suite

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 29, 2024 License: Apache-2.0 Imports: 14 Imported by: 7

Documentation

Overview

Package suite provides the algorithm suites.

See AWS Encryption SDK algorithms reference for more information.

Index

Constants

View Source 
const (
	MinFrameSize = int(128)      // Minimum allowed frame size
	MaxFrameSize = math.MaxInt32 // Maximum allowed frame size which is math.MaxInt32
	BlockSize    = int(128)      // BlockSize is aes.BlockSize in bits (16 * 8)
)

Variables

View Source 
var (
	AES_128_GCM_IV12_TAG16                        = newAlgorithmSuite(0x0014, aes_128_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE)                // Algorithm ID: 00 14
	AES_192_GCM_IV12_TAG16                        = newAlgorithmSuite(0x0046, aes_192_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE)                // Algorithm ID: 00 46
	AES_256_GCM_IV12_TAG16                        = newAlgorithmSuite(0x0078, aes_256_GCM_IV12_TAG16, V1, hkdf_NONE, authSuite_NONE)                // Algorithm ID: 00 78
	AES_128_GCM_IV12_TAG16_HKDF_SHA256            = newAlgorithmSuite(0x0114, aes_128_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE)              // Algorithm ID: 01 14
	AES_192_GCM_IV12_TAG16_HKDF_SHA256            = newAlgorithmSuite(0x0146, aes_192_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE)              // Algorithm ID: 01 46
	AES_256_GCM_IV12_TAG16_HKDF_SHA256            = newAlgorithmSuite(0x0178, aes_256_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_NONE)              // Algorithm ID: 01 78
	AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 = newAlgorithmSuite(0x0214, aes_128_GCM_IV12_TAG16, V1, hkdf_SHA256, authSuite_SHA256_ECDSA_P256) // Algorithm ID: 02 14
	AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 = newAlgorithmSuite(0x0346, aes_192_GCM_IV12_TAG16, V1, hkdf_SHA384, authSuite_SHA256_ECDSA_P384) // Algorithm ID: 03 46
	AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 = newAlgorithmSuite(0x0378, aes_256_GCM_IV12_TAG16, V1, hkdf_SHA384, authSuite_SHA256_ECDSA_P384) // Algorithm ID: 03 78

	AES_256_GCM_HKDF_SHA512_COMMIT_KEY            = newAlgorithmSuite(0x0478, aes_256_GCM_IV12_TAG16, V2, hkdf_SHA512, authSuite_NONE)              // Algorithm ID: 04 78
	AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 = newAlgorithmSuite(0x0578, aes_256_GCM_IV12_TAG16, V2, hkdf_SHA512, authSuite_SHA256_ECDSA_P384) // Algorithm ID: 05 78
)

Supported AlgorithmSuite by AWS Encryption SDK.

See AWS Encryption SDK algorithms reference for more information.

View Source 
var ErrAlgorithmSuite = errors.New("algorithm suite error")

ErrAlgorithmSuite is returned when algorithm suite is invalid or not supported.

Functions

func NewEncryptionSuite 

func NewEncryptionSuite(algorithm encAlgorithm, mode cipherMode, dataKeyLen, ivLen, authLen int) encryptionSuite

func NewKdfSuite 

func NewKdfSuite(KDFFunc func(hash func() hash.Hash, secret, salt, info []byte) io.Reader, hashFunc func() hash.Hash) kdfSuite

func ValidateCommitmentPolicy added in v0.2.0 

func ValidateCommitmentPolicy(p CommitmentPolicy) error

ValidateCommitmentPolicy validates the commitment policy values.

func ValidateContentType added in v0.2.0 

func ValidateContentType(t ContentType) error

ValidateContentType validates the content type values.

The only supported content type is FramedContent.

func ValidateFrameLength added in v0.2.0 

func ValidateFrameLength(frameLength int) error

ValidateFrameLength validates the length of a frame. It checks if the frame length is within the allowed range and if it is a multiple of the block size of the crypto algorithm.

If the frame length is out of range or not a multiple of the BlockSize (128), an error is returned. The allowed minimum frame size is MinFrameSize (128).

The allowed maximum frame size is MaxFrameSize the maximum value of a signed 32-bit integer.

The block size of the crypto algorithm is BlockSize 128.

func ValidateMessageVersion added in v0.2.0 

func ValidateMessageVersion(v uint8) error

ValidateMessageVersion validates the message format version values.

The only supported message format versions are V1 and V2.

