encryptedconfigvalue

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 11, 2022 License: BSD-3-Clause Imports: 7 Imported by: 4

Documentation

Index

Constants

View Source
const (
	AES = AlgorithmType("AES")
	RSA = AlgorithmType("RSA")
)
View Source
const (
	AESKey     = KeyType("AES")
	RSAPubKey  = KeyType("RSA-PUB")
	RSAPrivKey = KeyType("RSA-PRIV")
)

Variables

This section is empty.

Functions

func ContainsEncryptedConfigValueStringVars

func ContainsEncryptedConfigValueStringVars(input []byte) bool

ContainsEncryptedConfigValueStringVars returns true if the provided input contains any occurrences of string variables that consist of encrypted values. These are of the form "${enc:...}".

func CopyWithEncryptedStringVariablesDecrypted

func CopyWithEncryptedStringVariablesDecrypted(in interface{}, key KeyWithType) interface{}

CopyWithEncryptedStringVariablesDecrypted copies the provided input and returns the result of calling DecryptEncryptedStringVariables on the copy. The input value is left unmodified (however, if the input value is a pointer or contains pointers, those values may be modified, as the initial copy of the input that is made is a shallow copy rather than a deep one). The returned value will be the same type as the value that was provided.

func DecryptAllEncryptedValueStringVars

func DecryptAllEncryptedValueStringVars(input []byte, key KeyWithType) []byte

DecryptAllEncryptedValueStringVars returns a new byte slice that is based on the input but where all occurrences of string variables that consist of encrypted values are replaced with the value obtained when decrypting the encrypted value using the provided key.

func DecryptEncryptedStringVariables

func DecryptEncryptedStringVariables(in interface{}, key KeyWithType)

DecryptEncryptedStringVariables decrypts any encrypted string variables (strings of the form "${enc:<...>}" in the provided object in-place using the provided key. The input value should be a pointer so that the modifications are visible to the caller.

This function recursively examines all string values in the exported fields of the provided input, searches for encrypted string variables within them, and replaces all such variables with their decrypted values if decryption is successful using the provided key. String values are string fields, string pointers and strings in slices, arrays, or values of maps. Map keys are specifically not included.

func DecryptSingleEncryptedValueStringVar

func DecryptSingleEncryptedValueStringVar(input StringVar, key KeyWithType) (string, error)

DecryptSingleEncryptedValueStringVar takes the content of a string variable, interprets it as an EncryptedValue and returns the result of decrypting that value using the provided key. Returns an error if the input string variable is not a valid string variable, if the contents of the string variable is not a valid EncryptedValue, or if the decryption fails.

func DecryptSingleEncryptedValueStringVarString

func DecryptSingleEncryptedValueStringVarString(input string, key KeyWithType) (string, error)

DecryptSingleEncryptedValueStringVarString takes the content of a string variable, interprets it as an EncryptedValue and returns the result of decrypting that value using the provided key. Returns an error if the input string variable is not a valid string variable, if the contents of the string variable is not a valid EncryptedValue, or if the decryption fails.

func NewRSAKeys

func NewRSAKeys(keySizeBits int) (pubKey KeyWithType, privKey KeyWithType, err error)

NewRSAKeys creates a new RSA public/private key pair of the specified size and returns new KeyWithType objects that is typed as an RSA public key and RSA private key and contains the corresponding key material.

func NormalizeEncryptedValueStringVars

func NormalizeEncryptedValueStringVars(input []byte, key KeyWithType, normalized map[string]EncryptedValue) []byte

NormalizeEncryptedValueStringVars returns a new byte slice in which all of the string variables in the input that consist of encrypted values that have the same decrypted plaintext representation when decrypted using the provided key will be normalized such that their encrypted values are the same. The replacement is performed on the content of the string variables, so the returned slice will still contain string variables.

If the decrypted plaintext exists as a key in the "normalized" map, then it is substituted with the value in that map. If the map does not contain an entry for the plaintext, the first time it is encountered it is added to the map with its corresponding EncryptedValue, and every subsequent occurrence in the input will use the normalized value. On completion of the function, the "normalized" map will contain a key for every plaintext value in the input where the value will be the EncryptedValue that was used for all occurrences.

WARNING: after this function has been executed, the keys of the "normalized" map will contain all of the decrypted values in the input -- its use should be tracked carefully. The "normalized" version of the input is also less cryptographically secure because it makes the output more predictable -- for example, it makes it possible to determine that multiple different encrypted values have the same underlying plaintext value.

The intended usage of this function is limited to very specific cases in which there is a requirement that the same plaintext must render to the same encrypted value for a specific key. Ensure that you fully understand the ramifications of this and only use this function if it is absolutely necessary.

Types

type AlgorithmType

type AlgorithmType string

AlgorithmType represents the algorithm used to encrypt a value.

func ToAlgorithmType

func ToAlgorithmType(val string) (AlgorithmType, error)

ToAlgorithmType returns the AlgorithmType that matches the provided string. Returns an error if the provided string does not match a known algorithm.

func (AlgorithmType) Encrypter

func (a AlgorithmType) Encrypter() Encrypter

Encrypter returns a new Encrypter that uses the default encryption parameters specified by encrypted-config-value that can be used to create EncryptedValue objects for the receiver algorithm.

func (AlgorithmType) GenerateKeyPair

func (a AlgorithmType) GenerateKeyPair() (KeyPair, error)

GenerateKeyPair generates a new KeyPair using the default size/parameters specified by encrypted-config-value that can be used to encrypt and decrypt values for the receiver algorithm.

type EncryptedValue

type EncryptedValue interface {
	// Decrypt decrypts this value using the provided key and returns the decrypted string. The provided key must be
	// a decryption key that supports decrypting the stored encrypted value and is compatible with the encryption
	// algorithm. Returns an error if the provided decryption key is not a valid key for decrypting this value or if
	// an error is encountered during decryption.
	Decrypt(key KeyWithType) (string, error)

	// ToSerializable returns the string that can be used to serialize this EncryptedValue. The returned string can
	// be used as input to the "NewEncryptedValue" function to recreate the value. The serialized string is of the
	// form "enc:<base64-encoded-content>". The exact content that is base64-encoded is dependent on the concrete
	// implementation. A valid EncryptedValue must be able to successfully generate a serializable form of itself --
	// that is, for any valid EncryptedValue, this call must succeed and produce valid output.
	ToSerializable() SerializedEncryptedValue
}

EncryptedValue represents a value that has been encrypted using encrypted-config-value. The value can be decrypted when provided with a key (the type of the key should be a decryption key that can decrypt the value) and supports returning a string representation that can be used to serialize the EncryptedValue.

func MustNewEncryptedValue

func MustNewEncryptedValue(evStr string) EncryptedValue

MustNewEncryptedValue returns the result of calling NewEncryptedValue with the provided arguments. Panics if the call returns an error. This function should only be used when instantiating values that are known to be formatted correctly.

func MustNewEncryptedValueFromSerialized

func MustNewEncryptedValueFromSerialized(evStr SerializedEncryptedValue) EncryptedValue

MustNewEncryptedValueFromSerialized returns the result of calling NewEncryptedValueFromSerialized with the provided arguments. Panics if the call returns an error. This function should only be used when instantiating values that are known to be formatted correctly.

func NewEncryptedValue

func NewEncryptedValue(evStr string) (EncryptedValue, error)

NewEncryptedValue creates a new encrypted value from its string representation. The string representation of an EncryptedValue is of the form "enc:<base64-text>".

EncryptedValue has a legacy format (values generated by implementations up to version 1.0.2) and a new format (values generated by implementations after 1.0.2). In the legacy format, the <base64-text> encodes the bytes of the ciphertext. In the new format, the <base64-text> encodes the JSON string representation of the EncryptedValue.

If the decoded <base64-text> is valid JSON, this function treats it as a new format value; otherwise, it decodes it as a legacy format value.

func NewEncryptedValueFromSerialized

func NewEncryptedValueFromSerialized(evStr SerializedEncryptedValue) (EncryptedValue, error)

NewEncryptedValueFromSerialized creates a new encrypted value from its string serialized representation.

