decrypt

package
v0.0.0-...-2a87563 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 22, 2022 License: LGPL-3.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// MetaBucket is the s3 bucket name
	MetaBucket = "X-FrogHub-Internal-Bucket"

	// MetaObject is the s3 object name
	MetaObject = "X-FrogHub-Internal-Object"

	// MetaIV is the random initialization vector (IV) used for
	// the FrogHub-internal key derivation.
	MetaIV = "X-FrogHub-Internal-Server-Side-Encryption-Iv"

	// MetaAlgorithm is the algorithm used to derive internal keys
	// and encrypt the objects.
	MetaAlgorithm = "X-FrogHub-Internal-Server-Side-Encryption-Seal-Algorithm"

	// MetaSealedKeyKMS is the sealed object encryption key in case of SSE-KMS
	MetaSealedKeyKMS = "X-FrogHub-Internal-Server-Side-Encryption-Kms-Sealed-Key"

	// MetaKeyID is the KMS master key ID used to generate/encrypt the data
	// encryption key (DEK).
	MetaKeyID = "X-FrogHub-Internal-Server-Side-Encryption-S3-Kms-Key-Id"

	// MetaDataEncryptionKey is the sealed data encryption key (DEK) received from
	// the KMS.
	MetaDataEncryptionKey = "X-FrogHub-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key"

	// ErrDecrypt is returned by a KES server when it fails to decrypt
	// a ciphertext. It may occur when a client uses the wrong key or
	// the ciphertext has been (maliciously) modified.
	KesErrDecrypt = "decryption failed: ciphertext is not authentic"
)
View Source
const (
	// MaxSize is the maximum byte size of an encoded key.
	MaxSize = 1 << 20

	// Size is the byte size of a cryptographic key.
	Size = 256 / 8

	// If FIPS-140 is enabled no non-NIST/FIPS approved
	// primitives must be used.
	Enabled = 0 == 1
)
View Source
const (
	// SealAlgorithm is the encryption/sealing algorithm used to derive & seal
	// the key-encryption-key and to en/decrypt the object data.
	SealAlgorithm = "DAREv2-HMAC-SHA256"

	// InsecureSealAlgorithm is the legacy encryption/sealing algorithm used
	// to derive & seal the key-encryption-key and to en/decrypt the object data.
	// This algorithm should not be used for new objects because its key derivation
	InsecureSealAlgorithm = "DARE-SHA256"
)
View Source
const KMSConfig = "kms-config.json"

Variables

This section is empty.

Functions

func BytesToInt

func BytesToInt(b []byte) int

func EscapeStringJSON

func EscapeStringJSON(dst *bytes.Buffer, s string)

EscapeStringJSON will escape a string for JSON and write it to dst.

func FileExist

func FileExist(filepath string) (bool, error)

func FsOpenFile

func FsOpenFile(ctx context.Context, readPath string, offset int64) (io.ReadCloser, int64, error)

Opens the file at given path, optionally from an offset. Upon success returns a readable stream and the size of the readable stream.

func GenerateIV

func GenerateIV(random io.Reader) (iv [32]byte)

GenerateIV generates a new random 256 bit IV from the provided source of randomness. If random is nil the default PRNG of the system (crypto/rand) is used.

func GetKmsKeys

func GetKmsKeys(filepath string) (map[string]string, error)

func IsETagSealed

func IsETagSealed(etag []byte) bool

IsETagSealed returns true if the etag seems to be encrypted.

func MarshalText

func MarshalText(kmsCtx map[string]string) ([]byte, error)

MarshalText sorts the context keys and writes the sorted key-value pairs as canonical JSON object. The sort order is based on the un-escaped keys. It never returns an error.

func MkdirAll

func MkdirAll(path string) error

func Unseal

func Unseal(reader io.Reader, metadata map[string]string, secretKey string) (io.Reader, error)

func WriteFile

func WriteFile(reader io.Reader, dest string) error

Types

type Algorithm

type Algorithm string

Algorithm is a cryptographic algorithm that requires a cryptographic key.

const (
	// AlgorithmGeneric is a generic value that indicates
	// that the key can be used with multiple algorithms.
	AlgorithmGeneric Algorithm = ""

	// AES256_GCM_SHA256 is an algorithm that uses HMAC-SHA256
	// for key derivation and AES256-GCM for en/decryption.
	AES256_GCM_SHA256 Algorithm = "AES256-GCM_SHA256"

	// XCHACHA20_POLY1305 is an algorithm that uses HChaCha20
	// for key derivation and ChaCha20-Poly1305 for en/decryption.
	XCHACHA20_POLY1305 Algorithm = "XCHACHA20-POLY1305"
)

func (Algorithm) KeySize

func (a Algorithm) KeySize() int

KeySize returns the Algorithm's key size.

func (Algorithm) String

func (a Algorithm) String() string

String returns the Algorithm's string representation.

type Identity

type Identity string

An Identity should uniquely identify a client and is computed from the X.509 certificate presented by the client during the TLS handshake using an IdentityFunc.

const IdentityUnknown Identity = ""

IdentityUnknown is the identity returned by an IdentityFunc if it cannot map a particular X.509 certificate to an actual identity.

func (Identity) IsUnknown

func (id Identity) IsUnknown() bool

IsUnknown returns true if and only if the identity is IdentityUnknown.

func (Identity) String

func (id Identity) String() string

String returns the string representation of the identity.

