github.com/zebozhuang/go@v0.0.0-20200207033046-f8a98f6f5c5d/src/crypto/cipher/example_test.go (about) 1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package cipher_test 6 7 import ( 8 "crypto/aes" 9 "crypto/cipher" 10 "crypto/rand" 11 "encoding/hex" 12 "fmt" 13 "io" 14 "os" 15 ) 16 17 func ExampleNewGCM_encrypt() { 18 // The key argument should be the AES key, either 16 or 32 bytes 19 // to select AES-128 or AES-256. 20 key := []byte("AES256Key-32Characters1234567890") 21 plaintext := []byte("exampleplaintext") 22 23 block, err := aes.NewCipher(key) 24 if err != nil { 25 panic(err.Error()) 26 } 27 28 // Never use more than 2^32 random nonces with a given key because of the risk of a repeat. 29 nonce := make([]byte, 12) 30 if _, err := io.ReadFull(rand.Reader, nonce); err != nil { 31 panic(err.Error()) 32 } 33 34 aesgcm, err := cipher.NewGCM(block) 35 if err != nil { 36 panic(err.Error()) 37 } 38 39 ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil) 40 fmt.Printf("%x\n", ciphertext) 41 } 42 43 func ExampleNewGCM_decrypt() { 44 // The key argument should be the AES key, either 16 or 32 bytes 45 // to select AES-128 or AES-256. 46 key := []byte("AES256Key-32Characters1234567890") 47 ciphertext, _ := hex.DecodeString("1019aa66cd7c024f9efd0038899dae1973ee69427f5a6579eba292ffe1b5a260") 48 49 nonce, _ := hex.DecodeString("37b8e8a308c354048d245f6d") 50 51 block, err := aes.NewCipher(key) 52 if err != nil { 53 panic(err.Error()) 54 } 55 56 aesgcm, err := cipher.NewGCM(block) 57 if err != nil { 58 panic(err.Error()) 59 } 60 61 plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil) 62 if err != nil { 63 panic(err.Error()) 64 } 65 66 fmt.Printf("%s\n", plaintext) 67 // Output: exampleplaintext 68 } 69 70 func ExampleNewCBCDecrypter() { 71 key := []byte("example key 1234") 72 ciphertext, _ := hex.DecodeString("f363f3ccdcb12bb883abf484ba77d9cd7d32b5baecb3d4b1b3e0e4beffdb3ded") 73 74 block, err := aes.NewCipher(key) 75 if err != nil { 76 panic(err) 77 } 78 79 // The IV needs to be unique, but not secure. Therefore it's common to 80 // include it at the beginning of the ciphertext. 81 if len(ciphertext) < aes.BlockSize { 82 panic("ciphertext too short") 83 } 84 iv := ciphertext[:aes.BlockSize] 85 ciphertext = ciphertext[aes.BlockSize:] 86 87 // CBC mode always works in whole blocks. 88 if len(ciphertext)%aes.BlockSize != 0 { 89 panic("ciphertext is not a multiple of the block size") 90 } 91 92 mode := cipher.NewCBCDecrypter(block, iv) 93 94 // CryptBlocks can work in-place if the two arguments are the same. 95 mode.CryptBlocks(ciphertext, ciphertext) 96 97 // If the original plaintext lengths are not a multiple of the block 98 // size, padding would have to be added when encrypting, which would be 99 // removed at this point. For an example, see 100 // https://tools.ietf.org/html/rfc5246#section-6.2.3.2. However, it's 101 // critical to note that ciphertexts must be authenticated (i.e. by 102 // using crypto/hmac) before being decrypted in order to avoid creating 103 // a padding oracle. 104 105 fmt.Printf("%s\n", ciphertext) 106 // Output: exampleplaintext 107 } 108 109 func ExampleNewCBCEncrypter() { 110 key := []byte("example key 1234") 111 plaintext := []byte("exampleplaintext") 112 113 // CBC mode works on blocks so plaintexts may need to be padded to the 114 // next whole block. For an example of such padding, see 115 // https://tools.ietf.org/html/rfc5246#section-6.2.3.2. Here we'll 116 // assume that the plaintext is already of the correct length. 117 if len(plaintext)%aes.BlockSize != 0 { 118 panic("plaintext is not a multiple of the block size") 119 } 120 121 block, err := aes.NewCipher(key) 122 if err != nil { 123 panic(err) 124 } 125 126 // The IV needs to be unique, but not secure. Therefore it's common to 127 // include it at the beginning of the ciphertext. 128 ciphertext := make([]byte, aes.BlockSize+len(plaintext)) 129 iv := ciphertext[:aes.BlockSize] 130 if _, err := io.ReadFull(rand.Reader, iv); err != nil { 131 panic(err) 132 } 133 134 mode := cipher.NewCBCEncrypter(block, iv) 135 mode.CryptBlocks(ciphertext[aes.BlockSize:], plaintext) 136 137 // It's important to remember that ciphertexts must be authenticated 138 // (i.e. by using crypto/hmac) as well as being encrypted in order to 139 // be secure. 140 141 fmt.Printf("%x\n", ciphertext) 142 } 143 144 func ExampleNewCFBDecrypter() { 145 key := []byte("example key 1234") 146 ciphertext, _ := hex.DecodeString("22277966616d9bc47177bd02603d08c9a67d5380d0fe8cf3b44438dff7b9") 147 148 block, err := aes.NewCipher(key) 149 if err != nil { 150 panic(err) 151 } 152 153 // The IV needs to be unique, but not secure. Therefore it's common to 154 // include it at the beginning of the ciphertext. 155 if len(ciphertext) < aes.BlockSize { 156 panic("ciphertext too short") 157 } 158 iv := ciphertext[:aes.BlockSize] 159 ciphertext = ciphertext[aes.BlockSize:] 160 161 stream := cipher.NewCFBDecrypter(block, iv) 162 163 // XORKeyStream can work in-place if the two arguments are the same. 164 stream.XORKeyStream(ciphertext, ciphertext) 165 fmt.Printf("%s", ciphertext) 166 // Output: some plaintext 167 } 168 169 func ExampleNewCFBEncrypter() { 170 key := []byte("example key 1234") 171 plaintext := []byte("some plaintext") 172 173 block, err := aes.NewCipher(key) 174 if err != nil { 175 panic(err) 176 } 177 178 // The IV needs to be unique, but not secure. Therefore it's common to 179 // include it at the beginning of the ciphertext. 180 ciphertext := make([]byte, aes.BlockSize+len(plaintext)) 181 iv := ciphertext[:aes.BlockSize] 182 if _, err := io.ReadFull(rand.Reader, iv); err != nil { 183 panic(err) 184 } 185 186 stream := cipher.NewCFBEncrypter(block, iv) 187 stream.XORKeyStream(ciphertext[aes.BlockSize:], plaintext) 188 189 // It's important to remember that ciphertexts must be authenticated 190 // (i.e. by using crypto/hmac) as well as being encrypted in order to 191 // be secure. 192 } 193 194 func ExampleNewCTR() { 195 key := []byte("example key 1234") 196 plaintext := []byte("some plaintext") 197 198 block, err := aes.NewCipher(key) 199 if err != nil { 200 panic(err) 201 } 202 203 // The IV needs to be unique, but not secure. Therefore it's common to 204 // include it at the beginning of the ciphertext. 205 ciphertext := make([]byte, aes.BlockSize+len(plaintext)) 206 iv := ciphertext[:aes.BlockSize] 207 if _, err := io.ReadFull(rand.Reader, iv); err != nil { 208 panic(err) 209 } 210 211 stream := cipher.NewCTR(block, iv) 212 stream.XORKeyStream(ciphertext[aes.BlockSize:], plaintext) 213 214 // It's important to remember that ciphertexts must be authenticated 215 // (i.e. by using crypto/hmac) as well as being encrypted in order to 216 // be secure. 217 218 // CTR mode is the same for both encryption and decryption, so we can 219 // also decrypt that ciphertext with NewCTR. 220 221 plaintext2 := make([]byte, len(plaintext)) 222 stream = cipher.NewCTR(block, iv) 223 stream.XORKeyStream(plaintext2, ciphertext[aes.BlockSize:]) 224 225 fmt.Printf("%s\n", plaintext2) 226 // Output: some plaintext 227 } 228 229 func ExampleNewOFB() { 230 key := []byte("example key 1234") 231 plaintext := []byte("some plaintext") 232 233 block, err := aes.NewCipher(key) 234 if err != nil { 235 panic(err) 236 } 237 238 // The IV needs to be unique, but not secure. Therefore it's common to 239 // include it at the beginning of the ciphertext. 240 ciphertext := make([]byte, aes.BlockSize+len(plaintext)) 241 iv := ciphertext[:aes.BlockSize] 242 if _, err := io.ReadFull(rand.Reader, iv); err != nil { 243 panic(err) 244 } 245 246 stream := cipher.NewOFB(block, iv) 247 stream.XORKeyStream(ciphertext[aes.BlockSize:], plaintext) 248 249 // It's important to remember that ciphertexts must be authenticated 250 // (i.e. by using crypto/hmac) as well as being encrypted in order to 251 // be secure. 252 253 // OFB mode is the same for both encryption and decryption, so we can 254 // also decrypt that ciphertext with NewOFB. 255 256 plaintext2 := make([]byte, len(plaintext)) 257 stream = cipher.NewOFB(block, iv) 258 stream.XORKeyStream(plaintext2, ciphertext[aes.BlockSize:]) 259 260 fmt.Printf("%s\n", plaintext2) 261 // Output: some plaintext 262 } 263 264 func ExampleStreamReader() { 265 key := []byte("example key 1234") 266 267 inFile, err := os.Open("encrypted-file") 268 if err != nil { 269 panic(err) 270 } 271 defer inFile.Close() 272 273 block, err := aes.NewCipher(key) 274 if err != nil { 275 panic(err) 276 } 277 278 // If the key is unique for each ciphertext, then it's ok to use a zero 279 // IV. 280 var iv [aes.BlockSize]byte 281 stream := cipher.NewOFB(block, iv[:]) 282 283 outFile, err := os.OpenFile("decrypted-file", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) 284 if err != nil { 285 panic(err) 286 } 287 defer outFile.Close() 288 289 reader := &cipher.StreamReader{S: stream, R: inFile} 290 // Copy the input file to the output file, decrypting as we go. 291 if _, err := io.Copy(outFile, reader); err != nil { 292 panic(err) 293 } 294 295 // Note that this example is simplistic in that it omits any 296 // authentication of the encrypted data. If you were actually to use 297 // StreamReader in this manner, an attacker could flip arbitrary bits in 298 // the output. 299 } 300 301 func ExampleStreamWriter() { 302 key := []byte("example key 1234") 303 304 inFile, err := os.Open("plaintext-file") 305 if err != nil { 306 panic(err) 307 } 308 defer inFile.Close() 309 310 block, err := aes.NewCipher(key) 311 if err != nil { 312 panic(err) 313 } 314 315 // If the key is unique for each ciphertext, then it's ok to use a zero 316 // IV. 317 var iv [aes.BlockSize]byte 318 stream := cipher.NewOFB(block, iv[:]) 319 320 outFile, err := os.OpenFile("encrypted-file", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) 321 if err != nil { 322 panic(err) 323 } 324 defer outFile.Close() 325 326 writer := &cipher.StreamWriter{S: stream, W: outFile} 327 // Copy the input file to the output file, encrypting as we go. 328 if _, err := io.Copy(writer, inFile); err != nil { 329 panic(err) 330 } 331 332 // Note that this example is simplistic in that it omits any 333 // authentication of the encrypted data. If you were actually to use 334 // StreamReader in this manner, an attacker could flip arbitrary bits in 335 // the decrypted result. 336 }