headless

package
v0.1.31
Published: Jan 23, 2025 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Constants

const (
	// X25519 keys are 32 bytes long
	ECDHKeyLength = 32
)

Variables

var URLSafeEncoding = base64.RawURLEncoding // Headless codes must be URL-safe

Functions

func DecryptIDToken

func DecryptIDToken(sess *auth.HeadlessSession, pk *ecdh.PrivateKey) ([]byte, error)

DecryptIDToken decrypts the ID token carried in the session using the private key whose public key was sent as the headless Code.

func GenerateKeyPair

func GenerateKeyPair() (*ecdh.PrivateKey, error)

GenerateKeyPair generates a new X25519 ECDH key pair (an ecdh.PrivateKey, not an ECDSA signing key).

func VerifyCode

func VerifyCode(code string) error

VerifyCode checks that the code decodes to a valid public key.

Types

type Code

type Code string

headless.Code is a serialized public key that we use to exchange a shared symmetric key. This shared symmetric key is used to encrypt the ID token (see Code#NewSession).

After obtaining the shared symmetric key, we throw away our own private key to guarantee that the content of the ID token can only be decrypted by the holder of this code's private key.

func NewCode

func NewCode(k *ecdh.PublicKey) Code

NewCode creates a code by serializing the public key in a URL-safe format.

func (*Code) NewSession

func (h *Code) NewSession(idtoken []byte) (*auth.HeadlessSession, error)

NewSession encrypts the idtoken using a shared symmetric key that is only available to us and the holder of the private key corresponding to this headless Code.

It is important to recall how ECDH works:

  • First, the user generates an EC key pair and sends us their public key in the form of a headless login code.
  • We generate a new ephemeral EC key pair for this session.
  • With our private key and their public key, a shared symmetric key is obtained by calling ourPriv.ECDH(theirPub).
  • When we send our public key to the user, they can derive the same shared symmetric key by calling theirPriv.ECDH(ourPub).

The shared symmetric key obtained by ECDH in this function is used to encrypt the idtoken. After the idtoken is encrypted, we throw away our private key and the shared symmetric key, so that we ourselves can no longer decrypt it.

We then send the user our public key and the encrypted idtoken. As noted above, ECDH lets the user derive the same shared symmetric key, which they use to decrypt the idtoken.
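The exchange described above, as an added Go example that is not the package's own code: it reimplements the documented API shapes (Code, NewCode, VerifyCode, GenerateKeyPair, NewSession, DecryptIDToken) over crypto/ecdh with X25519 and substitutes a hypothetical Session struct for auth.HeadlessSession, whose fields the page does not show. The page does not say how the ECDH shared secret becomes a symmetric key or which cipher encrypts the idtoken; hashing the shared secret with SHA-256 and encrypting with AES-256-GCM are assumptions made here for the example, and the sample idtoken is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// As in the documented package: X25519 keys are 32 bytes and codes are unpadded URL-safe base64.
const ECDHKeyLength = 32

var URLSafeEncoding = base64.RawURLEncoding

// Code is a serialized X25519 public key: the user's is the login code, and the server
// returns its ephemeral public key in the same format.
type Code string

// Session is a hypothetical stand-in for auth.HeadlessSession, whose fields the page does not show.
type Session struct {
	ServerCode       Code   // server's ephemeral public key
	EncryptedIDToken []byte // AES-GCM nonce || ciphertext || tag
}

// GenerateKeyPair generates a new X25519 key pair (ECDH, not ECDSA).
func GenerateKeyPair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// NewCode serializes a public key in the URL-safe code format.
func NewCode(pub *ecdh.PublicKey) Code { return Code(URLSafeEncoding.EncodeToString(pub.Bytes())) }

// parseCode decodes a code and rejects anything that is not a 32-byte X25519 public key.
func parseCode(code Code) (*ecdh.PublicKey, error) {
	raw, err := URLSafeEncoding.DecodeString(string(code))
	if err != nil || len(raw) != ECDHKeyLength {
		return nil, fmt.Errorf("code is not a %d-byte URL-safe base64 key: %v", ECDHKeyLength, err)
	}
	return ecdh.X25519().NewPublicKey(raw)
}

// VerifyCode checks that the code is a valid public key.
func VerifyCode(code string) error {
	_, err := parseCode(Code(code))
	return err
}

// sharedAEAD parses the peer's code, runs ECDH and turns the shared secret into an AES-256-GCM
// cipher. The page does not name the real KDF or cipher; SHA-256 plus AES-GCM is an assumption here.
func sharedAEAD(priv *ecdh.PrivateKey, peer Code) (cipher.AEAD, error) {
	pub, err := parseCode(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSession is the server side: ephemeral key pair, ECDH with the code holder, encrypt, forget.
func (h *Code) NewSession(idtoken []byte) (*Session, error) {
	ephemeral, err := GenerateKeyPair()
	if err != nil {
		return nil, err
	}
	aead, err := sharedAEAD(ephemeral, *h)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nonce, nonce, idtoken, nil)
	// ephemeral and aead are dropped on return: the server can no longer decrypt ct.
	return &Session{ServerCode: NewCode(ephemeral.PublicKey()), EncryptedIDToken: ct}, nil
}

// DecryptIDToken is the user side: the same ECDH, now with the user's own private key.
func DecryptIDToken(sess *Session, pk *ecdh.PrivateKey) ([]byte, error) {
	aead, err := sharedAEAD(pk, sess.ServerCode)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sess.EncryptedIDToken) < ns {
		return nil, fmt.Errorf("encrypted idtoken shorter than a %d-byte nonce", ns)
	}
	// Open fails with an authentication error for any key but the code holder's.
	return aead.Open(nil, sess.EncryptedIDToken[:ns], sess.EncryptedIDToken[ns:], nil)
}

func main() {
	userKey, err := GenerateKeyPair() // user side
	if err != nil {
		panic(err)
	}
	code := NewCode(userKey.PublicKey())
	sess, err := code.NewSession([]byte(`{"sub":"alice"}`)) // server side; constructed token
	if err != nil {
		panic(err)
	}
	tok, err := DecryptIDToken(sess, userKey) // user side
	fmt.Printf("recovered %s, err=%v\n", tok, err)
}
```

Two properties worth checking against this model: decrypting with any private key other than the code holder's, or with a modified ciphertext, fails the GCM tag check rather than returning garbage, and the server's ephemeral private key exists only as a local inside NewSession. A production implementation would also derive the key with a proper KDF such as HKDF, binding the two public keys into the derivation, rather than a bare hash of the shared secret.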
