Constants ¶
const ( OssClientSideEncryptionKey string = "client-side-encryption-key" OssClientSideEncryptionStart = "client-side-encryption-start" OssClientSideEncryptionCekAlg = "client-side-encryption-cek-alg" OssClientSideEncryptionWrapAlg = "client-side-encryption-wrap-alg" OssClientSideEncryptionMatDesc = "client-side-encryption-matdesc" OssClientSideEncryptionUnencryptedContentLength = "client-side-encryption-unencrypted-content-length" OssClientSideEncryptionUnencryptedContentMD5 = "client-side-encryption-unencrypted-content-md5" OssClientSideEncryptionDataSize = "client-side-encryption-data-size" OssClientSideEncryptionPartSize = "client-side-encryption-part-size" )
OSS object metadata keys used for client-side encryption.
const ( RsaCryptoWrap string = "RSA/NONE/PKCS1Padding" KmsAliCryptoWrap string = "KMS/ALICLOUD" AesCtrAlgorithm string = "AES/CTR/NoPadding" )
Encryption algorithm identifiers (key wrap algorithms and the content encryption algorithm).
const (
EncryptionUaSuffix string = "OssEncryptionClient"
)
User-agent suffix tag identifying the client-side encryption client.
Types ¶
type CipherData ¶
type CipherData struct { IV []byte Key []byte MatDesc string WrapAlgorithm string CEKAlgorithm string EncryptedIV []byte EncryptedKey []byte }
CipherData holds the secret key information: the content key and IV, their encrypted forms, and the algorithm and material descriptors.
func (*CipherData) Clone ¶
func (cd *CipherData) Clone() CipherData
func (*CipherData) GetIV ¶
func (cd *CipherData) GetIV() uint64
func (*CipherData) RandomKeyIv ¶
func (cd *CipherData) RandomKeyIv(keyLen int, ivLen int) error
func (*CipherData) SeekIV ¶
func (cd *CipherData) SeekIV(startPos uint64)
func (*CipherData) SetIV ¶
func (cd *CipherData) SetIV(iv uint64)
type ContentCipher ¶
type ContentCipher interface { EncryptContent(io.Reader) (io.ReadCloser, error) DecryptContent(io.Reader) (io.ReadCloser, error) Clone(cd CipherData) (ContentCipher, error) GetEncryptedLen(int64) int64 GetCipherData() *CipherData GetAlignLen() int }
ContentCipher is used to encrypt or decrypt an object's data.
type ContentCipherBuilder ¶
type ContentCipherBuilder interface { ContentCipher() (ContentCipher, error) ContentCipherEnv(Envelope) (ContentCipher, error) GetMatDesc() string }
ContentCipherBuilder is used to create a ContentCipher for encrypting an object's data.
func CreateAesCtrCipher ¶
func CreateAesCtrCipher(cipher MasterCipher) ContentCipherBuilder
CreateAesCtrCipher creates a ContentCipherBuilder backed by the given MasterCipher.
type CryptoBucket ¶
type CryptoBucket struct { oss.Bucket ContentCipherBuilder ContentCipherBuilder ExtraCipherBuilder ExtraCipherBuilder MasterCipherManager MasterCipherManager AliKmsClient *kms.Client }
CryptoBucket implements the operations for encrypting and decrypting objects. ContentCipherBuilder is used to encrypt and decrypt objects by default: when the MatDesc of the object you want to decrypt is empty or the same as the MatDesc of the master key you provided in ContentCipherBuilder, the SDK tries to use ContentCipherBuilder to decrypt it.
func GetCryptoBucket ¶
func GetCryptoBucket(client *oss.Client, bucketName string, builder ContentCipherBuilder, options ...CryptoBucketOption) (*CryptoBucket, error)
GetCryptoBucket creates a client-side encryption bucket.
func (CryptoBucket) AddEncryptionUaSuffix ¶
func (bucket CryptoBucket) AddEncryptionUaSuffix(options []oss.Option) []oss.Option
func (CryptoBucket) AppendObject ¶
func (bucket CryptoBucket) AppendObject(objectKey string, reader io.Reader, appendPosition int64, options ...oss.Option) (int64, error)
AppendObject please refer to Bucket.AppendObject
func (CryptoBucket) CopyFile ¶
func (bucket CryptoBucket) CopyFile(srcBucketName, srcObjectKey, destObjectKey string, partSize int64, options ...oss.Option) error
CopyFile in multipart mode is temporarily not supported.
