Documentation ¶
Index ¶
- Constants
- func BytesToInt(b []byte) int
- func EscapeStringJSON(dst *bytes.Buffer, s string)
- func FileExist(filepath string) (bool, error)
- func FsOpenFile(ctx context.Context, readPath string, offset int64) (io.ReadCloser, int64, error)
- func GenerateIV(random io.Reader) (iv [32]byte)
- func GetKmsKeys(filepath string) (map[string]string, error)
- func IsETagSealed(etag []byte) bool
- func MarshalText(kmsCtx map[string]string) ([]byte, error)
- func MkdirAll(path string) error
- func Unseal(reader io.Reader, metadata map[string]string, secretKey string) (io.Reader, error)
- func WriteFile(reader io.Reader, dest string) error
- type Algorithm
- type Identity
- type IdentityInfo
- type IdentityIterator
- func (i *IdentityIterator) Close() error
- func (i *IdentityIterator) CreatedAt() time.Time
- func (i *IdentityIterator) CreatedBy() Identity
- func (i *IdentityIterator) Identity() Identity
- func (i *IdentityIterator) Next() bool
- func (i *IdentityIterator) Policy() string
- func (i *IdentityIterator) Value() IdentityInfo
- type Key
- func (k *Key) Algorithm() Algorithm
- func (k *Key) Clone() Key
- func (k *Key) CreatedAt() time.Time
- func (k *Key) CreatedBy() Identity
- func (k *Key) Equal(other Key) bool
- func (k *Key) ID() string
- func (k *Key) UnMarshalText(text []byte) error
- func (k *Key) Unwrap(ciphertext, associatedData []byte) ([]byte, error)
- type ObjectKey
- func (key ObjectKey) DerivePartKey(id uint32) (partKey [32]byte)
- func (key ObjectKey) Seal(extKey []byte, iv [32]byte, domain, bucket, object string) SealedKey
- func (key ObjectKey) SealETag(etag []byte) []byte
- func (key *ObjectKey) Unseal(extKey []byte, sealedKey SealedKey, domain, bucket, object string) error
- func (key ObjectKey) UnsealETag(etag []byte) ([]byte, error)
- type SealedKey
Constants ¶
// Names of the FrogHub-internal metadata entries. The values are the
// keys under which the encryption-related details of an object are
// stored in its metadata map (compare Unseal's metadata parameter).
// NOTE(review): the "Internal" prefix suggests these entries are never
// meant to reach S3 clients — confirm that callers strip them before
// returning object metadata.
const (
	// MetaBucket is the metadata key holding the s3 bucket name.
	MetaBucket = "X-FrogHub-Internal-Bucket"
	// MetaObject is the metadata key holding the s3 object name.
	MetaObject = "X-FrogHub-Internal-Object"
	// MetaIV is the random initialization vector (IV) used for
	// the FrogHub-internal key derivation.
	MetaIV = "X-FrogHub-Internal-Server-Side-Encryption-Iv"
	// MetaAlgorithm is the algorithm used to derive internal keys
	// and encrypt the objects.
	MetaAlgorithm = "X-FrogHub-Internal-Server-Side-Encryption-Seal-Algorithm"
	// MetaSealedKeyKMS is the sealed object encryption key in case of SSE-KMS.
	MetaSealedKeyKMS = "X-FrogHub-Internal-Server-Side-Encryption-Kms-Sealed-Key"
	// MetaKeyID is the KMS master key ID used to generate/encrypt the data
	// encryption key (DEK).
	MetaKeyID = "X-FrogHub-Internal-Server-Side-Encryption-S3-Kms-Key-Id"
	// MetaDataEncryptionKey is the sealed data encryption key (DEK) received from
	// the KMS.
	MetaDataEncryptionKey = "X-FrogHub-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key"
	// KesErrDecrypt is the error message a KES server returns when it fails
	// to decrypt a ciphertext. It may occur when a client uses the wrong key
	// or the ciphertext has been (maliciously) modified; the two cases are
	// indistinguishable from the message alone.
	KesErrDecrypt = "decryption failed: ciphertext is not authentic"
)
const (
	// MaxSize is the maximum byte size of an encoded key.
	MaxSize = 1 << 20
	// Size is the byte size of a cryptographic key (32 bytes, which
	// matches the ObjectKey and GenerateIV array sizes in this package).
