encryption

Documentation

Overview

Package encryption provides a way to encrypt and decrypt with AES-GCM.

Index

• Constants
• Variables
• type Gcm
  • func (ge Gcm) ConstructIV(seqNum int) []byte
  • func (ge Gcm) Decrypt(key, iv, ciphertext, tag, aadData []byte) ([]byte, error)
  • func (ge Gcm) Encrypt(key, iv, plaintext, aadData []byte) ([]byte, []byte, error)
  • func (ge Gcm) GenerateHeaderAuth(derivedDataKey, headerBytes []byte) ([]byte, []byte, error)
  • func (ge Gcm) ValidateHeaderAuth(derivedDataKey, headerAuthTag, headerBytes []byte) error

Constants

const (
	IVLen = 12
)

Variables

var (
	ErrGcmDecrypt = errors.New("gcm decrypt error")
	ErrGcmEncrypt = errors.New("gcm encrypt error")
)

Types

type Gcm

type Gcm struct{}

func (Gcm) ConstructIV

func (ge Gcm) ConstructIV(seqNum int) []byte

ConstructIV constructs IV Each 96-bit (12-byte) IV is constructed from two big-endian byte arrays concatenated in the following order:

1. 64 bits: 0 (reserved for future use)
2. 32 bits: Frame sequence number

For the header authentication tag, this value is all zeroes. seqNum will be 0

func (Gcm) Decrypt

func (ge Gcm) Decrypt(key, iv, ciphertext, tag, aadData []byte) ([]byte, error)

Decrypt data with AES-GCM AEAD, IV is nonce

For decryption of the Header only

Specification: https://github.com/awslabs/aws-encryption-sdk-specification/blob/6124516bb8a58d21d61b4bc6dd7d33561fdf2cae/client-apis/decrypt.md#verify-the-header
key: derivedDataKey (32 bytes) per AlgorithmSuite.EncryptionSuite.DataKeyLen
iv: 64-bits (8 bytes of 0x00) value of 0 + 32-bits (4 bytes of 0x00) value of 0 = 12 bytes
ciphertext: []byte(nil) (empty slice of 0 bytes)
tag: header.HeaderAuthentication
aadData - header.SerializeBytes(), all header bytes not including header.HeaderAuthentication

For Header returns if success:

[]byte: []byte(nil)
error: not nil

func (Gcm) Encrypt

func (ge Gcm) Encrypt(key, iv, plaintext, aadData []byte) ([]byte, []byte, error)

func (Gcm) GenerateHeaderAuth

func (ge Gcm) GenerateHeaderAuth(derivedDataKey, headerBytes []byte) ([]byte, []byte, error)

func (Gcm) ValidateHeaderAuth

func (ge Gcm) ValidateHeaderAuth(derivedDataKey, headerAuthTag, headerBytes []byte) error

ValidateHeaderAuth validates header authorization constructs IV per https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/IV-reference.html For decryption of the Header only

Specification: https://github.com/awslabs/aws-encryption-sdk-specification/blob/6124516bb8a58d21d61b4bc6dd7d33561fdf2cae/client-apis/decrypt.md#verify-the-header

derivedDataKey: derivedDataKey (32 bytes) per AlgorithmSuite.EncryptionSuite.DataKeyLen
headerAuthTag: header.HeaderAuthentication
headerBytes: header.SerializeBytes(), all header bytes not including header.HeaderAuthentication