Documentation ¶
Overview ¶
Package hippo provides a uniform encapsulation of basic cryptographic functions and a simple chained certificate.
Index ¶
- Constants
- Variables
- func RegisterCredentialer(credentialer Credentialer) error
- func RegisterPKCipherer(cipherer PKCipherer) error
- func RegisterSKCipherer(cipherer SKCipherer) error
- type AESCipher
- type AESMode
- type Certificate
- type Chain
- type Claims
- type Credentialer
- type Credentials
- type Declaration
- type Decrypter
- type ECDSACredentials
- func (x *ECDSACredentials) PrivateKey() PrivateKey
- func (x *ECDSACredentials) PublicKey() PublicKey
- func (x *ECDSACredentials) SetPrivateKey(privatekey PrivateKey) error
- func (x *ECDSACredentials) SetPublicKey(publickey PublicKey) error
- func (x *ECDSACredentials) Sign(data []byte) (Signature, error)
- func (x *ECDSACredentials) Verify(data []byte, signature Signature) error
- type Ed25519Credentials
- func (x *Ed25519Credentials) PrivateKey() PrivateKey
- func (x *Ed25519Credentials) PublicKey() PublicKey
- func (x *Ed25519Credentials) SetPrivateKey(privatekey PrivateKey) error
- func (x *Ed25519Credentials) SetPublicKey(publickey PublicKey) error
- func (x *Ed25519Credentials) Sign(data []byte) (Signature, error)
- func (x *Ed25519Credentials) Verify(data []byte, signature Signature) error
- type Encrypter
- type PKCipher
- type PKCipherer
- type PrivateKey
- type PublicKey
- type RSAOAEPCipher
- func (x *RSAOAEPCipher) Decrypt(data []byte) ([]byte, error)
- func (x *RSAOAEPCipher) Encrypt(data []byte) ([]byte, error)
- func (x *RSAOAEPCipher) PrivateKey() PrivateKey
- func (x *RSAOAEPCipher) PublicKey() PublicKey
- func (x *RSAOAEPCipher) SetPrivateKey(privatekey PrivateKey) error
- func (x *RSAOAEPCipher) SetPublicKey(publickey PublicKey) error
- type SKCipher
- type SKCipherer
- type Signature
- type Signer
- type Subject
- type Testament
- type Verifier
- type VerifierPool
- func (x VerifierPool) Add(id string, v Verifier) error
- func (x VerifierPool) Verify(cert *Certificate) error
- func (x VerifierPool) VerifyAny(data []byte, signature Signature) error
- func (x VerifierPool) VerifyDeclaration(declaration *Declaration) error
- func (x VerifierPool) VerifySpecific(id string, data []byte, signature Signature) error
Constants ¶
const AlgorithmAES_256_CBC = "aes-256-cbc"
AlgorithmAES_256_CBC is a constant string identifying the AES algorithm with 256 bit key and cipher block chaining mode.
const AlgorithmAES_256_GCM = "aes-256-gcm"
AlgorithmAES_256_CBC is a constant string identifying the AES algorithm with 256 bit key and Galois/counter mode.
const AlgorithmECDSA_P256 = "ecdsa-p256"
AlgorithmECDSA_P256 is a constant string identifying the ECDSA algorithm using the P-256 curve.
const AlgorithmEd25519 = "ed25519"
AlgorithmEd25519 is a constant string identifying the ed25519 algorithm.
const AlgorithmRSA_OAEP_2048 = "rsa-oaep-2048"
AlgorithmRSA_OAEP is a constant string identifying the RSA algorithm with optimal asymmetric encryption padding.
