Documentation ¶
Overview ¶
crypto package provides methods to encrypt and decrypt data
Index ¶
- Constants
- type BlockCipher
- func (blockCipher *BlockCipher) DecryptWithAESGCM(cipherText []byte) (plainText []byte, err error)
- func (blockCipher *BlockCipher) EncryptWithAESGCM(plainText []byte) (cipherText []byte, err error)
- func (blockCipher *BlockCipher) GetCipherTextKey() (cipherTextKey []byte)
- func (blockCipher *BlockCipher) GetKMSKeyId() (kmsKey string)
- func (blockCipher *BlockCipher) GetRandomChallenge() (randomChallenge string)
- func (blockCipher *BlockCipher) UpdateEncryptionKey(log log.T, cipherTextBlob []byte, sessionId string, instanceId string, ...) error
- type IBlockCipher
- type IKMSService
- type KMSService
- type NonceGenerator
Constants ¶
const KMSKeySizeInBytes int64 = 64
KMSKeySizeInBytes is the size of the data key fetched from KMS. The 64-byte key is split into two halves: the first 32 bytes are used by the agent for encryption, and the second 32 bytes by clients such as the CLI and console.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BlockCipher ¶
type BlockCipher struct {
// contains filtered or unexported fields
}
func NewBlockCipher ¶
func NewBlockCipher(context context.T, kmsKeyId string) (blockCipher *BlockCipher, err error)
NewBlockCipher creates a new block cipher
func NewBlockCipherKMS ¶
func NewBlockCipherKMS(kmsKeyId string, kmsService IKMSService) (blockCipher *BlockCipher, err error)
NewBlockCipherKMS creates a new block cipher with a provided IKMSService instance
func (*BlockCipher) DecryptWithAESGCM ¶
func (blockCipher *BlockCipher) DecryptWithAESGCM(cipherText []byte) (plainText []byte, err error)
DecryptWithAESGCM decrypts cipher text using the AES block cipher in GCM mode
func (*BlockCipher) EncryptWithAESGCM ¶
func (blockCipher *BlockCipher) EncryptWithAESGCM(plainText []byte) (cipherText []byte, err error)
EncryptWithAESGCM encrypts plain text using the AES block cipher in GCM mode
func (*BlockCipher) GetCipherTextKey ¶
func (blockCipher *BlockCipher) GetCipherTextKey() (cipherTextKey []byte)
GetCipherTextKey returns cipherTextKey from BlockCipher
func (*BlockCipher) GetKMSKeyId ¶
func (blockCipher *BlockCipher) GetKMSKeyId() (kmsKey string)
GetKMSKeyId returns kmsKeyId from BlockCipher
func (*BlockCipher) GetRandomChallenge ¶
func (blockCipher *BlockCipher) GetRandomChallenge() (randomChallenge string)
GetRandomChallenge returns randomChallenge from BlockCipher
func (*BlockCipher) UpdateEncryptionKey ¶
func (blockCipher *BlockCipher) UpdateEncryptionKey(log log.T, cipherTextBlob []byte, sessionId string, instanceId string, useRandomChallenge bool) error
UpdateEncryptionKey receives cipherTextBlob and calls kms::Decrypt to obtain the plaintext encryption data key
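The following added example (not code from this package) shows the scheme the KMSKeySizeInBytes constant and the EncryptWithAESGCM/DecryptWithAESGCM methods describe: a 64-byte data key is split into a 32-byte agent half and a 32-byte client half, and the agent half drives AES-256-GCM. The data key is a constructed stand-in for what kms::Decrypt would return, the nonce-prefixed wire layout is an assumption, and SplitDataKey, EncryptAESGCM, DecryptAESGCM and RoundTripChecks are hypothetical names rather than the package's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMSKeySizeInBytes mirrors the documented constant: KMS returns a 64-byte data key.
const KMSKeySizeInBytes = 64

// SplitDataKey splits the plaintext data key into the agent half (encryption) and the
// client half (cli/console). Hypothetical helper: the package does this inside
// UpdateEncryptionKey, whose body is not shown on the page.
func SplitDataKey(dataKey []byte) (agentKey, clientKey []byte, err error) {
	if len(dataKey) != KMSKeySizeInBytes {
		return nil, nil, fmt.Errorf("data key must be %d bytes, got %d", KMSKeySizeInBytes, len(dataKey))
	}
	half := KMSKeySizeInBytes / 2
	return dataKey[:half], dataKey[half:], nil
}

// newGCM builds an AES-256-GCM AEAD from one 32-byte key half.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256-GCM needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAESGCM seals plainText and returns nonce || ciphertext || tag. The nonce is
// drawn from crypto/rand here (assumed layout, not the package's wire format).
func EncryptAESGCM(key, plainText []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plainText, nil), nil
}

// DecryptAESGCM reverses EncryptAESGCM. A wrong key half or any modified byte makes
// Open fail authentication and return an error instead of plaintext.
func DecryptAESGCM(key, cipherText []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(cipherText) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, sealed := cipherText[:gcm.NonceSize()], cipherText[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// RoundTripChecks exercises the split-key scheme: the agent half must decrypt what it
// encrypted, the client half must be rejected, and a flipped tag bit must be rejected.
func RoundTripChecks(dataKey, plainText []byte) (bool, []byte) {
	agentKey, clientKey, err := SplitDataKey(dataKey)
	if err != nil {
		return false, nil
	}
	ct, err := EncryptAESGCM(agentKey, plainText)
	if err != nil {
		return false, nil
	}
	pt, err := DecryptAESGCM(agentKey, ct)
	if err != nil || !bytes.Equal(pt, plainText) {
		return false, nil
	}
	if _, err := DecryptAESGCM(clientKey, ct); err == nil {
		return false, nil // wrong key half must not decrypt
	}
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	if _, err := DecryptAESGCM(agentKey, tampered); err == nil {
		return false, nil // tampering must be detected
	}
	return true, pt
}

func main() {
	// Constructed stand-in for the plaintext data key kms::Decrypt would return.
	dataKey := make([]byte, KMSKeySizeInBytes)
	for i := range dataKey {
		dataKey[i] = byte(i)
	}
	ok, pt := RoundTripChecks(dataKey, []byte("session payload"))
	fmt.Printf("checks passed: %v, plaintext: %q\n", ok, pt)
}
```

The point of the client-half check is that the two halves are independent keys: the console side cannot read agent-encrypted frames with its own half, and GCM's tag makes the wrong key or a modified byte fail closed rather than yield garbage.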
type IBlockCipher ¶
type IBlockCipher interface {
	UpdateEncryptionKey(log log.T, cipherTextKey []byte, sessionId string, instanceId string, useRandomChallenge bool) error
	EncryptWithAESGCM(plainText []byte) (cipherText []byte, err error)
	DecryptWithAESGCM(cipherText []byte) (plainText []byte, err error)
	GetCipherTextKey() (cipherTextKey []byte)
	GetKMSKeyId() (kmsKey string)
	GetRandomChallenge() (randomChallenge string)
}
type IKMSService ¶
type KMSService ¶
type KMSService struct {
// contains filtered or unexported fields
}
func NewKMSService ¶
func NewKMSService(context context.T) (kmsService *KMSService, err error)
NewKMSService creates a new KMSService instance
type NonceGenerator ¶
type NonceGenerator struct {
// contains filtered or unexported fields
}
func (*NonceGenerator) GenerateNonce ¶
func (nonce *NonceGenerator) GenerateNonce() ([]byte, error)
Increments the state stored in the byte array, handling carry as if it were a little-endian integer. The previous state is returned. NIST SP 800-38D suggests an incrementing message counter as an appropriate method for generating these nonces. This will give keys a greater lifetime than random generation as it avoids the birthday problem. A mutex is used here as a race condition may otherwise cause the same nonce to be used twice, which could compromise security.
func (*NonceGenerator) InitializeNonce ¶
func (nonce *NonceGenerator) InitializeNonce() error
Allocates a slice and fills it with a random nonce. Technically this does not need to be random; initializing with zeros would still preserve the properties of the cryptosystem. However, this gives us extra protection if accidental key reuse were to occur, as we will very likely get a different keystream regardless.
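The following added example re-implements the behaviour the GenerateNonce and InitializeNonce docs describe, so the counter semantics can be seen in running code: random initial state, little-endian increment with carry, the previous state returned, and a mutex around the read-then-increment. It is not the package's own code; CounterNonceGenerator, newGeneratorFromState and AllUnique are hypothetical names, and the 12-byte nonce size is an assumption (the page does not state the size the package uses).

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sync"
)

// NonceSize is the 96-bit GCM nonce length (assumption; not stated on the page).
const NonceSize = 12

// CounterNonceGenerator holds the counter state; the mutex makes GenerateNonce atomic.
type CounterNonceGenerator struct {
	mu    sync.Mutex
	state []byte
}

// InitializeNonce allocates the state and fills it from crypto/rand.
func (g *CounterNonceGenerator) InitializeNonce() error {
	g.mu.Lock()
	defer g.mu.Unlock()
	state := make([]byte, NonceSize)
	if _, err := io.ReadFull(rand.Reader, state); err != nil {
		return err
	}
	g.state = state
	return nil
}

// GenerateNonce returns a copy of the current state, then advances the state as a
// little-endian integer: byte 0 is incremented; if it wraps to 0 the carry moves
// into byte 1, and so on. Without the lock two callers could read the same state.
func (g *CounterNonceGenerator) GenerateNonce() ([]byte, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.state == nil {
		return nil, errors.New("nonce generator not initialized")
	}
	previous := make([]byte, len(g.state))
	copy(previous, g.state) // copy so the caller cannot alias internal state
	for i := range g.state {
		g.state[i]++
		if g.state[i] != 0 {
			break // no carry out of this byte
		}
		// byte wrapped to 0: carry into the next byte
	}
	return previous, nil
}

// newGeneratorFromState builds a generator with a known state (demo/test helper).
func newGeneratorFromState(state []byte) *CounterNonceGenerator {
	s := make([]byte, len(state))
	copy(s, state)
	return &CounterNonceGenerator{state: s}
}

// AllUnique draws nonces from several goroutines at once and reports whether every
// nonce was distinct, which is the property the mutex is there to guarantee.
func AllUnique(g *CounterNonceGenerator, workers, perWorker int) (bool, error) {
	var wg sync.WaitGroup
	results := make(chan string, workers*perWorker)
	errs := make(chan error, workers*perWorker)
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				n, err := g.GenerateNonce()
				if err != nil {
					errs <- err
					return
				}
				results <- string(n)
			}
		}()
	}
	wg.Wait()
	close(results)
	close(errs)
	if err := <-errs; err != nil {
		return false, err
	}
	seen := make(map[string]bool, workers*perWorker)
	for n := range results {
		if seen[n] {
			return false, nil
		}
		seen[n] = true
	}
	return len(seen) == workers*perWorker, nil
}

func main() {
	g := newGeneratorFromState([]byte{0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
	first, _ := g.GenerateNonce()
	second, _ := g.GenerateNonce()
	fmt.Printf("%x -> %x (carry rippled into byte 2)\n", first, second)
}
```

Two details matter for GCM safety: the returned slice is a copy, so a caller cannot mutate the counter by writing into the nonce it was handed, and the state advances under the same lock that reads it, so concurrent session writers never receive the same nonce under one key.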