Skip to content

Commit

Permalink
[nop] Misc housekeeping
Browse files Browse the repository at this point in the history
  • Loading branch information
ptaoussanis committed Apr 17, 2024
1 parent ab43590 commit f4366a0
Show file tree
Hide file tree
Showing 7 changed files with 67 additions and 50 deletions.
16 changes: 9 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<a href="https://www.taoensso.com/clojure" title="More stuff by @ptaoussanis at www.taoensso.com"><img src="https://www.taoensso.com/open-source.png" alt="Taoensso open source" width="340"/></a>
[**Documentation**](#documentation) | [Latest releases](#latest-releases) | [Get support][GitHub issues]
[**Documentation**](#documentation) | [Latest releases](#latest-releases) | [Slack channel][]

# Tempel

Expand Down Expand Up @@ -84,18 +84,19 @@ See for intro and usage:
## Documentation

- [Wiki][GitHub wiki] (getting started, usage, etc.)
- API reference: [Codox][Codox docs], [clj-doc][clj-doc docs]
- API reference: [cljdoc][cljdoc docs] or [Codox][Codox docs]
- Support: [Slack channel][] or [GitHub issues][]

## Roadmap

Tempel has a **fixed scope**, and is **fully complete**. I'm happy with its design and implementation, and believe it meets all its objectives in its current form. I'm not anticipating significant changes.

Still, given the sensitivity of the problem domain, I plan to approach Tempel's official stable release as a phased rollout to allow time for feedback before locking things down:

| Phase | Date | Release | Appropriate for
| :-: | :-- | :-- | :--
| ➤ | 2024-02 | `v1.0-RC1` | Staging, with ephemeral or low-value data
| | 2024-05 | `v1.0` final | Production, with real data
| Phase | Date | Release | Appropriate for |
| :---: | :------ | :----------- | :---------------------------------------- |
| | 2024-02 | `v1.0-RC1` | Staging, with ephemeral or low-value data |
| | 2024-05 | `v1.0` final | Production, with real data |

`v1.0` final will be considered "**done**"- the library is expected to need+see only minimal maintance from that point.

Expand Down Expand Up @@ -125,14 +126,15 @@ Licensed under [EPL 1.0](LICENSE.txt) (same as Clojure).
[GitHub releases]: ../../releases
[GitHub issues]: ../../issues
[GitHub wiki]: ../../wiki
[Slack channel]: https://www.taoensso.com/tempel/slack

[Peter Taoussanis]: https://www.taoensso.com
[sponsor]: https://www.taoensso.com/sponsor

<!-- Project -->

[Codox docs]: https://taoensso.github.io/tempel/
[clj-doc docs]: https://cljdoc.org/d/com.taoensso/tempel/
[cljdoc docs]: https://cljdoc.org/d/com.taoensso/tempel/

[Clojars SVG]: https://img.shields.io/clojars/v/com.taoensso/tempel.svg
[Clojars URL]: https://clojars.org/com.taoensso/tempel
Expand Down
2 changes: 1 addition & 1 deletion src/taoensso/tempel/impl.clj
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@
randomness in Tempel.
(instance-fn) should return a `java.security.SecureRandom` instance."
[instance-fn & body] `(binding [*srng* ~instance-fn] ~@body))
[instance-fn & body] `(enc/binding [*srng* ~instance-fn] ~@body))

(defmacro ^:public with-srng-insecure-deterministic!!!
"Evaluates body with *INSECURE* deterministic `java.util.Random` used
Expand Down
8 changes: 4 additions & 4 deletions src/taoensso/tempel/keys.clj
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@
(hashCode [this] (impl/cnt-hash key-cnt))
(toString [this]
(let [m (select-keys @this [:key-algo :symmetric? :private? :public? :secret? :length])]
(str "ChainKey[" m " " (enc/ident-hex-str this) "]")))
(str "taoensso.tempel.ChainKey[" m " " (enc/ident-hex-str this) "]")))

clojure.lang.IObj
(meta [_ ] ?meta)
Expand All @@ -88,7 +88,7 @@

(enc/assoc-some {:key-cnt key-cnt} :key-id ?key-id))))

(enc/deftype-print-methods ChainKey)
(enc/def-print-impl [ck ChainKey] (str "#" ck))
(defn ^:public chainkey? [x] (instance? ChainKey x))

(defn- -chainkey [key-type ?key-algo ?needs ?key-id x-key]
Expand Down Expand Up @@ -236,7 +236,7 @@
clojure.lang.IHashEq (hasheq [_] (hash m-keychain))

Object
(toString [this] (str "KeyChain[" @m-info_ " " (enc/ident-hex-str this) "]"))
(toString [this] (str "taoensso.tempel.KeyChain[" @m-info_ " " (enc/ident-hex-str this) "]"))
(hashCode [this] (hash m-keychain))
(equals [this other] (and (instance? KeyChain other) (= m-keychain (.-m-keychain ^KeyChain other))))

Expand All @@ -256,7 +256,7 @@
(when validate? @(.-m-frozen_ ^KeyChain new-kc)) ; Confirm freezable
new-kc)))))

(enc/deftype-print-methods KeyChain)
(enc/def-print-impl [kc KeyChain] (str "#" kc))
(defn ^:public keychain? [x] (instance? KeyChain x))
(defn- -keychain [?meta m-keychain]
(KeyChain. m-keychain
Expand Down
48 changes: 24 additions & 24 deletions wiki/1-Getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Please be **very careful** evaluating Tempel and/or other cryptographic librarie

# Setup

Add the [relevant Tempel dependency](../#latest-releases) to your project:
Add the [relevant dependency](../#latest-releases) to your project:

```clojure
Leiningen: [com.taoensso/tempel "x-y-z"] ; or
Expand Down Expand Up @@ -131,7 +131,7 @@ Note that Alice's `KeyChain` contains:

It's not important to understand yet what any of that means. These are reasonable defaults that'll work well together to support the entire Tempel API. Each key/pair was randomly and securely generated when we called `tempel/keychain`, based on the options present in `tempel/*config*`.

`tempel/*config*` is an important var. Its [default value](https://taoensso.github.io/tempel/taoensso.tempel.html#var-default-config) should be reasonable for most users, but it'd be worth at least familiarizing yourself with what's in there. [Its docstring](https://taoensso.github.io/tempel/taoensso.tempel.html#var-*config*) includes extensive documentation.
`tempel/*config*` is an important var. Its [default value](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#default-config) should be reasonable for most users, but it'd be worth at least familiarizing yourself with what's in there. [Its docstring](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#*config*) includes extensive documentation.

The content of `KeyChain`s can be updated: keys can be added or removed, and key priorities can be adjusted. But for many simple uses you won't need to do any of that under normal circumstances.

Expand Down Expand Up @@ -173,42 +173,42 @@ Tempel's API is small, easy to use, easy to browse, and has extensive beginner-o

`KeyChain`s are the main way you'll interact with the rest of Tempel's API:

Function | Use to
-- | --
[`keychain`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain) | Create a new `KeyChain`, default opts are reasonable.
[`keychain-encrypt`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain-encrypt) | Encrypt a `KeyChain` (with password, byte[], or another `KeyChain`).
[`keychain-decrypt`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain-decrypt) | Decrypt a `KeyChain` (with password, byte[], or another `KeyChain`).
| Function | Use to |
| ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
| [`keychain`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain) | Create a new `KeyChain`, default opts are reasonable. |
| [`keychain-encrypt`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain-encrypt) | Encrypt a `KeyChain` (with password, byte[], or another `KeyChain`). |
| [`keychain-decrypt`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain-decrypt) | Decrypt a `KeyChain` (with password, byte[], or another `KeyChain`). |

- You'll usually have 1 `KeyChain` per user: created and encrypted on sign-up, then decrypted on log-in and retained while the user remains logged in.
- Deref a `KeyChain` to see its contents.
- The default `keychain` options will return a `KeyChain` that includes all the keys necessary to fully support Tempel's entire API.

### Data protection

Function | Complement | Use to
---- | ---- | ----
[`encrypt-with-password`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-password) | [`decrypt-with-password`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-decrypt-with-password) | Encrypt & decrypt data with the same password.
[`encrypt-with-symmetric-key`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-symmetric-key) | [`decrypt-with-symmetric-key`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-decrypt-with-symmetric-key) | Encrypt & decrypt data with the same `KeyChain` or byte[].
[`encrypt-with-1-keypair`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-1-keypair) | [`decrypt-with-1-keypair`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-1-keypair) | Encrypt data with recipient's public `KeyChain`. Only the recipient can decrypt.
[`encrypt-with-2-keypairs`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-2-keypairs) | [`decrypt-with-2-keypairs`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-2-keypairs) | Encrypt data with sender's private `KeyChain` and recipient's public `KeyChain`. Either party can decrypt.
[`sign`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-sign) | [`signed`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-signed) | Sign data, and verify signed data. Useful for proving ownership, detecting tampering, etc.
| Function | Complement | Use to |
| ---- | ---- | ---- |
| [`encrypt-with-password`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-password) | [`decrypt-with-password`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#decrypt-with-password) | Encrypt & decrypt data with the same password.
| [`encrypt-with-symmetric-key`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-symmetric-key) | [`decrypt-with-symmetric-key`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#decrypt-with-symmetric-key) | Encrypt & decrypt data with the same `KeyChain` or byte[].
| [`encrypt-with-1-keypair`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-1-keypair) | [`decrypt-with-1-keypair`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-1-keypair) | Encrypt data with recipient's public `KeyChain`. Only the recipient can decrypt.
| [`encrypt-with-2-keypairs`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-2-keypairs) | [`decrypt-with-2-keypairs`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-2-keypairs) | Encrypt data with sender's private `KeyChain` and recipient's public `KeyChain`. Either party can decrypt.
| [`sign`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#sign) | [`signed`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#signed) | Sign data, and verify signed data. Useful for proving ownership, detecting tampering, etc.

### Supporting utils

Miscellaneous stuff that's used less frequently:

Function | Use to
-- | --
[`public-data`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-public-data) | Return any public (unencrypted) data associated with encrypted data.
[`keychain-add-symmetric-key`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain-add-symmetric-key) | Add symmetric key/s to a `KeyChain`.
[`keychain-add-asymmetric-keypair`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain-add-asymmetric-keypair) | Add asymmetric keypair/s to a `KeyChain`.
[`keychain-remove`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain-remove) | Remove key/s from a `KeyChain`.
[`keychain-update-priority`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-keychain-update-priority) | Update priority of key/s in a `KeyChain`.
| Function | Use to |
| -------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
| [`public-data`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#public-data) | Return any public (unencrypted) data associated with encrypted data.
| [`keychain-add-symmetric-key`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain-add-symmetric-key) | Add symmetric key/s to a `KeyChain`.
| [`keychain-add-asymmetric-keypair`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain-add-asymmetric-keypair) | Add asymmetric keypair/s to a `KeyChain`.
| [`keychain-remove`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain-remove) | Remove key/s from a `KeyChain`.
| [`keychain-update-priority`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#keychain-update-priority) | Update priority of key/s in a `KeyChain`.

- Manual keychain management is rarely needed in practice, but useful when you need it!
- See [`help:aad`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-help.3Aaad) for info about Tempel's "Additional Authenticated Data" (AAD) support.
- See [`help:akm`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-help.3Aakm) for info about Tempel's "Additional Keying Material" (AKM) support.
- See [`*config*`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-*config*) for info about Tempel's global config options.
- See [`help:aad`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#help:aad) for info about Tempel's "Additional Authenticated Data" (AAD) support.
- See [`help:akm`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#help:akm) for info about Tempel's "Additional Keying Material" (AKM) support.
- See [`*config*`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#*config*) for info about Tempel's global config options.

## What next

Expand Down
18 changes: 9 additions & 9 deletions wiki/2-Examples.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ This just means that we want it to take about 2 seconds to transform a password

Note that it's a handy feature of Tempel to easily support different work factors like this on a per-item basis.

See the `*config*` [docstring](https://taoensso.github.io/tempel/taoensso.tempel.html#var-*config*) for more info on the `:pbkdf-nwf` option, etc.
See the `*config*` [docstring](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#*config*) for more info on the `:pbkdf-nwf` option, etc.

## Create user account

Expand Down Expand Up @@ -234,7 +234,7 @@ See [here](./1-Getting-started#data-protection) for an overview of Tempel's data

Example use case: allow users to encrypt their data so that only they can view or modify it.

Using [`encrypt-with-password`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-password) and [`decrypt-with-password`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-decrypt-with-password):
Using [`encrypt-with-password`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-password) and [`decrypt-with-password`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#decrypt-with-password):