Variables ¶
var ErrBrokenCertificateChain = fmt.Errorf("Broken certificate chain")
ErrBrokenCertificateChain is returned when a declaration's subject doesn't match the previous declarations signer when verifying.
var ErrInvalidCertificate = fmt.Errorf("Invalid certificate")
ErrInvalidCertificate is returned when attempting to verify an invalid certificate.
var ErrInvalidPrivateKeyType = fmt.Errorf("Invalid private key type")
ErrInvalidPrivateKeyType is returned when setting an invalid private key to Credentials or Ciphers.
var ErrInvalidPublicKeyType = fmt.Errorf("Invalid public key type")
ErrInvalidPublicKeyType is returned when setting an invalid public key to Credentials or Ciphers.
var ErrNoDeclarations = fmt.Errorf("No declarations in certificate")
ErrNoDeclarations is returned when loading an empty certificate.
var ErrNoVerifier = fmt.Errorf("Invalid verifier")
ErrNoVerifier is returned when no verifier with a specified ID exists in a pool.
var ErrNotCertificateAuthority = fmt.Errorf("Chained declaration does not confirm certificate authority")
ErrNotCertificateAuthority is returned when a chained declaration does not have the "CertificateAuthority" claim.
var ErrNotDecrypter = fmt.Errorf("Not a decrypter")
ErrNotDecrypter is returned when attempting to decrypt data without a public key, or if a PKCipher does not implement encryption.
var ErrNotEncrypter = fmt.Errorf("Not an encrypter")
ErrNotEncrypter is returned when attempting to encrypt data without a private key, or if a PKCipher does not implement encryption.
var ErrNotSigner = fmt.Errorf("Not a signer")
ErrNotSigner is returned when attempting to sign data without a private key or if the algorithm interface does not implement signing.
var ErrNotVerifier = fmt.Errorf("Not a verifier")
ErrNotVerifier is returned when attempting to verify data without a public key or if the algorithm interface does not implement verification.
var ErrPreviousAlgorithm = fmt.Errorf("Previous algorithm registration")
ErrPreviousAlgorithm is returned by Register calls when registering a duplicate Credentialier or Cipherer.
var ErrPreviousVerifier = fmt.Errorf("Verifier exists")
ErrPreviousVerifier is returned when adding an already added verifier to a pool.
var ErrUnknownAlgorithm = fmt.Errorf("Unknown algorithm")
ErrUnknownAlgorithm is returned when attempting to generate or load keys from an unregistered algorithm.
var ErrUnrecognizedCertificate = fmt.Errorf("Unrecognized certificate")
ErrUnrecognizedCertificate is returned when none of the signers in a certificate are in a verifier pool.
var ErrUnsupportedMode = fmt.Errorf("Unknown mode")
ErrUnsupportedMode is returned if a key is given that indicates a mode with no registered implementation.
var ErrUnverifiedSignature = fmt.Errorf("Unverified signature")
ErrUnverifiedSignature is returned when a signature fails validation.
Functions ¶
func RegisterCredentialer ¶
func RegisterCredentialer(credentialer Credentialer) error
RegisterCredentialer makes a Credentialer for a specific algorithm available through the uniform interface.
func RegisterPKCipherer ¶
func RegisterPKCipherer(cipherer PKCipherer) error
RegisterPKCipherer makes a PKCipherer for a specific algorithm available through the uniform interface.
func RegisterSKCipherer ¶
func RegisterSKCipherer(cipherer SKCipherer) error
RegisterSKCipherer makes a SKCipherer for a specific algorithm available through the uniform interface.
Types ¶
type AESCipher ¶
An AESCipher is an actionable secret key.
func (*AESCipher) Decrypt ¶
Decrypt takes cipherdata and produces plaindata. N.B. that depending on the mode an invalid key or data may or may not generate an error.
func (*AESCipher) SecretKey ¶
func (x *AESCipher) SecretKey() PrivateKey
SecretKey returns a JSON Base64-URL encoded marshaling of the cipher's secret key.
func (*AESCipher) SetKey ¶
func (x *AESCipher) SetKey(key PrivateKey) error
SetKey sets the cipher's secret key from the given PrivateKey containing JSON Base64-URL encoded data.
type Certificate ¶
type Certificate struct {
Declarations Chain // All of the encoded and signed Testaments contained in this certificate.
}
Certificate is simply a Chain. It is encapsulated in the struct to ease some handling for serialization and other tasks, as well as possible future expansion to include other data.
func CertificateFromBytes ¶
func CertificateFromBytes(buf []byte) (*Certificate, error)
CertificateFromBytes parses a Certificate from the given bytes. It does not verify the certificate.
func CertificateFromFile ¶
func CertificateFromFile(fn string) (*Certificate, error)
CertificateFromFile loads and parses a Certificate from the given file. It does not verify the certificate.
func (*Certificate) ToBytes ¶
func (c *Certificate) ToBytes() ([]byte, error)
ToBytes serializes the Certificate to bytes as JSON.
func (*Certificate) ToFile ¶
func (c *Certificate) ToFile(fn string) error
ToFile serializes the Certificate to the given file as JSON.
type Credentialer ¶
type Credentialer interface { // Algorithm returns the label identifying the algorithm and // parameterization of this credentialier. Algorithm() string // Generate creates a new set of Credentials. Generate() (Credentials, error) // New wraps the given keys as Credentials. New(public PublicKey, private PrivateKey) (Credentials, error) // NewVerifier wraps the given PublicKey as Credentials. NewVerifier(key PublicKey) (Credentials, error) // NewSigner wraps the given PublicKey as Credentials. NewSigner(key PrivateKey) (Credentials, error) }
A Credentialer encapsulates key generation for a specific digital signature algorithm and parameterization.
type Credentials ¶
type Credentials interface { Verifier Signer // SetPrivateKey sets the credential's public key from the given // PrivateKey containing JSON Base64-URL encoded data. SetPrivateKey(privatekey PrivateKey) error // SetPublicKey sets the credential's public key from the given // PublicKey containing JSON Base64-URL encoded data. SetPublicKey(publickey PublicKey) error }
Credentials contain matched keys to both sign and verify data.
func GenerateCredentials ¶
func GenerateCredentials(algorithm string) (Credentials, error)
GenerateCredentials produces Credentials with new random keys following the given algorithm.
func NewCredentials ¶
func NewCredentials(public PublicKey, private PrivateKey) (Credentials, error)
NewCredentials creates Credentials wrapping the given public and private key. These must indicate the same algorithm but otherwise no test is made to confirm that they correspond to each other.
func NewSigner ¶
func NewSigner(key PrivateKey) (Credentials, error)
NewSigner wraps the given private key in Credentials for use.
func NewVerifier ¶
func NewVerifier(key PublicKey) (Credentials, error)
NewVerifier wraps the given public key in Credentials for use.
type Declaration ¶
type Declaration struct { Claim string // Encoded Testament. Signer string // Optional identifier of the signer. Signature Signature // Cryptographic signature of the Claim. }
Declaration binds an encoded Testament to a signature.
type Decrypter ¶
type Decrypter interface { // PrivateKey returns a JSON Base64-URL encoded marshaling of the // Decrypter's private key. PrivateKey() PrivateKey // Decrypt takes cipherdata and produces plaindata. N.B.: In // general the absence of an error does NOT indicate that the data // is valid. Under a public key algorithm this question doesn't // even make sense in terms of an attack. A separate mechanism must // be applied to assure integrity and authenticity. Then note that // implementing such a mechanism is not as simple as signing either // the plaindata or cipherdata alone. Decrypt(data []byte) ([]byte, error) }
Decrypter wraps a private key and decrypt datas.
type ECDSACredentials ¶
type ECDSACredentials struct { Algorithm string Curve elliptic.Curve Public *ecdsa.PublicKey Private *ecdsa.PrivateKey }
ECDSACredentials are an actionable ECDSA public/private key or matched pair.
