package cryptor

import "github.com/cloudflare/redoctober/cryptor"

Package cryptor encrypts and decrypts files using the Red October vault and key cache.

Copyright (c) 2013 CloudFlare, Inc.

Index

Constants 

const (
	DEFAULT_VERSION = 1
)

Variables 

var ErrNotEnoughDelegations = errors.New("need more delegated keys")

ErrNotEnoughDelegations is a error returned by Decrypt. 

var ErrRestoreDelegations = errors.New("cryptor: need more delegations")

ErrRestoreDelegations is a sentinal value returned when more delegations are needed for the restore to continue.

Types

type AccessStructure 

type AccessStructure struct {
	Minimum int
	Names   []string

	LeftNames  []string
	RightNames []string

	Predicate string
}

AccessStructure represents different possible access structures for encrypted data. If len(Names) > 0, then at least 2 of the users in the list must be delegated to decrypt. If len(LeftNames) > 0 & len(RightNames) > 0, then at least one from each list must be delegated (if the same user is in both, then he can decrypt it alone). If a predicate is present, it must be satisfied to decrypt.

type Cryptor 

type Cryptor struct {
	// contains filtered or unexported fields
}

func New 

func New(records *passvault.Records, cache *keycache.Cache, config *config.Config) (*Cryptor, error)

func (*Cryptor) Decrypt 

func (c *Cryptor) Decrypt(in []byte, user string) (resp []byte, labels, names []string, usages []string, secure bool, err error)

Decrypt decrypts a file using the keys in the key cache.

func (*Cryptor) Delegate 

func (c *Cryptor) Delegate(record passvault.PasswordRecord, name, password string, users, labels []string, uses int, slot, durationString string) (err error)

Delegate attempts to decrypt a key for the specified user and add the key to the key cache.

func (*Cryptor) DelegateStatus 

func (c *Cryptor) DelegateStatus(name string, labels, admins []string) (adminsDelegated []string, hasDelegated int)

DelegateStatus will return a list of admins who have delegated to a particular user, for a particular label. This is useful information to have when determining the status of an order and conveying order progress.

func (*Cryptor) Encrypt 

func (c *Cryptor) Encrypt(in []byte, labels []string, usages []string, access AccessStructure) (resp []byte, err error)

Encrypt encrypts data with the keys associated with names. This requires a minimum of min keys to decrypt. NOTE: as currently implemented, the maximum value for min is 2.

func (*Cryptor) Flush 

func (c *Cryptor) Flush() error

Flush removes all delegations.

func (*Cryptor) GetOwners 

func (c *Cryptor) GetOwners(in []byte) (names, labels []string, predicate string, err error)

GetOwners returns the list of users that can delegate their passwords to decrypt the given encrypted secret.

func (*Cryptor) LiveSummary 

func (c *Cryptor) LiveSummary() map[string]keycache.ActiveUser

LiveSummary returns a list of the users currently delegated.

func (*Cryptor) Refresh 

func (c *Cryptor) Refresh() error

Refresh purges all expired or fully-used delegations in the crypto's key cache. It returns an error if the delegations should have been stored, but couldn't be.

func (*Cryptor) ResetPersisted 

func (c *Cryptor) ResetPersisted() (*persist.Status, error)

ResetPersisted clears any persisted delegations and returns the vault to an active delegation state if configured.

func (*Cryptor) Restore 

func (c *Cryptor) Restore(name, password string, uses int, slot, durationString string) error

Restore delegates the named user to the persistence key cache. If enough delegations are present to restore the cache, the current Red October key cache is replaced with the persisted one.

func (*Cryptor) Status 

func (c *Cryptor) Status() *persist.Status

Status returns the status of the underlying persistence store.

type EncryptedData 

type EncryptedData struct {
	Version int
	VaultId int      `json:",omitempty"`
	Labels  []string `json:",omitempty"`
	// Usages list the endpoints which may use this data
	// If empty, only decryption in permitted
	Usages    []string                    `json:",omitempty"`
	Predicate string                      `json:",omitempty"`
	KeySet    []MultiWrappedKey           `json:",omitempty"`
	KeySetRSA map[string]SingleWrappedKey `json:",omitempty"`
	ShareSet  map[string][][]byte         `json:",omitempty"`
	IV        []byte                      `json:",omitempty"`
	Data      []byte
	Signature []byte
}

EncryptedData is the format for encrypted data containing all the keys necessary to decrypt it when delegated.

type MultiWrappedKey 

type MultiWrappedKey struct {
	Name []string
	Key  []byte
}

MultiWrappedKey is a structure containing a 16-byte key encrypted once for each of the keys corresponding to the names of the users in Name in order.

type SingleWrappedKey 

type SingleWrappedKey struct {
	Key []byte
	// contains filtered or unexported fields
}

SingleWrappedKey is a structure containing a 16-byte key encrypted by an RSA or EC key.

type UserDatabase 

type UserDatabase struct {
	// contains filtered or unexported fields
}

Implements msp.UserDatabase

func (UserDatabase) CanGetShare 

func (u UserDatabase) CanGetShare(name string) bool

func (UserDatabase) GetShare 

func (u UserDatabase) GetShare(name string) ([][]byte, error)

func (UserDatabase) ValidUser 

func (u UserDatabase) ValidUser(name string) bool

Source Files

cryptor.go

Version
v0.0.0-20241112165158-ce2ad370627b (latest)
Published
Nov 12, 2024
Platform
linux/amd64
Imports
17 packages
Last checked
1 day ago

Tools for package owners.