func (CryptoBucket) DoAppendObject ¶
func (bucket CryptoBucket) DoAppendObject(request *oss.AppendObjectRequest, options []oss.Option) (*oss.AppendObjectResult, error)
DoAppendObject please refer to Bucket.DoAppendObject
func (CryptoBucket) DoGetObject ¶
func (bucket CryptoBucket) DoGetObject(request *oss.GetObjectRequest, options []oss.Option) (*oss.GetObjectResult, error)
DoGetObject is the actual API that gets the object, whether encrypted or not. It is the internal function called by the other public APIs.
func (CryptoBucket) DoGetObjectWithURL ¶
func (bucket CryptoBucket) DoGetObjectWithURL(signedURL string, options []oss.Option) (*oss.GetObjectResult, error)
DoGetObjectWithURL please refer to Bucket.DoGetObjectWithURL
func (CryptoBucket) DoPutObjectWithURL ¶
func (bucket CryptoBucket) DoPutObjectWithURL(signedURL string, reader io.Reader, options []oss.Option) (*oss.Response, error)
DoPutObjectWithURL please refer to Bucket.DoPutObjectWithURL
func (CryptoBucket) DownloadFile ¶
func (bucket CryptoBucket) DownloadFile(objectKey, filePath string, partSize int64, options ...oss.Option) error
DownloadFile in multipart mode is temporarily not supported.
func (CryptoBucket) GetObject ¶
func (bucket CryptoBucket) GetObject(objectKey string, options ...oss.Option) (io.ReadCloser, error)
GetObject downloads the object from OSS. If the object is encrypted, the SDK decrypts it automatically.
func (CryptoBucket) GetObjectToFile ¶
func (bucket CryptoBucket) GetObjectToFile(objectKey, filePath string, options ...oss.Option) error
GetObjectToFile downloads the object from OSS to a local file. If the object is encrypted, the SDK decrypts it automatically.
func (CryptoBucket) GetObjectToFileWithURL ¶
func (bucket CryptoBucket) GetObjectToFileWithURL(signedURL, filePath string, options ...oss.Option) error
GetObjectToFileWithURL please refer to Bucket.GetObjectToFileWithURL
func (CryptoBucket) GetObjectWithURL ¶
func (bucket CryptoBucket) GetObjectWithURL(signedURL string, options ...oss.Option) (io.ReadCloser, error)
GetObjectWithURL please refer to Bucket.GetObjectWithURL
func (CryptoBucket) InitiateMultipartUpload ¶
func (bucket CryptoBucket) InitiateMultipartUpload(objectKey string, cryptoContext *PartCryptoContext, options ...oss.Option) (oss.InitiateMultipartUploadResult, error)
InitiateMultipartUpload initializes a multipart upload for client-side encryption. cryptoContext.PartSize and cryptoContext.DataSize are input parameters; cryptoContext.PartSize must be aligned to the secret IV length. cryptoContext.ContentCipher is an output parameter. cryptoContext is used in the subsequent part-upload APIs.
func (CryptoBucket) ProcessObject ¶
func (bucket CryptoBucket) ProcessObject(objectKey string, process string, options ...oss.Option) (oss.ProcessObjectResult, error)
ProcessObject please refer to Bucket.ProcessObject
func (CryptoBucket) PutObject ¶
func (bucket CryptoBucket) PutObject(objectKey string, reader io.Reader, options ...oss.Option) error
PutObject creates a new object and encrypts it on the client side when uploading to OSS.
func (CryptoBucket) PutObjectFromFile ¶
func (bucket CryptoBucket) PutObjectFromFile(objectKey, filePath string, options ...oss.Option) error
PutObjectFromFile creates a new object from a local file; the object is encrypted automatically on the client side when uploaded to OSS.
