Affected by GO-2022-0783 and 4 other vulnerabilities

GO-2022-0783: JWT leak via Open Redirect in Programmatic access in github.com/pomerium/pomerium

GO-2022-0933: Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium

GO-2023-1800: Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium

GO-2024-2965: Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

GO-2024-3179: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

cryptutil

package

v0.6.4 Latest Latest Go to latest Published: Apr 8, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func CertPoolFromBase64(encPemCerts string) (*x509.CertPool, error)
func CertPoolFromFile(pemFile string) (*x509.CertPool, error)
func CertifcateFromBase64(cert, key string) (*tls.Certificate, error)
func CertificateFromFile(certFile, keyFile string) (*tls.Certificate, error)
func CheckHMAC(data, suppliedMAC []byte, key string) bool
func CheckPasswordHash(hash, password []byte) error
func DecodePrivateKey(encodedKey []byte) (*ecdsa.PrivateKey, error)
func DecodePublicKey(encodedKey []byte) (*ecdsa.PublicKey, error)
func Decrypt(a cipher.AEAD, data, ad []byte) ([]byte, error)
func EncodePrivateKey(key *ecdsa.PrivateKey) ([]byte, error)
func EncodePublicKey(key *ecdsa.PublicKey) ([]byte, error)
func Encrypt(a cipher.AEAD, data, ad []byte) []byte
func GenerateHMAC(data []byte, key string) []byte
func Hash(tag string, data []byte) []byte
func HashPassword(password []byte) ([]byte, error)
func NewAEADCipher(secret []byte) (cipher.AEAD, error)
func NewAEADCipherFromBase64(s string) (cipher.AEAD, error)
func NewBase64Key() string
func NewKey() []byte
func NewRandomStringN(c int) string
func ValidTimestamp(ts string) error

Examples ¶

Hash

Constants ¶

View Source

const DefaultKeySize = 32

DefaultKeySize is the default key size in bytes.

View Source

const (
	// DefaultLeeway defines the default leeway for matching NotBefore/Expiry claims.
	DefaultLeeway = 5.0 * time.Minute
)

Variables ¶

This section is empty.

Functions ¶

func CertPoolFromBase64 ¶ added in v0.3.0

func CertPoolFromBase64(encPemCerts string) (*x509.CertPool, error)

func CertPoolFromFile ¶ added in v0.3.0

func CertPoolFromFile(pemFile string) (*x509.CertPool, error)

func CertifcateFromBase64 ¶ added in v0.3.0

func CertifcateFromBase64(cert, key string) (*tls.Certificate, error)

func CertificateFromFile ¶ added in v0.3.0

func CertificateFromFile(certFile, keyFile string) (*tls.Certificate, error)

func CheckHMAC ¶ added in v0.4.0

func CheckHMAC(data, suppliedMAC []byte, key string) bool

CheckHMAC securely checks the supplied MAC against a message using the shared secret key.

func CheckPasswordHash ¶

func CheckPasswordHash(hash, password []byte) error

CheckPasswordHash securely compares a bcrypt hashed password with its possible plaintext equivalent. Returns nil on success, or an error on failure.

func DecodePrivateKey ¶ added in v0.0.2

func DecodePrivateKey(encodedKey []byte) (*ecdsa.PrivateKey, error)

DecodePrivateKey decodes a PEM-encoded ECDSA private key.

func DecodePublicKey ¶ added in v0.0.2

func DecodePublicKey(encodedKey []byte) (*ecdsa.PublicKey, error)

DecodePublicKey decodes a PEM-encoded ECDSA public key.

func Decrypt ¶ added in v0.4.0

func Decrypt(a cipher.AEAD, data, ad []byte) ([]byte, error)

Decrypt a value with optional associated data

func EncodePrivateKey ¶ added in v0.0.2

func EncodePrivateKey(key *ecdsa.PrivateKey) ([]byte, error)

EncodePrivateKey encodes an ECDSA private key to PEM format.

func EncodePublicKey ¶ added in v0.0.2

func EncodePublicKey(key *ecdsa.PublicKey) ([]byte, error)

EncodePublicKey encodes an ECDSA public key to PEM format.

func Encrypt ¶ added in v0.4.0

func Encrypt(a cipher.AEAD, data, ad []byte) []byte

Encrypt encrypts a value with optional associated data

Panics if source of randomness fails.

func GenerateHMAC ¶ added in v0.4.0

func GenerateHMAC(data []byte, key string) []byte

GenerateHMAC produces a symmetric signature using a shared secret key.

func Hash ¶

func Hash(tag string, data []byte) []byte

Hash generates a hash of data using HMAC-SHA-512/256. The tag is intended to be a natural-language string describing the purpose of the hash, such as "hash file for lookup key" or "master secret to client secret". It serves as an HMAC "key" and ensures that different purposes will have different hash output. This function is NOT suitable for hashing passwords.

Example ¶

tag := "hashing file for lookup key"
contents, err := ioutil.ReadFile("testdata/random")
if err != nil {
	fmt.Printf("could not read file: %v\n", err)
	os.Exit(1)
}
digest := Hash(tag, contents)
fmt.Println(hex.EncodeToString(digest))

Output:

9f4c795d8ae5c207f19184ccebee6a606c1fdfe509c793614066d613580f03e1

func HashPassword ¶

func HashPassword(password []byte) ([]byte, error)

HashPassword generates a bcrypt hash of the password using work factor 14.

func NewAEADCipher ¶ added in v0.4.0

func NewAEADCipher(secret []byte) (cipher.AEAD, error)

NewAEADCipher takes secret key and returns a new XChacha20poly1305 cipher.

func NewAEADCipherFromBase64 ¶ added in v0.4.0

func NewAEADCipherFromBase64(s string) (cipher.AEAD, error)

NewAEADCipherFromBase64 takes a base64 encoded secret key and returns a new XChacha20poly1305 cipher.

func NewBase64Key ¶ added in v0.4.0

func NewBase64Key() string

NewBase64Key generates a random base64 encoded 32-byte key.

Panics if source of randomness fails.

func NewKey ¶ added in v0.4.0

func NewKey() []byte

NewKey generates a random 32-byte (256 bit) key.

Panics if source of randomness fails.

func NewRandomStringN ¶ added in v0.4.0

func NewRandomStringN(c int) string

NewRandomStringN returns base64 encoded random string of a given num of bytes.

Panics if source of randomness fails.

func ValidTimestamp ¶ added in v0.4.0

func ValidTimestamp(ts string) error

ValidTimestamp is a helper function often used in conjunction with an HMAC function to verify that the timestamp (in unix seconds) is within leeway period.

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL