1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
|
ns: crypto
preamble: |
A set of crypto-related functions to be able to perform hashing and (simple!)
encryption operations with `gomplate`.
_Note: These functions are mostly wrappers of existing functions in the Go
standard library. The authors of gomplate are not cryptographic experts,
however, and so can not guarantee correctness of implementation. It is
recommended to have your resident security experts inspect gomplate's code
before using gomplate for critical security infrastructure!_
funcs:
- name: crypto.Bcrypt
description: |
Uses the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) password hashing algorithm to generate the hash of a given string. Wraps the [`golang.org/x/crypto/brypt`](https://godoc.org/golang.org/x/crypto/bcrypt) package.
pipeline: true
arguments:
- name: cost
required: false
description: the cost, as a number from `4` to `31` - defaults to `10`
- name: input
required: true
description: the input to hash, usually a password
examples:
- |
$ gomplate -i '{{ "foo" | crypto.Bcrypt }}'
$2a$10$jO8nKZ1etGkKK7I3.vPti.fYDAiBqwazQZLUhaFoMN7MaLhTP0SLy
- |
$ gomplate -i '{{ crypto.Bcrypt 4 "foo" }}
$2a$04$zjba3N38sjyYsw0Y7IRCme1H4gD0MJxH8Ixai0/sgsrf7s1MFUK1C
- name: crypto.PBKDF2
description: |
Run the Password-Based Key Derivation Function #2 as defined in
[RFC 8018 (PKCS #5 v2.1)](https://tools.ietf.org/html/rfc8018#section-5.2).
This function outputs the binary result as a hexadecimal string.
pipeline: false
arguments:
- name: password
required: true
description: the password to use to derive the key
- name: salt
required: true
description: the salt
- name: iter
required: true
description: iteration count
- name: keylen
required: true
description: desired length of derived key
- name: hashfunc
required: false
description: the hash function to use - must be one of the allowed functions (either in the SHA-1 or SHA-2 sets). Defaults to `SHA-1`
examples:
- |
$ gomplate -i '{{ crypto.PBKDF2 "foo" "bar" 1024 8 }}'
32c4907c3c80792b
- name: crypto.RSADecrypt
experimental: true
description: |
Decrypt an RSA-encrypted input and print the output as a string. Note that
this may result in unreadable text if the decrypted payload is binary. See
[`crypto.RSADecryptBytes`](#crypto.RSADecryptBytes) for a safer method.
The private key must be a PEM-encoded RSA private key in PKCS#1, ASN.1 DER
form, which typically begins with `-----BEGIN RSA PRIVATE KEY-----`.
The input text must be plain ciphertext, as a byte array, or safely
convertible to a byte array. To decrypt base64-encoded input, you must
first decode with the [`base64.DecodeBytes`](../base64/#base64.DecodeBytes)
function.
pipeline: true
arguments:
- name: key
required: true
description: the private key to decrypt the input with
- name: input
required: true
description: the encrypted input
examples:
- |
$ gomplate -c pubKey=./testPubKey -c privKey=./testPrivKey \
-i '{{ $enc := "hello" | crypto.RSAEncrypt .pubKey -}}
{{ crypto.RSADecrypt .privKey $enc }}'
hello
- |
$ export ENCRYPTED="ScTcX1NZ6p/EeDIf6R7FKLcDFjvP98YgiBhyhPE4jtehajIyTKP1GL8C72qbAWrgdQ6A2cSVjoyo3viqf/PZxpcBDUUMDJuemTaJqUUjMWaDuPG37mQbmRtcvFTuUhw1qSbKyHorDOgTX5d4DvWV4otycGtBT6dXhnmmb5V72J/w3z68vtTJ21m9wREFD7LrYVHdFFtRZiIyMBAF0ngQ+hcujrxilnmgzPkEAg6E7Ccctn28Ie2c4CojrwRbNNxXNlIWCCkC/8Vq8qlDfZ70a+BsTmJDuScE6BZbTyteo9uGYrLn+bTIHNDj90AeLCKUTyWLUJ5Edi9LhlKVBoJUNQ=="
$ gomplate -c ciphertext=env:///ENCRYPTED -c privKey=./testPrivKey \
-i '{{ base64.DecodeBytes .ciphertext | crypto.RSADecrypt .privKey }}'
hello
- name: crypto.RSADecryptBytes
experimental: true
description: |
Decrypt an RSA-encrypted input and output the decrypted byte array.
The private key must be a PEM-encoded RSA private key in PKCS#1, ASN.1 DER
form, which typically begins with `-----BEGIN RSA PRIVATE KEY-----`.
The input text must be plain ciphertext, as a byte array, or safely
convertible to a byte array. To decrypt base64-encoded input, you must
first decode with the [`base64.DecodeBytes`](../base64/#base64.DecodeBytes)
function.
See [`crypto.RSADecrypt`](#crypto.RSADecrypt) for a function that outputs
a string.
pipeline: true
arguments:
- name: key
required: true
description: the private key to decrypt the input with
- name: input
required: true
description: the encrypted input
examples:
- |
$ gomplate -c pubKey=./testPubKey -c privKey=./testPrivKey \
-i '{{ $enc := "hello" | crypto.RSAEncrypt .pubKey -}}
{{ crypto.RSADecryptBytes .privKey $enc }}'
[104 101 108 108 111]
- |
$ gomplate -c pubKey=./testPubKey -c privKey=./testPrivKey \
-i '{{ $enc := "hello" | crypto.RSAEncrypt .pubKey -}}
{{ crypto.RSADecryptBytes .privKey $enc | conv.ToString }}'
hello
- name: crypto.RSAEncrypt
experimental: true
description: |
Encrypt the input with RSA and the padding scheme from PKCS#1 v1.5.
This function is suitable for encrypting data that will be decrypted by
[Terraform's `rsadecrypt` function](https://www.terraform.io/docs/configuration/functions/rsadecrypt.html).
The key should be a PEM-encoded RSA public key in PKIX ASN.1 DER form,
which typically begins with `BEGIN PUBLIC KEY`. RSA public keys in PKCS#1
ASN.1 DER form are also supported (beginning with `RSA PUBLIC KEY`).
The output will not be encoded, so consider
[base64-encoding](../base64/#base64.Encode) it for display.
_Note:_ Output encrypted with this function will _not_ be deterministic,
so encrypting the same input twice will not result in the same ciphertext.
_Warning:_ Using this function may not be safe. See the warning on Go's
[`rsa.EncryptPKCS1v15`](https://golang.org/pkg/crypto/rsa/#EncryptPKCS1v15)
documentation.
pipeline: true
arguments:
- name: key
required: true
description: the public key to encrypt the input with
- name: input
required: true
description: the encrypted input
examples:
- |
$ gomplate -c pubKey=./testPubKey \
-i '{{ "hello" | crypto.RSAEncrypt .pubKey | base64.Encode }}'
ScTcX1NZ6p/EeDIf6R7FKLcDFjvP98YgiBhyhPE4jtehajIyTKP1GL8C72qbAWrgdQ6A2cSVjoyo3viqf/PZxpcBDUUMDJuemTaJqUUjMWaDuPG37mQbmRtcvFTuUhw1qSbKyHorDOgTX5d4DvWV4otycGtBT6dXhnmmb5V72J/w3z68vtTJ21m9wREFD7LrYVHdFFtRZiIyMBAF0ngQ+hcujrxilnmgzPkEAg6E7Ccctn28Ie2c4CojrwRbNNxXNlIWCCkC/8Vq8qlDfZ70a+BsTmJDuScE6BZbTyteo9uGYrLn+bTIHNDj90AeLCKUTyWLUJ5Edi9LhlKVBoJUNQ==
- |
$ gomplate -c pubKey=./testPubKey \
-i '{{ $enc := "hello" | crypto.RSAEncrypt .pubKey -}}
Ciphertext in hex: {{ printf "%x" $enc }}'
71729b87cccabb248b9e0e5173f0b12c01d9d2a0565bad18aef9d332ce984bde06acb8bb69334a01446f7f6430077f269e6fbf2ccacd972fe5856dd4719252ebddf599948d937d96ea41540dad291b868f6c0cf647dffdb5acb22cd33557f9a1ddd0ee6c1ad2bbafc910ba8f817b66ea0569afc06e5c7858fd9dc2638861fe7c97391b2f190e4c682b4aa2c9b0050081efe18b10aa8c2b2b5f5b68a42dcc06c9da35b37fca9b1509fddc940eb99f516a2e0195405bcb3993f0fa31bc038d53d2e7231dff08cc39448105ed2d0ac52d375cb543ca8a399f807cc5d007e2c44c69876d189667eee66361a393c4916826af77479382838cd4e004b8baa05636805a
- name: crypto.RSAGenerateKey
experimental: true
description: |
Generate a new RSA Private Key and output in PEM-encoded PKCS#1 ASN.1 DER
form.
Default key length is 4096 bits, which should be safe enough for most
uses, but can be overridden with the optional `bits` parameter.
The output is a string, suitable for use with the other `crypto.RSA*`
functions.
pipeline: true
arguments:
- name: bits
required: false
description: bit size of the generated key. Defaults to `4096`
examples:
- |
$ gomplate -i '{{ crypto.RSAGenerateKey }}'
-----BEGIN RSA PRIVATE KEY-----
...
- |
$ gomplate -i '{{ $key := crypto.RSAGenerateKey 2048 -}}
{{ $pub := crypto.RSADerivePublicKey $key -}}
{{ $enc := "hello" | crypto.RSAEncrypt $pub -}}
{{ crypto.RSADecrypt $key $enc }}'
hello
- name: crypto.RSADerivePublicKey
experimental: true
description: |
Derive a public key from an RSA private key and output in PKIX ASN.1 DER
form.
The output is a string, suitable for use with other `crypto.RSA*`
functions.
pipeline: true
arguments:
- name: key
required: true
description: the private key to derive a public key from
examples:
- |
$ gomplate -i '{{ crypto.RSAGenerateKey | crypto.RSADerivePublicKey }}'
-----BEGIN PUBLIC KEY-----
...
- |
$ gomplate -c privKey=./privKey.pem \
-i '{{ $pub := crypto.RSADerivePublicKey .privKey -}}
{{ $enc := "hello" | crypto.RSAEncrypt $pub -}}
{{ crypto.RSADecrypt .privKey $enc }}'
hello
- rawName: '`crypto.SHA1`, `crypto.SHA224`, `crypto.SHA256`, `crypto.SHA384`, `crypto.SHA512`, `crypto.SHA512_224`, `crypto.SHA512_256`'
description: |
Compute a checksum with a SHA-1 or SHA-2 algorithm as defined in [RFC 3174](https://tools.ietf.org/html/rfc3174) (SHA-1) and [FIPS 180-4](http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf) (SHA-2).
These functions output the binary result as a hexadecimal string.
_Warning: SHA-1 is cryptographically broken and should not be used for secure applications._
pipeline: false
rawUsage: |
```
crypto.SHA1 input
crypto.SHA224 input
crypto.SHA256 input
crypto.SHA384 input
crypto.SHA512 input
crypto.SHA512_224 input
crypto.SHA512_256 input
```
arguments:
- name: input
required: true
description: the data to hash - can be binary data or text
examples:
- |
$ gomplate -i '{{ crypto.SHA1 "foo" }}'
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
- |
$ gomplate -i '{{ crypto.SHA512 "bar" }}'
cc06808cbbee0510331aa97974132e8dc296aeb795be229d064bae784b0a87a5cf4281d82e8c99271b75db2148f08a026c1a60ed9cabdb8cac6d24242dac4063
- name: crypto.WPAPSK
description: |
This is really an alias to [`crypto.PBKDF2`](#crypto.PBKDF2) with the
values necessary to convert ASCII passphrases to the WPA pre-shared keys for use with WiFi networks.
This can be used, for example, to help generate a configuration for [wpa_supplicant](http://w1.fi/wpa_supplicant/).
pipeline: false
arguments:
- name: ssid
required: true
description: the WiFi SSID (network name) - must be less than 32 characters
- name: password
required: true
description: the password - must be between 8 and 63 characters
examples:
- |
$ PW=abcd1234 gomplate -i '{{ crypto.WPAPSK "mynet" (getenv "PW") }}'
2c201d66f01237d17d4a7788051191f31706844ac3ffe7547a66c902f2900d34
|
