Documentation ¶
Index ¶
- Constants
- func P256Sign(privateKey *ecdsa.PrivateKey, msg []byte) ([]byte, error)
- func P256Verify(publicKey *ecdsa.PublicKey, msg []byte, signature []byte) bool
- func ToEcdsaPublic(publicBytes []byte) (*ecdsa.PublicKey, error)
- func ValidateChecksum(payload []byte) error
- type Bytes
- type ClientSendMsg
- type EnclaveEncryptClient
- func (c *EnclaveEncryptClient) AuthDecrypt(payload string) (plaintext []byte, err error)
- func (c *EnclaveEncryptClient) Decrypt(bundleBytes Bytes, organizationId string) (plaintext []byte, err error)
- func (c *EnclaveEncryptClient) Encrypt(plaintext Bytes, bundleBytes Bytes, organizationId string, userId string) (*ClientSendMsg, error)
- func (c *EnclaveEncryptClient) TargetPublic() ([]byte, error)
- type EnclaveEncryptServer
- func (s *EnclaveEncryptServer) AuthEncrypt(clientTarget []byte, plaintext []byte) (string, error)
- func (s *EnclaveEncryptServer) Encrypt(clientTarget []byte, plaintext []byte) (*ServerSendMsgV1, error)
- func (s *EnclaveEncryptServer) IntoEnclaveServerRecv() EnclaveEncryptServerRecv
- func (s *EnclaveEncryptServer) PublishTarget() (*ServerTargetMsgV1, error)
- type EnclaveEncryptServerRecv
- type ServerMsg
- type ServerSendData
- type ServerSendMsgV0
- type ServerSendMsgV1
- type ServerTargetData
- type ServerTargetMsgV0
- type ServerTargetMsgV1
Constants ¶
const (
	// Consult the Rust implementation's README for how these should be configured.
	// See [here](../../../rust/enclave_encrypt/README.md#hpke-configuration)
	KemId  hpke.KEM  = hpke.KEM_P256_HKDF_SHA256
	KdfId  hpke.KDF  = hpke.KDF_HKDF_SHA256
	AeadId hpke.AEAD = hpke.AEAD_AES256GCM

	TurnkeyHpkeInfo string = "turnkey_hpke"
	DataVersion     string = "v1.0.0"
)
Functions ¶
func P256Sign ¶
func P256Sign(privateKey *ecdsa.PrivateKey, msg []byte) ([]byte, error)
Sign the given `msg`.
func P256Verify ¶
Verify the given signature over `msg` with `publicKey`.
func ToEcdsaPublic ¶
Takes a byte slice and returns an ECDSA public key.
func ValidateChecksum ¶
Validates that a payload has a valid checksum in the last four bytes.
Types ¶
type ClientSendMsg ¶
type ClientSendMsg struct {
	// We assume this public key can be trusted because the request went through
	// checks in the policy engine.
	EncappedPublic *Bytes `json:"encappedPublic,omitempty"`
	// The encrypted message.
	Ciphertext *Bytes `json:"ciphertext,omitempty"`
}
Message from the client with encapsulated key and ciphertext.
type EnclaveEncryptClient ¶
type EnclaveEncryptClient struct {
// contains filtered or unexported fields
}
An instance of the client side of the enclave encrypt protocol. This should only be used for either a SINGLE send or a single receive.
func NewEnclaveEncryptClient ¶
func NewEnclaveEncryptClient(enclaveAuthKey *ecdsa.PublicKey) (*EnclaveEncryptClient, error)
Create a client from the quorum public key.
func NewEnclaveEncryptClientFromTargetKey ¶
func NewEnclaveEncryptClientFromTargetKey(enclaveAuthKey *ecdsa.PublicKey, targetPrivateKey kem.PrivateKey) (*EnclaveEncryptClient, error)
Create a client from the quorum public key and target key pair.
func (*EnclaveEncryptClient) AuthDecrypt ¶
func (c *EnclaveEncryptClient) AuthDecrypt(payload string) (plaintext []byte, err error)
Decrypt a base58-encoded payload from the server. This is used in email authentication and email recovery flows.
func (*EnclaveEncryptClient) Decrypt ¶
func (c *EnclaveEncryptClient) Decrypt(bundleBytes Bytes, organizationId string) (plaintext []byte, err error)
Decrypts a bundle. This is used in private key and wallet export flows. In the export flow, for example, `bundleBytes` represents the bytes of the received bundle and contains the ciphertext of the exported wallet or private key. Note: for v1 bundles this function extracts the organizationId field from the signed data bytes, verifies its integrity, and verifies that it matches the (user-)provided `organizationId`. For v0 bundles, `organizationId` is irrelevant.
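The v1 bundle checks described above, sketched with the standard library only. This is an added example, not this package's code: the `envelope` type, `checkV1`, `sealForDemo`, the pinned-key comparison, and the signature scheme (ECDSA P-256 over SHA-256 of the data, ASN.1 DER) are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// envelope mirrors ServerSendMsgV1; []byte stands in for the package's Bytes type (assumption).
type envelope struct {
	Data, DataSignature, EnclaveQuorumPublic []byte
}

// checkV1 authenticates the envelope before parsing it: pinned key, signature, then organization.
func checkV1(pinned *ecdsa.PublicKey, e envelope, orgID string) error {
	want := elliptic.Marshal(elliptic.P256(), pinned.X, pinned.Y)
	if !bytes.Equal(want, e.EnclaveQuorumPublic) {
		return errors.New("quorum key in message is not the pinned key")
	}
	// Assumption: the signature is ECDSA over SHA-256(data), ASN.1 DER encoded.
	digest := sha256.Sum256(e.Data)
	if !ecdsa.VerifyASN1(pinned, digest[:], e.DataSignature) {
		return errors.New("bad signature over data")
	}
	var d struct{ OrganizationId string `json:"organizationId"` }
	if err := json.Unmarshal(e.Data, &d); err != nil || d.OrganizationId != orgID {
		return errors.New("organizationId missing or mismatched")
	}
	return nil
}

// sealForDemo returns a fresh key and a constructed, correctly signed envelope for orgID.
func sealForDemo(orgID string) (*ecdsa.PublicKey, envelope) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	data, _ := json.Marshal(map[string]string{"organizationId": orgID})
	digest := sha256.Sum256(data)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return &key.PublicKey, envelope{data, sig, elliptic.Marshal(elliptic.P256(), key.X, key.Y)}
}

func main() {
	pub, e := sealForDemo("org-a")
	fmt.Println(checkV1(pub, e, "org-a"), checkV1(pub, e, "org-b"))
}
```

The organization ID is read only after the signature over the data has verified against the caller's pinned key, so a bundle issued for another organization, or one carrying its own key, is rejected.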
func (*EnclaveEncryptClient) Encrypt ¶
func (c *EnclaveEncryptClient) Encrypt(plaintext Bytes, bundleBytes Bytes, organizationId string, userId string) (*ClientSendMsg, error)
Encrypt some plaintext to the given server, using `enclaveMsgBytes`. In the import flow, for example, `bundleBytes` represents the bytes of the received bundle. Note: for v1 bundles this function extracts the organizationId and userId fields from the signed data bytes, verifies their integrity, and verifies that they match the (user-)provided `organizationId` and `userId` params. To decrypt v0 bundles, `organizationId` and `userId` are irrelevant and can be set to empty strings.
func (*EnclaveEncryptClient) TargetPublic ¶
func (c *EnclaveEncryptClient) TargetPublic() ([]byte, error)
Get this client's target public key.
type EnclaveEncryptServer ¶
type EnclaveEncryptServer struct {
// contains filtered or unexported fields
}
func NewEnclaveEncryptServer ¶
func NewEnclaveEncryptServer(enclaveAuthKey *ecdsa.PrivateKey, organizationId string, userId *string) (EnclaveEncryptServer, error)
This should be the quorum signing secret derived from the quorum master seed.
func NewEnclaveEncryptServerFromTargetKey ¶
func NewEnclaveEncryptServerFromTargetKey(enclaveAuthKey *ecdsa.PrivateKey, targetPrivateKey *kem.PrivateKey, organizationId string, userId *string) (EnclaveEncryptServer, error)
Create a server from the enclave quorum public key and the target key.
func (*EnclaveEncryptServer) AuthEncrypt ¶
func (s *EnclaveEncryptServer) AuthEncrypt(clientTarget []byte, plaintext []byte) (string, error)
Relevant for usage with auth activities: Email Auth, Email Recovery.
func (*EnclaveEncryptServer) Encrypt ¶
func (s *EnclaveEncryptServer) Encrypt(clientTarget []byte, plaintext []byte) (*ServerSendMsgV1, error)
Encrypt `plaintext` to the `clientTarget` key.
func (*EnclaveEncryptServer) IntoEnclaveServerRecv ¶
func (s *EnclaveEncryptServer) IntoEnclaveServerRecv() EnclaveEncryptServerRecv
Get the server receiving type.
func (*EnclaveEncryptServer) PublishTarget ¶
func (s *EnclaveEncryptServer) PublishTarget() (*ServerTargetMsgV1, error)
Return the server's encryption target key and a signature over it from the quorum key.
type EnclaveEncryptServerRecv ¶
type EnclaveEncryptServerRecv struct {
// contains filtered or unexported fields
}
func (*EnclaveEncryptServerRecv) Decrypt ¶
func (s *EnclaveEncryptServerRecv) Decrypt(msg ClientSendMsg) ([]byte, error)
Decrypt a message from a client that encrypted to this server instance's target key. Relevant for usage with auth activities: Email Auth, Email Recovery.
type ServerMsg ¶
type ServerMsg struct {
	// Version of the data.
	Version *string `json:"version,omitempty"`
}
type ServerSendData ¶
type ServerSendData struct {
	// Encapsulation key used to generate the ciphertext.
	EncappedPublic Bytes `json:"encappedPublic"`
	// Ciphertext from the server.
	Ciphertext Bytes `json:"ciphertext"`
	// Organization making the request.
	OrganizationId string `json:"organizationId"`
}
Data object from the server with the encapsulated public key, ciphertext, and organization ID.
type ServerSendMsgV0 ¶
type ServerSendMsgV0 struct {
	// Encapsulation key used to generate the ciphertext.
	EncappedPublic *Bytes `json:"encappedPublic,omitempty"`
	// Quorum key signature over the encapsulation key.
	EncappedPublicSignature *Bytes `json:"encappedPublicSignature,omitempty"`
	// Ciphertext from the server.
	Ciphertext *Bytes `json:"ciphertext,omitempty"`
}
Message from the server with encapsulated key, quorum key signature over encapsulated key and ciphertext.
type ServerSendMsgV1 ¶
type ServerSendMsgV1 struct {
	// Version of the data.
	Version string `json:"version"`
	// Data sent by the enclave
	Data Bytes `json:"data"`
	// Enclave quorum key signature over the data.
	DataSignature Bytes `json:"dataSignature"`
	// Enclave quorum key public key.
	EnclaveQuorumPublic Bytes `json:"enclaveQuorumPublic"`
}
Message from the server with data, the data's version, enclave quorum key, and the enclave quorum key signature over the data.
type ServerTargetData ¶
type ServerTargetData struct {
	// Target public key for client to encrypt to.
	TargetPublic Bytes `json:"targetPublic"`
	// Organization making the request.
	OrganizationId string `json:"organizationId"`
	// User making the request.
	UserId string `json:"userId"`
}
Data object from the server with the target public key, organization ID, and an optional user ID field.
type ServerTargetMsgV0 ¶
type ServerTargetMsgV0 struct {
	// Target public key for client to encrypt to.
	TargetPublic Bytes `json:"targetPublic"`
	// Signature over the server's public target key.
	TargetPublicSignature Bytes `json:"targetPublicSignature"`
}
Message from the server with an encryption target key and a quorum key signature over it.
type ServerTargetMsgV1 ¶
type ServerTargetMsgV1 struct {
	// Version of the data.
	Version string `json:"version"`
	// Data sent and signed by the enclave.
	Data Bytes `json:"data"`
	// Enclave quorum key signature over the data.
	DataSignature Bytes `json:"dataSignature"`
	// Enclave quorum key public key.
	EnclaveQuorumPublic Bytes `json:"enclaveQuorumPublic"`
}
Message from the server with data, the data's version, enclave quorum key, and the enclave quorum key signature over the data.