package
0.19.1-github
Repository: https://github.com/rguichard/pomerium.git
Documentation: pkg.go.dev

# Functions

CertificateFromBase64 returns an X509 pair from a base64 encoded blob.
CertificateFromFile, given a certificate file path and a key file path, returns an X509 keypair.
CheckHMAC securely checks the supplied MAC against a message using the shared secret key.
CheckPasswordHash securely compares a bcrypt hashed password with its possible plaintext equivalent.
CRLFromBase64 parses a certificate revocation list from a base64 encoded blob.
CRLFromFile parses a certificate revocation list from a file.
DecodeCRL decodes a PEM-encoded certificate revocation list.
DecodePrivateKey decodes a PEM-encoded ECDSA private key.
DecodePublicKey decodes a PEM-encoded ECDSA public key.
Decrypt a value with optional associated data.
EncodeCertificate encodes a TLS certificate into PEM compatible byte slices.
EncodePrivateKey encodes an ECDSA private key to PEM format.
EncodePublicKey encodes an ECDSA public key to PEM format.
Encrypt encrypts a value with optional associated data. Panics if the source of randomness fails.
GenerateDataEncryptionKey generates a new random data encryption key.
GenerateHMAC produces a symmetric signature using a shared secret key.
GenerateKeyEncryptionKey generates a new random key encryption key.
GenerateSecureToken generates a SecureToken from the given key, expiry and token.
GenerateSelfSignedCertificate generates a self-signed TLS certificate.
GetCertificateDomains gets all the certificate's matching domain names.
GetCertificateForDomain returns the tls Certificate which matches the given domain name.
GetCertPool gets a cert pool for the given CA or CAFile.
GetKeyEncryptionKeyID derives an id from the key encryption key data itself.
Hash generates a hash of data using HMAC-SHA-512/256.
HashPassword generates a bcrypt hash of the password using work factor 14.
HashProto hashes a protobuf message.
MarshalPKCS8PrivateKey wraps x509.MarshalPKCS8PrivateKey with added support for KeyEncryptionKeys.
MarshalPKIXPublicKey wraps x509.MarshalPKIXPublicKey with added support for KeyEncryptionKeys.
NewAEADCipher takes a secret key and returns a new XChaCha20-Poly1305 cipher.
NewAEADCipherFromBase64 takes a base64 encoded secret key and returns a new XChaCha20-Poly1305 cipher.
NewBase64Key generates a random base64 encoded 32-byte key.
NewDataEncryptionKey returns a new DataEncryptionKey from existing bytes.
NewDataEncryptionKeyCache creates a new DataEncryptionKeyCache.
NewKey generates a random 32-byte (256 bit) key.
NewPrivateKeyEncryptionKey creates a new encryption key from existing bytes.
NewPublicKeyEncryptionKey creates a new encryption key from existing bytes.
NewPublicKeyEncryptionKeyWithID creates a new encryption key from an existing id and bytes.
NewRandomStringN returns base64 encoded random string of a given num of bytes.
NewRandomToken returns a new random Token (via a random UUID).
NewRandomUInt32 returns a random uint32.
NewRandomUInt64 returns a random uint64.
NewSigningKey generates a random P-256 ECDSA private key.
ParsePEMCertificate parses a PEM encoded certificate block.
ParsePEMCertificateFromBase64 parses a PEM encoded certificate block from a base64 encoded string.
ParsePEMCertificateFromFile decodes a PEM certificate from a file.
ParsePKCS8PrivateKey wraps x509.ParsePKCS8PrivateKey with added support for KeyEncryptionKeys.
ParsePKIXPublicKey wraps x509.ParsePKIXPublicKey with added support for KeyEncryptionKeys.
PrivateJWKFromBytes returns a jose JSON Web _Private_ Key from bytes.
PublicJWKFromBytes returns a jose JSON Web _Public_ Key from bytes.
SecretTokenFromString parses a base58-encoded string into a secret token.
SecureTokenFromString parses a base58-encoded string into a SecureToken.
Sign signs arbitrary data using ECDSA.
SignatureAlgorithmForKey returns the signature algorithm for the given key.
TokenFromString parses a base58-encoded string into a token.
ValidTimestamp is a helper function often used in conjunction with an HMAC function to verify that a timestamp (in unix seconds) is within the leeway period.
Verify checks a raw ECDSA signature.

# Constants

DataEncryptionKeyCacheSize is the number of DEKs to keep in the LRU cache.
DataEncryptionKeySize is the size of a data encryption key.
DefaultKeySize is the default key size in bytes.
DefaultLeeway defines the default leeway for matching NotBefore/Expiry claims.
KeyEncryptionKeySize is the size of a key encryption key.
SecureTokenHMACLength is the length of the HMAC part of the SecureToken.
SecureTokenLength is the byte length of a SecureToken.
SecureTokenTimeLength is the length of the time part of the SecureToken.
TokenLength is the length of a token.

# Variables

errors related to the SecureToken.

# Structs

A DataEncryptionKey is an XChaCha20-Poly1305 symmetric encryption key.
A DataEncryptionKeyCache caches recently used data encryption keys based on their encrypted representation.
PrivateKeyEncryptionKey is a Curve25519 asymmetric private encryption key used to decrypt data encryption keys.
PublicKeyEncryptionKey is a Curve25519 asymmetric public encryption key used to encrypt data encryption keys.
A SecretToken is made up of an id and a secret.

# Interfaces

A KeyEncryptionKey (KEK) is used to implement *envelope encryption*, similar to how data is stored at rest with AWS or Google Cloud:

- AWS: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping
- Google Cloud: https://cloud.google.com/kms/docs/envelope-encryption

Data is encrypted with a data encryption key (DEK); the DEK is itself encrypted with the KEK and stored next to the data, so only the KEK has to be kept out of the data store.
A KeyEncryptionKeySource gets private key encryption keys based on their id.
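
As an added worked example (not code from Pomerium or from this package), the envelope scheme described above in plain Go: a fresh DEK seals each record, the KEK seals the DEK, and the wrapped DEK is stored beside the ciphertext together with an id derived from the KEK bytes so the right KEK can be looked up, KeyEncryptionKeySource-style, at decryption time. It substitutes AES-256-GCM from the standard library for the package's XChaCha20-Poly1305 DEKs and Curve25519 KEKs, the id derivation (a SHA-256 prefix) is an assumption, and the Envelope, KEKSource, Encrypt, Decrypt and Rewrap names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Envelope is what is stored at rest: data under a DEK, that DEK under a KEK, and the KEK's id.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// KEKSource resolves a KEK by id (the KeyEncryptionKeySource idea).
type KEKSource func(id string) ([]byte, error)

// keyID derives an id from the key bytes, as GetKeyEncryptionKeyID is described (SHA-256 prefix assumed).
func keyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// newAEAD builds AES-256-GCM from a 32-byte key; it stands in for XChaCha20-Poly1305/Curve25519 (stdlib only).
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}

// seal prepends a fresh random nonce; like the page's Encrypt it panics if randomness fails.
func seal(aead cipher.AEAD, plaintext, ad []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, ad)
}

// open reverses seal; a bad tag, wrong key or wrong associated data fails.
func open(aead cipher.AEAD, data, ad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(data) >= n {
		return aead.Open(nil, data[:n], data[n:], ad)
	}
	return nil, errors.New("ciphertext too short")
}

// wrapDEK seals the DEK under the KEK, with the KEK id as associated data so an envelope cannot be relabelled.
func wrapDEK(kek, dek []byte) (id string, wrapped []byte) {
	id = keyID(kek)
	return id, seal(newAEAD(kek), dek, []byte(id))
}

// unwrapDEK looks up the KEK named in the envelope and recovers the DEK.
func unwrapDEK(src KEKSource, env *Envelope) ([]byte, error) {
	kek, err := src(env.KEKID)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(kek), env.WrappedDEK, []byte(env.KEKID))
}

// Encrypt generates a fresh DEK, seals the data under it, then wraps the DEK.
func Encrypt(kek, plaintext []byte) *Envelope {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		panic(err)
	}
	id, wrapped := wrapDEK(kek, dek)
	ct := seal(newAEAD(dek), plaintext, nil)
	return &Envelope{KEKID: id, WrappedDEK: wrapped, Ciphertext: ct}
}

// Decrypt unwraps the DEK, then opens the data ciphertext with it.
func Decrypt(src KEKSource, env *Envelope) ([]byte, error) {
	dek, err := unwrapDEK(src, env)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(dek), env.Ciphertext, nil)
}

// Rewrap rotates to a new KEK without touching the data ciphertext: only the 32-byte DEK is re-sealed.
func Rewrap(src KEKSource, newKEK []byte, env *Envelope) (*Envelope, error) {
	dek, err := unwrapDEK(src, env)
	if err != nil {
		return nil, err
	}
	id, wrapped := wrapDEK(newKEK, dek)
	return &Envelope{KEKID: id, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}
```

Rewrap is where the scheme pays off: rotating a KEK re-encrypts 32 bytes per record rather than the record itself. Binding the KEK id as associated data means that someone who can edit stored metadata cannot point an envelope at a different KEK and still have it authenticate, and an unknown id is rejected by the source before any cipher is built.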

# Type aliases

A KeyEncryptionKeySourceFunc implements the KeyEncryptionKeySource interface using a function.
A SecureToken is an HMAC'd Token with an expiration time.
A Token is a globally unique identifier.
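
An added example, not the package's own code, of the SecureToken described above (and of pairing an HMAC with a timestamp check, as ValidTimestamp is described): a 16-byte random Token is concatenated with a big-endian unix expiry and an HMAC-SHA256 tag over both, and verification checks the length, then the tag in constant time, and only then the expiry with a clock-skew leeway. The byte layout, the 5-minute DefaultLeeway value and the use of base64url in place of the package's base58 encoding are assumptions; the function and error names are this example's own, chosen to mirror the index.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"io"
	"time"
)

// Layout assumed for this example: token || big-endian unix expiry || HMAC-SHA256 tag.
// The page names these constants but does not give their values.
const (
	TokenLength           = 16 // a Token is UUID-sized: 16 random bytes
	SecureTokenTimeLength = 8
	SecureTokenHMACLength = sha256.Size
	SecureTokenLength     = TokenLength + SecureTokenTimeLength + SecureTokenHMACLength
	DefaultLeeway         = 5 * time.Minute // assumed value
)

var (
	ErrSecureTokenLength  = errors.New("secure token: wrong length")
	ErrSecureTokenMAC     = errors.New("secure token: invalid mac")
	ErrSecureTokenExpired = errors.New("secure token: expired")
)

// Token is a globally unique identifier.
type Token [TokenLength]byte

// NewRandomToken fills a Token from the system CSPRNG; it panics if that fails.
func NewRandomToken() Token {
	var t Token
	if _, err := io.ReadFull(rand.Reader, t[:]); err != nil {
		panic(err)
	}
	return t
}

// GenerateSecureToken returns token || expiry || HMAC(key, token || expiry).
func GenerateSecureToken(key []byte, tok Token, expiry time.Time) []byte {
	buf := make([]byte, 0, SecureTokenLength)
	buf = append(buf, tok[:]...)
	var ts [SecureTokenTimeLength]byte
	binary.BigEndian.PutUint64(ts[:], uint64(expiry.Unix()))
	buf = append(buf, ts[:]...)
	mac := hmac.New(sha256.New, key)
	mac.Write(buf)
	return mac.Sum(buf) // appends the tag to buf
}

// VerifySecureToken checks the length, then the tag in constant time, and only
// then the expiry, so no unauthenticated field ever influences a decision.
// leeway tolerates clock skew between issuer and verifier.
func VerifySecureToken(key, raw []byte, now time.Time, leeway time.Duration) (Token, error) {
	var tok Token
	if len(raw) != SecureTokenLength {
		return tok, ErrSecureTokenLength
	}
	split := TokenLength + SecureTokenTimeLength
	body, tag := raw[:split], raw[split:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return tok, ErrSecureTokenMAC
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(body[TokenLength:])), 0)
	if Expired(expiry, now, leeway) {
		return tok, ErrSecureTokenExpired
	}
	copy(tok[:], body[:TokenLength])
	return tok, nil
}

// Expired reports whether now is past expiry by more than leeway.
func Expired(expiry, now time.Time, leeway time.Duration) bool {
	return now.After(expiry.Add(leeway))
}

// The page's tokens travel as base58 strings; base64url stands in here because
// base58 is not in the standard library.
func SecureTokenToString(raw []byte) string {
	return base64.RawURLEncoding.EncodeToString(raw)
}

// SecureTokenFromString decodes and length-checks a token before any MAC work.
func SecureTokenFromString(s string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	if len(raw) != SecureTokenLength {
		return nil, ErrSecureTokenLength
	}
	return raw, nil
}
```

The ordering in VerifySecureToken is the security-relevant part: the expiry bytes are parsed only after the tag has been checked, so an attacker cannot push the expiry into the future without also forging the HMAC, and a wrong-length input is rejected before any key material is touched.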