Documentation ¶
Overview ¶
Package kmip is a general purpose KMIP library for implementing KMIP services and clients.
The ttlv sub package contains the core logic for parsing the KMIP TTLV encoding formats, and marshaling them to and from golang structs.
This package defines structs for many of the structures defined in the KMIP Spec, such as the different types of managed objects, request and response bodies, etc. Not all Structures are represented here yet, but the ones that are can be used as examples.
There is also a partial implementation of a server, and an example of a client. There is currently no Client type for KMIP, but it is simple to open a socket overwhich you send and receive raw KMIP requests and responses.
Example (Client) ¶
conn, err := net.DialTimeout("tcp", "localhost:5696", 3*time.Second) if err != nil { panic(err) } biID := uuid.New() msg := kmip.RequestMessage{ RequestHeader: kmip.RequestHeader{ ProtocolVersion: kmip.ProtocolVersion{ ProtocolVersionMajor: 1, ProtocolVersionMinor: 2, }, BatchCount: 1, }, BatchItem: []kmip.RequestBatchItem{ { UniqueBatchItemID: biID[:], Operation: kmip14.OperationDiscoverVersions, RequestPayload: kmip.DiscoverVersionsRequestPayload{ ProtocolVersion: []kmip.ProtocolVersion{ {ProtocolVersionMajor: 1, ProtocolVersionMinor: 2}, }, }, }, }, } req, err := ttlv.Marshal(msg) if err != nil { panic(err) } fmt.Println(req) _, err = conn.Write(req) if err != nil { panic(err) } buf := make([]byte, 5000) _, err = bufio.NewReader(conn).Read(buf) if err != nil { panic(err) } resp := ttlv.TTLV(buf) fmt.Println(resp)
Output:
Index ¶
- Variables
- func Details(err error) string
- func GetResultReason(err error) kmip14.ResultReason
- func WithResultReason(err error, rr kmip14.ResultReason) error
- type ActivateHandler
- type ActivateRequestPayload
- type ActivateResponsePayload
- type AttestationCredentialValue
- type Attribute
- type Attributes
- type Authentication
- type Certificate
- type CreateHandler
- type CreateKeyPairRequestPayload
- type CreateKeyPairResponsePayload
- type CreateRequestPayload
- type CreateResponsePayload
- type Credential
- type CryptographicParameters
- type DestroyHandler
- type DestroyRequestPayload
- type DestroyResponsePayload
- type DeviceCredentialValue
- type DiscoverVersionsHandler
- type DiscoverVersionsRequestPayload
- type DiscoverVersionsResponsePayload
- type EncryptionKeyInformation
- type ErrorHandler
- type ErrorHandlerFunc
- type GetHandler
- type GetRequestPayload
- type GetResponsePayload
- type ItemHandler
- type ItemHandlerFunc
- type KeyBlock
- type KeyValue
- type KeyWrappingData
- type LocateHandler
- type LocateRequestPayload
- type LocateResponsePayload
- type MACSignatureKeyInformation
- type MessageExtension
- type MessageHandler
- type MessageHandlerFunc
- type Name
- type Nonce
- type OpaqueObject
- type OperationMux
- type PGPKey
- type PrivateKey
- type ProtocolHandler
- type ProtocolHandlerFunc
- type ProtocolVersion
- type PublicKey
- type QueryHandler
- type QueryRequestPayload
- type QueryResponsePayload
- type ReKeyHandler
- type ReKeyRequestPayload
- type ReKeyResponsePayload
- type RegisterHandler
- type RegisterRequestPayload
- type RegisterResponsePayload
- type Request
- type RequestBatchItem
- type RequestHeader
- type RequestMessage
- type Response
- type ResponseBatchItem
- type ResponseHeader
- type ResponseMessage
- type ResponseWriter
- type RevocationReasonStruct
- type RevokeHandler
- type RevokeRequestPayload
- type RevokeResponsePayload
- type SecretData
- type Server
- type SplitKey
- type StandardProtocolHandler
- type SymmetricKey
- type Template
- type TemplateAttribute
- func (t *TemplateAttribute) Append(tag ttlv.Tag, value interface{})
- func (t *TemplateAttribute) Get(s string) *Attribute
- func (t *TemplateAttribute) GetAll(s string) []Attribute
- func (t *TemplateAttribute) GetAllTag(tag ttlv.Tag) []Attribute
- func (t *TemplateAttribute) GetIdx(s string, idx int) *Attribute
- func (t *TemplateAttribute) GetTag(tag ttlv.Tag) *Attribute
- func (t *TemplateAttribute) GetTagIdx(tag ttlv.Tag, idx int) *Attribute
- type TransparentDHPrivateKey
- type TransparentDHPublicKey
- type TransparentDSAPrivateKey
- type TransparentDSAPublicKey
- type TransparentECDHPrivateKey
- type TransparentECDHPublicKey
- type TransparentECDSAPrivateKey
- type TransparentECDSAPublicKey
- type TransparentECMQVPrivateKey
- type TransparentECMQVPublicKey
- type TransparentECPrivateKey
- type TransparentECPublicKey
- type TransparentRSAPrivateKey
- type TransparentRSAPublicKey
- type TransparentSymmetricKey
- type UsernameAndPasswordCredentialValue
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var DefaultErrorHandler = ErrorHandlerFunc(func(err error) *ResponseBatchItem { reason := GetResultReason(err) if reason == kmip14.ResultReason(0) { return nil } msg := merry.UserMessage(err) if msg == "" { msg = merry.Message(err) } return newFailedResponseBatchItem(reason, msg) })
DefaultErrorHandler tries to map errors to ResultReasons.
var DefaultOperationMux = &OperationMux{}
var DefaultProtocolHandler = &StandardProtocolHandler{ MessageHandler: DefaultOperationMux, ProtocolVersion: ProtocolVersion{ ProtocolVersionMajor: 1, ProtocolVersionMinor: 4, }, }
var ErrInvalidTag = errors.New("invalid tag")
var ErrServerClosed = errors.New("http: Server closed")
ErrServerClosed is returned by the Server's Serve, ServeTLS, ListenAndServe, and ListenAndServeTLS methods after a call to Shutdown or Close.