func (*ECDSACredentials) PrivateKey ¶
func (x *ECDSACredentials) PrivateKey() PrivateKey
PrivateKey returns a JSON Base64-URL encoded marshaling of the credential's private key.
func (*ECDSACredentials) PublicKey ¶
func (x *ECDSACredentials) PublicKey() PublicKey
PublicKey returns a JSON Base64-URL encoded marshaling of the credential's public key.
func (*ECDSACredentials) SetPrivateKey ¶
func (x *ECDSACredentials) SetPrivateKey(privatekey PrivateKey) error
SetPrivateKey sets the credential's public key from the given PrivateKey containing JSON Base64-URL encoded data.
func (*ECDSACredentials) SetPublicKey ¶
func (x *ECDSACredentials) SetPublicKey(publickey PublicKey) error
SetPublicKey sets the credential's public key from the given PublicKey containing JSON Base64-URL encoded data.
type Ed25519Credentials ¶
Ed25519Credentials are an actionable Ed25519 public/private key or matched pair.
func (*Ed25519Credentials) PrivateKey ¶
func (x *Ed25519Credentials) PrivateKey() PrivateKey
PrivateKey returns a JSON Base64-URL encoded marshaling of the credential's private key.
func (*Ed25519Credentials) PublicKey ¶
func (x *Ed25519Credentials) PublicKey() PublicKey
PublicKey returns a JSON Base64-URL encoded marshaling of the credential's public key.
func (*Ed25519Credentials) SetPrivateKey ¶
func (x *Ed25519Credentials) SetPrivateKey(privatekey PrivateKey) error
SetPrivateKey sets the credential's public key from the given PrivateKey containing JSON Base64-URL encoded data.
func (*Ed25519Credentials) SetPublicKey ¶
func (x *Ed25519Credentials) SetPublicKey(publickey PublicKey) error
SetPublicKey sets the credential's public key from the given PublicKey containing JSON Base64-URL encoded data.
type Encrypter ¶
type Encrypter interface { // PublicKey returns a JSON Base64-URL encoded marshaling of the // Encrypter's public key. PublicKey() PublicKey // Encrypt produces cipherdata for the given plaindata. Encrypt(data []byte) ([]byte, error) }
Encrypter wraps a public key and encrypts data.
type PKCipher ¶
type PKCipher interface { Encrypter Decrypter // SetPrivateKey sets the PKCipher's public key from the given // PrivateKey containing JSON Base64-URL encoded data. SetPrivateKey(privatekey PrivateKey) error // SetPublicKey sets the PKCipher's public key from the given // PublicKey containing JSON Base64-URL encoded data. SetPublicKey(publickey PublicKey) error }
A PKCipher encapsulates a public key (asymmetric) encryption algorithm, parameterization, and matched keys to encrypt and decrypt data.
func GeneratePKCipher ¶
GeneratePKCipher produces a PKCipher with new random keys following the given algorithm.
func NewDecrypter ¶
func NewDecrypter(key PrivateKey) (PKCipher, error)
NewDecrypter wraps the given private key in a PKCipher for use.
func NewEncrypter ¶
NewEncrypter wraps the given public key in a PKCipher for use.
func NewPKCipher ¶
func NewPKCipher(public PublicKey, private PrivateKey) (PKCipher, error)
NewPKCipher creates a PKCipher wrapping the given public and private key. These must indicate the same algorithm but otherwise no test is made to confirm that they correspond to each other.
type PKCipherer ¶
type PKCipherer interface { // Algorithm returns the label identifying the algorithm and // parameterization of this PKCipherer. Algorithm() string // Generate creates a new PKCipher. Generate() (PKCipher, error) // New wraps the given keys as a PKCipher. New(public PublicKey, private PrivateKey) (PKCipher, error) // NewEncrypter wraps the given PublicKey as a PKCipher. NewEncrypter(key PublicKey) (PKCipher, error) // NewDecrypter wraps the given PublicKey as a PKCipher. NewDecrypter(key PrivateKey) (PKCipher, error) }
A PKCipherer encapsulates key generation for a specific public key encryption algorithm and parameterization.
