func (alg *AesGcm) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error) { cekSizeBits := len(cek) << 3 if cekSizeBits != alg.keySizeBits { return nil, nil, nil, errors.New(fmt.Sprintf("AesGcm.Encrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits)) } if iv, err = arrays.Random(12); err != nil { return nil, nil, nil, err } var block cipher.Block if block, err = aes.NewCipher(cek); err != nil { return nil, nil, nil, err } var aesgcm cipher.AEAD if aesgcm, err = cipher.NewGCM(block); err != nil { return nil, nil, nil, err } cipherWithTag := aesgcm.Seal(nil, iv, plainText, aad) cipherText = cipherWithTag[:len(cipherWithTag)-aesgcm.Overhead()] authTag = cipherWithTag[len(cipherWithTag)-aesgcm.Overhead():] return iv, cipherText, authTag, nil }
func (alg *AesCbcHmac) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error) { cekSizeBits := len(cek) << 3 if cekSizeBits != alg.keySizeBits { return nil, nil, nil, errors.New(fmt.Sprintf("AesCbcHmac.Encrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits)) } hmacKey := cek[0 : len(cek)/2] aesKey := cek[len(cek)/2:] if iv, err = arrays.Random(16); err != nil { return nil, nil, nil, err } var block cipher.Block if block, err = aes.NewCipher(aesKey); err != nil { return nil, nil, nil, err } padded := padding.AddPkcs7(plainText, 16) cipherText = make([]byte, len(padded), cap(padded)) mode := cipher.NewCBCEncrypter(block, iv) mode.CryptBlocks(cipherText, padded) authTag = alg.computeAuthTag(aad, iv, cipherText, hmacKey) return iv, cipherText, authTag, nil }
func (alg *AesGcmKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) { if kek, ok := key.([]byte); ok { kekSizeBits := len(kek) << 3 if kekSizeBits != alg.keySizeBits { return nil, nil, errors.New(fmt.Sprintf("AesGcmKW.WrapNewKey(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, kekSizeBits)) } if cek, err = arrays.Random(cekSizeBits >> 3); err != nil { return nil, nil, err } var iv []byte if iv, err = arrays.Random(12); err != nil { return nil, nil, err } var block cipher.Block if block, err = aes.NewCipher(kek); err != nil { return nil, nil, err } var aesgcm cipher.AEAD if aesgcm, err = cipher.NewGCM(block); err != nil { return nil, nil, err } cipherWithTag := aesgcm.Seal(nil, iv, cek, nil) cipherText := cipherWithTag[:len(cipherWithTag)-aesgcm.Overhead()] authTag := cipherWithTag[len(cipherWithTag)-aesgcm.Overhead():] header["iv"] = base64url.Encode(iv) header["tag"] = base64url.Encode(authTag) return cek, cipherText, nil } return nil, nil, errors.New("AesGcmKW.WrapNewKey(): expected key to be '[]byte' array") }
func (alg *RsaOaep) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) { if pubKey, ok := key.(*rsa.PublicKey); ok { if cek, err = arrays.Random(cekSizeBits >> 3); err == nil { encryptedCek, err = rsa.EncryptOAEP(alg.sha(), rand.Reader, pubKey, cek, nil) return } return nil, nil, err } return nil, nil, errors.New("RsaOaep.WrapNewKey(): expected key to be '*rsa.PublicKey'") }
func (alg *AesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) { if kek, ok := key.([]byte); ok { kekSizeBits := len(kek) << 3 if kekSizeBits != alg.keySizeBits { return nil, nil, errors.New(fmt.Sprintf("AesKW.WrapNewKey(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, kekSizeBits)) } if cek, err = arrays.Random(cekSizeBits >> 3); err == nil { encryptedCek, err = aes.KeyWrap(cek, kek) return } return nil, nil, err } return nil, nil, errors.New("AesKW.WrapNewKey(): expected key to be '[]byte' array") }
func (alg *Pbse2HmacAesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) { if passphrase, ok := key.(string); ok { algId := []byte(header["alg"].(string)) iterationCount := 8192 var saltInput []byte if saltInput, err = arrays.Random(12); err != nil { return nil, nil, err } header["p2c"] = iterationCount header["p2s"] = base64url.Encode(saltInput) salt := arrays.Concat(algId, []byte{0}, saltInput) kek := kdf.DerivePBKDF2([]byte(passphrase), salt, iterationCount, alg.keySizeBits, alg.prf()) return alg.aesKW.WrapNewKey(cekSizeBits, kek, header) } return nil, nil, errors.New("Pbse2HmacAesKW.WrapNewKey(): expected key to be 'string' array") }