Documentation ¶
Overview ¶
cryptography provides functions implementing commonly needed cryptographic operations - symmetric encryption, digital signatures, hashes, time based one time passwords. It presents a compact and ready-to-go cryptographic toolbox for developers.
The package is intended to step on trustworthy cryptographic implementations from the Go standard library and the Google Cloud KMS API offering easy to use and intendedly safe cryptographic utilities for a broad set of development cases.
Note of caution: please do not try to change the internal workings of the functions unless you do know what you are doing. If there is a security concern or a recommendation it would be warmly welcomed and promtly addressed.
Index ¶
- func Checksum(message []byte) uint32
- func DecryptAeadGkms(ciphertextHex string, keyName string) (string, error)
- func DecryptAesGcm(ciphertextHex string, key string) (string, error)
- func DecryptChaCha20(ciphertext string, key string) (string, error)
- func DecryptRsa(ciphertextHex string, privateKeyPem string) (string, error)
- func DecryptRsaGkms(ciphertextHex string, privateKeyName string) (string, error)
- func EcdsaKeyPair() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)
- func EcdsaKeyPairHex() (string, string, error)
- func EcdsaPrivateKeyFromHex(privateKeyHex string) (*ecdsa.PrivateKey, error)
- func EcdsaPublicKeyFromHex(publicKeyHex string) (*ecdsa.PublicKey, error)
- func EncryptAeadGkms(message string, keyName string) (string, error)
- func EncryptAesGcm(message string, key string) (string, error)
- func EncryptChaCha20(message string, key string) (string, error)
- func EncryptRsa(plainText string, puplicKeyPem string) (string, error)
- func EncryptRsaGkms(ciphertextHex string, privateKeyName string) (string, error)
- func EnvelopeDecryptAes(ciphertext string, encryptedSymmetricKey string, privateKeyPem string) (string, error)
- func EnvelopeEncryptAes(message string, publicKeyPem string) (string, string, error)
- func HashPassword(password string, salt string) (string, error)
- func HashPasswordCustom(password string, salt string, time, memory uint32, threads uint8, ...) (string, error)
- func Key128b() (string, error)
- func Key256b() (string, error)
- func Key512b() (string, error)
- func KeyChaCha20() (string, error)
- func PublicKeyPemFromPrivateKeyPem(privateKeyPem string) (string, error)
- func PublicRsaKeyFromPrivateKeyName(privateKeyName string) (*rsa.PublicKey, error)
- func RandomHex(nBytes int) (string, error)
- func RsaKeyPair() (*rsa.PrivateKey, *rsa.PublicKey, error)
- func RsaKeyPairBase64() (string, string, error)
- func RsaKeyPairPem() (string, string, error)
- func RsaPrivateKeyAsPemStr(privatekey *rsa.PrivateKey) string
- func RsaPrivateKeyFromPemStr(privateKeyPEM string) (*rsa.PrivateKey, error)
- func RsaPublicKeyAsPemStr(publicKey *rsa.PublicKey) (string, error)
- func RsaPublicKeyFromPemStr(publicKeyPem string) (*rsa.PublicKey, error)
- func Sha256Digest(text string) string
- func SignEcdsa(message string, privateKeyHex string) (string, error)
- func SignGkms(message string, privateKeyName string) (string, error)
- func SignRsaPKCS1v15(message string, privateKeyPem string) (string, error)
- func SignRsaPss(message string, privateKeyPem string) (string, error)
- func VerifyEcdsa(message string, signatureHex string, publicKeyHex string) error
- func VerifyRsaPKCS1v15(message string, signatureHex string, publicKeyPem string) error
- func VerifyRsaPss(message string, signatureHex string, publicKeyPem string) error
- func VerifySignatureGkms(message string, signatureHex string, publicKeyPem string) error
- type TotpManager
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DecryptAeadGkms ¶
DecryptAeadGkms decrypts ciphertexts from EncryptAeadGkms with a particular keyName key (specified by keyName), using the Google KMS service (https://cloud.google.com/kms/docs/encrypt-decrypt). keyName: format "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key".
The function uses Google's recommended way of operating with the GCP KMS encryption/decryption service and its inclusion here is intended to provide convenience to the developer from having multiple cryptographic tools in one place.
Using this function has a main advantage that the key value is never exposed and is handled securely by the GCP KMS service. The downside is that it binds you to a particular cloud provider as well as it has a minor but still non-zero cost per key and per an encryption/decryption operation.
func DecryptAesGcm ¶
DecryptAesGcm peforms AES GCM decryption with an explicitly provided encryption/decryption key (as opposed to a pointer/reference to a key). It reverses the result of EncryptAesGcm.
Note: the result of EncryptAesGcm is a string containing hexadecimal digits so that DecryptAesGcm expects a hex encoded input
func DecryptChaCha20 ¶
DecryptChaCha20 performs ChaCha20-poly1305 decryption with an explicitly provided encryption/decryption key (as opposed to a pointer/reference to a key) It reverses the result from EncryptChaCha20
func DecryptRsa ¶
DecryptRsa performs RSA OAEP asymmetric decryption using a key in PEM format. It implements the reverse operation of EncryptRsa
func DecryptRsaGkms ¶
DecryptRsaGkms performs RSA OAEP decryption with the Google Cloud Platform's KMS service (https://cloud.google.com/kms/docs/encrypt-decrypt-rsa). privateKeyName: format "projects/my-project/locations/europe/keyRings/my-keyring/cryptoKeys/my-key-name/cryptoKeyVersions/1".
The function uses Google's recommended way of operating with the GCP KMS encryption service and its inclusion here is intended to provide convenience to the developer from having multiple cryptographic tools in one place.
func EcdsaKeyPair ¶ added in v1.1.0
func EcdsaKeyPair() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)
EcdsaKeyPair generates privateKey and public key for ECDSA sign/verify purposes
func EcdsaKeyPairHex ¶ added in v1.1.0
EcdsaKeyPairHex generates hex-encoded privateKey and public key for ECDSA sign/verify purposes
func EcdsaPrivateKeyFromHex ¶ added in v1.1.0
func EcdsaPrivateKeyFromHex(privateKeyHex string) (*ecdsa.PrivateKey, error)
EcdsaPrivateKeyFromHex parses a hex-encoded ECDSA private key into *ecdsa.PrivateKey
func EcdsaPublicKeyFromHex ¶ added in v1.1.0
EcdsaPublicKeyFromHex parses a hex-encoded ECDSA public key into *ecdsa.PublicKey
func EncryptAeadGkms ¶
EncryptAeadGkms encrypts (AEAD) specified plaintext message with a particular keyName key (specified by keyName), using the Google KMS service (https://cloud.google.com/kms/docs/encrypt-decrypt). keyName: format "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key".
The function uses Google's recommended way of operating with the GCP KMS encryption service and its inclusion here is intended to provide convenience to the developer from having multiple cryptographic tools in one place.
Using this function has a main advantage that the key value is never exposed and is handled securely by the GCP KMS service. The downside is that it binds you to a particular cloud provider as well as it has a minor but still non-zero cost per key and per an encryption/decryption operation.
func EncryptAesGcm ¶
EncryptAesGcm peforms AES GCM encryption with an explicitly provided encryption/decryption key (as opposed to a pointer/reference to a key) The function expects string-type plaintext and key
Note: Do not use this function more than 2^32 with the same key due to the risk of repetition and its potentially very serious security implications (see https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=51288#page=29), rotate the keys accordingly considering the frequency of encryption operations
func EncryptChaCha20 ¶
EncryptyChaCha20 performs ChaCha20-poly1305 encryption with an explicitly provided encryption/decryption key (as opposed to a pointer/reference to a key) This is an authenticated encryption algorithm that is an alternative to AES GCM (for details see Wong, D., 2001, "Real-World Cryptography")
func EncryptRsa ¶
EncryptRsa performs RSA OAEP public key encryption using a key in PEM format
func EncryptRsaGkms ¶
EncryptRsaGkms performs RSA OAEP encryption with the Google Cloud Platform's KMS service (https://cloud.google.com/kms/docs/encrypt-decrypt-rsa). privateKeyName: format "projects/my-project/locations/europe/keyRings/my-keyring/cryptoKeys/my-key-name/cryptoKeyVersions/1".
The function uses Google's recommended way of operating with the GCP KMS encryption service and its inclusion here is intended to provide convenience to the developer from having multiple cryptographic tools in one place.
Notes: - The private key is requested as a parameter because the function will derive the public key from the private one on the fly. Alternatively, you can store the public key (e.g. as an environment variable) and use DecryptRsa instead. This would add an extra variable to manage but would spare an extra call to the GKMS API on each encryption case. - Using this function has a main advantage that the private key value is never exposed and is handled securely by the GCP KMS service. The downside is that it binds you to a particular cloud provider as well as it has a minor but still non-zero cost per key and per an encryption/decryption operation.
func EnvelopeDecryptAes ¶ added in v1.2.0
func EnvelopeDecryptAes(ciphertext string, encryptedSymmetricKey string, privateKeyPem string) (string, error)
EnvelopeDecryptAes performs decryption of ciphertext generated by EnvelopeEncryptAes Note: encryptedSymmetricKey has to be decryptable using privateKeyPem
Note: Asymmetric key is in PEM format
func EnvelopeEncryptAes ¶ added in v1.2.0
EnvelopeEncryptAes performs envelope encryption with one-off symmetric key using AES-GCM as symmetric encryption algorithm and RSA-OAEP as asymmetric one
Note: Asymmetric key is in PEM format
func HashPassword ¶ added in v1.4.0
HashPassword creates a password hash using the Argon2id algorithm (https://www.password-hashing.net/argon2-specs.pdf), generating an output resistant to dictionary and brute-force attacks specific to MD5 and SHA-X hashing algorithms, please check [https://cryptobook.nakov.com/mac-and-key-derivation/password-encryption] for details.
Parameters are selected using 11th Gen Intel® Core™ i9-11900H @ 2.50GHz × 16 / 32 RAM - performance will vary depending on the host system executing the function.
(!) IMPORTANT: Never use vanilla SHA-X or MD5 hashing algorithms for saving passwords because if the risks related to those algorithms, namely using rainbow tables or brute-forcing based on GPUs, FPGAs or ASICs that allow efficient computation of a sheer amount of hashes at high speed.
func HashPasswordCustom ¶ added in v1.4.0
func HashPasswordCustom(password string, salt string, time, memory uint32, threads uint8, keyLen uint32) (string, error)
HashPasswordCustom allows arbitrary tuning of the parameters of the underlying argon2 algorithm
func Key128b ¶
Key128b generates a 128-bit key as HEX-string using a random generator fit for cryptographic purposes
func Key256b ¶
Key256b generates a 256-bit key as HEX-string using a random generator fit for cryptographic purposes
func Key512b ¶
Key512b generates a 512-bit key as HEX-string using a random generator fit for cryptographic purposes
func KeyChaCha20 ¶
KeyChaCha20 generates a 256-bit key as HEX-string using a random generator fit for cryptographic purposes
func PublicKeyPemFromPrivateKeyPem ¶
PublicKeyPemFromPrivateKeyPem gets the PEM formated RSA public key from the respective PEM formated private key
func PublicRsaKeyFromPrivateKeyName ¶
PublicRsaKeyFromPrivateKeyName creates an *rsa.Publickey from an GCP KMS RSA private key referenced by [privateKeyName]
func RsaKeyPair ¶
func RsaKeyPair() (*rsa.PrivateKey, *rsa.PublicKey, error)
RsaKeyPair generates a pair of RSA keys
func RsaKeyPairBase64 ¶ added in v1.3.0
RsaKeyPairBase64 RsaKeyPair generates a pair of RSA keys in Base64 format
func RsaKeyPairPem ¶
RsaKeyPair generates a pair of RSA keys in PEM format
func RsaPrivateKeyAsPemStr ¶
func RsaPrivateKeyAsPemStr(privatekey *rsa.PrivateKey) string
RsaPrivateKeyAsPemStr converts an *rsa.PrivateKey into PEM formatted one
func RsaPrivateKeyFromPemStr ¶
func RsaPrivateKeyFromPemStr(privateKeyPEM string) (*rsa.PrivateKey, error)
RsaPrivateKeyFromPemStr converts a PEM formated RSA private key into an *rsa.PrivateKey
func RsaPublicKeyAsPemStr ¶
RsaPublicKeyAsPemStr converts an *rsa.PublicKey into a PEM formatted one
func RsaPublicKeyFromPemStr ¶
RsaPublicKeyFromPemStr converts a PEM formated RSA public key into *rsa.PublicKey
func Sha256Digest ¶
Sha256Digest generates a HEX-encoded message digest from a string input
func SignEcdsa ¶ added in v1.1.0
SignEcdsa issues hex-encoded ECDSA P256 digital signatures using a hex-encoded private key
func SignGkms ¶
SignGkms issues a hex encoded digitgal signature using the GKMS API.
Supported algorithms are RSA-PSS, RSA PKCS and ECDSA, see details on https://cloud.google.com/kms/docs/algorithms. Which algorithm is used is dictated by the type of the key used for the singing operation.
func SignRsaPKCS1v15 ¶
SingRsa issues RSA PKCS1v15 digital signatures using a PEM formated private key
func SignRsaPss ¶
SingRsaPss issues RSA PSS digital signatures using a PEM formated private key
func VerifyEcdsa ¶ added in v1.1.0
VerifyEcdsa checks the validity of ECDSA P256 digital signatures using a hex-encoded public key
func VerifyRsaPKCS1v15 ¶
VerifyRsaPKCS1v15 checks the validity of RSA PKCS1v15 digital signatures using a PEM formated public key
func VerifyRsaPss ¶
VerifyRsaPss checks the validity of RSA PSS digital signatures using a PEM formated public key
func VerifySignatureGkms ¶
VerifySignatureGkms checks the validity of a digital signature using the GKMS API
Supported algorithms are RSA-PSS, RSA PKCS and ECDSA, see details on https://cloud.google.com/kms/docs/algorithms. Which algorithm is used is dictated by the type of the key used for the signing operation.
Types ¶
type TotpManager ¶
type TotpManager struct { Issuer string AccountName string Algorithm string Period uint Secret []byte // Note: use a different secret for every client/user }
TotpManager is a an entity encapsulating all necessary data and methods to support the lifecycle of TOTPs (RFC 6238).
Supported hash algorithms are SHA256, SHA512 as well as SHA1. See caveats about SHA1 at https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure and at https://eprint.iacr.org/2006/187.pdf, etc. but please note that RFC 6238 "[...] is based on the HMAC-SHA-1 algorithm (as specified in [RFC2104])" as well as many apps like Microsoft Authenticatior, Google Authenticator and Authy still work only with SHA1, arguably because the collision vulnerabilities of SHA1 are barely exploitable in TOTP generation context where only a small portion of the hash string is used and the rest is truncated.
The public methods necessary to perform the generation and validation actions are attached to this class
func (TotpManager) Key ¶
func (tm TotpManager) Key() (*otp.Key, error)
Key creates a github.com/pquerna/otp *Key object which is subsequently used for creation and validation TOTPs
func (TotpManager) QrCode ¶
func (tm TotpManager) QrCode() (string, error)
QrCode generates a base64 encoded QR code from a particular TotpManager instance
func (TotpManager) TOTP ¶
func (tm TotpManager) TOTP() (string, error)
TOTP creates a 6-digit time based one time password using on the configuration data of a TotpManager instance