Go has a number of low-level crypto APIs which check off marketing bullet-points (got FIPS supprt, check!) but is missing an high-level API usable by mere mortal programmers. Imagine you want to create a document, sign it and verify that document later. Now check out Go's crypto APIs and give up in frustration after an hour of Googling.
The API should encapsulate a half-dozen common operations and make them as easy as possible. Avoid choice where possible, just pick something reasonably secure in 2014 for me and use it! I'm speaking specifically of a few basic actions (yes, this API is very naive/non-idiomatic), call it crypto/easy:
- Create me a public/private key pair and save it to the filesystem.
// create and persist a keypair to the current directory.
// this is just a one-time operation, now we have a keypair to use.
easy.CreateKeyPair()- Sign a document:
pair := easy.ReadKeyPair()
sig := easy.Sign(bytes, pair)- Verify a document:
pub := easy.ReadPublicKey(reader)
ok := easy.Verify(bytes, pub, sig)- Encrypt a document
- Decrypt a document
- etc
Ideally with this API I don't need to know anything about x509, asn1, elliptic curves, RSA/DSA, etc. Just as NaCl has tried to provide higher-level secure operations, Go (and most other languages too!) desperately need a simple, high-level API which hides the complexity inherent in most of the crypto/* packages today.
Here's code I came up with to solve my usecase:
https://github.com/mperham/gobox