Exemple #1
0
func (alg *AesGcm) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error) {

	cekSizeBits := len(cek) << 3

	if cekSizeBits != alg.keySizeBits {
		return nil, nil, nil, errors.New(fmt.Sprintf("AesGcm.Encrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits))
	}

	if iv, err = arrays.Random(12); err != nil {
		return nil, nil, nil, err
	}

	var block cipher.Block

	if block, err = aes.NewCipher(cek); err != nil {
		return nil, nil, nil, err
	}

	var aesgcm cipher.AEAD

	if aesgcm, err = cipher.NewGCM(block); err != nil {
		return nil, nil, nil, err
	}

	cipherWithTag := aesgcm.Seal(nil, iv, plainText, aad)

	cipherText = cipherWithTag[:len(cipherWithTag)-aesgcm.Overhead()]
	authTag = cipherWithTag[len(cipherWithTag)-aesgcm.Overhead():]

	return iv, cipherText, authTag, nil
}
Exemple #2
0
func (alg *AesCbcHmac) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error) {

	cekSizeBits := len(cek) << 3
	if cekSizeBits != alg.keySizeBits {
		return nil, nil, nil, errors.New(fmt.Sprintf("AesCbcHmac.Encrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits))
	}

	hmacKey := cek[0 : len(cek)/2]
	aesKey := cek[len(cek)/2:]

	if iv, err = arrays.Random(16); err != nil {
		return nil, nil, nil, err
	}

	var block cipher.Block

	if block, err = aes.NewCipher(aesKey); err != nil {
		return nil, nil, nil, err
	}

	padded := padding.AddPkcs7(plainText, 16)

	cipherText = make([]byte, len(padded), cap(padded))
	mode := cipher.NewCBCEncrypter(block, iv)
	mode.CryptBlocks(cipherText, padded)

	authTag = alg.computeAuthTag(aad, iv, cipherText, hmacKey)

	return iv, cipherText, authTag, nil
}
Exemple #3
0
func (alg *AesGcmKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) {
	if kek, ok := key.([]byte); ok {

		kekSizeBits := len(kek) << 3

		if kekSizeBits != alg.keySizeBits {
			return nil, nil, errors.New(fmt.Sprintf("AesGcmKW.WrapNewKey(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, kekSizeBits))
		}

		if cek, err = arrays.Random(cekSizeBits >> 3); err != nil {
			return nil, nil, err
		}

		var iv []byte

		if iv, err = arrays.Random(12); err != nil {
			return nil, nil, err
		}

		var block cipher.Block

		if block, err = aes.NewCipher(kek); err != nil {
			return nil, nil, err
		}

		var aesgcm cipher.AEAD

		if aesgcm, err = cipher.NewGCM(block); err != nil {
			return nil, nil, err
		}

		cipherWithTag := aesgcm.Seal(nil, iv, cek, nil)

		cipherText := cipherWithTag[:len(cipherWithTag)-aesgcm.Overhead()]
		authTag := cipherWithTag[len(cipherWithTag)-aesgcm.Overhead():]

		header["iv"] = base64url.Encode(iv)
		header["tag"] = base64url.Encode(authTag)

		return cek, cipherText, nil
	}

	return nil, nil, errors.New("AesGcmKW.WrapNewKey(): expected key to be '[]byte' array")
}
Exemple #4
0
func (alg *RsaOaep) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) {
	if pubKey, ok := key.(*rsa.PublicKey); ok {
		if cek, err = arrays.Random(cekSizeBits >> 3); err == nil {
			encryptedCek, err = rsa.EncryptOAEP(alg.sha(), rand.Reader, pubKey, cek, nil)
			return
		}

		return nil, nil, err
	}

	return nil, nil, errors.New("RsaOaep.WrapNewKey(): expected key to be '*rsa.PublicKey'")
}
Exemple #5
0
func (alg *AesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) {
	if kek, ok := key.([]byte); ok {

		kekSizeBits := len(kek) << 3

		if kekSizeBits != alg.keySizeBits {
			return nil, nil, errors.New(fmt.Sprintf("AesKW.WrapNewKey(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, kekSizeBits))
		}

		if cek, err = arrays.Random(cekSizeBits >> 3); err == nil {
			encryptedCek, err = aes.KeyWrap(cek, kek)
			return
		}

		return nil, nil, err

	}

	return nil, nil, errors.New("AesKW.WrapNewKey(): expected key to be '[]byte' array")
}
Exemple #6
0
func (alg *Pbse2HmacAesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) {
	if passphrase, ok := key.(string); ok {

		algId := []byte(header["alg"].(string))

		iterationCount := 8192
		var saltInput []byte

		if saltInput, err = arrays.Random(12); err != nil {
			return nil, nil, err
		}

		header["p2c"] = iterationCount
		header["p2s"] = base64url.Encode(saltInput)

		salt := arrays.Concat(algId, []byte{0}, saltInput)

		kek := kdf.DerivePBKDF2([]byte(passphrase), salt, iterationCount, alg.keySizeBits, alg.prf())
		return alg.aesKW.WrapNewKey(cekSizeBits, kek, header)
	}

	return nil, nil, errors.New("Pbse2HmacAesKW.WrapNewKey(): expected key to be 'string' array")
}