Documentation
¶
Index ¶
- Constants
- Variables
- func AddS3CryptoUserAgent(options *s3.Options)
- func GetWriterStore(path string, useTempFile bool) (*writerStore, error)
- func NewContentLengthReader(f io.Reader) *contentLengthReader
- type CEKEntry
- type Cipher
- type ContentCipher
- type ContentCipherBuilder
- type ContentCipherBuilderWithContext
- type CryptoReadCloser
- type Decrypter
- type DefaultLoadStrategy
- type Encrypter
- type GetObjectAPIClient
- type LoadStrategy
- type LoadStrategyRequest
- type ObjectMetadata
- type ObjectMetadataSaveStrategy
- type Padder
- type SaveStrategyRequest
Constants ¶
const ( GcmTagSizeBits = "128" AESGCMNoPadding = "AES/GCM/NoPadding" )
const ( CekAlgorithmHeader = "x-amz-cek-alg" KeyringAlgorithmHeader = "x-amz-wrap-alg" )
const (
AESCBCPKCS5Padding = "AES/CBC/PKCS5Padding"
)
const DefaultInstructionKeySuffix = ".instruction"
DefaultInstructionKeySuffix is appended to the end of the instruction file key when grabbing or saving to S3
Variables ¶
var AESCBCPadder = Padder(AesCbcPadding)
AESCBCPadder is used to pad AES encrypted and decrypted data. Although it uses the pkcs5Padder, it isn't following the RFC for PKCS5. The only reason why it is called pkcs5Padder is due to the Name returning PKCS5Padding.
var AesCbcPadding = aescbcPadder{pkcs7Padder{16}}
var NoPadder = Padder(noPadder{})
NoPadder does not pad anything
Functions ¶
func AddS3CryptoUserAgent ¶
append to user agent (will be ft/s3-encrypt)
func GetWriterStore ¶
func NewContentLengthReader ¶
Types ¶
type CEKEntry ¶
type CEKEntry func(materials.CryptographicMaterials) (ContentCipher, error)
CEKEntry is a builder that returns a proper content decrypter and error
type ContentCipher ¶
type ContentCipher interface {
EncryptContents(io.Reader) (io.Reader, error)
DecryptContents(io.ReadCloser) (io.ReadCloser, error)
GetCipherData() materials.CryptographicMaterials
}
ContentCipher deals with encrypting and decrypting content
func NewAESCBCContentCipher ¶
func NewAESCBCContentCipher(materials materials.CryptographicMaterials) (ContentCipher, error)
NewAESCBCContentCipher will create a new aes cbc content cipher. If the cipher data's will set the cek algorithm if it hasn't been set.
func NewAESGCMContentCipher ¶
func NewAESGCMContentCipher(materials materials.CryptographicMaterials) (ContentCipher, error)
NewAESGCMContentCipher returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.
Note: This uses the Go stdlib AEAD implementation for AES/GCM. Due to this, objects to be encrypted or decrypted will be fully loaded into memory before encryption or decryption can occur. Caution must be taken to avoid memory allocation failures.
type ContentCipherBuilder ¶
type ContentCipherBuilder interface {
ContentCipher() (ContentCipher, error)
}
ContentCipherBuilder is a builder interface that builds ciphers for each request.
type ContentCipherBuilderWithContext ¶
type ContentCipherBuilderWithContext interface {
ContentCipherWithContext(context.Context) (ContentCipher, error)
}
ContentCipherBuilderWithContext is a builder interface that builds ciphers for each request.
type CryptoReadCloser ¶
type CryptoReadCloser struct {
Body io.ReadCloser
Decrypter io.Reader
// contains filtered or unexported fields
}
CryptoReadCloser handles closing of the body and allowing reads from the decrypted content.
func (*CryptoReadCloser) Close ¶
func (rc *CryptoReadCloser) Close() error
Close lets the CryptoReadCloser satisfy io.ReadCloser interface
type DefaultLoadStrategy ¶
type DefaultLoadStrategy struct {
// contains filtered or unexported fields
}
DefaultLoadStrategy This is the only exported LoadStrategy since cx are no longer able to configure their client with a specific load strategy. Instead, we figure out which strategy to use based on the response header on decrypt.
func (DefaultLoadStrategy) Load ¶
func (load DefaultLoadStrategy) Load(ctx context.Context, req *LoadStrategyRequest) (ObjectMetadata, error)
type GetObjectAPIClient ¶
type GetObjectAPIClient interface {
GetObject(context.Context, *s3.GetObjectInput, ...func(*s3.Options)) (*s3.GetObjectOutput, error)
}
GetObjectAPIClient is a client that implements the GetObject operation
type LoadStrategy ¶
type LoadStrategy interface {
Load(context.Context, *LoadStrategyRequest) (ObjectMetadata, error)
}
LoadStrategy ...
type LoadStrategyRequest ¶
type LoadStrategyRequest struct {
// The HTTP response
HTTPResponse *http.Response
// The operation Input type
Input interface{}
}
LoadStrategyRequest represents a request sent to a LoadStrategy to load the contents of an ObjectMetadata
type ObjectMetadata ¶
type ObjectMetadata struct {
// IV is the randomly generated IV base64 encoded.
IV string `json:"x-amz-iv"`
// CipherKey is the randomly generated cipher key.
CipherKey string `json:"x-amz-key-v2"`
// MaterialDesc is a description to distinguish from other envelopes.
MatDesc string `json:"x-amz-matdesc"`
KeyringAlg string `json:"x-amz-wrap-alg"`
CEKAlg string `json:"x-amz-cek-alg"`
TagLen string `json:"x-amz-tag-len"`
UnencryptedContentLen string `json:"x-amz-unencrypted-content-length"`
}
ObjectMetadata encryption starts off by generating a random symmetric key using AES GCM. The SDK generates a random IV based off the encryption cipher chosen. The master key that was provided, whether by the user or KMS, will be used to encrypt the randomly generated symmetric key and base64 encode the iv. This will allow for decryption of that same data later.
func EncodeMeta ¶
func EncodeMeta(reader lengthReader, cryptographicMaterials materials.CryptographicMaterials) (ObjectMetadata, error)
func (*ObjectMetadata) GetDecodedIV ¶
func (e *ObjectMetadata) GetDecodedIV() ([]byte, error)
func (*ObjectMetadata) GetDecodedKey ¶
func (e *ObjectMetadata) GetDecodedKey() ([]byte, error)
func (*ObjectMetadata) GetMatDesc ¶
func (e *ObjectMetadata) GetMatDesc() (string, error)
func (*ObjectMetadata) UnmarshalJSON ¶
func (e *ObjectMetadata) UnmarshalJSON(value []byte) error
UnmarshalJSON unmarshalls the given JSON bytes into ObjectMetadata
type ObjectMetadataSaveStrategy ¶
type ObjectMetadataSaveStrategy struct{}
ObjectMetadataSaveStrategy will save the metadata of the crypto contents to the header of the object.
func (ObjectMetadataSaveStrategy) Save ¶
func (strat ObjectMetadataSaveStrategy) Save(ctx context.Context, saveReq *SaveStrategyRequest) error
Save will save the envelope to the request's header.
type Padder ¶
type Padder interface {
// Pad will pad the byte array.
// The second parameter is NOT how many
// bytes to pad by, but how many bytes
// have been read prior to the padding.
// This allows for streamable padding.
Pad([]byte, int) ([]byte, error)
// Unpad will unpad the byte bytes. Unpad
// methods must be constant time.
Unpad([]byte) ([]byte, error)
// Name returns the name of the padder.
// This is used when decrypting on
// instantiating new padders.
Name() string
}
Padder handles padding of crypto data
func NewPKCS7Padder ¶
NewPKCS7Padder follows the RFC 2315: https://www.ietf.org/rfc/rfc2315.txt PKCS7 padding is subject to side-channel attacks and timing attacks. For the most secure data, use an authenticated crypto algorithm.
type SaveStrategyRequest ¶
type SaveStrategyRequest struct {
// The envelope to save
Envelope *ObjectMetadata
// The HTTP request being built
HTTPRequest *http.Request
// The operation Input type
Input interface{}
}
SaveStrategyRequest represents a request sent to a SaveStrategy to save the contents of an ObjectMetadata
Source Files
Directories