Documentation
Overview
Package crypto provides access to secure encryption and signing methods.
Index
- Constants
- func CreateMasterKeyObject(ctx context.Context, password []byte, masterKey *[]byte) (*primitive.MasterKey, error)
- func DeriveLoginHMAC(ctx context.Context, password []byte, salt, token string) (string, error)
- func EncryptPasswordObject(ctx context.Context, password string, currentMasterKey *[]byte) (*primitive.UserPassword, *primitive.MasterKey, error)
- func GenerateSalt(ctx context.Context) (*base64url.Value, error)
- type EncryptionKeyPair
- type Engine
- func (e *Engine) Box(ctx context.Context, pt []byte, privKP *EncryptionKeyPair, pubKey []byte) ([]byte, []byte, error)
- func (e *Engine) BoxCredential(ctx context.Context, pt, encMec, mecNonce []byte, privKP *EncryptionKeyPair, ...) ([]byte, []byte, []byte, error)
- func (e *Engine) ChangePassword(ctx context.Context, newPassword string) (*primitive.UserPassword, *primitive.MasterKey, error)
- func (e *Engine) CloneMembership(ctx context.Context, encMec, mecNonce []byte, privKP *EncryptionKeyPair, ...) ([]byte, []byte, error)
- func (e *Engine) GenerateKeyPairs(ctx context.Context) (*KeyPairs, error)
- func (e *Engine) Seal(ctx context.Context, pt []byte) ([]byte, []byte, error)
- func (e *Engine) Sign(ctx context.Context, s SignatureKeyPair, b []byte) ([]byte, error)
- func (e *Engine) SignedEnvelope(ctx context.Context, body identity.Immutable, sigID *identity.ID, ...) (*envelope.Signed, error)
- func (e *Engine) Unbox(ctx context.Context, ct, nonce []byte, privKP *EncryptionKeyPair, ...) ([]byte, error)
- func (e *Engine) UnboxCredential(ctx context.Context, ct, encMec, mecNonce, cekNonce, ctNonce []byte, ...) ([]byte, error)
- func (e *Engine) Unseal(ctx context.Context, ct, nonce []byte) ([]byte, error)
- func (e *Engine) Verify(ctx context.Context, s SignatureKeyPair, b, sig []byte) (bool, error)
- func (e *Engine) WithUnboxer(ctx context.Context, encMec, mecNonce []byte, privKP *EncryptionKeyPair, ...) error
- type KeyPairs
- type LoginKeypair
- type SignatureKeyPair
- type Unboxer
Constants
const (
	Triplesec  = "triplesec-v3"
	EdDSA      = "eddsa"
	Curve25519 = "curve25519"
	EasyBox    = "easybox"
	SecretBox  = "secretbox"
	Scrypt     = "scrypt"
)
Crypto Algorithm name constants.
Functions
func CreateMasterKeyObject (added in v0.15.0)
func CreateMasterKeyObject(ctx context.Context, password []byte, masterKey *[]byte) (*primitive.MasterKey, error)
CreateMasterKeyObject generates a 256 byte master key, which is then encrypted with TripleSec-v3 using the given password.
func DeriveLoginHMAC
DeriveLoginHMAC HMACs the provided token with a key derived from password and the provided base64-encoded salt.
func EncryptPasswordObject
func EncryptPasswordObject(ctx context.Context, password string, currentMasterKey *[]byte) (*primitive.UserPassword, *primitive.MasterKey, error)
EncryptPasswordObject derives the master key (if necessary) and password hash from password and salt, returning the master and password objects.
Types
type EncryptionKeyPair
EncryptionKeyPair is a curve25519 encryption keypair. The private portion of the keypair is encrypted with triplesec.
PNonce contains the nonce used when deriving the password used to encrypt the private portion.
type Engine
type Engine struct {
// contains filtered or unexported fields
}
Engine exposes methods to encrypt, decrypt and sign values, using the logged in user's credentials.
func (*Engine) Box
func (e *Engine) Box(ctx context.Context, pt []byte, privKP *EncryptionKeyPair, pubKey []byte) ([]byte, []byte, error)
Box encrypts the plaintext pt bytes with Box for the public key pubKey, using the private key found in privKP, which is first decrypted with the user's master key.
It returns the ciphertext, the nonce used for encrypting the plaintext, and an optional error.
func (*Engine) BoxCredential
func (e *Engine) BoxCredential(ctx context.Context, pt, encMec, mecNonce []byte, privKP *EncryptionKeyPair, pubKey []byte) ([]byte, []byte, []byte, error)
BoxCredential encrypts the credential value pt via symmetric secretbox encryption.
Doing so is a multistep process. First we use the user's session data to unseal their private encryption key. With their encryption key and the public encryption key provided, we can decrypt the keyring master key (mek). Using mek and a generated nonce, we derive the credential encryption key (cek) via blake2b. Finally, we use the cek and a generated nonce to encrypt the credential.
BoxCredential returns the nonce generated to derive the credential encryption key, the nonce generated for encrypting the credential, and the encrypted credential.
func (*Engine) ChangePassword (added in v0.17.0)
func (e *Engine) ChangePassword(ctx context.Context, newPassword string) (*primitive.UserPassword, *primitive.MasterKey, error)
ChangePassword creates a password object and re-encrypts the master key.
func (*Engine) CloneMembership
func (e *Engine) CloneMembership(ctx context.Context, encMec, mecNonce []byte, privKP *EncryptionKeyPair, encPubKey, targetPubKey []byte) ([]byte, []byte, error)
CloneMembership decrypts the given KeyringMember object, and creates another for the targeted user.
func (*Engine) GenerateKeyPairs
GenerateKeyPairs generates an ed25519 signing key pair and a curve25519 encryption key pair for the user, encrypting the private keys in triplesec-v3 with the user's master key.
func (*Engine) Seal
Seal encrypts the plaintext pt bytes with triplesec-v3 using a key derived via blake2b from the user's master key and a nonce (returned).
func (*Engine) SignedEnvelope
func (e *Engine) SignedEnvelope(ctx context.Context, body identity.Immutable, sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.Signed, error)
SignedEnvelope returns a new SignedEnvelope containing body.
func (*Engine) Unbox
func (e *Engine) Unbox(ctx context.Context, ct, nonce []byte, privKP *EncryptionKeyPair, pubKey []byte) ([]byte, error)
Unbox decrypts and verifies ciphertext ct that was previously encrypted using the provided nonce, and the inverse parts of the provided keypairs.
func (*Engine) UnboxCredential
func (e *Engine) UnboxCredential(ctx context.Context, ct, encMec, mecNonce, cekNonce, ctNonce []byte, privKP *EncryptionKeyPair, pubKey []byte) ([]byte, error)
UnboxCredential does the inverse of BoxCredential to retrieve the plaintext version of a credential.
func (*Engine) Unseal
Unseal decrypts the ciphertext ct, encrypted with triplesec-v3, using a key derived via blake2b from the user's master key and the provided nonce.
type KeyPairs
type KeyPairs struct {
	Signature  SignatureKeyPair
	Encryption EncryptionKeyPair
}
KeyPairs contains a signature and an encryption keypair for a user.
type LoginKeypair (added in v0.15.0)
type LoginKeypair struct {
// contains filtered or unexported fields
}
LoginKeypair represents an Ed25519 keypair used for generating a login token signature for Passphrase-Derived Public Key Authentication.
func DeriveLoginKeypair (added in v0.15.0)
DeriveLoginKeypair derives the ed25519 login keypair used for machine authentication from the given salt and secret values.
func (*LoginKeypair) PublicKey (added in v0.15.0)
func (k *LoginKeypair) PublicKey() *base64url.Value
PublicKey returns the base64 value of the public key.
func (*LoginKeypair) Salt (added in v0.15.0)
func (k *LoginKeypair) Salt() *base64url.Value
Salt returns the base64 representation of the salt used to derive the LoginKeypair.
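The passphrase-derived public key login that LoginKeypair describes, as an added example that is not this package's own code: the client re-derives an Ed25519 keypair from secret and salt and signs the login token, while the server verifies with only the stored public key. The stretch function (a hand-written PBKDF2-HMAC-SHA256) is a stand-in, because the page does not state which KDF DeriveLoginKeypair uses; all function names, the iteration count and the sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// stretch is PBKDF2-HMAC-SHA256 limited to one 32-byte output block. It is an
// assumed stand-in KDF that keeps this example inside the standard library.
func stretch(secret, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	out := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// deriveLogin maps (secret, salt) to a keypair; same inputs, same keypair.
func deriveLogin(secret, salt []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(stretch(secret, salt, 100_000))
	return priv.Public().(ed25519.PublicKey), priv
}

// signToken is the client side: sign the server-issued login token.
func signToken(secret, salt, token []byte) []byte {
	_, priv := deriveLogin(secret, salt)
	return ed25519.Sign(priv, token)
}

// verifyToken is the server side: it holds only the public key registered
// earlier and never receives the secret.
func verifyToken(pub ed25519.PublicKey, token, sig []byte) bool {
	return ed25519.Verify(pub, token, sig)
}

func main() {
	salt, token := []byte("constructed-salt"), []byte("constructed-token") // sample values
	pub, _ := deriveLogin([]byte("correct horse"), salt)
	fmt.Println(verifyToken(pub, token, signToken([]byte("correct horse"), salt, token)),
		verifyToken(pub, token, signToken([]byte("wrong guess"), salt, token)))
}
```

Because the keypair is a pure function of secret and salt, the salt must be retrievable before login, and the strength of the scheme rests on the KDF cost and the secret's entropy.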
type SignatureKeyPair
SignatureKeyPair is an ed25519/eddsa digital signature keypair. The private portion of the keypair is encrypted with triplesec.
PNonce contains the nonce used when deriving the password used to encrypt the private portion.