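/*
Copyright SecureKey Technologies Inc. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package crypto

// wrapKeyOpts holds the optional inputs to the Crypto key wrapping functions.
// It is populated through the WrapKeyOpts functions below and read by Crypto
// implementations through the getters.
type wrapKeyOpts struct {
	senderKey  interface{} // sender key for authcrypt (ECDH-1PU); nil when the option is not set
	useXC20PKW bool        // true selects XC20P key wrapping instead of the default A256KW
	tag        []byte      // authentication tag passed to the wrapping function; nil when not set
	epk        *PrivateKey // predefined ephemeral key; nil when not set
}

// NewOpt creates a new empty wrap key option.
// Not to be used directly. It's intended for implementations of Crypto interface
// Use WithSender() option function below instead.
func NewOpt() *wrapKeyOpts { // nolint // unexported type doesn't need to be used outside of crypto package
	return &wrapKeyOpts{}
}

// SenderKey gets the Sender key to be used for key wrapping using a sender key (authcrypt).
// Not to be used directly. It's intended for implementations of Crypto interface.
// Use WithSender() option function below instead.
func (pk *wrapKeyOpts) SenderKey() interface{} {
	return pk.senderKey
}

// UseXC20PKW instructs to use XC20P key wrapping as opposed to the default A256KW.
func (pk *wrapKeyOpts) UseXC20PKW() bool {
	return pk.useXC20PKW
}

// Tag used to authenticate the sender. The returned slice is the option's own copy of the
// bytes given to WithTag(); it is nil when no tag option was applied.
func (pk *wrapKeyOpts) Tag() []byte {
	return pk.tag
}

// EPK predefined ephemeral key to be used in key wrapping. Nil when no EPK option was applied.
func (pk *wrapKeyOpts) EPK() *PrivateKey {
	return pk.epk
}

// WrapKeyOpts are the crypto.Wrap key options.
type WrapKeyOpts func(opts *wrapKeyOpts)

// WithSender option is for setting a sender key with crypto wrapping (eg: AuthCrypt). For Anoncrypt,
// this option must not be set.
// Sender is a key used for ECDH-1PU key agreement for authenticating the sender.
// senderKey can be of the following three types:
//   - *keyset.Handle (requires private key handle for crypto.WrapKey())
//   - *crypto.PublicKey (available for UnwrapKey() only)
//   - *ecdsa.PublicKey (available for UnwrapKey() only)
func WithSender(senderKey interface{}) WrapKeyOpts {
	return func(opts *wrapKeyOpts) {
		opts.senderKey = senderKey
	}
}

// WithXC20PKW option is a flag option for crypto wrapping. When used, key wrapping will use XChacha20Poly1305
// encryption as key wrapping. The absence of this option (default) uses AES256-GCM encryption as key wrapping. The KDF
// used in the crypto wrapping function is selected based on the type of recipient key argument of KeyWrap(), it is
// independent of this option.
func WithXC20PKW() WrapKeyOpts {
	return func(opts *wrapKeyOpts) {
		opts.useXC20PKW = true
	}
}

// WithTag option is to instruct the key wrapping function of the authentication tag to be used in the wrapping process.
// It is mainly used with CBC+HMAC content encryption to authenticate the sender of an encrypted JWE message (ie
// authcrypt/ECDH-1PU). The absence of this option means the sender's identity is not revealed (ie anoncrypt/ECDH-ES).
//
// The tag bytes are copied when WithTag() is called, so a caller that later reuses or modifies its buffer cannot
// change the tag the wrapping function authenticates with. A nil tag is kept as nil so that "no tag supplied"
// remains distinguishable from an empty tag.
func WithTag(tag []byte) WrapKeyOpts {
	var tagCopy []byte
	if tag != nil {
		// Snapshot the caller's bytes now rather than aliasing the caller's slice.
		tagCopy = make([]byte, len(tag))
		copy(tagCopy, tag)
	}

	return func(opts *wrapKeyOpts) {
		opts.tag = tagCopy
	}
}

// WithEPK option is to instruct the key wrapping function of the ephemeral key to be used in the wrapping process.
// It is mainly used for ECDH-1PU during KDF. This option allows passing a predefined EPK instead of generating a new
// one when wrapping. It is useful for Wrap() call only since Unwrap() already uses a predefined EPK. The absence of
// this option means a new EPK will be generated internally.
func WithEPK(epk *PrivateKey) WrapKeyOpts {
	return func(opts *wrapKeyOpts) {
		opts.epk = epk
	}
}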