crypto

package

v0.1.0-rc Latest Latest Go to latest Published: Aug 10, 2016 License: MIT Imports: 19 Imported by: 13

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/manifoldco/torus-cli

Documentation ¶

Overview ¶

Package crypto provides access to secure encryption and signing methods

Index ¶

Constants
func DeriveLoginHMAC(password, salt, token string) (string, error)
type EncryptionKeyPair
type Engine
- func NewEngine(sess session.Session, db *db.DB) *Engine
type KeyPairs
type SignatureKeyPair

Constants ¶

View Source

const (
	Triplesec  = "triplesec-v3"
	EdDSA      = "eddsa"
	Curve25519 = "curve25519"
	EasyBox    = "easybox"
	SecretBox  = "secretbox"
)

Crypto Algorithm name constants.

Variables ¶

This section is empty.

Functions ¶

func DeriveLoginHMAC ¶

func DeriveLoginHMAC(password, salt, token string) (string, error)

DeriveLoginHMAC HMACs the provided token with a key derived from password and the provided base64 encoded salt.

Types ¶

type EncryptionKeyPair ¶

type EncryptionKeyPair struct {
	Public  [32]byte
	Private []byte
	PNonce  []byte
}

EncryptionKeyPair is a curve25519 encryption keypair. The private portion of the keypair is encrypted with triplesec.

PNonce contains the nonce used when deriving the password used to encrypt the private portion.

type Engine ¶

type Engine struct {
	// contains filtered or unexported fields
}

Engine exposes methods to encrypt, unencrypt and sign values, using the logged in user's credentials.

func (*Engine) Box ¶

func (e *Engine) Box(pt []byte, privKP *EncryptionKeyPair,
	pubKey []byte) ([]byte, []byte, error)

Box encrypts the plaintext pt bytes with Box, using the private key found in privKP, first decrypted with the user's master key, and encrypted for the public key pubKey.

It returns the ciphertext, the nonce used for encrypting the plaintext, and an optional error.

func (*Engine) BoxCredential ¶

func (e *Engine) BoxCredential(pt, encMec, mecNonce []byte,
	privKP *EncryptionKeyPair, pubKey []byte) ([]byte, []byte, []byte, error)

BoxCredential encrypts the credential value pt via symmetric secretbox encryption.

Doing so is a multistep process. First we use the user's session data to unseal their private encryption key. With their encryption key and the public encryption key provided, we can decrypt the keyring master key (mek). Using mek and a generated nonce, we derive the credential encryption key (cek) via blake2b. Finally, we use the cek and a generated nonce to encrypt the credential.

BoxCredential returns the nonce generated to derive the credential encryption key, the nonce generated for encrypting the credential, and the encrypted credential.

func (*Engine) CloneMembership ¶

func (e *Engine) CloneMembership(encMec, mecNonce []byte, privKP *EncryptionKeyPair, encPubKey, targetPubKey []byte) ([]byte, []byte, error)

CloneMembership decrypts the given KeyringMember object, and creates another for the targeted user.

func (*Engine) GenerateKeyPairs ¶

func (e *Engine) GenerateKeyPairs() (*KeyPairs, error)

GenerateKeyPairs generates and ed25519 signing key pair, and a curve25519 encryption key pair for the user, encrypting the private keys in triplesec-v3 with the user's master key.

func (*Engine) Seal ¶

func (e *Engine) Seal(pt []byte) ([]byte, []byte, error)

Seal encrypts the plaintext pt bytes with triplesec-v3 using a key derrived via blake2b from the user's master key and a nonce (returned).

func (*Engine) Sign ¶

func (e *Engine) Sign(s SignatureKeyPair, b []byte) ([]byte, error)

Sign signs b bytes using the provided Sealed ed25519 keypair.

func (*Engine) SignedEnvelope ¶

func (e *Engine) SignedEnvelope(body identity.Identifiable,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.Signed,
	error)

SignedEnvelope returns a new SignedEnvelope containing body

func (*Engine) Unbox ¶

func (e *Engine) Unbox(ct, nonce []byte, privKP *EncryptionKeyPair,
	pubKey []byte) ([]byte, error)

Unbox Decrypts and verifies ciphertext ct that was previously encrypted using the provided nonce, and the inverse parts of the provided keypairs.

func (*Engine) UnboxCredential ¶

func (e *Engine) UnboxCredential(ct, encMec, mecNonce, cekNonce, ctNonce []byte,
	privKP *EncryptionKeyPair, pubKey []byte) ([]byte, error)

UnboxCredential does the inverse of BoxCredential to retrieve the plaintext version of a credential.

func (*Engine) Unseal ¶

func (e *Engine) Unseal(ct, nonce []byte) ([]byte, error)

Unseal decrypts the ciphertext ct, encrypted with triplesec-v3, using the a key derrived via blake2b from the user's master key and the provided nonce.

func (*Engine) Verify ¶

func (e *Engine) Verify(s SignatureKeyPair, b, sig []byte) bool

Verify verifies that sig is the correct signature for b given SignatureKeyPair s.

type KeyPairs ¶

type KeyPairs struct {
	Signature  SignatureKeyPair
	Encryption EncryptionKeyPair
}

KeyPairs contains a signature and an encryption keypair for a user.

type SignatureKeyPair ¶

type SignatureKeyPair struct {
	Public  ed25519.PublicKey
	Private []byte
	PNonce  []byte
}

SignatureKeyPair is an ed25519/eddsa digital signature keypair. The private portion of the keypair is encrypted with triplesec.