Documentation
Index ¶
- Constants
- func DecryptObjectDeterministic(ct []byte, context string, dek []byte) ([]byte, error)
- func DecryptObjectLinearOPE(ct []byte, dek []byte) (uint64, error)
- func DecryptObjectProbabilistic(ct []byte, dek []byte) ([]byte, error)
- func EncryptObjectDeterministic(pt []byte, context string, dek []byte) ([]byte, error)
- func EncryptObjectLinearOPE(plaintext uint64, dek []byte) ([]byte, error)
- func EncryptObjectProbabilistic(pt []byte, dek []byte) ([]byte, error)
- func GenerateEphemeralKeypair() (clientPriv [32]byte, clientPub [32]byte, clientPubB64 string, err error)
- func UnwrapSingleDEK(ctx context.Context, endpoint string, wrappedDEKB64 string, nonceB64 string, ...) ([]byte, error)
- type EnclaveSecureSession
- func (ess *EnclaveSecureSession) Close()
- func (ess *EnclaveSecureSession) GenerateDEK(ctx context.Context, keyID string, count int) (generatedDEKs []GeneratedDEK, err error)
- func (ess *EnclaveSecureSession) GetAttestationInfo() map[string]any
- func (ess *EnclaveSecureSession) SessionUnwrap(ctx context.Context, items []enclaveproto.SessionUnwrapItem, keyID string) (enclaveproto.SessionUnwrapResponse, error)
- func (ess *EnclaveSecureSession) UnsealDEK(ctx context.Context, encryptedDEKB64 string, nonceB64 string, objectID string) ([]byte, error)
- type GeneratedDEK
- type SessionConfig
Constants ¶
// Key and nonce sizes used by the AES-GCM object encryption helpers in this package.
const (
	AESKeySize   = 32 // 256-bit AES key size
	GMCNonceSize = 12 // GCM standard nonce size (NOTE(review): identifier reads "GMC" while the comment says GCM — confirm the spelling is intended before callers depend on it)
)
Variables ¶
This section is empty.
Functions ¶
func DecryptObjectLinearOPE ¶
DecryptObjectLinearOPE decrypts data encrypted with EncryptObjectLinearOPE. It performs the inverse linear transformation: pt = (ct - b) / a.
func EncryptObjectLinearOPE ¶
WARNING: this scheme is trivially breakable with known-plaintext attacks. TODO: replace it with a more secure OPE scheme.
Ciphertext (ct) format: the encrypted value, 8 bytes.
Types ¶
type EnclaveSecureSession ¶
// EnclaveSecureSession holds the client side of an attested session with an
// enclave: the client's ephemeral x25519 keypair, the enclave's ephemeral
// public key, the derived session key and the attestation document received
// during session setup. Close zeros out sensitive data; until Close is called
// the exported ClientPriv and SessionKey fields expose raw key material to any
// code holding the struct, so do not copy or log them.
type EnclaveSecureSession struct {
	SessionId     string    // Base64-encoded
	ClientPriv    [32]byte  // x25519 private key — sensitive; presumably zeroed by Close (confirm)
	ClientPub     [32]byte  // x25519 public key
	EnclavePubRaw []byte    // enclave's ephemeral public key (decoded)
	SessionKey    []byte    // derived session key — sensitive; presumably zeroed by Close (confirm)
	ExpiresAt     time.Time // NOTE(review): presumably the session expiry; whether callers or the methods enforce it is not visible here — confirm
	AttestationB64      string // Base64-encoded attestation document
	ExpectedNonceB64    string // Base64-encoded expected nonce for attestation (presumably the nonce the client sent, to bind the document to this session — confirm against InitEnclaveSecureSession)
	AttestationVerified bool   // NOTE(review): presumably true only after the attestation document was verified — confirm before gating on it
	AttestationResult   *verificationResult // result of attestation verification (unexported type; see GetAttestationInfo for the exported view)
	// contains filtered or unexported fields
}
func InitEnclaveSecureSession ¶ added in v0.0.2
func InitEnclaveSecureSession(ctx context.Context, config SessionConfig) (*EnclaveSecureSession, error)
func (*EnclaveSecureSession) Close ¶
func (ess *EnclaveSecureSession) Close()
Close zeros out the session's sensitive data.
func (*EnclaveSecureSession) GenerateDEK ¶
func (ess *EnclaveSecureSession) GenerateDEK(ctx context.Context, keyID string, count int) (generatedDEKs []GeneratedDEK, err error)
func (*EnclaveSecureSession) GetAttestationInfo ¶
func (ess *EnclaveSecureSession) GetAttestationInfo() map[string]any
func (*EnclaveSecureSession) SessionUnwrap ¶
func (ess *EnclaveSecureSession) SessionUnwrap(ctx context.Context, items []enclaveproto.SessionUnwrapItem, keyID string) (enclaveproto.SessionUnwrapResponse, error)
type GeneratedDEK ¶ added in v0.0.2
type SessionConfig ¶
// SessionConfig configures InitEnclaveSecureSession: where the proxy is
// reached, what the enclave's attestation document must contain, and how
// strictly it is checked.
type SessionConfig struct {
	// base URL of the proxy server
	Endpoint string
	// PCR values you expect from the enclave
	// Key: PCR index; Value: hex-encoded PCR hash
	// Note: use "nitro-cli describe-eif --eif-path enclave.eif" to get these
	// Presumably only consulted when VerifyPCRs is true — confirm in InitEnclaveSecureSession.
	ExpectedPCRs map[uint]string
	// AWS Nitro Root CA certificate (optional)
	// NOTE(review): what is trusted when this is nil (an embedded root?) is not visible here — confirm before relying on the default.
	RootCA *x509.Certificate
	// Maximum age of the attestation document
	// Bounds how long a previously issued attestation document remains acceptable;
	// the meaning of a zero value is not visible here — confirm.
	MaxAttestationAge time.Duration
	// Whether to verify PCR values
	// Set to false during development, true in production
	// When false the enclave's PCR measurements are not compared against ExpectedPCRs,
	// so the session is not pinned to a specific enclave image.
	VerifyPCRs bool
	// HTTPTimeout for requests
	// NOTE(review): behaviour at zero (no timeout vs. a default) is not visible here — confirm.
	HTTPTimeout time.Duration
}