```clojure
;;; Symmetric encryption with a password
Expand All @@ -244,7 +244,7 @@ Using [`encrypt-with-password`](https://taoensso.github.io/tempel/taoensso.tempe
(= (nippy/thaw ba-decrypted) {:my-secret-data? true}))
```

Using [`encrypt-with-symmetric-key`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-symmetric-key) and [`decrypt-with-symmetric-key`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-decrypt-with-symmetric-key):
Using [`encrypt-with-symmetric-key`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-symmetric-key) and [`decrypt-with-symmetric-key`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#decrypt-with-symmetric-key):

```clojure
;;; Symmetric encryption with `KeyChain`
Expand All @@ -268,7 +268,7 @@ Using [`encrypt-with-symmetric-key`](https://taoensso.github.io/tempel/taoensso.

Example use case: allow users to submit a bug report, ensuring that it's viewable only by the intended recipient (e.g. engineering department).

Using [`encrypt-with-1-keypair`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-1-keypair) and [`decrypt-with-1-keypair`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-1-keypair):
Using [`encrypt-with-1-keypair`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-1-keypair) and [`decrypt-with-1-keypair`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-1-keypair):

```clojure
(let [alice-secret-keychain (tempel/keychain {}) ; Only Alice will have this
Expand All @@ -292,7 +292,7 @@ Example use case: allow 2 users to participate in a private conversation viewabl

This is an example of [⧉ end-to-end](https://en.wikipedia.org/wiki/End-to-end_encryption) (E2EE) encryption.

Using [`encrypt-with-2-keypairs`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-2-keypairs) and [`decrypt-with-2-keypairs`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-2-keypairs):
Using [`encrypt-with-2-keypairs`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-2-keypairs) and [`decrypt-with-2-keypairs`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-2-keypairs):

```clojure
(let [alice-secret-keychain (tempel/keychain {}) ; Only Alice will have this
Expand Down Expand Up @@ -328,14 +328,14 @@ This is an advanced version of the last example and would require a custom schem

- Have 1 user act as the group/room owner.
- Have the owner generate a random symmetric key for the group/room.
- Have the owner distribute the shared key to every other user via [`encrypt-with-1-keypair`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-1-keypair) or [`encrypt-with-2-keypairs`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-encrypt-with-2-keypairs), etc.
- Have the owner distribute the shared key to every other user via [`encrypt-with-1-keypair`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-1-keypair) or [`encrypt-with-2-keypairs`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#encrypt-with-2-keypairs), etc.

# Public data

Tempel has extensive support for "**Additional Authenticated Data**" / "**Additional Associated Data**", see [`help:aad`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-help.3Aaad) for details.
Tempel has extensive support for "**Additional Authenticated Data**" / "**Additional Associated Data**", see [`help:aad`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#help:aad) for details.

And see [`public-data`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-public-data) for a util that can help identify Tempel output, and access public (unencrypted) info embedded in Tempel output.
And see [`public-data`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#public-data) for a util that can help identify Tempel output, and access public (unencrypted) info embedded in Tempel output.

# Signing

See [`tempel/sign`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-sign) and [`tempel/signed`](https://taoensso.github.io/tempel/taoensso.tempel.html#var-signed) for details.
See [`tempel/sign`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#sign) and [`tempel/signed`](https://cljdoc.org/d/com.taoensso/tempel/CURRENT/api/taoensso.tempel#signed) for details.
Loading

0 comments on commit f4366a0

Please sign in to comment.