type IdentityInfo

type IdentityInfo struct {
	Identity  Identity
	IsAdmin   bool      // Indicates whether the identity has admin privileges
	Policy    string    // Name of the associated policy
	CreatedAt time.Time // Point in time when the identity was created
	CreatedBy Identity  // Identity that created the identity
}

IdentityInfo describes a KES identity.

type IdentityIterator

type IdentityIterator struct {
	// contains filtered or unexported fields
}

IdentityIterator iterates over a stream of IdentityInfo objects. Close the IdentityIterator to release associated resources.

func (*IdentityIterator) Close

func (i *IdentityIterator) Close() error

Close closes the IdentityIterator and releases any associated resources

func (*IdentityIterator) CreatedAt

func (i *IdentityIterator) CreatedAt() time.Time

CreatedAt returns the created-at timestamp of the current identity. It is a short-hand for Value().CreatedAt.

func (*IdentityIterator) CreatedBy

func (i *IdentityIterator) CreatedBy() Identity

CreatedBy returns the identiy that created the current identity. It is a short-hand for Value().CreatedBy.

func (*IdentityIterator) Identity

func (i *IdentityIterator) Identity() Identity

Identity returns the current identity. It is a short-hand for Value().Identity.

func (*IdentityIterator) Next

func (i *IdentityIterator) Next() bool

Next returns true if there is another IdentityInfo. It returns false if there are no more IdentityInfo objects or when the IdentityIterator encounters an error.

func (*IdentityIterator) Policy

func (i *IdentityIterator) Policy() string

Policy returns the policy assigned to the current identity. It is a short-hand for Value().Policy.

func (*IdentityIterator) Value

func (i *IdentityIterator) Value() IdentityInfo

Value returns the current IdentityInfo. It remains valid until Next is called again.

type Key

type Key struct {
	// contains filtered or unexported fields
}

Key is a symmetric cryptographic key.

func New

func New(algorithm Algorithm, key []byte, owner Identity) (Key, error)

New returns an new Key for the given cryptographic algorithm. The key len must match algorithm's key size. The returned key is owned to the specified identity.

func Random

func Random(algorithm Algorithm, owner Identity) (Key, error)

Random generates a new random Key for the cryptographic algorithm. The returned key is owned to the specified identity.

func (*Key) Algorithm

func (k *Key) Algorithm() Algorithm

Algorithm returns the cryptographic algorithm for which the key can be used.

func (*Key) Clone

func (k *Key) Clone() Key

Clone returns a deep copy of the key.

func (*Key) CreatedAt

func (k *Key) CreatedAt() time.Time

CreatedAt returns the point in time when the key has been created.

func (*Key) CreatedBy

func (k *Key) CreatedBy() Identity

CreatedBy returns the identity that created the key.

func (*Key) Equal

func (k *Key) Equal(other Key) bool

Equal returns true if and only if both keys are identical.

func (*Key) ID

func (k *Key) ID() string

ID returns the k's key ID.

func (*Key) UnMarshalText

func (k *Key) UnMarshalText(text []byte) error

UnMarshalText parses and decodes text as encoded key.

func (*Key) Unwrap

func (k *Key) Unwrap(ciphertext, associatedData []byte) ([]byte, error)

Unwrap decrypts the ciphertext and returns the resulting plaintext.

It verifies that the associatedData matches the value used when the ciphertext has been generated.

type ObjectKey

type ObjectKey [32]byte

ObjectKey is a 256 bit secret key used to encrypt the object. It must never be stored in plaintext.

func GenerateKey

func GenerateKey(extKey []byte, random io.Reader) (key ObjectKey)

GenerateKey generates a unique ObjectKey from a 256 bit external key and a source of randomness. If random is nil the default PRNG of the system (crypto/rand) is used.

func (ObjectKey) DerivePartKey

func (key ObjectKey) DerivePartKey(id uint32) (partKey [32]byte)

DerivePartKey derives an unique 256 bit key from an ObjectKey and the part index.

func (ObjectKey) Seal

func (key ObjectKey) Seal(extKey []byte, iv [32]byte, domain, bucket, object string) SealedKey

Seal encrypts the ObjectKey using the 256 bit external key and IV. The sealed key is also cryptographically bound to the object's path (bucket/object) and the domain (SSE-C or SSE-S3).

func (ObjectKey) SealETag

func (key ObjectKey) SealETag(etag []byte) []byte

SealETag seals the etag using the object key. It does not encrypt empty ETags because such ETags indicate that the S3 client hasn't sent an ETag = MD5(object) and the backend can pick an ETag value.

func (*ObjectKey) Unseal

func (key *ObjectKey) Unseal(extKey []byte, sealedKey SealedKey, domain, bucket, object string) error

Unseal decrypts a sealed key using the 256 bit external key. Since the sealed key may be cryptographically bound to the object's path the same bucket/object as during sealing must be provided. On success the ObjectKey contains the decrypted sealed key.

func (ObjectKey) UnsealETag

func (key ObjectKey) UnsealETag(etag []byte) ([]byte, error)

UnsealETag unseals the etag using the provided object key. It does not try to decrypt the ETag if len(etag) == 16 because such ETags indicate that the S3 client hasn't sent an ETag = MD5(object) and the backend has picked an ETag value.

type SealedKey

type SealedKey struct {
	Key       [64]byte // The encrypted and authenticted object-key.
	IV        [32]byte // The random IV used to encrypt the object-key.
	Algorithm string   // The sealing algorithm used to encrypt the object key.
}

SealedKey represents a sealed object key. It can be stored at an untrusted location.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL