does not guarantee its secrecy.
	Encrypt(plaintext []byte, additionalData []byte) ([]byte, error)

	// Decrypt decrypts {@code ciphertext} with {@code additionalData} as additional
	// authenticated data. The decryption verifies the authenticity and integrity
	// of the additional data, but there are no guarantees wrt. secrecy of that data.
	Decrypt(ciphertext []byte, additionalData []byte) ([]byte, error)
}

Aead is the interface for authenticated encryption with additional authenticated data. Implementations of this interface are secure against adaptive chosen ciphertext attacks. Encryption with additional data ensures authenticity and integrity of that data, but not its secrecy. (see RFC 5116, https://tools.ietf.org/html/rfc5116)

type Entry 

type Entry struct {
	// contains filtered or unexported fields
}

Entry represents a single entry in the keyset. In addition to the actual primitive, it holds the identifier and status of the primitive.

func NewEntry 

func NewEntry(p interface{}, id string, stt tinkpb.KeyStatusType,
	outputPrefixType tinkpb.OutputPrefixType) *Entry

NewEntry creates a new instance of Entry using the given information.

func (*Entry) Identifier 

func (e *Entry) Identifier() string

Identifier returns the identifier of the key entry.

func (*Entry) OutputPrefixType 

func (e *Entry) OutputPrefixType() tinkpb.OutputPrefixType

OutputPrefixType returns the OutputPrefixType of the key entry.

func (*Entry) Primitive 

func (e *Entry) Primitive() interface{}

Primitive returns the crypto primitive associated with the key entry.

func (*Entry) Status 

func (e *Entry) Status() tinkpb.KeyStatusType

Status returns the status of the key entry.

type KeyManager 

type KeyManager interface {
	// GetPrimitiveFromSerializedKey constructs a primitive instance for the key given in
	// serializedKey, which must be a serialized key protocol buffer handled by this manager.
	GetPrimitiveFromSerializedKey(serializedKey []byte) (interface{}, error)

	// GetPrimitiveFromKey constructs a primitive instance for the key given in {@code key}.
	GetPrimitiveFromKey(key proto.Message) (interface{}, error)

	// NewKeyFromSerializedKeyFormat Generates a new key according to specification in {@code serializedKeyFormat},
	// which must be a serialized key format protocol buffer handled by this manager.
	NewKeyFromSerializedKeyFormat(serializedKeyFormat []byte) (proto.Message, error)

	// NewKeyFromKeyFormat generates a new key according to specification in {@code keyFormat}.
	NewKeyFromKeyFormat(keyFormat proto.Message) (proto.Message, error)

	// DoesSupport returns true iff this KeyManager supports key type identified by {@code typeURL}.
	DoesSupport(typeURL string) bool

	// GetKeyType returns the type URL that identifes the key type of keys managed by this KeyManager.
	GetKeyType() string

	// NewKeyData generates a new {@code KeyData} according to specification in {@code serializedkeyFormat}.
	// This should be used solely by the key management API.
	NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error)
}

KeyManager "understands" keys of a specific key types: it can generate keys of a supported type and create primitives for supported keys. A key type is identified by the global name of the protocol buffer that holds the corresponding key material, and is given by type_url-field of KeyData-protocol buffer.

func GetKeyManager added in v1.1.1 

func GetKeyManager(typeURL string) (KeyManager, error)

GetKeyManager returns the key manager for the given type url if existed.

type KeysetHandle 

type KeysetHandle struct {
	// contains filtered or unexported fields
}

KeysetHandle provides abstracted access to Keysets, to limit the exposure of actual protocol buffers that hold sensitive key material.

func (*KeysetHandle) EncryptedKeyset 

func (h *KeysetHandle) EncryptedKeyset() *tinkpb.EncryptedKeyset

EncryptedKeyset returns the EncryptedKeyset component of this handle.

func (*KeysetHandle) GetPublicKeysetHandle 

func (h *KeysetHandle) GetPublicKeysetHandle() (*KeysetHandle, error)

GetPublicKeysetHandle returns a KeysetHandle of the public keys if the managed keyset contains private keys.

func (*KeysetHandle) Keyset 

func (h *KeysetHandle) Keyset() *tinkpb.Keyset

Keyset returns the Keyset component of this handle.

func (*KeysetHandle) KeysetInfo 

func (h *KeysetHandle) KeysetInfo() (*tinkpb.KeysetInfo, error)

KeysetInfo returns a KeysetInfo of the Keyset of this handle. KeysetInfo doesn't contain actual key material.

func (*KeysetHandle) String 

func (h *KeysetHandle) String() string

String returns the string representation of the KeysetInfo.

type KeysetManager 

type KeysetManager struct {
	// contains filtered or unexported fields
}

KeysetManager manages a Keyset-proto, with convenience methods that rotate, disable, enable or destroy keys. Note: It is not thread-safe.

func NewKeysetManager 

func NewKeysetManager(keyTemplate *tinkpb.KeyTemplate,
	masterKey Aead,
	keyset *tinkpb.Keyset) *KeysetManager

NewKeysetManager creates a new instance of keyset manager.

func (*KeysetManager) GetKeysetHandle 

func (km *KeysetManager) GetKeysetHandle() (*KeysetHandle, error)

GetKeysetHandle creates a new KeysetHandle for the managed keyset.

func (*KeysetManager) KeyTemplate 

func (km *KeysetManager) KeyTemplate() *tinkpb.KeyTemplate

KeyTemplate returns the key template of the manager.

func (*KeysetManager) Keyset 

func (km *KeysetManager) Keyset() *tinkpb.Keyset

Keyset returns the keyset of the manager.

func (*KeysetManager) MasterKey 

func (km *KeysetManager) MasterKey() Aead

MasterKey returns the master key of the manager.

func (*KeysetManager) Rotate 

func (km *KeysetManager) Rotate() error

Rotate generates a fresh key using the key template of the current keyset manager and sets the new key as the primary key.

func (*KeysetManager) RotateWithTemplate 

func (km *KeysetManager) RotateWithTemplate(keyTemplate *tinkpb.KeyTemplate) error

RotateWithTemplate generates a fresh key using the given key template and sets the new key as the primary key.

func (*KeysetManager) SetKeyTemplate 

func (km *KeysetManager) SetKeyTemplate(template *tinkpb.KeyTemplate)

SetKeyTemplate sets the key template of the manager.

func (*KeysetManager) SetKeyset 

func (km *KeysetManager) SetKeyset(keyset *tinkpb.Keyset)

SetKeyset sets the keyset of the manager. If the input is nil, it will use an empty keyset as the input instead.

func (*KeysetManager) SetMasterKey 

func (km *KeysetManager) SetMasterKey(masterKey Aead)

SetMasterKey sets the master key of the manager.

type Mac 

type Mac interface {

	// ComputeMac Computes message authentication code (MAC) for {@code data}.
	ComputeMac(data []byte) ([]byte, error)

	// VerifyMac verifies whether {@code mac} is a correct authentication code (MAC) for {@code data}.
	VerifyMac(mac []byte, data []byte) (bool, error)
}

Mac is the interface for MACs (Message Authentication Codes). This interface should be used for authentication only, and not for other purposes (for example, it should not be used to generate pseudorandom bytes).

type PrimitiveSet 

type PrimitiveSet struct {
	// contains filtered or unexported fields
}

PrimitiveSet is a container class for a set of primitives (i.e. implementations of cryptographic primitives offered by Tink). It provides also additional properties for the primitives it holds. In particular, one of the primitives in the set can be distinguished as "the primary" one. <p>

PrimitiveSet is an auxiliary class used for supporting key rotation: primitives in a set correspond to keys in a keyset. Users will usually work with primitive instances, which essentially wrap primitive sets. For example an instance of an Aead-primitive for a given keyset holds a set of Aead-primitives corresponding to the keys in the keyset, and uses the set members to do the actual crypto operations: to encrypt data the primary Aead-primitive from the set is used, and upon decryption the ciphertext's prefix determines the id of the primitive from the set. <p>

PrimitiveSet is a public class to allow its use in implementations of custom primitives.

func GetPrimitives added in v1.1.1 

func GetPrimitives(keysetHandle *KeysetHandle) (*PrimitiveSet, error)

GetPrimitives creates a set of primitives corresponding to the keys with status=ENABLED in the keyset of the given keysetHandle, assuming all the corresponding key managers are present (keys with status!=ENABLED are skipped).

The returned set is usually later "wrapped" into a class that implements the corresponding Primitive-interface.

func GetPrimitivesWithCustomManager added in v1.1.1 

func GetPrimitivesWithCustomManager(
	keysetHandle *KeysetHandle, customManager KeyManager) (*PrimitiveSet, error)

GetPrimitivesWithCustomManager creates a set of primitives corresponding to the keys with status=ENABLED in the keyset of the given keysetHandle, using the given customManager (instead of registered key managers) for keys supported by it. Keys not supported by the customManager are handled by matching registered key managers (if present), and keys with status!=ENABLED are skipped. <p>

This enables custom treatment of keys, for example providing extra context (e.g. credentials for accessing keys managed by a KMS), or gathering custom monitoring/profiling information.

The returned set is usually later "wrapped" into a class that implements the corresponding Primitive-interface.

func NewPrimitiveSet 

func NewPrimitiveSet() *PrimitiveSet

NewPrimitiveSet returns an empty instance of PrimitiveSet.

func (*PrimitiveSet) AddPrimitive 

func (ps *PrimitiveSet) AddPrimitive(primitive interface{},
	key *tinkpb.Keyset_Key) (*Entry, error)

AddPrimitive creates a new entry in the primitive set using the given information and returns the added entry.

func (*PrimitiveSet) GetPrimitivesWithByteIdentifier 

func (ps *PrimitiveSet) GetPrimitivesWithByteIdentifier(id []byte) ([]*Entry, error)

GetPrimitivesWithByteIdentifier returns all primitives in the set that have the given prefix.

func (*PrimitiveSet) GetPrimitivesWithKey 

func (ps *PrimitiveSet) GetPrimitivesWithKey(key *tinkpb.Keyset_Key) ([]*Entry, error)

GetPrimitivesWithKey returns all primitives in the set that have prefix equal to that of the given key.

func (*PrimitiveSet) GetPrimitivesWithStringIdentifier 

func (ps *PrimitiveSet) GetPrimitivesWithStringIdentifier(id string) ([]*Entry, error)

GetPrimitivesWithStringIdentifier returns all primitives in the set that have the given prefix.

func (*PrimitiveSet) GetRawPrimitives 

func (ps *PrimitiveSet) GetRawPrimitives() ([]*Entry, error)

GetRawPrimitives returns all primitives in the set that have RAW prefix.

func (*PrimitiveSet) Primary 

func (ps *PrimitiveSet) Primary() *Entry

Primary returns the entry with the primary primitive.

func (*PrimitiveSet) Primitives 

func (ps *PrimitiveSet) Primitives() map[string][]*Entry

Primitives returns all primitives of the set.

func (*PrimitiveSet) SetPrimary 

func (ps *PrimitiveSet) SetPrimary(e *Entry)

SetPrimary sets the primary entry of the set to the given entry.

type PrivateKeyManager 

type PrivateKeyManager interface {
	KeyManager

	// GetPublicKeyData extracts the public key data from the private key.
	GetPublicKeyData(serializedKey []byte) (*tinkpb.KeyData, error)
}

PrivateKeyManager is a special type of KeyManager that understands private key types.

type PublicKeySign 

type PublicKeySign interface {
	/**
	 * Computes the signature for {@code data}.
	 *
	 * @return the signature of {$code data}.
	 */
	Sign(data []byte) ([]byte, error)
}

PublicKeySign is the signing interface for digital signature. Implementations of this interface are secure against adaptive chosen-message attacks. Signing data ensures authenticity and integrity of that data, but not its secrecy.

type PublicKeyVerify 

type PublicKeyVerify interface {
	/**
	 * Verifies whether {@code signature} is a valid signature for {@code data}.
	 *
	 * @return an error if {@code signature} is not a valid signature for
	 * {@code data}; nil otherwise.
	 */
	Verify(signature []byte, data []byte) error
}

PublicKeyVerify is the verifying interface for digital signature. Implementations of this interface are secure against adaptive chosen-message attacks. Signing data ensures authenticity and integrity of that data, but not its secrecy.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.