tink

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 9, 2017 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. //////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

*

  • Interface for MACs (Message Authentication Codes).
  • This interface should be used for authentication only, and not for other purposes
  • (for example, it should not be used to generate pseudorandom bytes).

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

//////////////////////////////////////////////////////////////////////////////

Index

Constants

View Source 
const (
	// Prefix size of Tink and Legacy key types.
	NON_RAW_PREFIX_SIZE = 5

	// Legacy or Crunchy prefix starts with \x00 and followed by a 4-byte key id.
	LEGACY_PREFIX_SIZE = NON_RAW_PREFIX_SIZE
	LEGACY_START_BYTE  = byte(0)

	// Tink prefix starts with \x01 and followed by a 4-byte key id.
	TINK_PREFIX_SIZE = NON_RAW_PREFIX_SIZE
	TINK_START_BYTE  = byte(1)

	// Raw prefix is empty.
	RAW_PREFIX_SIZE = 0
	RAW_PREFIX      = ""
)

*

  • Constants and convenience methods that deal with crypto format.

Variables

This section is empty.

Functions

func CleartextKeysetHandle 

func CleartextKeysetHandle() *cleartextKeysetHandle

CleartextKeysetHandle returns the single instance of cleartextKeysetHandle.

func DecryptKeyset 

func DecryptKeyset(encryptedKeyset *tinkpb.EncryptedKeyset,
	masterKey Aead) (*tinkpb.Keyset, error)

DecryptKeyset decrypts the given keyset using the given master key

func EncryptKeyset 

func EncryptKeyset(keyset *tinkpb.Keyset,
	masterKey Aead) (*tinkpb.EncryptedKeyset, error)

EncryptKeyset encrypts the given keyset using the given master key.

func EncryptedKeysetHandle 

func EncryptedKeysetHandle() *encryptedKeysetHandle

EncryptedKeysetHandle returns the single instance of encryptedKeysetHandle.

func GetOutputPrefix 

func GetOutputPrefix(key *tinkpb.Keyset_Key) (string, error)

*

  • Generates the prefix of all cryptographic outputs (ciphertexts,
  • signatures, MACs, ...) produced by the specified {@code key}.
  • The prefix can be either empty (for RAW-type prefix), or consists
  • of a 1-byte indicator of the type of the prefix, followed by 4
  • bytes of {@code key.KeyId} in Big Endian encoding. *
  • @throws error if the prefix type of {@code key} is unknown.
  • @return a prefix.

func NewKeyManagerMap 

func NewKeyManagerMap() *keyManagerMap

NewKeyManagerMap creates a new instance of keyManagerMap.

func Registry 

func Registry() *registry

Registry creates an instance of registry if there isn't and returns the instance.

Types

type Aead 

type Aead interface {
	/**
	 * Encrypts {@code plaintext} with {@code additionalData} as additional
	 * authenticated data. The resulting ciphertext allows for checking
	 * authenticity and integrity of additional data ({@code additionalData}),
	 * but does not guarantee its secrecy.
	 *
	 * @return resulting ciphertext.
	 */
	Encrypt(plaintext []byte, additionalData []byte) ([]byte, error)

	/**
	 * Decrypts {@code ciphertext} with {@code additionalData} as additional
	 * authenticated data. The decryption verifies the authenticity and integrity
	 * of the additional data, but there are no guarantees wrt. secrecy of that data.
	 *
	 * @return resulting plaintext.
	 */
	Decrypt(ciphertext []byte, additionalData []byte) ([]byte, error)
}

*

  • The interface for authenticated encryption with additional authenticated data.
  • Implementations of this interface are secure against adaptive chosen ciphertext attacks.
  • Encryption with additional data ensures authenticity and integrity of that data,
  • but not its secrecy. (see RFC 5116, https://tools.ietf.org/html/rfc5116)

type Entry 

type Entry struct {
	// contains filtered or unexported fields
}

Entry represents a single entry in the keyset. In addition to the actual primitive, it holds the identifier and status of the primitive.

func NewEntry 

func NewEntry(p interface{}, id string, stt tinkpb.KeyStatusType,
	outputPrefixType tinkpb.OutputPrefixType) *Entry

NewEntry creates a new instance of Entry using the given information.

func (*Entry) Identifier 

func (e *Entry) Identifier() string

func (*Entry) OutputPrefixType 

func (e *Entry) OutputPrefixType() tinkpb.OutputPrefixType

func (*Entry) Primitive 

func (e *Entry) Primitive() interface{}

func (*Entry) Status 

func (e *Entry) Status() tinkpb.KeyStatusType

type KeyManager 

type KeyManager interface {
	/**
	 * Constructs a primitive instance for the key given in {@code serializedKey},
	 * which must be a serialized key protocol buffer handled by this manager.
	 *
	 * @return the new constructed primitive instance.
	 */
	GetPrimitiveFromSerializedKey(serializedKey []byte) (interface{}, error)

	/**
	 * Constructs a primitive instance for the key given in {@code key}.
	 *
	 * @return the new constructed primitive instance.
	 */
	GetPrimitiveFromKey(key proto.Message) (interface{}, error)

	/**
	 * Generates a new key according to specification in {@code serializedKeyFormat},
	 * which must be a serialized key format protocol buffer handled by this manager.
	 *
	 * @return the new generated key.
	 */
	NewKeyFromSerializedKeyFormat(serializedKeyFormat []byte) (proto.Message, error)

	/**
	 * Generates a new key according to specification in {@code keyFormat}.
	 *
	 * @return the new generated key.
	 */
	NewKeyFromKeyFormat(keyFormat proto.Message) (proto.Message, error)

	/**
	 * @return true iff this KeyManager supports key type identified by {@code typeUrl}.
	 */
	DoesSupport(typeUrl string) bool

	/**
	 * @return the type URL that identifes the key type of keys managed by this KeyManager.
	 */
	GetKeyType() string

	/**
	 * Generates a new {@code KeyData} according to specification in {@code serializedkeyFormat}.
	 * This should be used solely by the key management API.
	 *
	 * @return the new generated key.
	 */
	NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error)
}

*

  • KeyManager "understands" keys of a specific key types: it can
  • generate keys of a supported type and create primitives for
  • supported keys. A key type is identified by the global name of the
  • protocol buffer that holds the corresponding key material, and is
  • given by type_url-field of KeyData-protocol buffer.

type KeysetHandle 

type KeysetHandle struct {
	// contains filtered or unexported fields
}

KeysetHandle provides abstracted access to Keysets, to limit the exposure of actual protocol buffers that hold sensitive key material.

func (*KeysetHandle) EncryptedKeyset 

func (h *KeysetHandle) EncryptedKeyset() *tinkpb.EncryptedKeyset

EncryptedKeyset returns the encrypted keyset component of the keyset handle.

func (*KeysetHandle) GetPublicKeysetHandle 

func (h *KeysetHandle) GetPublicKeysetHandle() (*KeysetHandle, error)

GetPublicKeysetHandle returns a KeysetHandle of the public keys if the managed keyset contains private keys.

func (*KeysetHandle) Keyset 

func (h *KeysetHandle) Keyset() *tinkpb.Keyset

Ketset returns the keyset component of the keyset handle.

func (*KeysetHandle) KeysetInfo 

func (h *KeysetHandle) KeysetInfo() (*tinkpb.KeysetInfo, error)

KeysetInfo returns a KeysetInfo object that doesn't contain actual key material.

func (*KeysetHandle) String 

func (h *KeysetHandle) String() string

String returns the string representation of the KeysetInfo.

type KeysetManager 

type KeysetManager struct {
	// contains filtered or unexported fields
}

KeysetManager manages a Keyset-proto, with convenience methods that rotate, disable, enable or destroy keys. Note: It is not thread-safe.

func NewKeysetManager 

func NewKeysetManager(keyTemplate *tinkpb.KeyTemplate,
	masterKey Aead,
	keyset *tinkpb.Keyset) *KeysetManager

NewKeysetManager creates a new instance of keyset manager.

func (*KeysetManager) GetKeysetHandle 

func (km *KeysetManager) GetKeysetHandle() (*KeysetHandle, error)

GetKeysetHandle creates a new KeysetHandle for the managed keyset.

func (*KeysetManager) KeyTemplate 

func (km *KeysetManager) KeyTemplate() *tinkpb.KeyTemplate

KeyTemplate returns the key template of the manager.

func (*KeysetManager) Keyset 

func (km *KeysetManager) Keyset() *tinkpb.Keyset

Keyset returns the keyset of the manager.

func (*KeysetManager) MasterKey 

func (km *KeysetManager) MasterKey() Aead

MasterKey returns the master key of the manager.

func (*KeysetManager) Rotate 

func (km *KeysetManager) Rotate() error

Rotate generates a fresh key using the key template of the current keyset manager and sets the new key as the primary key.

func (*KeysetManager) RotateWithTemplate 

func (km *KeysetManager) RotateWithTemplate(keyTemplate *tinkpb.KeyTemplate) error

RotateWithTemplate generates a fresh key using the given key template and sets the new key as the primary key.

func (*KeysetManager) SetKeyTemplate 

func (km *KeysetManager) SetKeyTemplate(template *tinkpb.KeyTemplate)

SetKeyTemplate sets the key template of the manager.

func (*KeysetManager) SetKeyset 

func (km *KeysetManager) SetKeyset(keyset *tinkpb.Keyset)

SetKeyset sets the keyset of the manager. If the input is nil, it will use an empty keyset as the input instead.

func (*KeysetManager) SetMasterKey 

func (km *KeysetManager) SetMasterKey(masterKey Aead)

SetMasterKey sets the master key of the manager.

type Mac 

type Mac interface {
	/**
	 * Computes message authentication code (MAC) for {@code data}.
	 *
	 * @return MAC value.
	 */
	ComputeMac(data []byte) ([]byte, error)

	/**
	 * Verifies whether {@code mac} is a correct authentication code (MAC) for {@code data}.
	 *
	 * @return 0 if {@code mac} is correct; 1 otherwise.
	 */
	VerifyMac(mac []byte, data []byte) (bool, error)
}

type PrimitiveSet 

type PrimitiveSet struct {
	// contains filtered or unexported fields
}

*

  • A container class for a set of primitives (i.e. implementations of cryptographic
  • primitives offered by Tink). It provides also additional properties for the primitives
  • it holds. In particular, one of the primitives in the set can be distinguished as
  • "the primary" one. <p> *
  • PrimitiveSet is an auxiliary class used for supporting key rotation: primitives in a set
  • correspond to keys in a keyset. Users will usually work with primitive instances,
  • which essentially wrap primitive sets. For example an instance of an Aead-primitive
  • for a given keyset holds a set of Aead-primitives corresponding to the keys in the keyset,
  • and uses the set members to do the actual crypto operations: to encrypt data the primary
  • Aead-primitive from the set is used, and upon decryption the ciphertext's prefix
  • determines the id of the primitive from the set. <p> *
  • PrimitiveSet is a public class to allow its use in implementations of custom primitives.

func NewPrimitiveSet 

func NewPrimitiveSet() *PrimitiveSet

NewPrimitiveSet returns an empty instance of PrimitiveSet.

func (*PrimitiveSet) AddPrimitive 

func (ps *PrimitiveSet) AddPrimitive(primitive interface{},
	key *tinkpb.Keyset_Key) (*Entry, error)

AddPrimitive creates a new entry in the primitive set using the given information and returns the added entry.

func (*PrimitiveSet) GetPrimitivesWithByteIdentifier 

func (ps *PrimitiveSet) GetPrimitivesWithByteIdentifier(id []byte) ([]*Entry, error)

GetPrimitivesWithByteIdentifier returns all primitives in the set that have the given prefix.

func (*PrimitiveSet) GetPrimitivesWithKey 

func (ps *PrimitiveSet) GetPrimitivesWithKey(key *tinkpb.Keyset_Key) ([]*Entry, error)

GetPrimitivesWithKey returns all primitives in the set that have prefix equal to that of the given key.

func (*PrimitiveSet) GetPrimitivesWithStringIdentifier 

func (ps *PrimitiveSet) GetPrimitivesWithStringIdentifier(id string) ([]*Entry, error)

GetPrimitivesWithStringIdentifier returns all primitives in the set that have the given prefix.

func (*PrimitiveSet) GetRawPrimitives 

func (ps *PrimitiveSet) GetRawPrimitives() ([]*Entry, error)

GetRawPrimitives returns all primitives in the set that have RAW prefix.

func (*PrimitiveSet) Primary 

func (ps *PrimitiveSet) Primary() *Entry

Primary returns the entry with the primary primitive.

func (*PrimitiveSet) Primitives 

func (ps *PrimitiveSet) Primitives() map[string][]*Entry

GetPrimitives returns all primitives of the set.

func (*PrimitiveSet) SetPrimary 

func (ps *PrimitiveSet) SetPrimary(e *Entry)

SetPrimary sets the primary entry of the set to the given entry.

type PrivateKeyManager 

type PrivateKeyManager interface {
	KeyManager

	// GetPublicKeyData extracts the public key data from the private key.
	GetPublicKeyData(serializedKey []byte) (*tinkpb.KeyData, error)
}

PrivateKeyManager is a special type of KeyManager that understands private key types.

type PublicKeySign 

type PublicKeySign interface {
	/**
	 * Computes the signature for {@code data}.
	 *
	 * @return the signature of {$code data}.
	 */
	Sign(data []byte) ([]byte, error)
}

*

  • Interface for public key signing.
  • Implementations of this interface are secure against adaptive chosen-message attacks.
  • Signing data ensures authenticity and integrity of that data, but not its secrecy.

type PublicKeyVerify 

type PublicKeyVerify interface {
	/**
	 * Verifies whether {@code signature} is a valid signature for {@code data}.
	 *
	 * @return an error if {@code signature} is not a valid signature for
	 * {@code data}; nil otherwise.
	 */
	Verify(signature []byte, data []byte) error
}

*

  • Interface for verification of public key signature.
  • Implementations of this interface are secure against adaptive chosen-message attacks.
  • Signing data ensures authenticity and integrity of that data, but not its secrecy.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.