Documentation ¶
Overview ¶
Package tink defines interfaces for the crypto primitives that Tink supports.
Index ¶
- Constants
- func CleartextKeysetHandle() *cleartextKeysetHandle
- func CreateEncryptedKeyset(encryptedKeySet []byte, info *tinkpb.KeysetInfo) *tinkpb.EncryptedKeyset
- func CreateKey(keyData *tinkpb.KeyData, status tinkpb.KeyStatusType, keyID uint32, ...) *tinkpb.Keyset_Key
- func CreateKeyData(typeURL string, value []byte, materialType tinkpb.KeyData_KeyMaterialType) *tinkpb.KeyData
- func CreateKeyset(primaryKeyID uint32, keys []*tinkpb.Keyset_Key) *tinkpb.Keyset
- func DecryptKeyset(encryptedKeyset *tinkpb.EncryptedKeyset, masterKey Aead) (*tinkpb.Keyset, error)
- func EncryptKeyset(keyset *tinkpb.Keyset, masterKey Aead) (*tinkpb.EncryptedKeyset, error)
- func GetCurveName(curve commonpb.EllipticCurveType) string
- func GetHashName(hashType commonpb.HashType) string
- func GetKeyInfo(key *tinkpb.Keyset_Key) (*tinkpb.KeysetInfo_KeyInfo, error)
- func GetKeysetInfo(keyset *tinkpb.Keyset) (*tinkpb.KeysetInfo, error)
- func GetOutputPrefix(key *tinkpb.Keyset_Key) (string, error)
- func GetPrimitiveFromKey(typeURL string, key proto.Message) (interface{}, error)
- func GetPrimitiveFromKeyData(keyData *tinkpb.KeyData) (interface{}, error)
- func GetPrimitiveFromSerializedKey(typeURL string, serializedKey []byte) (interface{}, error)
- func NewKeyData(template *tinkpb.KeyTemplate) (*tinkpb.KeyData, error)
- func NewKeyFromKeyFormat(typeURL string, format proto.Message) (proto.Message, error)
- func NewKeyFromKeyTemplate(template *tinkpb.KeyTemplate) (proto.Message, error)
- func RegisterKeyManager(manager KeyManager) (bool, error)
- func ValidateKey(key *tinkpb.Keyset_Key) error
- func ValidateKeyset(keyset *tinkpb.Keyset) error
- func ValidateVersion(version uint32, maxExpected uint32) error
- type Aead
- type Entry
- type KeyManager
- type KeysetHandle
- type KeysetManager
- func (km *KeysetManager) GetKeysetHandle() (*KeysetHandle, error)
- func (km *KeysetManager) KeyTemplate() *tinkpb.KeyTemplate
- func (km *KeysetManager) Keyset() *tinkpb.Keyset
- func (km *KeysetManager) MasterKey() Aead
- func (km *KeysetManager) Rotate() error
- func (km *KeysetManager) RotateWithTemplate(keyTemplate *tinkpb.KeyTemplate) error
- func (km *KeysetManager) SetKeyTemplate(template *tinkpb.KeyTemplate)
- func (km *KeysetManager) SetKeyset(keyset *tinkpb.Keyset)
- func (km *KeysetManager) SetMasterKey(masterKey Aead)
- type Mac
- type PrimitiveSet
- func (ps *PrimitiveSet) AddPrimitive(primitive interface{}, key *tinkpb.Keyset_Key) (*Entry, error)
- func (ps *PrimitiveSet) GetPrimitivesWithByteIdentifier(id []byte) ([]*Entry, error)
- func (ps *PrimitiveSet) GetPrimitivesWithKey(key *tinkpb.Keyset_Key) ([]*Entry, error)
- func (ps *PrimitiveSet) GetPrimitivesWithStringIdentifier(id string) ([]*Entry, error)
- func (ps *PrimitiveSet) GetRawPrimitives() ([]*Entry, error)
- func (ps *PrimitiveSet) Primary() *Entry
- func (ps *PrimitiveSet) Primitives() map[string][]*Entry
- func (ps *PrimitiveSet) SetPrimary(e *Entry)
- type PrivateKeyManager
- type PublicKeySign
- type PublicKeyVerify
Constants ¶
const ( // Prefix size of Tink and Legacy key types. NonRawPrefixSize = 5 // Legacy or Crunchy prefix starts with \x00 and followed by a 4-byte key id. LegacyPrefixSize = NonRawPrefixSize LegacyStartByte = byte(0) // Tink prefix starts with \x01 and followed by a 4-byte key id. TinkPrefixSize = NonRawPrefixSize TinkStartByte = byte(1) // Raw prefix is empty. RawPrefixSize = 0 RawPrefix = "" )
*
- Constants and convenience methods that deal with crypto format.
Variables ¶
This section is empty.
Functions ¶
func CleartextKeysetHandle ¶
func CleartextKeysetHandle() *cleartextKeysetHandle
CleartextKeysetHandle returns the single instance of cleartextKeysetHandle.
func CreateEncryptedKeyset ¶ added in v1.1.1
func CreateEncryptedKeyset(encryptedKeySet []byte, info *tinkpb.KeysetInfo) *tinkpb.EncryptedKeyset
CreateEncryptedKeyset creates a new EncryptedKeyset with a specified parameters.
func CreateKey ¶ added in v1.1.1
func CreateKey(keyData *tinkpb.KeyData, status tinkpb.KeyStatusType, keyID uint32, prefixType tinkpb.OutputPrefixType) *tinkpb.Keyset_Key
CreateKey creates a new Key with the specified parameters.
func CreateKeyData ¶ added in v1.1.1
func CreateKeyData(typeURL string, value []byte, materialType tinkpb.KeyData_KeyMaterialType) *tinkpb.KeyData
CreateKeyData creates a new KeyData with the specified parameters.
func CreateKeyset ¶ added in v1.1.1
func CreateKeyset(primaryKeyID uint32, keys []*tinkpb.Keyset_Key) *tinkpb.Keyset
CreateKeyset creates a new Keyset with the specified parameters.
func DecryptKeyset ¶
DecryptKeyset decrypts the given keyset using the given master key
func EncryptKeyset ¶
EncryptKeyset encrypts the given keyset using the given master key.
func GetCurveName ¶ added in v1.1.0
func GetCurveName(curve commonpb.EllipticCurveType) string
GetCurveName returns the name of the EllipticCurveType.
func GetHashName ¶ added in v1.1.0
GetHashName returns the name of the HashType.
func GetKeyInfo ¶ added in v1.1.0
func GetKeyInfo(key *tinkpb.Keyset_Key) (*tinkpb.KeysetInfo_KeyInfo, error)
GetKeyInfo returns a KeyInfo from a Key protobuf.
func GetKeysetInfo ¶ added in v1.1.0
func GetKeysetInfo(keyset *tinkpb.Keyset) (*tinkpb.KeysetInfo, error)
GetKeysetInfo returns a KeysetInfo from a Keyset protobuf.
func GetOutputPrefix ¶
func GetOutputPrefix(key *tinkpb.Keyset_Key) (string, error)
GetOutputPrefix generates the prefix of all cryptographic outputs (ciphertexts, signatures, MACs, ...) produced by the specified {@code key}. The prefix can be either empty (for RAW-type prefix), or consists of a 1-byte indicator of the type of the prefix, followed by 4 bytes of {@code key.KeyId} in Big Endian encoding. @throws error if the prefix type of {@code key} is unknown. @return a prefix.
func GetPrimitiveFromKey ¶ added in v1.1.1
GetPrimitiveFromKey creates a new primitive for the given key using the KeyManager identified by the given typeURL.
func GetPrimitiveFromKeyData ¶ added in v1.1.1
GetPrimitiveFromKeyData creates a new primitive for the key given in the given KeyData.
func GetPrimitiveFromSerializedKey ¶ added in v1.1.1
GetPrimitiveFromSerializedKey creates a new primitive for the given serialized key using the KeyManager identified by the given typeURL.
func NewKeyData ¶ added in v1.1.0
func NewKeyData(template *tinkpb.KeyTemplate) (*tinkpb.KeyData, error)
NewKeyData generates a new KeyData for the given KeyTemplate.
func NewKeyFromKeyFormat ¶ added in v1.1.1
NewKeyFromKeyFormat generates a new key for the given KeyFormat using the KeyManager identified by the given typeURL.
func NewKeyFromKeyTemplate ¶ added in v1.1.1
func NewKeyFromKeyTemplate(template *tinkpb.KeyTemplate) (proto.Message, error)
NewKeyFromKeyTemplate generates a new key for the given KeyTemplate.
func RegisterKeyManager ¶ added in v1.1.1
func RegisterKeyManager(manager KeyManager) (bool, error)
RegisterKeyManager registers the given key manager. It does nothing if there already exists a key manager with the same type url. It returns true if the key manager is registered; false otherwise.
func ValidateKey ¶ added in v1.1.0
func ValidateKey(key *tinkpb.Keyset_Key) error
ValidateKey validates the given key. Returns nil if it is valid; an error otherwise.
func ValidateKeyset ¶ added in v1.1.0
ValidateKeyset validates the given key set. Returns nil if it is valid; an error otherwise.
func ValidateVersion ¶ added in v1.1.0
ValidateVersion checks whether the given version is valid. The version is valid only if it is the range [0..maxExpected]
Types ¶
type Aead ¶
type Aead interface { // Encrypt encrypts {@code plaintext} with {@code additionalData} as additional // authenticated data. The resulting ciphertext allows for checking // authenticity and integrity of additional data ({@code additionalData}), // but does not guarantee its secrecy. Encrypt(plaintext []byte, additionalData []byte) ([]byte, error) // Decrypt decrypts {@code ciphertext} with {@code additionalData} as additional // authenticated data. The decryption verifies the authenticity and integrity // of the additional data, but there are no guarantees wrt. secrecy of that data. Decrypt(ciphertext []byte, additionalData []byte) ([]byte, error) }
Aead is the interface for authenticated encryption with additional authenticated data. Implementations of this interface are secure against adaptive chosen ciphertext attacks. Encryption with additional data ensures authenticity and integrity of that data, but not its secrecy. (see RFC 5116, https://tools.ietf.org/html/rfc5116)
type Entry ¶
type Entry struct {
// contains filtered or unexported fields
}
Entry represents a single entry in the keyset. In addition to the actual primitive, it holds the identifier and status of the primitive.
func NewEntry ¶
func NewEntry(p interface{}, id string, stt tinkpb.KeyStatusType, outputPrefixType tinkpb.OutputPrefixType) *Entry
NewEntry creates a new instance of Entry using the given information.
func (*Entry) Identifier ¶
Identifier returns the identifier of the key entry.
func (*Entry) OutputPrefixType ¶
func (e *Entry) OutputPrefixType() tinkpb.OutputPrefixType
OutputPrefixType returns the OutputPrefixType of the key entry.
func (*Entry) Primitive ¶
func (e *Entry) Primitive() interface{}
Primitive returns the crypto primitive associated with the key entry.
func (*Entry) Status ¶
func (e *Entry) Status() tinkpb.KeyStatusType
Status returns the status of the key entry.
type KeyManager ¶
type KeyManager interface { // GetPrimitiveFromSerializedKey constructs a primitive instance for the key given in // serializedKey, which must be a serialized key protocol buffer handled by this manager. GetPrimitiveFromSerializedKey(serializedKey []byte) (interface{}, error) // GetPrimitiveFromKey constructs a primitive instance for the key given in {@code key}. GetPrimitiveFromKey(key proto.Message) (interface{}, error) // NewKeyFromSerializedKeyFormat Generates a new key according to specification in {@code serializedKeyFormat}, // which must be a serialized key format protocol buffer handled by this manager. NewKeyFromSerializedKeyFormat(serializedKeyFormat []byte) (proto.Message, error) // NewKeyFromKeyFormat generates a new key according to specification in {@code keyFormat}. NewKeyFromKeyFormat(keyFormat proto.Message) (proto.Message, error) // DoesSupport returns true iff this KeyManager supports key type identified by {@code typeURL}. DoesSupport(typeURL string) bool // GetKeyType returns the type URL that identifes the key type of keys managed by this KeyManager. GetKeyType() string // NewKeyData generates a new {@code KeyData} according to specification in {@code serializedkeyFormat}. // This should be used solely by the key management API. NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error) }
KeyManager "understands" keys of a specific key types: it can generate keys of a supported type and create primitives for supported keys. A key type is identified by the global name of the protocol buffer that holds the corresponding key material, and is given by type_url-field of KeyData-protocol buffer.
func GetKeyManager ¶ added in v1.1.1
func GetKeyManager(typeURL string) (KeyManager, error)
GetKeyManager returns the key manager for the given type url if existed.
type KeysetHandle ¶
type KeysetHandle struct {
// contains filtered or unexported fields
}
KeysetHandle provides abstracted access to Keysets, to limit the exposure of actual protocol buffers that hold sensitive key material.
func (*KeysetHandle) EncryptedKeyset ¶
func (h *KeysetHandle) EncryptedKeyset() *tinkpb.EncryptedKeyset
EncryptedKeyset returns the EncryptedKeyset component of this handle.
func (*KeysetHandle) GetPublicKeysetHandle ¶
func (h *KeysetHandle) GetPublicKeysetHandle() (*KeysetHandle, error)
GetPublicKeysetHandle returns a KeysetHandle of the public keys if the managed keyset contains private keys.
func (*KeysetHandle) Keyset ¶
func (h *KeysetHandle) Keyset() *tinkpb.Keyset
Keyset returns the Keyset component of this handle.
func (*KeysetHandle) KeysetInfo ¶
func (h *KeysetHandle) KeysetInfo() (*tinkpb.KeysetInfo, error)
KeysetInfo returns a KeysetInfo of the Keyset of this handle. KeysetInfo doesn't contain actual key material.
func (*KeysetHandle) String ¶
func (h *KeysetHandle) String() string
String returns the string representation of the KeysetInfo.
type KeysetManager ¶
type KeysetManager struct {
// contains filtered or unexported fields
}
KeysetManager manages a Keyset-proto, with convenience methods that rotate, disable, enable or destroy keys. Note: It is not thread-safe.
func NewKeysetManager ¶
func NewKeysetManager(keyTemplate *tinkpb.KeyTemplate, masterKey Aead, keyset *tinkpb.Keyset) *KeysetManager
NewKeysetManager creates a new instance of keyset manager.
func (*KeysetManager) GetKeysetHandle ¶
func (km *KeysetManager) GetKeysetHandle() (*KeysetHandle, error)
GetKeysetHandle creates a new KeysetHandle for the managed keyset.
func (*KeysetManager) KeyTemplate ¶
func (km *KeysetManager) KeyTemplate() *tinkpb.KeyTemplate
KeyTemplate returns the key template of the manager.
func (*KeysetManager) Keyset ¶
func (km *KeysetManager) Keyset() *tinkpb.Keyset
Keyset returns the keyset of the manager.
func (*KeysetManager) MasterKey ¶
func (km *KeysetManager) MasterKey() Aead
MasterKey returns the master key of the manager.
func (*KeysetManager) Rotate ¶
func (km *KeysetManager) Rotate() error
Rotate generates a fresh key using the key template of the current keyset manager and sets the new key as the primary key.
func (*KeysetManager) RotateWithTemplate ¶
func (km *KeysetManager) RotateWithTemplate(keyTemplate *tinkpb.KeyTemplate) error
RotateWithTemplate generates a fresh key using the given key template and sets the new key as the primary key.
func (*KeysetManager) SetKeyTemplate ¶
func (km *KeysetManager) SetKeyTemplate(template *tinkpb.KeyTemplate)
SetKeyTemplate sets the key template of the manager.
func (*KeysetManager) SetKeyset ¶
func (km *KeysetManager) SetKeyset(keyset *tinkpb.Keyset)
SetKeyset sets the keyset of the manager. If the input is nil, it will use an empty keyset as the input instead.
func (*KeysetManager) SetMasterKey ¶
func (km *KeysetManager) SetMasterKey(masterKey Aead)
SetMasterKey sets the master key of the manager.
type Mac ¶
type Mac interface { // ComputeMac Computes message authentication code (MAC) for {@code data}. ComputeMac(data []byte) ([]byte, error) // VerifyMac verifies whether {@code mac} is a correct authentication code (MAC) for {@code data}. VerifyMac(mac []byte, data []byte) (bool, error) }
Mac is the interface for MACs (Message Authentication Codes). This interface should be used for authentication only, and not for other purposes (for example, it should not be used to generate pseudorandom bytes).
type PrimitiveSet ¶
type PrimitiveSet struct {
// contains filtered or unexported fields
}
PrimitiveSet is a container class for a set of primitives (i.e. implementations of cryptographic primitives offered by Tink). It provides also additional properties for the primitives it holds. In particular, one of the primitives in the set can be distinguished as "the primary" one. <p>
PrimitiveSet is an auxiliary class used for supporting key rotation: primitives in a set correspond to keys in a keyset. Users will usually work with primitive instances, which essentially wrap primitive sets. For example an instance of an Aead-primitive for a given keyset holds a set of Aead-primitives corresponding to the keys in the keyset, and uses the set members to do the actual crypto operations: to encrypt data the primary Aead-primitive from the set is used, and upon decryption the ciphertext's prefix determines the id of the primitive from the set. <p>
PrimitiveSet is a public class to allow its use in implementations of custom primitives.
func GetPrimitives ¶ added in v1.1.1
func GetPrimitives(keysetHandle *KeysetHandle) (*PrimitiveSet, error)
GetPrimitives creates a set of primitives corresponding to the keys with status=ENABLED in the keyset of the given keysetHandle, assuming all the corresponding key managers are present (keys with status!=ENABLED are skipped).