Types

type AlgorithmSuite 

type AlgorithmSuite struct {
	AlgorithmID          uint16               // An identifier for the algorithm. It is a 2-byte value interpreted as a 16-bit unsigned integer.
	EncryptionSuite      encryptionSuite      // Encryption of the algorithm suite
	MessageFormatVersion MessageFormatVersion // Message format version
	KDFSuite             kdfSuite             // Key Derivation Suite of the algorithm suite
	Authentication       authenticationSuite  // Authentication Suite of the algorithm suite
	// contains filtered or unexported fields
}

AlgorithmSuite represents the algorithm suite used for encryption and decryption.

func ByID added in v0.4.0 

func ByID(algorithmID uint16) (*AlgorithmSuite, error)

ByID returns AlgorithmSuite by its algorithmID 16-bit unsigned integer.

func FromBytes added in v0.4.0 

func FromBytes(b []byte) (*AlgorithmSuite, error)

FromBytes returns AlgorithmSuite from slice of bytes, slice must have a length of 2 bytes.

func (*AlgorithmSuite) AlgorithmSuiteDataLen 

func (as *AlgorithmSuite) AlgorithmSuiteDataLen() int

AlgorithmSuiteDataLen returns the length of the Algorithm Suite Data field.

func (*AlgorithmSuite) GoString 

func (as *AlgorithmSuite) GoString() string

func (*AlgorithmSuite) IDBytes 

func (as *AlgorithmSuite) IDBytes() []byte

IDBytes returns the ID of AlgorithmSuite as a slice of bytes.

func (*AlgorithmSuite) IDString added in v0.2.0 

func (as *AlgorithmSuite) IDString() string

IDString returns the ID of AlgorithmSuite as a string.

Example: 

0578

func (*AlgorithmSuite) IsCommitting 

func (as *AlgorithmSuite) IsCommitting() bool

IsCommitting indicates whether the AlgorithmSuite is using key commitment. Only V2 message format version supports key commitment.

func (*AlgorithmSuite) IsKDFSupported added in v0.2.0 

func (as *AlgorithmSuite) IsKDFSupported() bool

IsKDFSupported indicates whether the AlgorithmSuite is using key derivation to derive the data encryption key.

func (*AlgorithmSuite) IsSigning 

func (as *AlgorithmSuite) IsSigning() bool

IsSigning indicates whether the AlgorithmSuite is using ECDSA for signing over the ciphertext header and body.

func (*AlgorithmSuite) MessageIDLen 

func (as *AlgorithmSuite) MessageIDLen() int

MessageIDLen returns the length of the message ID.

func (*AlgorithmSuite) Name 

func (as *AlgorithmSuite) Name() string

Name returns the name of AlgorithmSuite.

Example: 

AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384

func (*AlgorithmSuite) String 

func (as *AlgorithmSuite) String() string

String returns a string representation of AlgorithmSuite.

Example: 

AlgID 0x0578: AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384

type CommitmentPolicy 

type CommitmentPolicy int8

CommitmentPolicy is a configuration setting that determines whether your application encrypts and decrypts with key commitment.

See Commitment policy for more information. 

const (
	CommitmentPolicyForbidEncryptAllowDecrypt    CommitmentPolicy // 1 - FORBID_ENCRYPT_ALLOW_DECRYPT
	CommitmentPolicyRequireEncryptAllowDecrypt                    // 2 - REQUIRE_ENCRYPT_ALLOW_DECRYPT
	CommitmentPolicyRequireEncryptRequireDecrypt                  // 3 - REQUIRE_ENCRYPT_REQUIRE_DECRYPT
)

Supported commitment policies.

func (CommitmentPolicy) GoString 

func (cp CommitmentPolicy) GoString() string

GoString returns the same as String().

func (CommitmentPolicy) String 

func (cp CommitmentPolicy) String() string

String returns the string representation of the CommitmentPolicy.

type ContentType 

type ContentType uint8

ContentType is the type of encrypted data, either non-framed or framed. 

const (
	NonFramedContent ContentType = 0x01 // Non-framed content is type 1, encoded as the byte 01 in hexadecimal notation.
	FramedContent    ContentType = 0x02 // Framed content is type 2, encoded as the byte 02 in hexadecimal notation.
)

Supported content types.

type EncryptionContext 

type EncryptionContext map[string]string

EncryptionContext represents a map of string key-value pairs that are used to store contextual information for encryption operations.

func (EncryptionContext) Serialize 

func (ec EncryptionContext) Serialize() []byte

Serialize transforms the EncryptionContext into a byte slice. The serialized format prepends the length of each key and value as a 2-byte big-endian integer. Keys are sorted to ensure deterministic output. The function accounts for the additional keyValueBytes for each key-value pair when estimating the buffer size to minimize reallocations.

The serialization format is as follows for each key-value pair: 

[keyLength][key][valueLength][value]
 - keyLength: 2 bytes representing the length of the key as a big-endian integer
 - key: actual bytes of the key
 - valueLength: 2 bytes representing the length of the value as a big-endian integer
 - value: actual bytes of the value

Serialization ensures that keys are sorted and the output is consistent for the same EncryptionContext content.

Returns: 

[]byte: A byte slice representing the serialized EncryptionContext.

Example: 

ec := EncryptionContext{"user": "Alice", "purpose": "encryption"}
serialized := ec.Serialize()
The output will be a byte slice with each key-value pair preceded by their lengths.

type MessageFormatVersion added in v0.2.0 

type MessageFormatVersion uint8

MessageFormatVersion is the version of the message format. 

const (
	V1 MessageFormatVersion = iota + 1 // Version 1 encoded as the byte 01 in hexadecimal notation.
	V2                                 // Version 2 encoded as the byte 02 in hexadecimal notation.
)

Supported message format versions.

  • Algorithm suites without key commitment use message format version 1.
  • Algorithm suites with key commitment use message format version 2.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.