internal

package
v3.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 16, 2023 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source
const (
	GcmTagSizeBits  = "128"
	AESGCMNoPadding = "AES/GCM/NoPadding"
)
View Source
const (
	CekAlgorithmHeader     = "x-amz-cek-alg"
	KeyringAlgorithmHeader = "x-amz-wrap-alg"
)
View Source
const (
	AESCBCPKCS5Padding = "AES/CBC/PKCS5Padding"
)
View Source
const DefaultInstructionKeySuffix = ".instruction"

DefaultInstructionKeySuffix is appended to the end of the instruction file key when grabbing or saving to S3

Variables

View Source
var AESCBCPadder = Padder(AesCbcPadding)

AESCBCPadder is used to pad AES encrypted and decrypted data. Although it uses the pkcs5Padder, it isn't following the RFC for PKCS5. The only reason why it is called pkcs5Padder is due to the Name returning PKCS5Padding.

View Source
var AesCbcPadding = aescbcPadder{pkcs7Padder{16}}
View Source
var NoPadder = Padder(noPadder{})

NoPadder does not pad anything

Functions

func AddS3CryptoUserAgent

func AddS3CryptoUserAgent(options *s3.Options)

append to user agent (will be ft/s3-encrypt)

func GetWriterStore

func GetWriterStore(path string, useTempFile bool) (*writerStore, error)

func NewContentLengthReader

func NewContentLengthReader(f io.Reader) *contentLengthReader

Types

type CEKEntry

CEKEntry is a builder that returns a proper content decrypter and error

type Cipher

type Cipher interface {
	Encrypter
	Decrypter
}

Cipher interface allows for either encryption and decryption of an object

type ContentCipher

type ContentCipher interface {
	EncryptContents(io.Reader) (io.Reader, error)
	DecryptContents(io.ReadCloser) (io.ReadCloser, error)
	GetCipherData() materials.CryptographicMaterials
}

ContentCipher deals with encrypting and decrypting content

func NewAESCBCContentCipher

func NewAESCBCContentCipher(materials materials.CryptographicMaterials) (ContentCipher, error)

NewAESCBCContentCipher will create a new aes cbc content cipher. If the cipher data's will set the cek algorithm if it hasn't been set.

func NewAESGCMContentCipher

func NewAESGCMContentCipher(materials materials.CryptographicMaterials) (ContentCipher, error)

NewAESGCMContentCipher returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.

Note: This uses the Go stdlib AEAD implementation for AES/GCM. Due to this, objects to be encrypted or decrypted will be fully loaded into memory before encryption or decryption can occur. Caution must be taken to avoid memory allocation failures.

type ContentCipherBuilder

type ContentCipherBuilder interface {
	ContentCipher() (ContentCipher, error)
}

ContentCipherBuilder is a builder interface that builds ciphers for each request.

type ContentCipherBuilderWithContext

type ContentCipherBuilderWithContext interface {
	ContentCipherWithContext(context.Context) (ContentCipher, error)
}

ContentCipherBuilderWithContext is a builder interface that builds ciphers for each request.

type CryptoReadCloser

type CryptoReadCloser struct {
	Body      io.ReadCloser
	Decrypter io.Reader
	// contains filtered or unexported fields
}

CryptoReadCloser handles closing of the body and allowing reads from the decrypted content.

func (*CryptoReadCloser) Close

func (rc *CryptoReadCloser) Close() error

Close lets the CryptoReadCloser satisfy io.ReadCloser interface

func (*CryptoReadCloser) Read

func (rc *CryptoReadCloser) Read(b []byte) (int, error)

Read lets the CryptoReadCloser satisfy io.ReadCloser interface

type Decrypter

type Decrypter interface {
	Decrypt(io.Reader) io.Reader
}

Decrypter interface with only the decrypt method

type DefaultLoadStrategy

type DefaultLoadStrategy struct {
	// contains filtered or unexported fields
}

DefaultLoadStrategy This is the only exported LoadStrategy since cx are no longer able to configure their client with a specific load strategy. Instead, we figure out which strategy to use based on the response header on decrypt.

func (DefaultLoadStrategy) Load

type Encrypter

type Encrypter interface {
	Encrypt(io.Reader) io.Reader
}

Encrypter interface with only the encrypt method

type GetObjectAPIClient

type GetObjectAPIClient interface {
	GetObject(context.Context, *s3.GetObjectInput, ...func(*s3.Options)) (*s3.GetObjectOutput, error)
}

GetObjectAPIClient is a client that implements the GetObject operation

type LoadStrategy

type LoadStrategy interface {
	Load(context.Context, *LoadStrategyRequest) (ObjectMetadata, error)
}

LoadStrategy ...

type LoadStrategyRequest

type LoadStrategyRequest struct {
	// The HTTP response
	HTTPResponse *http.Response

	// The operation Input type
	Input interface{}
}

LoadStrategyRequest represents a request sent to a LoadStrategy to load the contents of an ObjectMetadata

type ObjectMetadata

type ObjectMetadata struct {
	// IV is the randomly generated IV base64 encoded.
	IV string `json:"x-amz-iv"`
	// CipherKey is the randomly generated cipher key.
	CipherKey string `json:"x-amz-key-v2"`
	// MaterialDesc is a description to distinguish from other envelopes.
	MatDesc               string `json:"x-amz-matdesc"`
	KeyringAlg            string `json:"x-amz-wrap-alg"`
	CEKAlg                string `json:"x-amz-cek-alg"`
	TagLen                string `json:"x-amz-tag-len"`
	UnencryptedContentLen string `json:"x-amz-unencrypted-content-length"`
}

ObjectMetadata encryption starts off by generating a random symmetric key using AES GCM. The SDK generates a random IV based off the encryption cipher chosen. The master key that was provided, whether by the user or KMS, will be used to encrypt the randomly generated symmetric key and base64 encode the iv. This will allow for decryption of that same data later.

func EncodeMeta

func EncodeMeta(reader lengthReader, cryptographicMaterials materials.CryptographicMaterials) (ObjectMetadata, error)

func (*ObjectMetadata) GetDecodedIV

func (e *ObjectMetadata) GetDecodedIV() ([]byte, error)

func (*ObjectMetadata) GetDecodedKey

func (e *ObjectMetadata) GetDecodedKey() ([]byte, error)

func (*ObjectMetadata) GetMatDesc

func (e *ObjectMetadata) GetMatDesc() (string, error)

func (*ObjectMetadata) UnmarshalJSON

func (e *ObjectMetadata) UnmarshalJSON(value []byte) error

UnmarshalJSON unmarshalls the given JSON bytes into ObjectMetadata

type ObjectMetadataSaveStrategy

type ObjectMetadataSaveStrategy struct{}

ObjectMetadataSaveStrategy will save the metadata of the crypto contents to the header of the object.

func (ObjectMetadataSaveStrategy) Save

Save will save the envelope to the request's header.

type Padder

type Padder interface {
	// Pad will pad the byte array.
	// The second parameter is NOT how many
	// bytes to pad by, but how many bytes
	// have been read prior to the padding.
	// This allows for streamable padding.
	Pad([]byte, int) ([]byte, error)
	// Unpad will unpad the byte bytes. Unpad
	// methods must be constant time.
	Unpad([]byte) ([]byte, error)
	// Name returns the name of the padder.
	// This is used when decrypting on
	// instantiating new padders.
	Name() string
}

Padder handles padding of crypto data

func NewPKCS7Padder

func NewPKCS7Padder(blockSize int) Padder

NewPKCS7Padder follows the RFC 2315: https://www.ietf.org/rfc/rfc2315.txt PKCS7 padding is subject to side-channel attacks and timing attacks. For the most secure data, use an authenticated crypto algorithm.

type SaveStrategyRequest

type SaveStrategyRequest struct {
	// The envelope to save
	Envelope *ObjectMetadata

	// The HTTP request being built
	HTTPRequest *http.Request

	// The operation Input type
	Input interface{}
}

SaveStrategyRequest represents a request sent to a SaveStrategy to save the contents of an ObjectMetadata

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL