TIL: Asymmetric Cryptography in Go

I’ve been implementing a feature at work that involves asymmetric cryptography. It has been a pretty fun exercise in stitching together Go APIs while reading about best practices.

Here’s a few things I’ve learned over the last couple of days:

  • Go’s cryptography isn’t FIPS compliant.

  • Go has an implementation of ECDSA (Elliptic Curve Digital Signature Algorithm), but it doesn’t have any elliptic curve asymmetric encryption algorithms.

    • The best asymmetric algorithm that Go has is RSA

  • Go has an implementation of PEM (Privacy Enhanced Mail) data encoding which can be used to encode public/private in a familiar format. You’ve probably seen this format with SSH keys:

    -----BEGIN PUBLIC KEY-----
MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----

  • The legacy PEM format has support for plaintext headers like so:

    -----BEGIN PUBLIC KEY-----
Data: Some value I don't mind being plaintext

MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----
    • The newer RFC eplicitly doesn’t support headers, though:

      Unlike legacy PEM encoding RFC1421, OpenPGP ASCII armor, and the OpenSSH key file format, textual encoding does not define or permit headers to be encoded alongside the data.

  • Go’s APIs for encrypting, decrypting, signing, and verifying data are quite pleasant to use!

  • When signing data, Go will first have you run that data through a hash algorithm (e.g. SHA256). This actually makes quite a bit of sense, and it helps me better understand why secure hashing is important for cryptography.

  • OWASP (Open Worldwide Application Security Project) has a great section on encryption algorithms which can help guide those less familiar with the specifics of encryption.

  • There are a few algorithms for signing and encryption data with RSA. Go implements PKCS1v15 and OAEP for encryption, and PKCS1v15 and PSS for signing.

While I’m generally not a huge fan of Go, I do think the standard library has some nice packages, and the encryption library is definitely one of them.

Recent posts from blogs that I like

Video + notes on upgrading a Datasette plugin for the latest 1.0 alpha, with help from uv and OpenAI Codex CLI

via Simon Willison

Reading Visual Art: 233 Sirens

They tried to lure Odysseus and his crew to their deaths, and the same with Jason and his Argonauts. With the head of a beautiful woman and the legs of a bird, their singing was alluring to sailors.

via The Eclectic Light Company

A list of books and essays that I love

I’m purposefully not looking at my bookshelf to make sure I only pick books that I’ve thought about so much that they immediately occur to me.

via Henrik Karlsson
Live in Seattle? Let's grab coffee!
github rss email