func (CryptoBucket) PutObjectFromFileWithURL ¶
func (bucket CryptoBucket) PutObjectFromFileWithURL(signedURL, filePath string, options ...oss.Option) error
PutObjectFromFileWithURL please refer to Bucket.PutObjectFromFileWithURL
func (CryptoBucket) PutObjectWithURL ¶
func (bucket CryptoBucket) PutObjectWithURL(signedURL string, reader io.Reader, options ...oss.Option) error
PutObjectWithURL please refer to Bucket.PutObjectWithURL
func (CryptoBucket) UploadFile ¶
func (bucket CryptoBucket) UploadFile(objectKey, filePath string, partSize int64, options ...oss.Option) error
UploadFile uploads the file in multipart mode.
func (CryptoBucket) UploadPart ¶
func (bucket CryptoBucket) UploadPart(imur oss.InitiateMultipartUploadResult, reader io.Reader, partSize int64, partNumber int, cryptoContext PartCryptoContext, options ...oss.Option) (oss.UploadPart, error)
UploadPart uploads a part to OSS; the part data is encrypted automatically on the client side. cryptoContext is an input parameter.
func (CryptoBucket) UploadPartCopy ¶
func (bucket CryptoBucket) UploadPartCopy(imur oss.InitiateMultipartUploadResult, srcBucketName, srcObjectKey string, startPosition, partSize int64, partNumber int, cryptoContext PartCryptoContext, options ...oss.Option) (oss.UploadPart, error)
UploadPartCopy uploads a part by copying from an existing source object.
func (CryptoBucket) UploadPartFromFile ¶
func (bucket CryptoBucket) UploadPartFromFile(imur oss.InitiateMultipartUploadResult, filePath string, startPosition, partSize int64, partNumber int, cryptoContext PartCryptoContext, options ...oss.Option) (oss.UploadPart, error)
UploadPartFromFile uploads a part from a file; the part data is encrypted automatically on the client side. cryptoContext is an input parameter.
type CryptoBucketOption ¶
type CryptoBucketOption func(*CryptoBucket)
CryptoBucketOption is a CryptoBucket option, such as SetAliKmsClient, SetMasterCipherManager or SetDecryptCipherManager.
func SetAliKmsClient ¶
func SetAliKmsClient(client *kms.Client) CryptoBucketOption
SetAliKmsClient sets the AliKmsClient field of CryptoBucket. If the objects you need to decrypt are encrypted with an Ali KMS master key rather than with the ContentCipherBuilder you provided, you must provide this option.
func SetExtraCipherBuilder ¶
func SetExtraCipherBuilder(extraBuilder ExtraCipherBuilder) CryptoBucketOption
SetExtraCipherBuilder sets the ExtraCipherBuilder field of CryptoBucket.
func SetMasterCipherManager ¶
func SetMasterCipherManager(manager MasterCipherManager) CryptoBucketOption
SetMasterCipherManager sets the MasterCipherManager field of CryptoBucket.
type CryptoDecrypter ¶
type CryptoDecrypter struct { Body io.Reader Decrypter io.Reader // contains filtered or unexported fields }
CryptoDecrypter provides a Close method for the Decrypter.
func (*CryptoDecrypter) Close ¶
func (rc *CryptoDecrypter) Close() error
Close lets CryptoDecrypter satisfy the io.ReadCloser interface.
type CryptoEncrypter ¶
type CryptoEncrypter struct { Body io.Reader Encrypter io.Reader // contains filtered or unexported fields }
CryptoEncrypter provides a Close method for the Encrypter.
func (*CryptoEncrypter) Close ¶
func (rc *CryptoEncrypter) Close() error
Close lets CryptoEncrypter satisfy the io.ReadCloser interface.
type DefaultExtraCipherBuilder ¶
DefaultExtraCipherBuilder is the default implementation of ExtraCipherBuilder for RSA and KMS master keys.
func (*DefaultExtraCipherBuilder) GetDecryptCipher ¶
func (decb *DefaultExtraCipherBuilder) GetDecryptCipher(envelope Envelope, cm MasterCipherManager) (ContentCipher, error)
GetDecryptCipher returns the ContentCipher used to decrypt an object.
type Envelope ¶
type Envelope struct { IV string CipherKey string MatDesc string WrapAlg string CEKAlg string UnencryptedMD5 string UnencryptedContentLen string }
Envelope is the encryption information stored in the OSS object's metadata.
type ExtraCipherBuilder ¶
type ExtraCipherBuilder interface {
GetDecryptCipher(envelope Envelope, cm MasterCipherManager) (ContentCipher, error)
}
ExtraCipherBuilder is the interface for creating a decrypting ContentCipher from an Envelope. If the objects you need to decrypt are encrypted neither with the ContentCipherBuilder you provided nor with RSA or Ali KMS master keys, you must provide this interface.