Functions ¶
func GetResultReason ¶
func GetResultReason(err error) kmip14.ResultReason
func WithResultReason ¶
func WithResultReason(err error, rr kmip14.ResultReason) error
Types ¶
type ActivateHandler ¶ added in v0.0.11
type ActivateHandler struct {
Activate func(ctx context.Context, payload *ActivateRequestPayload) (*ActivateResponsePayload, error)
}
func (*ActivateHandler) HandleItem ¶ added in v0.0.11
func (h *ActivateHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type ActivateRequestPayload ¶ added in v0.0.11
type ActivateRequestPayload struct {
UniqueIdentifier string // Required: No
}
type ActivateResponsePayload ¶ added in v0.0.11
type ActivateResponsePayload struct {
UniqueIdentifier string // Required: Yes
}
type AttestationCredentialValue ¶
type AttestationCredentialValue struct { Nonce Nonce AttestationType kmip14.AttestationType AttestationMeasurement []byte `ttlv:",omitempty"` AttestationAssertion []byte `ttlv:",omitempty"` }
AttestationCredentialValue 2.1.2 Table 6
If the Credential Type in the Credential is Attestation, then Credential Value is a structure as shown in Table 6. The Nonce Value is obtained from the key management server in a Nonce Object. The Attestation Credential Object can contain a measurement from the client or an assertion from a third party if the server is not capable or willing to verify the attestation data from the client. Neither type of attestation data (Attestation Measurement or Attestation Assertion) is necessary to allow the server to accept either. However, the client SHALL provide attestation data in either the Attestation Measurement or Attestation Assertion fields.
type Attribute ¶
type Attribute struct { // AttributeName should contain the canonical name of a tag, e.g. "Cryptographic Algorithm" AttributeName string // AttributeIndex is typically 0 when clients use this struct to create objects or add attributes. Clients // only need to set this if modifying or deleting an existing attribute. AttributeIndex int `ttlv:",omitempty"` AttributeValue interface{} }
Attribute 2.1.1 Table 2
An Attribute object is a structure (see Table 2) used for sending and receiving Managed Object attributes. The Attribute Name is a text-string that is used to identify the attribute. The Attribute Index is an index number assigned by the key management server. The Attribute Index is used to identify the particular instance. Attribute Indices SHALL start with 0. The Attribute Index of an attribute SHALL NOT change when other instances are added or deleted. Single-instance Attributes (attributes which an object MAY only have at most one instance thereof) SHALL have an Attribute Index of 0. The Attribute Value is either a primitive data type or structured object, depending on the attribute.
When an Attribute structure is used to specify or return a particular instance of an Attribute and the Attribute Index is not specified it SHALL be assumed to be 0.
type Attributes ¶
type Attributes struct {
Attributes []Attribute
}
type Authentication ¶
type Authentication struct {
Credential []Credential
}
type Certificate ¶
type Certificate struct { CertificateType kmip14.CertificateType CertificateValue []byte }
type CreateHandler ¶
type CreateHandler struct {
Create func(ctx context.Context, payload *CreateRequestPayload) (*CreateResponsePayload, error)
}
func (*CreateHandler) HandleItem ¶
func (h *CreateHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type CreateKeyPairRequestPayload ¶
type CreateKeyPairRequestPayload struct { CommonTemplateAttribute *TemplateAttribute PrivateKeyTemplateAttribute *TemplateAttribute PublicKeyTemplateAttribute *TemplateAttribute }
CreateKeyPairRequestPayload 4.2 Create Key Pair This operation requests the server to generate a new public/private key pair and register the two corresponding new Managed Cryptographic Objects.
The request contains attributes to be assigned to the objects (e.g., Cryptographic Algorithm, Cryptographic Length, etc.). Attributes and Template Names MAY be specified for both keys at the same time by specifying a Common Template-Attribute object in the request. Attributes not common to both keys (e.g., Name, Cryptographic Usage Mask) MAY be specified using the Private Key Template-Attribute and Public Key Template-Attribute objects in the request, which take precedence over the Common Template-Attribute object.
The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
For the Private Key, the server SHALL create a Link attribute of Link Type Public Key pointing to the Public Key. For the Public Key, the server SHALL create a Link attribute of Link Type Private Key pointing to the Private Key. The response contains the Unique Identifiers of both created objects. The ID Placeholder value SHALL be set to the Unique Identifier of the Private Key.
type CreateKeyPairResponsePayload ¶
type CreateKeyPairResponsePayload struct { PrivateKeyUniqueIdentifier string PublicKeyUniqueIdentifier string PrivateKeyTemplateAttribute *TemplateAttribute PublicKeyTemplateAttribute *TemplateAttribute }
type CreateRequestPayload ¶
type CreateRequestPayload struct { ObjectType kmip14.ObjectType TemplateAttribute TemplateAttribute }
CreateRequestPayload 4.1 Table 163
TemplateAttribute MUST include CryptographicAlgorithm (3.4) and CryptographicUsageMask (3.19).
type CreateResponsePayload ¶
type CreateResponsePayload struct { ObjectType kmip14.ObjectType UniqueIdentifier string TemplateAttribute *TemplateAttribute }
CreateResponsePayload 4.1 Table 164
type Credential ¶
type Credential struct { CredentialType kmip14.CredentialType CredentialValue interface{} }
Credential 2.1.2 Table 3
A Credential is a structure (see Table 3) used for client identification purposes and is not managed by the key management system (e.g., user id/password pairs, Kerberos tokens, etc.). It MAY be used for authentication purposes as indicated in [KMIP-Prof].
TODO: add an unmarshal impl to Credential to handle decoding the right kind of credential based on the credential type value
type CryptographicParameters ¶
type CryptographicParameters struct { BlockCipherMode kmip14.BlockCipherMode `ttlv:",omitempty"` PaddingMethod kmip14.PaddingMethod `ttlv:",omitempty"` HashingAlgorithm kmip14.HashingAlgorithm `ttlv:",omitempty"` KeyRoleType kmip14.KeyRoleType `ttlv:",omitempty"` DigitalSignatureAlgorithm kmip14.DigitalSignatureAlgorithm `ttlv:",omitempty"` CryptographicAlgorithm kmip14.CryptographicAlgorithm `ttlv:",omitempty"` RandomIV bool `ttlv:",omitempty"` IVLength int `ttlv:",omitempty"` TagLength int `ttlv:",omitempty"` FixedFieldLength int `ttlv:",omitempty"` InvocationFieldLength int `ttlv:",omitempty"` CounterLength int `ttlv:",omitempty"` InitialCounterValue int `ttlv:",omitempty"` SaltLength int `ttlv:",omitempty"` MaskGenerator kmip14.MaskGenerator `ttlv:",omitempty" default:"1"` // defaults to MGF1 MaskGeneratorHashingAlgorithm kmip14.HashingAlgorithm `ttlv:",omitempty" default:"4"` // defaults to SHA-1 PSource []byte `ttlv:",omitempty"` TrailerField int `ttlv:",omitempty"` }
Cryptographic Parameters 3.6 Table 65
The Cryptographic Parameters attribute is a structure (see Table 65) that contains a set of OPTIONAL fields that describe certain cryptographic parameters to be used when performing cryptographic operations using the object. Specific fields MAY pertain only to certain types of Managed Cryptographic Objects. The Cryptographic Parameters attribute of a Certificate object identifies the cryptographic parameters of the public key contained within the Certificate.
The Cryptographic Algorithm is also used to specify the parameters for cryptographic operations. For operations involving digital signatures, either the Digital Signature Algorithm can be specified or the Cryptographic Algorithm and Hashing Algorithm combination can be specified.
Random IV can be used to request that the KMIP server generate an appropriate IV for a cryptographic operation that uses an IV. The generated Random IV is returned in the response to the cryptographic operation.
IV Length is the length of the Initialization Vector in bits. This parameter SHALL be provided when the specified Block Cipher Mode supports variable IV lengths such as CTR or GCM.
Tag Length is the length of the authentication tag in bytes. This parameter SHALL be provided when the Block Cipher Mode is GCM or CCM.
The IV used with counter modes of operation (e.g., CTR and GCM) cannot repeat for a given cryptographic key. To prevent an IV/key reuse, the IV is often constructed of three parts: a fixed field, an invocation field, and a counter as described in [SP800-38A] and [SP800-38D]. The Fixed Field Length is the length of the fixed field portion of the IV in bits. The Invocation Field Length is the length of the invocation field portion of the IV in bits. The Counter Length is the length of the counter portion of the IV in bits.
Initial Counter Value is the starting counter value for CTR mode (for [RFC3686] it is 1).
type DestroyHandler ¶
type DestroyHandler struct {
Destroy func(ctx context.Context, payload *DestroyRequestPayload) (*DestroyResponsePayload, error)
}
func (*DestroyHandler) HandleItem ¶
func (h *DestroyHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type DestroyRequestPayload ¶
type DestroyRequestPayload struct {
UniqueIdentifier string
}
DestroyRequestPayload ////////////////////////////////////////
type DestroyResponsePayload ¶
type DestroyResponsePayload struct {
UniqueIdentifier string
}
DestroyResponsePayload
type DeviceCredentialValue ¶
type DeviceCredentialValue struct { DeviceSerialNumber string `ttlv:",omitempty"` Password string `ttlv:",omitempty"` DeviceIdentifier string `ttlv:",omitempty"` NetworkIdentifier string `ttlv:",omitempty"` MachineIdentifier string `ttlv:",omitempty"` MediaIdentifier string `ttlv:",omitempty"` }
DeviceCredentialValue 2.1.2 Table 5
If the Credential Type in the Credential is Device, then Credential Value is a structure as shown in Table 5. One or a combination of the Device Serial Number, Network Identifier, Machine Identifier, and Media Identifier SHALL be unique. Server implementations MAY enforce policies on uniqueness for individual fields. A shared secret or password MAY also be used to authenticate the client. The client SHALL provide at least one field.
type DiscoverVersionsHandler ¶
type DiscoverVersionsHandler struct {
SupportedVersions []ProtocolVersion
}
func (*DiscoverVersionsHandler) HandleItem ¶
func (h *DiscoverVersionsHandler) HandleItem(ctx context.Context, req *Request) (item *ResponseBatchItem, err error)
type DiscoverVersionsRequestPayload ¶
type DiscoverVersionsRequestPayload struct {
ProtocolVersion []ProtocolVersion
}
type DiscoverVersionsResponsePayload ¶
type DiscoverVersionsResponsePayload struct {
ProtocolVersion []ProtocolVersion
}
type EncryptionKeyInformation ¶
type EncryptionKeyInformation struct { UniqueIdentifier string CryptographicParameters *CryptographicParameters }
EncryptionKeyInformation 2.1.5 Table 10
type ErrorHandler ¶
type ErrorHandler interface {
HandleError(err error) *ResponseBatchItem
}
ErrorHandler converts a golang error into a *ResponseBatchItem (which should hold information about the error to convey back to the client).
type ErrorHandlerFunc ¶
type ErrorHandlerFunc func(err error) *ResponseBatchItem
func (ErrorHandlerFunc) HandleError ¶
func (f ErrorHandlerFunc) HandleError(err error) *ResponseBatchItem
type GetHandler ¶
type GetHandler struct {
Get func(ctx context.Context, payload *GetRequestPayload) (*GetResponsePayload, error)
}
func (*GetHandler) HandleItem ¶
func (h *GetHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type GetRequestPayload ¶
type GetRequestPayload struct {
UniqueIdentifier string
}
GetRequestPayload ////////////////////////////////////////
type GetResponsePayload ¶
type GetResponsePayload struct { ObjectType kmip14.ObjectType UniqueIdentifier string Certificate *Certificate SymmetricKey *SymmetricKey PrivateKey *PrivateKey PublicKey *PublicKey SplitKey *SplitKey Template *Template SecretData *SecretData OpaqueObject *OpaqueObject }
GetResponsePayload
type ItemHandler ¶
type ItemHandler interface {
HandleItem(ctx context.Context, req *Request) (item *ResponseBatchItem, err error)
}
ItemHandler handles a single batch item in a KMIP request. The *Request object's CurrentItem field will be populated with item to be handled.
type ItemHandlerFunc ¶
type ItemHandlerFunc func(context.Context, *Request) (*ResponseBatchItem, error)
func (ItemHandlerFunc) HandleItem ¶
func (f ItemHandlerFunc) HandleItem(ctx context.Context, req *Request) (item *ResponseBatchItem, err error)
type KeyBlock ¶
type KeyBlock struct { KeyFormatType kmip14.KeyFormatType KeyCompressionType kmip14.KeyCompressionType `ttlv:",omitempty"` KeyValue *KeyValue `ttlv:",omitempty"` CryptographicAlgorithm kmip14.CryptographicAlgorithm `ttlv:",omitempty"` CryptographicLength int `ttlv:",omitempty"` KeyWrappingData *KeyWrappingData }
KeyBlock 2.1.3 Table 7
A Key Block object is a structure (see Table 7) used to encapsulate all of the information that is closely associated with a cryptographic key. It contains a Key Value of one of the following Key Format Types:
- Raw – This is a key that contains only cryptographic key material, encoded as a string of bytes.
- Opaque – This is an encoded key for which the encoding is unknown to the key management system. It is encoded as a string of bytes.
- PKCS1 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#1 object.
- PKCS8 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#8 object, supporting both the RSAPrivateKey syntax and EncryptedPrivateKey.
- X.509 – This is an encoded object, expressed as a DER-encoded ASN.1 X.509 object.
- ECPrivateKey – This is an ASN.1 encoded elliptic curve private key.
- Several Transparent Key types – These are algorithm-specific structures containing defined values for the various key types, as defined in Section 2.1.7.
- Extensions – These are vendor-specific extensions to allow for proprietary or legacy key formats.
The Key Block MAY contain the Key Compression Type, which indicates the format of the elliptic curve public key. By default, the public key is uncompressed.
The Key Block also has the Cryptographic Algorithm and the Cryptographic Length of the key contained in the Key Value field. Some example values are:
- RSA keys are typically 1024, 2048 or 3072 bits in length.
- 3DES keys are typically from 112 to 192 bits (depending upon key length and the presence of parity bits).
- AES keys are 128, 192 or 256 bits in length.
The Key Block SHALL contain a Key Wrapping Data structure if the key in the Key Value field is wrapped (i.e., encrypted, or MACed/signed, or both).
type KeyValue ¶
type KeyValue struct { // KeyMaterial should be []byte, one of the Transparent*Key structs, or a custom struct if KeyFormatType is // an extension. KeyMaterial interface{} Attribute []Attribute }
KeyValue 2.1.4 Table 8
The Key Value is used only inside a Key Block and is either a Byte String or a structure (see Table 8):
- The Key Value structure contains the key material, either as a byte string or as a Transparent Key structure (see Section 2.1.7), and OPTIONAL attribute information that is associated and encapsulated with the key material. This attribute information differs from the attributes associated with Managed Objects, and is obtained via the Get Attributes operation, only by the fact that it is encapsulated with (and possibly wrapped with) the key material itself.
- The Key Value Byte String is either the wrapped TTLV-encoded (see Section 9.1) Key Value structure, or the wrapped un-encoded value of the Byte String Key Material field.
TODO: Unmarshaler impl which unmarshals correct KeyMaterial type.
type KeyWrappingData ¶
type KeyWrappingData struct { WrappingMethod kmip14.WrappingMethod EncryptionKeyInformation *EncryptionKeyInformation MACSignatureKeyInformation *MACSignatureKeyInformation MACSignature []byte IVCounterNonce []byte EncodingOption kmip14.EncodingOption `ttlv:",omitempty" default:"TTLVEncoding"` }
KeyWrappingData 2.1.5 Table 9
The Key Block MAY also supply OPTIONAL information about a cryptographic key wrapping mechanism used to wrap the Key Value. This consists of a Key Wrapping Data structure (see Table 9). It is only used inside a Key Block.
This structure contains fields for:
- A Wrapping Method, which indicates the method used to wrap the Key Value.
- Encryption Key Information, which contains the Unique Identifier (see 3.1) value of the encryption key and associated cryptographic parameters.
- MAC/Signature Key Information, which contains the Unique Identifier value of the MAC/signature key and associated cryptographic parameters.
- A MAC/Signature, which contains a MAC or signature of the Key Value.
- An IV/Counter/Nonce, if REQUIRED by the wrapping method.
- An Encoding Option, specifying the encoding of the Key Material within the Key Value structure of the Key Block that has been wrapped. If No Encoding is specified, then the Key Value structure SHALL NOT contain any attributes.
If wrapping is used, then the whole Key Value structure is wrapped unless otherwise specified by the Wrapping Method. The algorithms used for wrapping are given by the Cryptographic Algorithm attributes of the encryption key and/or MAC/signature key; the block-cipher mode, padding method, and hashing algorithm used for wrapping are given by the Cryptographic Parameters in the Encryption Key Information and/or MAC/Signature Key Information, or, if not present, from the Cryptographic Parameters attribute of the respective key(s). Either the Encryption Key Information or the MAC/Signature Key Information (or both) in the Key Wrapping Data structure SHALL be specified.
The following wrapping methods are currently defined:
- Encrypt only (i.e., encryption using a symmetric key or public key, or authenticated encryption algorithms that use a single key).
- MAC/sign only (i.e., either MACing the Key Value with a symmetric key, or signing the Key Value with a private key).
- Encrypt then MAC/sign.
- MAC/sign then encrypt.
- TR-31.
- Extensions.
The following encoding options are currently defined:
- No Encoding (i.e., the wrapped un-encoded value of the Byte String Key Material field in the Key Value structure).
- TTLV Encoding (i.e., the wrapped TTLV-encoded Key Value structure).
type LocateHandler ¶ added in v0.0.11
type LocateHandler struct {
Locate func(ctx context.Context, payload *LocateRequestPayload) (*LocateResponsePayload, error)
}
func (*LocateHandler) HandleItem ¶ added in v0.0.11
func (h *LocateHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type LocateRequestPayload ¶ added in v0.0.11
type LocateRequestPayload struct { MaximumItems uint32 // Required: No OffsetItems uint32 // Required: No StorageStatusMask kmip14.StorageStatusMask // Required: No ObjectGroupMember kmip14.ObjectGroupMember // Required: No Attributes []Attribute // Required: No }
type LocateResponsePayload ¶ added in v0.0.11
type MACSignatureKeyInformation ¶
type MACSignatureKeyInformation struct { UniqueIdentifier string CryptographicParameters *CryptographicParameters }
MACSignatureKeyInformation 2.1.5 Table 11
type MessageExtension ¶
type MessageHandler ¶
MessageHandler handles KMIP requests which have already be decoded. The *Request object's Message field will be populated from the decoded TTLV. The *Response object will always be non-nil, and its ResponseHeader will be populated. The MessageHandler usually shouldn't modify the ResponseHeader: the ProtocolHandler is responsible for the header. The MessageHandler just needs to populate the response batch items.
The default implementation of MessageHandler is OperationMux.
type MessageHandlerFunc ¶
func (MessageHandlerFunc) HandleMessage ¶
func (f MessageHandlerFunc) HandleMessage(ctx context.Context, req *Request, resp *Response)
type Name ¶
Name 3.2 Table 57
The Name attribute is a structure (see Table 57) used to identify and locate an object. This attribute is assigned by the client, and the Name Value is intended to be in a form that humans are able to interpret. The key management system MAY specify rules by which the client creates valid names. Clients are informed of such rules by a mechanism that is not specified by this standard. Names SHALL be unique within a given key management domain, but are NOT REQUIRED to be globally unique.
type OpaqueObject ¶
type OpaqueObject struct { OpaqueDataType kmip14.OpaqueDataType OpaqueDataValue []byte }
type OperationMux ¶
type OperationMux struct { // ErrorHandler defaults to the DefaultErrorHandler. ErrorHandler ErrorHandler // contains filtered or unexported fields }
OperationMux is an implementation of MessageHandler which handles each batch item in the request by routing the operation to an ItemHandler. The ItemHandler performs the operation, and returns either a *ResponseBatchItem, or an error. If it returns an error, the error is passed to ErrorHandler, which converts it into a error *ResponseBatchItem. OperationMux handles correlating items in the request to items in the response.
func (*OperationMux) Handle ¶
func (m *OperationMux) Handle(op kmip14.Operation, handler ItemHandler)
func (*OperationMux) HandleMessage ¶
func (m *OperationMux) HandleMessage(ctx context.Context, req *Request, resp *Response)
type PrivateKey ¶
type PrivateKey struct {
KeyBlock KeyBlock
}
type ProtocolHandler ¶
type ProtocolHandler interface {
ServeKMIP(ctx context.Context, req *Request, resp ResponseWriter)
}
ProtocolHandler is responsible for handling raw requests read off the wire. The *Request object will only have TTLV field populated. The response should be written directly to the ResponseWriter.
The default implemention of ProtocolHandler is StandardProtocolHandler.