type PrivateKey ¶
type PrivateKey struct { Algorithm string Private interface{} }
PrivateKey is a structure for importing and exporting private keys. Signing is actually done with Credentials or a Signer. Encryption is done with a Cipher or an Encrypter. The format of the data is defined by the algorithm implementation but should be generic JSON such that it may be parsed directly, i.e., without special knowledge of the value of Private as might be necessary to instantiate a specific class, etc..
func PrivateKeyFromBytes ¶
func PrivateKeyFromBytes(buf []byte) (*PrivateKey, error)
PrivateKeyFromBytes unmarshals a key from the given byte array.
func PrivateKeyFromFile ¶
func PrivateKeyFromFile(fn string) (*PrivateKey, error)
PrivateKeyFromFile reads the entirety of the given file and attempts to parse it into a PrivateKey.
func (PrivateKey) ToBytes ¶
func (k PrivateKey) ToBytes() ([]byte, error)
ToBytes marshals the key to a byte array.
func (PrivateKey) ToFile ¶
func (k PrivateKey) ToFile(fn string) error
ToFile serializes the PrivateKey to the given file as JSON.
type PublicKey ¶
type PublicKey struct { Algorithm string Public interface{} }
PublicKey is a structure for importing and exporting public keys. Verification is actually done with Credentials or a Verifier. Decryption is actually done with a Cipher or a Decrypter. The format of the data is defined by the algorithm implementation but should be generic JSON such that it may be parsed directly, i.e., without special knowledge of the value of Public as might be necessary to instantiate a specific class, etc..
func PublicKeyFromBytes ¶
PublicKeyFromBytes unmarshals a key from the given byte array.
func PublicKeyFromFile ¶
PublicKeyFromFile reads the entirety of the given file and attempts to parse it into a PublicKey.
type RSAOAEPCipher ¶
type RSAOAEPCipher struct { Algorithm string Bits int Public *rsa.PublicKey Private *rsa.PrivateKey }
An RSAOAEPCipher is an actionable RSA public/private key or a matched pair.
func (*RSAOAEPCipher) Decrypt ¶
func (x *RSAOAEPCipher) Decrypt(data []byte) ([]byte, error)
Decrypt takes cipherdata and produces plaindata.
func (*RSAOAEPCipher) Encrypt ¶
func (x *RSAOAEPCipher) Encrypt(data []byte) ([]byte, error)
Encrypt produces cipherdata for the given plaindata.
func (*RSAOAEPCipher) PrivateKey ¶
func (x *RSAOAEPCipher) PrivateKey() PrivateKey
PrivateKey returns a JSON Base64-URL encoded marshaling of the cipher's private key.
func (*RSAOAEPCipher) PublicKey ¶
func (x *RSAOAEPCipher) PublicKey() PublicKey
PublicKey returns a JSON Base64-URL encoded marshaling of the cipher's public key.
func (*RSAOAEPCipher) SetPrivateKey ¶
func (x *RSAOAEPCipher) SetPrivateKey(privatekey PrivateKey) error
SetPrivateKey sets the cipher's public key from the given PrivateKey containing JSON Base64-URL encoded data.
func (*RSAOAEPCipher) SetPublicKey ¶
func (x *RSAOAEPCipher) SetPublicKey(publickey PublicKey) error
SetPublicKey sets the cipher's public key from the given PublicKey containing JSON Base64-URL encoded data.