The returned ContentCipher is the interface used to decrypt the objects.
type MasterAliKmsCipher ¶
MasterAliKmsCipher is the Ali KMS master key interface.
func (MasterAliKmsCipher) Decrypt ¶
func (mkms MasterAliKmsCipher) Decrypt(cryptoData []byte) ([]byte, error)
Decrypt decrypts data with Ali KMS. It is mainly used to decrypt the object's symmetric secret key and IV.
func (MasterAliKmsCipher) Encrypt ¶
func (mkms MasterAliKmsCipher) Encrypt(plainData []byte) ([]byte, error)
Encrypt encrypts data with Ali KMS. It is mainly used to encrypt the object's symmetric secret key and IV.
func (MasterAliKmsCipher) GetMatDesc ¶
func (mkms MasterAliKmsCipher) GetMatDesc() string
GetMatDesc returns the master key description.
func (MasterAliKmsCipher) GetWrapAlgorithm ¶
func (mrc MasterAliKmsCipher) GetWrapAlgorithm() string
GetWrapAlgorithm returns the master key wrap algorithm.
type MasterCipher ¶
type MasterCipher interface { Encrypt([]byte) ([]byte, error) Decrypt([]byte) ([]byte, error) GetWrapAlgorithm() string GetMatDesc() string }
MasterCipher encrypts or decrypts CipherData. Supported master keys: RSA and Ali KMS.
func CreateMasterAliKms ¶
func CreateMasterAliKms(matDesc map[string]string, kmsID string, kmsClient *kms.Client) (MasterCipher, error)
CreateMasterAliKms creates a master key interface implemented by Ali KMS; matDesc is converted to a JSON string.
func CreateMasterRsa ¶
func CreateMasterRsa(matDesc map[string]string, publicKey string, privateKey string) (MasterCipher, error)
CreateMasterRsa creates a master key interface implemented by RSA; matDesc is converted to a JSON string.
type MasterCipherManager ¶
MasterCipherManager is the interface for getting a master key by MatDesc (material description). If you may use different master keys for encrypting and decrypting objects, each master key must have a unique, non-empty, unalterable MatDesc (in JSON string format) and you must provide this interface. If you always use the same master key for encrypting and decrypting objects, MatDesc can be empty and you do not need to provide this interface.
matDesc map[string]string: the map converted from the matDesc JSON string. Returns []string: the secret key information, such as {"rsa-public-key", "rsa-private-key"} or {"non-rsa-key"}.
type MasterRsaCipher ¶
MasterRsaCipher is the RSA master key interface.
func (MasterRsaCipher) Decrypt ¶
func (mrc MasterRsaCipher) Decrypt(cryptoData []byte) ([]byte, error)
Decrypt decrypts data with the RSA private key. It is mainly used to decrypt the object's symmetric secret key and IV.
func (MasterRsaCipher) Encrypt ¶
func (mrc MasterRsaCipher) Encrypt(plainData []byte) ([]byte, error)
Encrypt encrypts data with the RSA public key. It is mainly used to encrypt the object's symmetric secret key and IV.
func (MasterRsaCipher) GetMatDesc ¶
func (mrc MasterRsaCipher) GetMatDesc() string
GetMatDesc returns the master key description.
func (MasterRsaCipher) GetWrapAlgorithm ¶
func (mrc MasterRsaCipher) GetWrapAlgorithm() string
GetWrapAlgorithm returns the master key wrap algorithm.
type PartCryptoContext ¶
type PartCryptoContext struct { ContentCipher ContentCipher DataSize int64 PartSize int64 }
PartCryptoContext stores the encryption or decryption information for a multipart upload.
func (PartCryptoContext) Valid ¶
func (pcc PartCryptoContext) Valid() bool
Valid reports whether the PartCryptoContext is valid.