	Size = 256 / 8
	// If FIPS-140 is enabled no non-NIST/FIPS approved
	// primitives must be used.
	// NOTE(review): Enabled is a compile-time constant that always
	// evaluates to false (0 == 1). FIPS mode therefore cannot be switched
	// on at runtime through this constant; anything gated on it is
	// effectively dead unless the constant is changed at build time.
	Enabled = 0 == 1
)
// Identifiers of the sealing algorithms. These strings are presumably
// persisted in object metadata (see MetaAlgorithm) and used by Unseal to
// select the algorithm, so their values must not be changed.
const (
	// SealAlgorithm is the encryption/sealing algorithm used to derive & seal
	// the key-encryption-key and to en/decrypt the object data.
	SealAlgorithm = "DAREv2-HMAC-SHA256"
	// InsecureSealAlgorithm is the legacy encryption/sealing algorithm used
	// to derive & seal the key-encryption-key and to en/decrypt the object data.
	// This algorithm should not be used for new objects because its key derivation
	// is considered insecure, as the name indicates. NOTE(review): presumably it is
	// kept only so that existing objects sealed with it can still be read — confirm
	// that Seal never emits it for new objects.
	InsecureSealAlgorithm = "DARE-SHA256"
)
// KMSConfig is the file name of the KMS configuration, presumably the
// file read by GetKmsKeys — confirm against the caller.
const KMSConfig = "kms-config.json"
Variables ¶
This section is empty.
Functions ¶
func BytesToInt ¶
func EscapeStringJSON ¶
EscapeStringJSON will escape a string for JSON and write it to dst.
func FsOpenFile ¶
FsOpenFile opens the file at the given path, optionally starting from an offset. On success it returns a readable stream and the size of that stream.
func GenerateIV ¶
GenerateIV generates a new random 256 bit IV from the provided source of randomness. If random is nil the default PRNG of the system (crypto/rand) is used.
func IsETagSealed ¶
IsETagSealed returns true if the etag seems to be encrypted.
func MarshalText ¶
MarshalText sorts the context keys and writes the sorted key-value pairs as canonical JSON object. The sort order is based on the un-escaped keys. It never returns an error.
Types ¶
type Algorithm ¶
type Algorithm string
Algorithm is a cryptographic algorithm that requires a cryptographic key.
const (
	// AlgorithmGeneric is a generic value that indicates
	// that the key can be used with multiple algorithms.
	// It is also the zero value of Algorithm, so an Algorithm that was
	// never set reads as generic.
	AlgorithmGeneric Algorithm = ""
	// AES256_GCM_SHA256 is an algorithm that uses HMAC-SHA256
	// for key derivation and AES256-GCM for en/decryption.
	// The string value (with its mixed "-"/"_" separators) is a
	// persisted identifier; do not change it.
	AES256_GCM_SHA256 Algorithm = "AES256-GCM_SHA256"
	// XCHACHA20_POLY1305 is an algorithm that uses HChaCha20
	// for key derivation and ChaCha20-Poly1305 for en/decryption.
	XCHACHA20_POLY1305 Algorithm = "XCHACHA20-POLY1305"
)
type Identity ¶
type Identity string
An Identity should uniquely identify a client and is computed from the X.509 certificate presented by the client during the TLS handshake using an IdentityFunc.
const IdentityUnknown Identity = ""
IdentityUnknown is the identity returned by an IdentityFunc if it cannot map a particular X.509 certificate to an actual identity.
type IdentityInfo ¶
// IdentityInfo describes a KES identity.
type IdentityInfo struct {
	Identity  Identity  // The identity being described
	IsAdmin   bool      // Indicates whether the identity has admin privileges
	Policy    string    // Name of the associated policy
	CreatedAt time.Time // Point in time when the identity was created
	CreatedBy Identity  // Identity that created the identity
}
IdentityInfo describes a KES identity.
type IdentityIterator ¶
// IdentityIterator iterates over a stream of IdentityInfo objects.
// Close the IdentityIterator to release associated resources.
type IdentityIterator struct {
	// contains filtered or unexported fields
}
IdentityIterator iterates over a stream of IdentityInfo objects. Close the IdentityIterator to release associated resources.
func (*IdentityIterator) Close ¶
func (i *IdentityIterator) Close() error
Close closes the IdentityIterator and releases any associated resources.
func (*IdentityIterator) CreatedAt ¶
func (i *IdentityIterator) CreatedAt() time.Time
CreatedAt returns the created-at timestamp of the current identity. It is a short-hand for Value().CreatedAt.
func (*IdentityIterator) CreatedBy ¶
func (i *IdentityIterator) CreatedBy() Identity
CreatedBy returns the identity that created the current identity. It is a short-hand for Value().CreatedBy.
func (*IdentityIterator) Identity ¶
func (i *IdentityIterator) Identity() Identity
Identity returns the current identity. It is a short-hand for Value().Identity.
func (*IdentityIterator) Next ¶
func (i *IdentityIterator) Next() bool
Next returns true if there is another IdentityInfo. It returns false if there are no more IdentityInfo objects or when the IdentityIterator encounters an error.
func (*IdentityIterator) Policy ¶
func (i *IdentityIterator) Policy() string
Policy returns the policy assigned to the current identity. It is a short-hand for Value().Policy.
func (*IdentityIterator) Value ¶
func (i *IdentityIterator) Value() IdentityInfo
Value returns the current IdentityInfo. It remains valid until Next is called again.
type Key ¶
// Key is a symmetric cryptographic key. Its material is kept in
// unexported fields; callers obtain it via New or Random and use the
// methods listed in the index.
type Key struct {
	// contains filtered or unexported fields
}
Key is a symmetric cryptographic key.
func New ¶
New returns a new Key for the given cryptographic algorithm. The key length must match the algorithm's key size. The returned key is owned by the specified identity.
func Random ¶
Random generates a new random Key for the cryptographic algorithm. The returned key is owned by the specified identity.
func (*Key) Algorithm ¶
Algorithm returns the cryptographic algorithm for which the key can be used.
func (*Key) UnMarshalText ¶
UnMarshalText parses and decodes text as an encoded key.
type ObjectKey ¶
type ObjectKey [32]byte
ObjectKey is a 256 bit secret key used to encrypt the object. It must never be stored in plaintext.
func GenerateKey ¶
GenerateKey generates a unique ObjectKey from a 256 bit external key and a source of randomness. If random is nil the default PRNG of the system (crypto/rand) is used.
func (ObjectKey) DerivePartKey ¶
DerivePartKey derives a unique 256 bit key from an ObjectKey and the part index.
func (ObjectKey) Seal ¶
Seal encrypts the ObjectKey using the 256 bit external key and IV. The sealed key is also cryptographically bound to the object's path (bucket/object) and the domain (SSE-C or SSE-S3).
func (ObjectKey) SealETag ¶
SealETag seals the etag using the object key. It does not encrypt empty ETags because such ETags indicate that the S3 client hasn't sent an ETag = MD5(object) and the backend can pick an ETag value.
func (*ObjectKey) Unseal ¶
func (key *ObjectKey) Unseal(extKey []byte, sealedKey SealedKey, domain, bucket, object string) error
Unseal decrypts a sealed key using the 256 bit external key. Since the sealed key may be cryptographically bound to the object's path, the same bucket/object as during sealing must be provided. On success the ObjectKey contains the decrypted sealed key.
func (ObjectKey) UnsealETag ¶
UnsealETag unseals the etag using the provided object key. It does not try to decrypt the ETag if len(etag) == 16 because such ETags indicate that the S3 client hasn't sent an ETag = MD5(object) and the backend has picked an ETag value.
type SealedKey ¶
// SealedKey represents a sealed object key. It can be stored at an
// untrusted location: confidentiality and integrity of Key rest on the
// external key used by Seal/Unseal, not on where the struct is kept.
type SealedKey struct {
	// The encrypted and authenticated object-key. It is 64 bytes while
	// ObjectKey is 32; presumably the remainder is the authentication
	// overhead of the sealing algorithm — confirm in Seal.
	Key [64]byte
	// The random IV used to encrypt the object-key.
	IV [32]byte
	// The sealing algorithm used to encrypt the object key. Expected to be
	// SealAlgorithm or InsecureSealAlgorithm; NOTE(review): confirm that
	// Unseal rejects any other value rather than falling back to a default.
	Algorithm string
}
SealedKey represents a sealed object key. It can be stored at an untrusted location.