type SKCipher ¶
type SKCipher interface { // Key returns a JSON Base64-URL encoded marshaling of the // SKCipher's secret key. SecretKey() PrivateKey // SetKey sets the SKCipher's secret key from the given PrivateKey // containing JSON Base64-URL encoded data. SetKey(key PrivateKey) error // Encrypt produces cipherdata for the given plaindata. Encrypt(data []byte) ([]byte, error) // Decrypt takes cipherdata and produces plaindata. N.B.: In // general the absence of an error does NOT indicate that the data // is valid. A separate mechanism must be applied to assure // integrity and authenticity. Then note that implementing such a // mechanism is not as simple as signing either the plaindata or // cipherdata alone. Decrypt(data []byte) ([]byte, error) }
An SKCipher encapsulates a secret key (symmetric) encryption algorithm, parameterization, and an associated key.
func GenerateSKCipher ¶
GenerateSKCipher produces a SKCipher with a new random key following the given algorithm.
func NewSKCipher ¶
func NewSKCipher(key PrivateKey) (SKCipher, error)
NewSKCipher creates a SKCipher wrapping the given secret key.
type SKCipherer ¶
type SKCipherer interface { // Algorithm returns the label identifying the algorithm and // parameterization of this SKCipherer. Algorithm() string // Generate creates a new SKCipher. Generate() (SKCipher, error) // New wraps the given secret key as an SKCipher. New(key PrivateKey) (SKCipher, error) }
An SKCipherer encapsulates key generation for a specific secret key (symmetric) encryption algorithm and parameterization.
type Signer ¶
type Signer interface { // PrivateKey returns a JSON Base64-URL encoded marshaling of the // credential's private key. PrivateKey() PrivateKey // Sign produces a signature for the given data. Sign(data []byte) (Signature, error) }
Signer wraps a private key and can sign data.
type Testament ¶
type Testament struct { ID string // An optional identifier for this particular testament. Subject Subject // The subject of this assertion. Claims Claims // Arbitrary claims made about the subject, other than its identity. Expires string // Timepoint after which this Testament is to be considered invalid. }
Testament captures an assertion about a given subject.
func NewTestament ¶
NewTestament generates a Testament for the subject and claims.
func UnpackTestament ¶
UnpackTestament parses a Testament from a JSON Base64-URL encoded string.
type Verifier ¶
type Verifier interface { // PublicKey returns a JSON Base64-URL encoded marshaling of the // credential's public key. PublicKey() PublicKey // Verify confirms that the given signature was produced from the // given data using the private key associated with this // credential's public key. Any error indicates that it was not. Verify(data []byte, signature Signature) error }
Verifier wraps a public key and can verify data.
type VerifierPool ¶
type VerifierPool struct {
// contains filtered or unexported fields
}
VerifierPool is a collection of verifiers. Typically these are used to group a set of keys for trusted entities that may be used to verify incoming data, etc..
func NewVerifierPool ¶
func NewVerifierPool() *VerifierPool
NewVerifierPool creates an empty VerifierPool.
func (VerifierPool) Add ¶
func (x VerifierPool) Add(id string, v Verifier) error
Add adds to given verifier to the pool under the given identifier.
func (VerifierPool) Verify ¶
func (x VerifierPool) Verify(cert *Certificate) error
Verify confirms that each Declaration in the Certificate Chain was signed by the entitiy associated with the subsequent entry, that each intermediate signer was indicated by its successor to be a certificate authority, and that the chain at some point leads to an entry in the verifier pool.
func (VerifierPool) VerifyAny ¶
func (x VerifierPool) VerifyAny(data []byte, signature Signature) error
VerifyAny checks if any entry in the pool can verify that the signature was created from the data by the private key associated with that verifier's public key.
func (VerifierPool) VerifyDeclaration ¶
func (x VerifierPool) VerifyDeclaration(declaration *Declaration) error
VerifyDeclaration confirms that the declaration can be verified by the entry in the pool under the included signer identity if it is not blank, or by entry in the pool if it is.
func (VerifierPool) VerifySpecific ¶
func (x VerifierPool) VerifySpecific(id string, data []byte, signature Signature) error
VerifySpecific looks up the given identifier in the pool and confirms that the signature was created from the data by the private key associated with that verifier's public key.