type ProtocolHandlerFunc ¶
type ProtocolHandlerFunc func(context.Context, *Request, ResponseWriter)
func (ProtocolHandlerFunc) ServeKMIP ¶
func (f ProtocolHandlerFunc) ServeKMIP(ctx context.Context, r *Request, w ResponseWriter)
type ProtocolVersion ¶
type QueryHandler ¶ added in v0.0.12
type QueryHandler struct {
Query func(ctx context.Context, payload *QueryRequestPayload) (*QueryResponsePayload, error)
}
func (*QueryHandler) HandleItem ¶ added in v0.0.12
func (h *QueryHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type QueryRequestPayload ¶ added in v0.0.12
type QueryRequestPayload struct {
QueryFunction kmip14.QueryFunction
}
type QueryResponsePayload ¶ added in v0.0.12
type QueryResponsePayload struct { Operation []kmip14.Operation ObjectType kmip14.ObjectType VendorIdentification string ServerInformation string ApplicationNamespace string ExtensionInformation string AttestationType kmip14.AttestationType RNGParameters string ProfileInformation []kmip14.ProfileName ValidationInformation []kmip14.ValidationAuthorityType CapabilityInformation []string ClientRegistrationMethod kmip14.ClientRegistrationMethod DefaultsInformation string ProtectionStorageMasks string }
type ReKeyHandler ¶ added in v0.0.12
type ReKeyHandler struct {
ReKey func(ctx context.Context, payload *ReKeyRequestPayload) (*ReKeyResponsePayload, error)
}
func (*ReKeyHandler) HandleItem ¶ added in v0.0.12
func (h *ReKeyHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type ReKeyRequestPayload ¶ added in v0.0.12
type ReKeyRequestPayload struct {
UniqueIdentifier string
}
ReKeyRequestPayload ////////////////////////////////////////
type ReKeyResponsePayload ¶ added in v0.0.12
type ReKeyResponsePayload struct {
UniqueIdentifier string
}
ReKeyResponsePayload
type RegisterHandler ¶
type RegisterHandler struct { SkipValidation bool RegisterFunc func(context.Context, *RegisterRequestPayload) (*RegisterResponsePayload, error) }
func (*RegisterHandler) HandleItem ¶
func (h *RegisterHandler) HandleItem(ctx context.Context, req *Request) (item *ResponseBatchItem, err error)
type RegisterRequestPayload ¶
type RegisterRequestPayload struct { ObjectType kmip14.ObjectType TemplateAttribute TemplateAttribute Certificate *Certificate SymmetricKey *SymmetricKey PrivateKey *PrivateKey PublicKey *PublicKey SplitKey *SplitKey Template *Template SecretData *SecretData OpaqueObject *OpaqueObject }
type RegisterResponsePayload ¶
type RegisterResponsePayload struct { UniqueIdentifier string TemplateAttribute TemplateAttribute }
type Request ¶
type Request struct { // TTLV will hold the entire body of the request. TTLV ttlv.TTLV Message *RequestMessage CurrentItem *RequestBatchItem DisallowExtraValues bool // TLS holds the TLS state of the connection this request was received on. TLS *tls.ConnectionState RemoteAddr string LocalAddr string IDPlaceholder string // contains filtered or unexported fields }
Request represents a KMIP request.
func (*Request) DecodePayload ¶
type RequestBatchItem ¶
type RequestBatchItem struct { Operation kmip14.Operation UniqueBatchItemID []byte `ttlv:",omitempty"` RequestPayload interface{} MessageExtension *MessageExtension `ttlv:",omitempty"` }
type RequestHeader ¶
type RequestHeader struct { ProtocolVersion ProtocolVersion MaximumResponseSize int `ttlv:",omitempty"` ClientCorrelationValue string `ttlv:",omitempty"` ServerCorrelationValue string `ttlv:",omitempty"` AsynchronousIndicator bool `ttlv:",omitempty"` AttestationCapableIndicator bool `ttlv:",omitempty"` AttestationType []kmip14.AttestationType Authentication *Authentication BatchErrorContinuationOption kmip14.BatchErrorContinuationOption `ttlv:",omitempty"` BatchOrderOption bool `ttlv:",omitempty"` TimeStamp *time.Time BatchCount int }
type RequestMessage ¶
type RequestMessage struct { RequestHeader RequestHeader BatchItem []RequestBatchItem }
type Response ¶
type Response struct { ResponseMessage // contains filtered or unexported fields }
type ResponseBatchItem ¶
type ResponseBatchItem struct { Operation kmip14.Operation `ttlv:",omitempty"` UniqueBatchItemID []byte `ttlv:",omitempty"` ResultStatus kmip14.ResultStatus ResultReason kmip14.ResultReason `ttlv:",omitempty"` ResultMessage string `ttlv:",omitempty"` AsynchronousCorrelationValue []byte `ttlv:",omitempty"` ResponsePayload interface{} `ttlv:",omitempty"` MessageExtension *MessageExtension }
type ResponseHeader ¶
type ResponseHeader struct { ProtocolVersion ProtocolVersion TimeStamp time.Time Nonce *Nonce AttestationType []kmip14.AttestationType ClientCorrelationValue string `ttlv:",omitempty"` ServerCorrelationValue string `ttlv:",omitempty"` BatchCount int }
type ResponseMessage ¶
type ResponseMessage struct { ResponseHeader ResponseHeader BatchItem []ResponseBatchItem }
type ResponseWriter ¶
type RevocationReasonStruct ¶ added in v0.0.11
type RevocationReasonStruct struct { RevocationReasonCode kmip14.RevocationReasonCode // Required: Yes RevocationMessage string // Required: No }
type RevokeHandler ¶ added in v0.0.11
type RevokeHandler struct {
Revoke func(ctx context.Context, payload *RevokeRequestPayload) (*RevokeResponsePayload, error)
}
func (*RevokeHandler) HandleItem ¶ added in v0.0.11
func (h *RevokeHandler) HandleItem(ctx context.Context, req *Request) (*ResponseBatchItem, error)
type RevokeRequestPayload ¶ added in v0.0.11
type RevokeRequestPayload struct { UniqueIdentifier string // Required: No RevocationReason RevocationReasonStruct // Required: Yes CompromiseOccurrenceDate []byte // Required: No }
type RevokeResponsePayload ¶ added in v0.0.11
type RevokeResponsePayload struct {
UniqueIdentifier string // Required: Yes
}
type SecretData ¶
type SecretData struct { SecretDataType kmip14.SecretDataType KeyBlock KeyBlock }
type Server ¶
type Server struct { Handler ProtocolHandler // contains filtered or unexported fields }
Server serves KMIP protocol connections from a net.Listener. Because KMIP is a connection-oriented protocol, unlike HTTP, each connection ends up being serviced by a dedicated goroutine (rather than each request). For each KMIP connection, requests are processed serially. The handling of the request is delegated to the ProtocolHandler.
Limitations:
This implementation is functional (it can respond to KMIP requests), but incomplete. Some of the connection management features of the http package haven't been ported over, and also, there is currently no connection-context in which to store things like an authentication or session management. Since HTTP is an intrinsically stateless model, it makes sense for the http package to delegate session management to third party packages, but for KMIP, it would makes sense for there to be some first class support for a connection context.
This package also only handles the binary TTLV encoding for now. It may make sense for this server to detect or support the XML and JSON encodings as well. It may also makes sense to support KMIP requests over HTTP, perhaps by adapting ProtocolHandler to an http.Handler or something.
Example ¶
listener, err := net.Listen("tcp", "0.0.0.0:5696") if err != nil { panic(err) } kmip.DefaultProtocolHandler.LogTraffic = true kmip.DefaultOperationMux.Handle(kmip14.OperationDiscoverVersions, &kmip.DiscoverVersionsHandler{ SupportedVersions: []kmip.ProtocolVersion{ { ProtocolVersionMajor: 1, ProtocolVersionMinor: 4, }, { ProtocolVersionMajor: 1, ProtocolVersionMinor: 3, }, { ProtocolVersionMajor: 1, ProtocolVersionMinor: 2, }, }, }) srv := kmip.Server{} panic(srv.Serve(listener))
Output:
func (*Server) Close ¶
Close immediately closes all active net.Listeners and any connections in state StateNew, StateActive, or StateIdle. For a graceful shutdown, use Shutdown.
Close does not attempt to close (and does not even know about) any hijacked connections, such as WebSockets.
Close returns any error returned from closing the Server's underlying Listener(s).
func (*Server) Serve ¶
Serve accepts incoming connections on the Listener l, creating a new service goroutine for each. The service goroutines read requests and then call srv.MessageHandler to reply to them.
Serve always returns a non-nil error and closes l. After Shutdown or Close, the returned error is ErrServerClosed.
func (*Server) Shutdown ¶
Shutdown gracefully shuts down the server without interrupting any active connections. Shutdown works by first closing all open listeners, then closing all idle connections, and then waiting indefinitely for connections to return to idle and then shut down. If the provided context expires before the shutdown is complete, Shutdown returns the context's error, otherwise it returns any error returned from closing the Server's underlying Listener(s).
When Shutdown is called, Serve, ListenAndServe, and ListenAndServeTLS immediately return ErrServerClosed. Make sure the program doesn't exit and waits instead for Shutdown to return.
Shutdown does not attempt to close nor wait for hijacked connections such as WebSockets. The caller of Shutdown should separately notify such long-lived connections of shutdown and wait for them to close, if desired. See RegisterOnShutdown for a way to register shutdown notification functions.
Once Shutdown has been called on a server, it may not be reused; future calls to methods such as Serve will return ErrServerClosed.
type StandardProtocolHandler ¶
type StandardProtocolHandler struct { ProtocolVersion ProtocolVersion MessageHandler MessageHandler LogTraffic bool }
StandardProtocolHandler is the default ProtocolHandler implementation. It handles decoding the request and encoding the response, as well as protocol level tasks like version negotiation and correlation values.
It delegates handling of the request to a MessageHandler.
func (*StandardProtocolHandler) ServeKMIP ¶
func (h *StandardProtocolHandler) ServeKMIP(ctx context.Context, req *Request, writer ResponseWriter)
type SymmetricKey ¶
type SymmetricKey struct {
KeyBlock KeyBlock
}
type TemplateAttribute ¶
TemplateAttribute 2.1.8 Table 29
The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
These structures are used in various operations to provide the desired attribute values and/or template names in the request and to return the actual attribute values in the response.
The Template-Attribute, Common Template-Attribute, Private Key Template-Attribute, and Public Key Template-Attribute structures are defined identically as follows:
type TemplateAttribute struct { Attribute []Attribute }
func (*TemplateAttribute) Append ¶
func (t *TemplateAttribute) Append(tag ttlv.Tag, value interface{})
func (*TemplateAttribute) Get ¶
func (t *TemplateAttribute) Get(s string) *Attribute
Get returns a reference to the first Attribute in the list matching the name. Returns nil if not found.
func (*TemplateAttribute) GetAll ¶
func (t *TemplateAttribute) GetAll(s string) []Attribute
func (*TemplateAttribute) GetAllTag ¶
func (t *TemplateAttribute) GetAllTag(tag ttlv.Tag) []Attribute
func (*TemplateAttribute) GetIdx ¶
func (t *TemplateAttribute) GetIdx(s string, idx int) *Attribute
GetIdx returns a reference to the Attribute in the list matching the name and index. Returns nil if not found.
type TransparentDHPrivateKey ¶
type TransparentDHPrivateKey struct { P *big.Int `validate:"required"` Q *big.Int G *big.Int `validate:"required"` J *big.Int X *big.Int `validate:"required"` }
TransparentDHPrivateKey 2.1.7.6 Table 19
If the Key Format Type in the Key Block is Transparent DH Private Key, then Key Material is a structure as shown in Table 19.
type TransparentDHPublicKey ¶
type TransparentDHPublicKey struct { P *big.Int `validate:"required"` Q *big.Int G *big.Int `validate:"required"` J *big.Int Y *big.Int `validate:"required"` }
TransparentDHPublicKey 2.1.7.7 Table 20
If the Key Format Type in the Key Block is Transparent DH Public Key, then Key Material is a structure as shown in Table 20.
P, G, and Y are required.
type TransparentDSAPrivateKey ¶
type TransparentDSAPrivateKey struct { // TODO: should these be pointers? big package deals entirely with pointers, but these are not optional values. P *big.Int `validate:"required"` Q *big.Int `validate:"required"` G *big.Int `validate:"required"` X *big.Int `validate:"required"` }
TransparentDSAPrivateKey 2.1.7.2 Table 15
If the Key Format Type in the Key Block is Transparent DSA Private Key, then Key Material is a structure as shown in Table 15.
type TransparentDSAPublicKey ¶
type TransparentDSAPublicKey struct { P *big.Int `validate:"required"` Q *big.Int `validate:"required"` G *big.Int `validate:"required"` Y *big.Int `validate:"required"` }
TransparentDSAPublicKey 2.1.7.3 Table 16
If the Key Format Type in the Key Block is Transparent DSA Public Key, then Key Material is a structure as shown in Table 16.
type TransparentECDHPrivateKey ¶
type TransparentECDHPrivateKey TransparentECPrivateKey
TransparentECDHPrivateKey 2.1.7.10 Table 23
The Transparent ECDH Private Key structure is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. The Transparent EC Private Key structure SHOULD be used as a replacement.
