secure

package
v0.10.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 13, 2025 License: MIT Imports: 23 Imported by: 1

Documentation

Overview

Package secure makes encrypted data can only be decrypted by selected recipients. It allows different types of public keys to secretly exchange data.

How It Works

Suppose we have a opponent X, append 0 to the upper cased letter we get X0, it represents X's private key, similarly X1 represents X's public key. Now we have opponents X and Y, they may have different key types, such as X's is rsa, Y's is ecdsa, we want to encrypt data D with X and decrypt it with Y. X has access to Y1.

Encryption steps: 

Generate ephemeral key M that has the same key type and size as Y1.
Use Y1 and M0 to generate the shared secret key K.
Use K to encrypt the D, it generates E.
Only send M1 and E to Y.

Decryption steps: 

Use Y0 and M1 to generate the shared secret key K.
Use K to decrypt E, we get D.

Index

Constants

View Source 
const AES_GUARD = 4
View Source 
const KEY_HASH_SIZE = md5.Size
View Source 
const PUB_KEY_EXT = ".pub"

Variables

View Source 
var ErrAlreadyClosed = errors.New("already closed")
View Source 
var ErrNotRecipient = errors.New("not a recipient, the data is not encrypted for your public key")
View Source 
var ErrNotSupportedKey = errors.New("not an supported key")
View Source 
var ErrSignMismatch = errors.New("sign mismatch")

Functions

func Belongs added in v0.2.0 

func Belongs(pub, prv []byte, passphrase string) (bool, error)

Belongs checks if pub key belongs to prv key.

func DecryptAES 

func DecryptAES(key, data []byte, guard int) ([]byte, error)

func DecryptSharedSecret added in v0.3.0 

func DecryptSharedSecret(sharedKey []byte, prv crypto.PrivateKey) ([]byte, error)

func EncryptAES 

func EncryptAES(key, data []byte, guard int) ([]byte, error)

func EncryptSharedSecret added in v0.3.0 

func EncryptSharedSecret(sharedKey []byte, pub crypto.PublicKey) ([]byte, error)

func GenerateKeyFile added in v0.5.2 

func GenerateKeyFile(deterministic bool, comment, passphrase string) ([]byte, []byte, error)

GenerateKeyFile generates a new ed25519 ssh key pair. The first return value is the private key in PEM format, the second return value is the public key in ssh authorized_key format. If deterministic is true, the key will be generated based on the passphrase itself, so the same passphrase will always generate the same key, this is useful if you don't want to backup the key, but it's less secure, you must use a strong passphrase.

func IsAuthErr added in v0.1.0 

func IsAuthErr(err error) bool

func PublicKeyHash added in v0.3.0 

func PublicKeyHash(pub crypto.PublicKey) ([]byte, error)

func PublicKeyHashByPrivateKey added in v0.3.0 

func PublicKeyHashByPrivateKey(prv crypto.PrivateKey) ([]byte, error)

func SSHPrvKey added in v0.2.0 

func SSHPrvKey(keyData []byte, passphrase string) (crypto.PrivateKey, error)

SSHPrvKey returns a private key from a ssh private key.

func SSHPubKey added in v0.1.0 

func SSHPubKey(publicKey []byte) (crypto.PublicKey, error)

Types

type Cipher added in v0.0.5 

type Cipher struct {
	// Default is 16, it can be 16, 24, 32.
	// 16 is AES-128, 24 is AES-192, 32 is AES-256.
	AESType int
	// contains filtered or unexported fields
}

Cipher to encrypt and decrypt data. The cipher will generate a random AES secret, each public key will be used to encrypt the AES secret into a key. The wire format of the output looks like this: 

[n][key1][key2][key3]...[encrypted-data].

"n" is the number of keys. "key1" is the encrypted key for the first public key. "key2" is the encrypted key for the second public key. ... "encrypted-data" is the encrypted data by the AES secret.

func NewCipher added in v0.3.0 

func NewCipher(prv crypto.PrivateKey, index int, pubs ...crypto.PublicKey) *Cipher

NewCipher to encrypt or decrypt data. The index indicates which key in the key list is for the prv to decrypt the data.

func NewCipherBytes added in v0.3.0 

func NewCipherBytes(privateKey []byte, passphrase string, index int, publicKeys ...[]byte) (*Cipher, error)

func (*Cipher) Decoder added in v0.0.5 

func (c *Cipher) Decoder(r io.Reader) (io.ReadCloser, error)

func (*Cipher) Encoder added in v0.0.5 

func (c *Cipher) Encoder(w io.Writer) (io.WriteCloser, error)

type Signer added in v0.0.5 

type Signer struct {
	// contains filtered or unexported fields
}

func NewSigner added in v0.3.0 

func NewSigner(prv crypto.PrivateKey, pub crypto.PrivateKey) *Signer

func NewSignerBytes added in v0.3.0 

func NewSignerBytes(privateKey []byte, passphrase string, publicKeys ...[]byte) (*Signer, error)

func (*Signer) Decoder added in v0.0.5 

func (s *Signer) Decoder(r io.Reader) (io.ReadCloser, error)

func (*Signer) Encoder added in v0.0.5 

func (s *Signer) Encoder(w io.Writer) (io.WriteCloser, error)

func (*Signer) SigDigest added in v0.3.0 

func (s *Signer) SigDigest(digest []byte) ([]byte, error)

func (*Signer) Sign added in v0.3.0 

func (s *Signer) Sign(data []byte) ([]byte, error)

func (*Signer) Verify added in v0.3.0 

func (s *Signer) Verify(data []byte) ([]byte, bool)

func (*Signer) VerifyDigest added in v0.3.0 

func (s *Signer) VerifyDigest(digest, sign []byte) bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.