The returned set is usually later "wrapped" into a class that implements the corresponding Primitive-interface.
func GetPrimitivesWithCustomManager ¶ added in v1.1.1
func GetPrimitivesWithCustomManager( keysetHandle *KeysetHandle, customManager KeyManager) (*PrimitiveSet, error)
GetPrimitivesWithCustomManager creates a set of primitives corresponding to the keys with status=ENABLED in the keyset of the given keysetHandle, using the given customManager (instead of registered key managers) for keys supported by it. Keys not supported by the customManager are handled by matching registered key managers (if present), and keys with status!=ENABLED are skipped. <p>
This enables custom treatment of keys, for example providing extra context (e.g. credentials for accessing keys managed by a KMS), or gathering custom monitoring/profiling information.
The returned set is usually later "wrapped" into a class that implements the corresponding Primitive-interface.
func NewPrimitiveSet ¶
func NewPrimitiveSet() *PrimitiveSet
NewPrimitiveSet returns an empty instance of PrimitiveSet.
func (*PrimitiveSet) AddPrimitive ¶
func (ps *PrimitiveSet) AddPrimitive(primitive interface{}, key *tinkpb.Keyset_Key) (*Entry, error)
AddPrimitive creates a new entry in the primitive set using the given information and returns the added entry.
func (*PrimitiveSet) GetPrimitivesWithByteIdentifier ¶
func (ps *PrimitiveSet) GetPrimitivesWithByteIdentifier(id []byte) ([]*Entry, error)
GetPrimitivesWithByteIdentifier returns all primitives in the set that have the given prefix.
func (*PrimitiveSet) GetPrimitivesWithKey ¶
func (ps *PrimitiveSet) GetPrimitivesWithKey(key *tinkpb.Keyset_Key) ([]*Entry, error)
GetPrimitivesWithKey returns all primitives in the set that have prefix equal to that of the given key.
func (*PrimitiveSet) GetPrimitivesWithStringIdentifier ¶
func (ps *PrimitiveSet) GetPrimitivesWithStringIdentifier(id string) ([]*Entry, error)
GetPrimitivesWithStringIdentifier returns all primitives in the set that have the given prefix.
func (*PrimitiveSet) GetRawPrimitives ¶
func (ps *PrimitiveSet) GetRawPrimitives() ([]*Entry, error)
GetRawPrimitives returns all primitives in the set that have RAW prefix.
func (*PrimitiveSet) Primary ¶
func (ps *PrimitiveSet) Primary() *Entry
Primary returns the entry with the primary primitive.
func (*PrimitiveSet) Primitives ¶
func (ps *PrimitiveSet) Primitives() map[string][]*Entry
Primitives returns all primitives of the set.
func (*PrimitiveSet) SetPrimary ¶
func (ps *PrimitiveSet) SetPrimary(e *Entry)
SetPrimary sets the primary entry of the set to the given entry.
type PrivateKeyManager ¶
type PrivateKeyManager interface { KeyManager // GetPublicKeyData extracts the public key data from the private key. GetPublicKeyData(serializedKey []byte) (*tinkpb.KeyData, error) }
PrivateKeyManager is a special type of KeyManager that understands private key types.
type PublicKeySign ¶
type PublicKeySign interface { /** * Computes the signature for {@code data}. * * @return the signature of {$code data}. */ Sign(data []byte) ([]byte, error) }
PublicKeySign is the signing interface for digital signature. Implementations of this interface are secure against adaptive chosen-message attacks. Signing data ensures authenticity and integrity of that data, but not its secrecy.
type PublicKeyVerify ¶
type PublicKeyVerify interface { /** * Verifies whether {@code signature} is a valid signature for {@code data}. * * @return an error if {@code signature} is not a valid signature for * {@code data}; nil otherwise. */ Verify(signature []byte, data []byte) error }
PublicKeyVerify is the verifying interface for digital signature. Implementations of this interface are secure against adaptive chosen-message attacks. Signing data ensures authenticity and integrity of that data, but not its secrecy.