If the Key Format Type in the Key Block is Transparent ECDH Private Key, then Key Material is a structure as shown in Table 23.
type TransparentECDHPublicKey ¶
type TransparentECDHPublicKey TransparentECPublicKey
TransparentECDHPublicKey 2.1.7.11 Table 24
The Transparent ECDH Public Key structure is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. The Transparent EC Public Key structure SHOULD be used as a replacement.
If the Key Format Type in the Key Block is Transparent ECDH Public Key, then Key Material is a structure as shown in Table 24.
type TransparentECDSAPrivateKey ¶
type TransparentECDSAPrivateKey struct { RecommendedCurve kmip14.RecommendedCurve D *big.Int `validate:"required"` }
TransparentECDSAPrivateKey 2.1.7.8 Table 21
The Transparent ECDSA Private Key structure is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. The Transparent EC Private Key structure SHOULD be used as a replacement.
If the Key Format Type in the Key Block is Transparent ECDSA Private Key, then Key Material is a structure as shown in Table 21.
type TransparentECDSAPublicKey ¶
type TransparentECDSAPublicKey struct { RecommendedCurve kmip14.RecommendedCurve QString []byte `validate:"required"` }
TransparentECDSAPublicKey 2.1.7.9 Table 22
The Transparent ECDSA Public Key structure is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. The Transparent EC Public Key structure SHOULD be used as a replacement.
If the Key Format Type in the Key Block is Transparent ECDSA Public Key, then Key Material is a structure as shown in Table 22.
type TransparentECMQVPrivateKey ¶
type TransparentECMQVPrivateKey TransparentECPrivateKey
TransparentECMQVPrivateKey 2.1.7.12 Table 25
The Transparent ECMQV Private Key structure is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. The Transparent EC Private Key structure SHOULD be used as a replacement.
If the Key Format Type in the Key Block is Transparent ECMQV Private Key, then Key Material is a structure as shown in Table 25.
type TransparentECMQVPublicKey ¶
type TransparentECMQVPublicKey TransparentECPublicKey
TransparentECMQVPublicKey 2.1.7.13 Table 26
The Transparent ECMQV Public Key structure is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. The Transparent EC Public Key structure SHOULD be used as a replacement.
If the Key Format Type in the Key Block is Transparent ECMQV Public Key, then Key Material is a structure as shown in Table 26.
type TransparentECPrivateKey ¶
type TransparentECPrivateKey struct { RecommendedCurve kmip14.RecommendedCurve D *big.Int `validate:"required"` }
TransparentECPrivateKey 2.1.7.14 Table 27
If the Key Format Type in the Key Block is Transparent EC Private Key, then Key Material is a structure as shown in Table 27.
type TransparentECPublicKey ¶
type TransparentECPublicKey struct { RecommendedCurve kmip14.RecommendedCurve QString []byte `validate:"required"` }
TransparentECPublicKey 2.1.7.15 Table 28
If the Key Format Type in the Key Block is Transparent EC Public Key, then Key Material is a structure as shown in Table 28.
type TransparentRSAPrivateKey ¶
type TransparentRSAPrivateKey struct { Modulus *big.Int `validate:"required"` PrivateExponent, PublicExponent *big.Int P, Q *big.Int PrimeExponentP, PrimeExponentQ *big.Int CRTCoefficient *big.Int }
TransparentRSAPrivateKey 2.1.7.4 Table 17
If the Key Format Type in the Key Block is Transparent RSA Private Key, then Key Material is a structure as shown in Table 17.
One of the following SHALL be present (refer to [PKCS#1]):
- Private Exponent,
- P and Q (the first two prime factors of Modulus), or
- Prime Exponent P and Prime Exponent Q.
type TransparentRSAPublicKey ¶
type TransparentRSAPublicKey struct { Modulus *big.Int `validate:"required"` PublicExponent *big.Int `validate:"required"` }
TransparentRSAPublicKey 2.1.7.5 Table 18
If the Key Format Type in the Key Block is Transparent RSA Public Key, then Key Material is a structure as shown in Table 18.
type TransparentSymmetricKey ¶
type TransparentSymmetricKey struct {
Key []byte `validate:"required"`
}
TransparentSymmetricKey 2.1.7.1 Table 14
If the Key Format Type in the Key Block is Transparent Symmetric Key, then Key Material is a structure as shown in Table 14.
type UsernameAndPasswordCredentialValue ¶
type UsernameAndPasswordCredentialValue struct { Username string Password string `ttlv:",omitempty"` }
UsernameAndPasswordCredentialValue 2.1.2 Table 4
If the Credential Type in the Credential is Username and Password, then Credential Value is a structure as shown in Table 4. The Username field identifies the client, and the Password field is a secret that authenticates the client.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
cmd
|
|
internal
|
|
Package kmip14 contains tag and enumeration value definitions from the 1.4 specification.
|
Package kmip14 contains tag and enumeration value definitions from the 1.4 specification. |
Package kmip20 contains definitions from the 2.0 specification.
|
Package kmip20 contains definitions from the 2.0 specification. |
Package ttlv encodes and decodes the 3 wire formats defined in the KMIP specification:
|
Package ttlv encodes and decodes the 3 wire formats defined in the KMIP specification: |