type Encrypter

type Encrypter interface {
	// Encrypt returns a new EncryptedValue that is the result of encrypting the provided plaintext using the
	// provided key. The provided key must be a valid encryption key. The returned EncryptedValue will be encrypted
	// using the algorithm that is appropriate for the specified key. Returns an error if the provided key is not
	// a valid encryption key or if an error is encountered during encryption.
	Encrypt(input string, key KeyWithType) (EncryptedValue, error)
}

func LegacyAESGCMEncrypter

func LegacyAESGCMEncrypter() Encrypter

LegacyAESGCMEncrypter returns an encrypter that encrypts values using the legacy AES parameters (256-bit nonce and 128-bit tag). The returned EncryptedValue will also be serialized in the legacy format of "AES:<base64-encoded-(nonce+ciphertext+tag)>".

func LegacyRSAOAEPEncrypter

func LegacyRSAOAEPEncrypter() Encrypter

LegacyRSAOAEPEncrypter returns an encrypter that encrypts values using the legacy RSA parameters (SHA-256 for the OAEP hash algorithm, SHA-1 for the MDF1 hash algorithm). The returned EncryptedValue will also be serialized in the legacy format of "RSA:<base64-encoded-ciphertext>".

func NewAESGCMEncrypter

func NewAESGCMEncrypter() Encrypter

NewAESGCMEncrypter returns an encrypter that encrypts values using encrypted-config-value's standard AES parameters (96-bit nonce and 128-bit tag). The returned EncryptedValue will be serialized in the new format of "AES:<base64-encoded-JSON>", where the JSON is the JSON representation of the aesGCMEncryptedValueJSON struct.

func NewRSAOAEPEncrypter

func NewRSAOAEPEncrypter() Encrypter

NewRSAOAEPEncrypter returns an encrypter that encrypts values using encrypted-config-value's standard RSA parameters (SHA-256 for the OAEP hash algorithm, SHA-256 for the MDF1 hash algorithm). The returned EncryptedValue will be serialized in the new format of "RSA:<base64-encoded-JSON>", where the JSON is the JSON representation of the rsaOAEPEncryptedValueJSON struct.

type KeyGenerator

type KeyGenerator func([]byte) (KeyWithType, error)

KeyGenerator defines a function which, given the byte representation of a key, returns a KeyWithType. The provided bytes are typically the raw or encoded bytes for the key itself. It is typically the responsibility of the generator function to provide the KeyType information required for the returned KeyWithType.

type KeyPair

type KeyPair struct {
	EncryptionKey KeyWithType
	DecryptionKey KeyWithType
}

KeyPair stores a key pair that can be used to encrypt and decrypt values. For symmetric-key algorithms, the encryption key and decryption key will be the same.

func NewAESKeyPair

func NewAESKeyPair() (KeyPair, error)

NewAESKeyPair creates a new KeyPair that contains a newly generated AES key of the default size for encrypted-config-value (256 bits). The encryption key and decryption key of the key pair are both the same newly generated key.

func NewRSAKeyPair

func NewRSAKeyPair() (KeyPair, error)

NewRSAKeyPair creates a new KeyPair that contains a newly generated RSA key pair of the default size for encrypted-config-value (2048 bits). The encryption key of the key pair is the public key and the decryption key is the private key.

type KeyType

type KeyType string

KeyType represents a specific type of key.

func ToKeyType

func ToKeyType(val string) (KeyType, error)

ToKeyType returns the KeyType that matches the provided string. Returns an error if the provided string does not match a known key type.

func (KeyType) AlgorithmType

func (kt KeyType) AlgorithmType() AlgorithmType

AlgorithmType returns the encryption algorithm that corresponds the the key type of the receiver.

func (KeyType) Generator

func (kt KeyType) Generator() KeyGenerator

Generator returns a new KeyGenerator which, given the byte representation for the content of a key of the receiver type, returns a new KeyWithType for a key of the receiver type.

type KeyWithType

type KeyWithType struct {
	Type KeyType
	Key  encryption.Key
}

KeyWithType stores a typed key.

func AESKeyFromBytes

func AESKeyFromBytes(key []byte) KeyWithType

AESKeyFromBytes creates a new AES key that uses the provided bytes as its key material and returns a new KeyWithType that is typed as an AES key and contains the generated key.

func AESKeyFromKey

func AESKeyFromKey(key *encryption.AESKey) KeyWithType

AESKeyFromKey returns a new KeyWithType that wraps the provided AESKey.

func MustNewKeyWithType

func MustNewKeyWithType(input string) KeyWithType

MustNewKeyWithType returns the result of calling NewKeyWithType with the provided arguments. Panics if the call returns an error. This function should only be used when instantiating keys that are known to be formatted correctly.

