README
¶
Secure Data Serialization for Go
XBin25
XBin25 is a Go package designed for secure data serialization, combining state-of-the-art encryption, digital signatures, and multi-layer compression. It ensures confidentiality, integrity, and authenticity for sensitive data in transit or at rest.
Features
- Military-Grade Encryption: AES-256-GCM encryption with unique per-message keys
- Secure Key Exchange: RSA-OAEP for AES key encryption (3072-bit or stronger)
- Tamper Evidence: RSA-PSS digital signatures for data authenticity
- Compression Layers: Parallelized zstd (inner) and pgzip (outer) compression
- Replay Protection: Configurable timestamp validity windows
- Memory Hardening: Sensitive keys guarded by
memguardagainst memory leaks - Modern Serialization: Efficient MessagePack encoding for structured data
Installation
go get github.com/nthnn/xbin25
Dependencies
- Go 1.20+
memguard(secure memory)msgpack/v5(serialization)pgzip/zstd(compression)rsa/aes(crypto primitives)
Usage
Basic Usage
import "github.com/nthnn/xbin25"
func main() {
// Initialize configuration
config := xbin25.NewConfig(
"encrypt-cert.pem", // RSA public key for encryption
"encrypt-key.pem", // RSA private key for decryption
"sign-cert.pem", // RSA public key for signature verification
"sign-key.pem", // RSA private key for signing
"user-auth-system", // Context label
30*time.Minute, // Max message age
1024*1024, // 1MB compression blocks
)
// Marshall sensitive data
data := map[string]interface{}{
"session_id": "7a4e3b1c-89f2-4d65-9128-cc9a4b1d0e7f",
"permissions": []string{"read:logs", "write:config"},
}
encryptedData, err := config.Marshall(data)
if err != nil {
panic(err)
}
// Unmarshall securely
decrypted, err := config.Unmarshall(encryptedData)
if err != nil {
panic(err)
}
restored := decrypted.(map[string]interface{})
}
Configuration Guide
XBin25Config Parameters
| Parameter | Description |
|---|---|
| EncryptCertFile | Path to PEM-encoded X.509 certificate with RSA public key for encryption |
| EncryptKeyFile | Path to PEM-encoded RSA private key for decryption |
| SignCertFile | Path to PEM-encoded X.509 certificate for signature verification |
| SignKeyFile | Path to PEM-encoded RSA private key for signing |
| BlockSize | Compression block size (typically 1MB-4MB) |
| Label | Auto-derived from label string (SHA-256 hash of provided label) |
| Duration | Maximum allowed message age (e.g., 30*time.Minute) |
Security Architecture
Marshalling Process
- MessagePack serialization
- AES-256-GCM encryption with random key
- RSA-OAEP encryption of AES key
- zstd compression
- RSA-PSS signing
- Timestamp embedding
- pgzip outer compression
Unmarshalling Process
- pgzip decompression
- Timestamp validation
- RSA-PSS signature verification
- zstd decompression
- RSA-OAEP decryption
- AES-GCM decryption
- MessagePack deserialization
Best Practices
-
Key Management
- Use 4096-bit RSA keys minimum
- Store private keys in hardware security modules (HSMs) where possible
- Rotate signing keys quarterly
-
Operational Security
- Keep system clocks synchronized (NTP)
- Use unique labels for different data contexts
- Set conservative duration windows (15-60 minutes)
-
Performance Tuning
- Adjust BlockSize based on payload characteristics
- Balance between zstd compression level and CPU usage
- Utilize hardware-accelerated AES (AES-NI)
License
Apache 2.0 - See LICENSE for details.
Copyright 2025 Nathanne Isip
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type XBin25Config ¶
type XBin25Config struct {
// EncryptCertFile is the path to the certificate file containing the public key used for encryption.
EncryptCertFile string
// EncryptKeyFile is the path to the private key file used for decryption.
EncryptKeyFile string
// SignCertFile is the path to the certificate file containing the public key used for signature verification.
SignCertFile string
// SignKeyFile is the path to the private key file used for signing.
SignKeyFile string
// BlockSize specifies the block size for parallel compression algorithms.
// Larger values can improve compression speed on multi-core systems at the cost of memory usage.
BlockSize int
// Label is a context parameter for RSA-OAEP encryption.
// This is automatically derived from the labelStr parameter in NewConfig.
Label string
// Duration specifies the maximum allowed age for messages.
// Messages older than this duration will be rejected, protecting against replay attacks.
Duration time.Duration
}
XBin25Config holds all configuration parameters for encryption and decryption. A single configuration can be used for multiple Marshall/Unmarshall operations.
func NewConfig ¶
func NewConfig( encryptCertFile, encryptKeyFile, signCertFile, signKeyFile, labelStr string, duration time.Duration, blockSize int, ) *XBin25Config
NewConfig creates a new XBin25Config with the provided parameters.
Parameters:
- encryptCertFile: Path to the certificate file containing the public key used for encryption
- encryptKeyFile: Path to the private key file used for decryption
- signCertFile: Path to the certificate file containing the public key used for signature verification
- signKeyFile: Path to the private key file used for signing
- labelStr: A string label that is hashed and used as context for RSA-OAEP encryption
- duration: Maximum allowed age for messages (for replay protection)
- blockSize: Block size for parallel compression algorithms
The function initializes memguard to protect sensitive cryptographic material in memory.
func (*XBin25Config) Marshall ¶
func (config *XBin25Config) Marshall(data interface{}) ([]byte, error)
Marshall converts any serializable Go data structure into a secure binary format.
The process involves:
- MessagePack encoding of the input data
- AES-256-GCM encryption with a random key
- RSA-OAEP encryption of the AES key
- zstd compression of the encrypted package
- RSA-PSS signature of the compressed data
- Timestamping for replay protection
- Final compression with parallel gzip
Parameters:
- data: Any Go value that can be serialized by MessagePack
Returns:
- []byte: The marshalled, encrypted, signed, and compressed data
- error: An error if any step in the process fails
func (*XBin25Config) Unmarshall ¶
func (config *XBin25Config) Unmarshall(data []byte) (interface{}, error)
Unmarshall decrypts, verifies, and deserializes binary data produced by the Marshall function.
The process involves:
- Decompression of the outer pgzip layer
- Deserialization of the envelope structure
- Timestamp verification for replay protection
- RSA-PSS signature verification
- Decompression of the zstd layer
- RSA-OAEP decryption of the AES key
- AES-GCM decryption of the data
- MessagePack deserialization of the plaintext
Parameters:
- data: Binary data previously produced by Marshall
Returns:
- interface{}: The unmarshalled Go value
- error: An error if any step in the process fails
Source Files
Click to show internal directories.
Click to hide internal directories.