Documentation
¶
Overview ¶
Package cryptoutil implements utility functions for signing, checking, encrypting and decrypting values.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // Tried to encrypt a value without specifying a key. ErrNoEncryptionKey = errors.New("no encryption key specified") // Could not decrypt encrypted value (it was probably tampered with). ErrCouldNotDecrypt = errors.New("could not decrypt value") )
var ( // Tried to sign with an empty key. ErrNoSigningKey = errors.New("no signing key specified") // The value does not seem to be signed. ErrNotSigned = errors.New("value does look like it was signed") // Signature does not match (definitely tampered). ErrTampered = errors.New("the value has been tampered with") )
Functions ¶
This section is empty.
Types ¶
type EncryptSigner ¶
type EncryptSigner struct {
// Encrypter used for encryption/decryption.
Encrypter *Encrypter
// Signer used for signing/unsigning.
Signer *Signer
}
EncryptSigner is a conveniency type which performs encryption with and then signs the encrypted data.
func (*EncryptSigner) EncryptSign ¶
func (e *EncryptSigner) EncryptSign(data []byte) (string, error)
EncryptSign encrypts the data using the EncryptSigner Encrypter and the signs it using its Signer.
func (*EncryptSigner) UnsignDecrypt ¶
func (e *EncryptSigner) UnsignDecrypt(data string) ([]byte, error)
UnsignDecrypt takes an encrypted and signed string, previously returned from EncryptSign, checks its signature and returns the decrypted data. If the signature does not match or the data can't be correctly decrypted an error is returned.
type Encrypter ¶
type Encrypter struct {
// Cipherer returns a cipher.Block initialized with
// the given key. If nil, it defaults to aes.NewCipher
Cipherer Cipherer
// Key is the encryption key. If empty, all public methods
// will return ErrNoEncryptionKey.
Key []byte
}
Encrypter performs symmetrical encryption and decryption using a block cipher in CTR mode and a random IV. It's important to note that the output from Encrypt must also be authenticated in other to be secure. One easy way to the that is using Signer.
type Signer ¶
type Signer struct {
// Hasher is the function used to obtain a hash.Hash from the
// Key.
Hasher Hasher
// Key is the key used for signing the data.
Key []byte
// Salt is prepended to the value to be signed. See the Signer
// documentation for security considerations about the salt.
Salt []byte
}
Signer signs messages using the provided Hasher function, Key and, optionally but highly recommended, a Salt. The data and the signature are base64 encoded, removing any padding ('=') characters, so its output can be safely used in cookies, urls or headers. Note that you MUST use a unique salt in every system of your app which uses a Signer, otherwise you might be exposing yourself to security risks (e.g. if you use signing in your forms and in some authentication system, it's ok to use the same salt for all the forms, but not to use the same salt for the forms and the authentication).
Source Files