func MustNewKeyWithTypeFromSerialized

func MustNewKeyWithTypeFromSerialized(input SerializedKeyWithType) KeyWithType

MustNewKeyWithTypeFromSerialized returns the result of calling NewKeyWithTypeFromSerialized with the provided arguments. Panics if the call returns an error. This function should only be used when instantiating keys that are known to be formatted correctly.

func NewAESKey

func NewAESKey(keySizeBits int) (KeyWithType, error)

NewAESKey creates a new AES key of the specified size and returns a new KeyWithType that is typed as an AES key and contains the newly generated key.

func NewKeyWithType

func NewKeyWithType(input string) (KeyWithType, error)

NewKeyWithType returns a new KeyWithType based on the provided string, which must be the serialized form of the key compatible with the format generated by ToSerializable. Returns an error if the provided input cannot be parsed as a KeyWithType.

For backwards-compatibility, this function also supports deserializing RSA key values that were serialized using the "legacy" format. The legacy format for RSA keys was "RSA:<base64-encoded-public-or-private-key>". If the provided input is of this form, it will be attempted to be parsed as a private key and then as a public key. If either of these operations succeeds, the proper KeyWithType is returned. Otherwise, an error is returned. Note that, although legacy values can be read, the returned KeyWithType will be of the new form, and calling "ToSerializable" on the returned KeyWithType will return the new form. Serializing RSA keys in the old form is not supported.

func NewKeyWithTypeFromSerialized

func NewKeyWithTypeFromSerialized(input SerializedKeyWithType) (KeyWithType, error)

NewKeyWithTypeFromSerialized returns a new KeyWithType based on the provided SerializedKeyWithType.

func RSAPrivateKeyFromBytes

func RSAPrivateKeyFromBytes(key []byte) (KeyWithType, error)

RSAPrivateKeyFromBytes creates a new KeyWithType that contains an RSA private key constructed using the provided bytes. The input bytes must be the bytes for an X.509 PKCS-8 private key.

func RSAPrivateKeyFromKey

func RSAPrivateKeyFromKey(key *encryption.RSAPrivateKey) KeyWithType

RSAPrivateKeyFromKey returns a new KeyWithType that wraps the provided RSAPrivateKey.

func RSAPublicKeyFromBytes

func RSAPublicKeyFromBytes(key []byte) (KeyWithType, error)

RSAPublicKeyFromBytes creates a new KeyWithType that contains an RSA public key constructed using the provided bytes. The input bytes must be the bytes for an X.509 PEM PKIX public key.

func RSAPublicKeyFromKey

func RSAPublicKeyFromKey(key *encryption.RSAPublicKey) KeyWithType

RSAPublicKeyFromKey returns a new KeyWithType that wraps the provided RSAPublicKey.

func (KeyWithType) ToSerializable

func (kwt KeyWithType) ToSerializable() SerializedKeyWithType

ToSerializable returns the string that can be used to serialize this KeyWithType. The returned string can be used as input to the "NewKeyWithType" function to recreate the value. The serialized string is of the form "<key-type>:<base64-encoded-key-bytes>".

type SerializedEncryptedValue

type SerializedEncryptedValue string

SerializedEncryptedValue is the serialized string representation of an EncryptedValue. It is a string of the form "enc:<base64-encoded-encrypted-value>".

type SerializedKeyWithType

type SerializedKeyWithType string

SerializedKeyWithType is the serialized string representation of a KeyWithType. It is a string of the form "<key-type>:<base64-encoded-key-bytes>".

type StringVar

type StringVar string

StringVar represents a string variable. It is a string of the form "${...}", where the content of the string variable is the text that occurs between the braces.

func NewStringVar

func NewStringVar(input string) StringVar

NewStringVar returns a new string variable that consists of wrapping the provided string within a string variable format. It does so by prepending "${" and appending "}" to the input. This string variable form is compatible with the default string variable form used by the org.apache.commons.lang3.text.StrSubstitutor library.

func (StringVar) Contents

func (sv StringVar) Contents() (string, error)

Contents returns contents of the string variable. Returns an error if the provided input is not a valid string variable (if it does not start with "${" and end with "}").

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL