kbcmf

package
v1.0.0-46 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 10, 2015 License: BSD-3-Clause, BSD-3-Clause Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source
const EncryptionBlockSize int = 1048576

EncryptionBlockSize is by default 1MB and can't currently be tweaked.

Variables

View Source
var (
	// ErrNoDecryptionKey is an error indicating no decryption key was found for the
	// incoming message. You'll get one of these if you respond to a Keyring.LookupSecretBoxKey
	// request with a (-1,nil) return value.
	ErrNoDecryptionKey = errors.New("no decryption key found for message")

	// ErrNoSenderKey indicates that on decryption we couldn't find a public key
	// for the sender.
	ErrNoSenderKey = errors.New("no sender key found for message")

	// ErrTrailingGarbage indicates that additional msgpack packets were found after the
	// end of the encryption stream.
	ErrTrailingGarbage = errors.New("trailing garbage found at end of message")

	// ErrPacketOverflow indicates that more than (2^64-2) packets were found in an encryption
	// stream.  This would indicate a very big message, and results in an error here.
	ErrPacketOverflow = errors.New("no more than 2^32 packets in a message are supported")

	// ErrBadFrame indiciates improper msgpack framing
	ErrBadFrame = errors.New("bad msgpack framing byte")

	// ErrUnexpectedEOF is produced when an EOF happens unexpectedly when parsing an
	// incoming encryption. Usually it means a message was truncated, but could indicate
	// malicious truncation
	ErrUnexpectedEOF = errors.New("unexpected EOF; the message was truncated")

	// ErrInsufficientRandomness is generated when the encryption fails to collect
	// enough randomness to proceed.  We're using the standard crypto/rand source
	// of randomness, so this should never happen
	ErrInsufficientRandomness = errors.New("could not collect enough randomness")

	// ErrNoGroupMACKey is produced when we lack a group MAC key but the authenticated
	// ciphertexts indicated that one was required.
	ErrNoGroupMACKey = errors.New("no group MAC key, but we needed one")
)

Functions

func NewPublicDecryptStream

func NewPublicDecryptStream(plaintext io.Writer, keyring Keyring) (ciphertext io.WriteCloser, err error)

NewPublicDecryptStream starts a streaming decryption. You should give it an io.Writer to write plaintext output to, and also a Keyring to lookup private and public keys as necessary. The stream will only ever write validated data. It returns an io.Writer that you can write the ciphertext stream to, and an error if anything goes wrong in the construction process.

func NewPublicEncryptStream

func NewPublicEncryptStream(ciphertext io.Writer, sender BoxSecretKey, receivers [][]BoxPublicKey) (plaintext io.WriteCloser, err error)

NewPublicEncryptStream creates a stream that consumes plaintext data. It will write out encrypted data to the io.Writer passed in as ciphertext. The encryption is from the specified sender, and is encrypted for the given receivers. Note that receivers as specified as two-dimensional array. Each inner group of receivers shares the same pairwise MAC-key, so should represent a logic receiver split across multiple devices. Each group of receivers represents a mutually distrustful set of receivers, and will each get their own pairwise-MAC keys.

Returns an io.WriteClose that accepts plaintext data to be encrypted; and also returns an error if initialization failed.

func Open

func Open(ciphertext []byte, keyring Keyring) (plaintext []byte, err error)

Open simply opens a ciphertext given the set of keys in the specified keyring. It return a plaintext on sucess, and an error on failure.

func Seal

func Seal(plaintext []byte, sender BoxSecretKey, receivers [][]BoxPublicKey) (out []byte, err error)

Seal a plaintext from the given sender, for the specified receiver groups. Returns a ciphertext, or an error if something bad happened.

Types

type BoxPublicKey

type BoxPublicKey interface {

	// ToKID outputs the "key ID" that corresponds to this BoxPublicKey.
	// You can do whatever you'd like here, but probably it makes sense just
	// to output the public key as is.
	ToKID() []byte

	// ToRawBoxKeyPointer returns this public key as a *[32]byte,
	// for use with nacl.box.Seal
	ToRawBoxKeyPointer() *RawBoxKey
}

BoxPublicKey is an generic interface to NaCl's public key Box function.

type BoxSecretKey

type BoxSecretKey interface {

	// Box boxes up data, sent from this secret key, and to the receiver
	// specified.
	Box(receiver BoxPublicKey, nonce *Nonce, msg []byte) ([]byte, error)

	// Unobx opens up the box, using this secret key as the receiver key
	// abd the give public key as the sender key.
	Unbox(sender BoxPublicKey, nonce *Nonce, msg []byte) ([]byte, error)

	// GetPublicKey gets the public key associated with this secret key
	GetPublicKey() BoxPublicKey
}

BoxSecretKey is the secret key corresponding to a BoxPublicKey

type EncryptionBlock

type EncryptionBlock struct {
	Version    PacketVersion `codec:"vers"`
	Tag        PacketTag     `codec:"tag"`
	Ciphertext []byte        `codec:"ctext"`
	MACs       [][]byte      `codec:"macs"`
	// contains filtered or unexported fields
}

EncryptionBlock contains a block of encrypted data. It cointains the ciphertext, and any necessary MACs.

type EncryptionHeader

type EncryptionHeader struct {
	Version   PacketVersion            `codec:"vers"`
	Tag       PacketTag                `codec:"tag"`
	Nonce     []byte                   `codec:"nonce"`
	Receivers []receiverKeysCiphertext `codec:"rcvrs"`
	Sender    []byte                   `codec:"sender"`
	// contains filtered or unexported fields
}

EncryptionHeader is the first packet in an encrypted message. It contains the encryptions of the session keys, and various message metadata.

type ErrBadCiphertext

type ErrBadCiphertext PacketSeqno

ErrBadCiphertext is generated when decryption fails due to improper authentication. It specifies which Packet sequence number the bad packet was in.

func (ErrBadCiphertext) Error

func (e ErrBadCiphertext) Error() string

type ErrBadGroupID

type ErrBadGroupID int

ErrBadGroupID is produced if a GroupID is encountered that out-of-range

func (ErrBadGroupID) Error

func (e ErrBadGroupID) Error() string

type ErrBadNonce

type ErrBadNonce struct {
	// contains filtered or unexported fields
}

ErrBadNonce is produced when a header nonce is of the wrong size; it should be 20 bytes.

func (ErrBadNonce) Error

func (e ErrBadNonce) Error() string

type ErrBadVersion

type ErrBadVersion struct {
	// contains filtered or unexported fields
}

ErrBadVersion is returned if a packet of an unsupported version is found. Current, only Version1 is supported.

func (ErrBadVersion) Error

func (e ErrBadVersion) Error() string

type ErrMACMismatch

type ErrMACMismatch PacketSeqno

ErrMACMismatch is generated when a MAC fails to check properly. It specifies which Packet sequence number the bad packet was in.

func (ErrMACMismatch) Error

func (e ErrMACMismatch) Error() string

type ErrRepeatedKey

type ErrRepeatedKey []byte

ErrRepeatedKey is produced during encryption if a key is repeated; keys must be unique.

func (ErrRepeatedKey) Error

func (e ErrRepeatedKey) Error() string

type ErrUnexpectedMAC

type ErrUnexpectedMAC PacketSeqno

ErrUnexpectedMAC is produced when an encryption includes an additional MAC but none was needed.

func (ErrUnexpectedMAC) Error

func (e ErrUnexpectedMAC) Error() string

type ErrWrongPacketTag

type ErrWrongPacketTag struct {
	// contains filtered or unexported fields
}

ErrWrongPacketTag is produced if one packet tag was expected, but a packet of another tag was found.

func (ErrWrongPacketTag) Error

func (e ErrWrongPacketTag) Error() string

type Keyring

type Keyring interface {
	// LookupBoxSecretKey looks in the Keyring for the secret key corresponding
	// to one of the given Key IDs.  Returns the index and the key on success,
	// or -1 and nil on failure.
	LookupBoxSecretKey(kids [][]byte) (int, BoxSecretKey)

	// LookupBoxPublicKey returns a public key given the specified key ID.
	// For most cases, the key ID will be the key itself.
	LookupBoxPublicKey(kid []byte) BoxPublicKey
}

Keyring is an interface used with decryption; it is call to recover public or private keys during the decryption process. Calls can block on network action.

type Nonce

type Nonce [24]byte

Nonce is a NaCl-style nonce, with 24 bytes of data, some of which can be counter values, and some of which can be truly random values.

type PacketSeqno

type PacketSeqno int

PacketSeqno is a special int type used to describe which packet in the sequence we're dealing with. The header is always at seqno=0. Other packets follow. Note that there is a distinction between PacketSeqno and EncryptionBlockNumber. In general, the former is one more than the latter.

type PacketTag

type PacketTag int

PacketTag is an int used to describe what "tag" or "type" of packet it is.

const PacketTagEncryptionBlock PacketTag = 2

PacketTagEncryptionBlock is a packet tag to describe the body of an encryption.

const PacketTagEncryptionHeader PacketTag = 1

PacketTagEncryptionHeader is a packet tag to describe the first packet in an encryption message.

const PacketTagSignature PacketTag = 3

PacketTagSignature is a packet tag for describing a signature packet

type PacketVersion

type PacketVersion int

PacketVersion is an int used to capture the packet version. Right now, only Version=1 is supported

const PacketVersion1 PacketVersion = 1

PacketVersion1 is currently the only supported packet version

type RawBoxKey

type RawBoxKey [32]byte

RawBoxKey is the raw byte-representation of what a box key should look like --- a static 32-byte buffer

type SymmetricKey

type SymmetricKey [32]byte

SymmetricKey is a template for a symmetric key, a 32-byte static buffer. Used for both NaCl SecretBox and also HMAC keys.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL