crypto

package
v0.28.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 17, 2017 License: BSD-3-Clause Imports: 23 Imported by: 0

Documentation

Overview

Package crypto provides access to secure encryption and signing methods

Index

Constants

View Source
const (
	Triplesec  = "triplesec-v3"
	EdDSA      = "eddsa"
	Curve25519 = "curve25519"
	EasyBox    = "easybox"
	SecretBox  = "secretbox"
	Scrypt     = "scrypt"
)

Crypto Algorithm name constants.

Variables

View Source
var ErrMissingPassphrase = errors.New("Missing passphrase; cannot unseal master key")

ErrMissingPassphrase occurs when a session does not have a passphrase

Functions

func CreateMasterKeyObject added in v0.15.0

func CreateMasterKeyObject(ctx context.Context, password []byte, masterKey *[]byte) (*primitive.MasterKey, error)

CreateMasterKeyObject generates a 256 byte master key which is then encrypted using TripleSec-v3 using the given password.

func DeriveLoginHMAC

func DeriveLoginHMAC(ctx context.Context, password []byte, salt, token string) (string, error)

DeriveLoginHMAC HMACs the provided token with a key derived from password and the provided base64 encoded salt.

func EncryptPasswordObject

func EncryptPasswordObject(ctx context.Context, password string, currentMasterKey *[]byte) (*primitive.UserPassword, *primitive.MasterKey, error)

EncryptPasswordObject derives the master key (if necessary) and password hash from password and salt, returning the master and password objects

func GenerateSalt added in v0.15.0

func GenerateSalt(ctx context.Context) (*base64url.Value, error)

GenerateSalt returns a 16-byte (128 bit) salt used in password and secret key derivation.

Types

type EncryptionKeyPair

type EncryptionKeyPair struct {
	Public  [32]byte
	Private []byte
	PNonce  []byte
}

EncryptionKeyPair is a curve25519 encryption keypair. The private portion of the keypair is encrypted with triplesec.

PNonce contains the nonce used when deriving the password used to encrypt the private portion.

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine exposes methods to encrypt, unencrypt and sign values, using the logged in user's credentials.

func NewEngine

func NewEngine(sess session.Session, g *secure.Guard) *Engine

NewEngine returns a new Engine

func (*Engine) Box

func (e *Engine) Box(ctx context.Context, pt *secure.Secret, privKP *EncryptionKeyPair,
	pubKey []byte) ([]byte, []byte, error)

Box encrypts the plaintext pt bytes with Box, using the private key found in privKP, first decrypted with the user's master key, and encrypted for the public key pubKey.

It returns the ciphertext, the nonce used for encrypting the plaintext, and an optional error.

func (*Engine) BoxCredential

func (e *Engine) BoxCredential(ctx context.Context, pt, encMec, mecNonce []byte,
	privKP *EncryptionKeyPair, pubKey []byte) ([]byte, []byte, []byte, error)

BoxCredential encrypts the credential value pt via symmetric secretbox encryption.

Doing so is a multistep process. First we use the user's session data to unseal their private encryption key. With their encryption key and the public encryption key provided, we can decrypt the keyring master key (mek). Using mek and a generated nonce, we derive the credential encryption key (cek) via blake2b. Finally, we use the cek and a generated nonce to encrypt the credential.

BoxCredential returns the nonce generated to derive the credential encryption key, the nonce generated for encrypting the credential, and the encrypted credential.

func (*Engine) ChangePassword added in v0.17.0

func (e *Engine) ChangePassword(ctx context.Context, newPassword string) (*primitive.UserPassword, *primitive.MasterKey, *primitive.LoginPublicKey, error)

ChangePassword creates a password object and re-encrypts the master key

func (*Engine) CloneMembership

func (e *Engine) CloneMembership(ctx context.Context, encMec, mecNonce []byte, privKP *EncryptionKeyPair, encPubKey, targetPubKey []byte) ([]byte, []byte, error)

CloneMembership decrypts the given KeyringMember object, and creates another for the targeted user.

func (*Engine) GenerateKeyPairs

func (e *Engine) GenerateKeyPairs(ctx context.Context) (*KeyPairs, error)

GenerateKeyPairs generates and ed25519 signing key pair, and a curve25519 encryption key pair for the user, encrypting the private keys in triplesec-v3 with the user's master key.

func (*Engine) Seal

func (e *Engine) Seal(ctx context.Context, pt []byte) ([]byte, []byte, error)

Seal encrypts the plaintext pt bytes with triplesec-v3 using a key derived via blake2b from the user's master key and a nonce (returned).

func (*Engine) Sign

func (e *Engine) Sign(ctx context.Context, s SignatureKeyPair, b []byte) ([]byte, error)

Sign signs b bytes using the provided Sealed ed25519 keypair.

func (*Engine) SignedClaim added in v0.23.0

func (e *Engine) SignedClaim(ctx context.Context, body *primitive.Claim,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.Claim, error)

SignedClaim returns a ClaimEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedCredential added in v0.23.0

func (e *Engine) SignedCredential(ctx context.Context, body *primitive.Credential,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.Credential, error)

SignedCredential returns a CredentialEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedCredentialV1 added in v0.23.0

func (e *Engine) SignedCredentialV1(ctx context.Context, body *primitive.CredentialV1,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.CredentialV1, error)

SignedCredentialV1 returns a CredentialV1Envelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedKeyring added in v0.23.0

func (e *Engine) SignedKeyring(ctx context.Context, body *primitive.Keyring,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.Keyring, error)

SignedKeyring returns a KeyringEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedKeyringMember added in v0.23.0

func (e *Engine) SignedKeyringMember(ctx context.Context, body *primitive.KeyringMember,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.KeyringMember, error)

SignedKeyringMember returns a KeyringMemberEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedKeyringMemberClaim added in v0.23.0

func (e *Engine) SignedKeyringMemberClaim(ctx context.Context, body *primitive.KeyringMemberClaim,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.KeyringMemberClaim, error)

SignedKeyringMemberClaim returns a KeyringMemberClaimEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedKeyringMemberV1 added in v0.23.0

func (e *Engine) SignedKeyringMemberV1(ctx context.Context, body *primitive.KeyringMemberV1,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.KeyringMemberV1, error)

SignedKeyringMemberV1 returns a KeyringMemberV1Envelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedKeyringV1 added in v0.23.0

func (e *Engine) SignedKeyringV1(ctx context.Context, body *primitive.KeyringV1,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.KeyringV1, error)

SignedKeyringV1 returns a KeyringV1Envelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedMEKShare added in v0.23.0

func (e *Engine) SignedMEKShare(ctx context.Context, body *primitive.MEKShare,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.MEKShare, error)

SignedMEKShare returns a MEKShareEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedPrivateKey added in v0.23.0

func (e *Engine) SignedPrivateKey(ctx context.Context, body *primitive.PrivateKey,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.PrivateKey, error)

SignedPrivateKey returns a PrivateKeyEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) SignedPublicKey added in v0.23.0

func (e *Engine) SignedPublicKey(ctx context.Context, body *primitive.PublicKey,
	sigID *identity.ID, sigKP *SignatureKeyPair) (*envelope.PublicKey, error)

SignedPublicKey returns a PublicKeyEnvelope that is signed, and includes a tamper-proof ID.

func (*Engine) Unbox

func (e *Engine) Unbox(ctx context.Context, ct, nonce []byte,
	privKP *EncryptionKeyPair, pubKey []byte) (*secure.Secret, error)

Unbox Decrypts and verifies ciphertext ct that was previously encrypted using the provided nonce, and the inverse parts of the provided keypairs.

func (*Engine) UnboxCredential

func (e *Engine) UnboxCredential(ctx context.Context, ct, encMec, mecNonce,
	cekNonce, ctNonce []byte, privKP *EncryptionKeyPair, pubKey []byte) ([]byte, error)

UnboxCredential does the inverse of BoxCredential to retrieve the plaintext version of a credential.

func (*Engine) Unseal

func (e *Engine) Unseal(ctx context.Context, ct, nonce []byte) (*secure.Secret, error)

Unseal decrypts the ciphertext ct, encrypted with triplesec-v3, using the a key derived via blake2b from the user's master key and the provided nonce.

func (*Engine) Verify

func (e *Engine) Verify(ctx context.Context, s SignatureKeyPair, b, sig []byte) (bool, error)

Verify verifies that sig is the correct signature for b given SignatureKeyPair s.

func (*Engine) WithUnboxer

func (e *Engine) WithUnboxer(ctx context.Context, encMec, mecNonce []byte,
	privKP *EncryptionKeyPair, pubKey []byte, fn func(Unboxer) error) error

WithUnboxer returns an Unboxer for unboxing credentials within the context of the provided keypairs.

func (*Engine) WithUnsealer added in v0.27.0

func (e *Engine) WithUnsealer(ctx context.Context, privKP *EncryptionKeyPair,
	pubKey []byte, fn func(Unsealer) error) error

WithUnsealer returns an Unsealer to unseal keypairs which can subsequentently perform crypto operations through the Unsealer interface.

type KeyPairs

type KeyPairs struct {
	Signature  SignatureKeyPair
	Encryption EncryptionKeyPair
}

KeyPairs contains a signature and an encryption keypair for a user.

type LoginKeypair added in v0.15.0

type LoginKeypair struct {
	// contains filtered or unexported fields
}

LoginKeypair represents an Ed25519 Keypair used for generating a login token signature for Passphrase-Dervied Public Key Authentication.

func DeriveLoginKeypair added in v0.15.0

func DeriveLoginKeypair(ctx context.Context, secret []byte, salt *base64url.Value) (
	*LoginKeypair, error)

DeriveLoginKeypair dervies the ed25519 login keypair used for machine authentication from the given salt and secret values.

func (*LoginKeypair) PublicKey added in v0.15.0

func (k *LoginKeypair) PublicKey() *base64url.Value

PublicKey returns the base64 value of the public key

func (*LoginKeypair) Salt added in v0.15.0

func (k *LoginKeypair) Salt() *base64url.Value

Salt returns the base64 representation of the salt used to derive the LoginKeypair

func (*LoginKeypair) Sign added in v0.15.0

func (k *LoginKeypair) Sign(token []byte) *base64url.Value

Sign returns a signature of the given token as a base64 string

type SignatureKeyPair

type SignatureKeyPair struct {
	Public  ed25519.PublicKey
	Private []byte
	PNonce  []byte
}

SignatureKeyPair is an ed25519/eddsa digital signature keypair. The private portion of the keypair is encrypted with triplesec.

PNonce contains the nonce used when deriving the password used to encrypt the private portion.

type Unboxer

type Unboxer interface {
	Unbox(context.Context, []byte, []byte, []byte) ([]byte, error)
}

Unboxer provides an interface to unbox credentials, within the context

type Unsealer added in v0.27.0

type Unsealer interface {
	WithUnboxer(context.Context, []byte, []byte, func(Unboxer) error) error
}

Unsealer providers an interface to unbox public encryption keypairs using the users master encryption key

Directories

Path Synopsis
Package secure is a wrapper package around memguard for managing data which must not be swapped to disk or easily read via a memory scanner.
Package secure is a wrapper package around memguard for managing data which must not be swapped to disk or easily read via a memory scanner.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL