Documentation
Index
- func FormatJWKString(wks []*ECDSAKey) (string, error)
- func GetLatestKeyVersion(ctx context.Context, kms *kms.KeyManagementClient, keyName string) (*kmspb.CryptoKeyVersion, error)
- func PublicKey(ctx context.Context, kms *kms.KeyManagementClient, keyName string) ([]byte, error)
- func SetPrimary(ctx context.Context, kms *kms.KeyManagementClient, key, versionName string) error
- func SignToken(token *jwt.Token, signer crypto.Signer) (string, error)
- func ValidateJWT(keySet jwk.Set, jwtStr string) (*jwt2.Token, error)
- func VerifyJWTString(ctx context.Context, kms *kms.KeyManagementClient, keyName string, ...) error
- type Action
- type CertificateActionService
- type ECDSAKey
- type JWKS
- type KeyServer
- type RotationHandler
Constants
This section is empty.
Variables
This section is empty.
Functions
func FormatJWKString
func FormatJWKString(wks []*ECDSAKey) (string, error)
FormatJWKString serializes the given keys as a JWK Set and returns its JSON string form. https://datatracker.ietf.org/doc/html/rfc7517#section-5 .
func GetLatestKeyVersion
func GetLatestKeyVersion(ctx context.Context, kms *kms.KeyManagementClient, keyName string) (*kmspb.CryptoKeyVersion, error)
GetLatestKeyVersion looks up the newest enabled version of the key keyName. If there is no enabled version, it returns nil.
func SetPrimary
func SetPrimary(ctx context.Context, kms *kms.KeyManagementClient, key, versionName string) error
SetPrimary records versionName as the primary version in the labels of key.
func SignToken
func SignToken(token *jwt.Token, signer crypto.Signer) (string, error)
SignToken signs a JWT with the given crypto.Signer and returns the signed token string. Much of this is taken from: https://github.com/google/exposure-notifications-verification-server/blob/main/pkg/jwthelper/jwthelper.go
func ValidateJWT
func ValidateJWT(keySet jwk.Set, jwtStr string) (*jwt2.Token, error)
ValidateJWT parses a JWT string into a token and validates its signature against keySet.
func VerifyJWTString
func VerifyJWTString(ctx context.Context, kms *kms.KeyManagementClient, keyName string, jwtStr string) error
VerifyJWTString verifies that jwtStr is correctly signed by the KMS key keyName and is otherwise valid.
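The following is an added illustration of what SignToken, ValidateJWT and VerifyJWTString do; it is not the package's code and uses only the Go standard library rather than the jwt and jwk libraries the package depends on. The signer is any crypto.Signer, as in SignToken's signature, which is how a KMS-backed key would be plugged in; because Go's ECDSA signers return ASN.1 DER, the example converts the signature to the fixed-width r||s form that ES256 requires. The verifier pins the algorithm to ES256, selects the key by kid (the JWKS-side lookup) and checks exp. The Header and Claims types, the key ID "v1" and the in-memory key map are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header is the JOSE header; kid selects the verification key from the JWKS.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Claims is an assumed minimal claim set for this example.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func decodeSegment(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// SignES256 signs header.claims with any crypto.Signer over a P-256 key (a KMS-backed signer behaves the
// same). Go's ECDSA signers return ASN.1 DER, but JWS needs fixed-width r||s (32 bytes each for P-256).
func SignES256(kid string, c Claims, signer crypto.Signer) (string, error) {
	pub, ok := signer.Public().(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return "", errors.New("ES256 requires a P-256 ECDSA signer")
	}
	hb, _ := json.Marshal(Header{Alg: "ES256", Kid: kid})
	cb, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	der, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return "", err
	}
	var sig struct{ R, S *big.Int }
	if _, err := asn1.Unmarshal(der, &sig); err != nil {
		return "", err
	}
	raw := make([]byte, 64)
	sig.R.FillBytes(raw[:32])
	sig.S.FillBytes(raw[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(raw), nil
}

// VerifyES256 validates a compact JWT against the keys a JWKS would publish, keyed by kid. The algorithm
// is pinned to ES256 rather than trusted from the header, so alg=none cannot downgrade verification.
func VerifyES256(token string, keys map[string]*ecdsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want 3 segments")
	}
	var h Header
	if err := decodeSegment(parts[0], &h); err != nil || h.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported or unreadable header (alg %q): %v", h.Alg, err)
	}
	pub, ok := keys[h.Kid]
	if !ok || pub.Curve != elliptic.P256() {
		return nil, fmt.Errorf("no P-256 key for kid %q", h.Kid)
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(raw) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(raw[:32]), new(big.Int).SetBytes(raw[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil || c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("claims unreadable, expired or missing exp")
	}
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := SignES256("v1", Claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()}, priv)
	fmt.Println(tok)
}
```

The verifier deliberately does not dispatch on the token's alg header: accepting whatever alg a token names is how alg=none and key-confusion bugs arise. A token whose kid is absent from the published key set is rejected, which is the behaviour a rotation scheme relies on once a version has been disabled and dropped from the JWKS.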
Types
type Action
type Action int8
const (
	ActionCreateNew Action = iota // New version should be created. Will be marked as new in StateStore (SS).
	ActionCreateNewAndPromote     // New version should be created. Will be marked as primary in SS.
	ActionPromote                 // Mark version as primary in SS.
	ActionDisable                 // Disable version. Will be removed from SS.
	ActionDestroy                 // Destroy version.
)
type CertificateActionService
type CertificateActionService struct {
	jvspb.CertificateActionServiceServer
	Handler   *RotationHandler
	KMSClient *kms.KeyManagementClient
}
CertificateActionService allows for performing manual actions on certificate versions.
func (*CertificateActionService) CertificateAction
func (p *CertificateActionService) CertificateAction(ctx context.Context, request *jvspb.CertificateActionRequest) (*jvspb.CertificateActionResponse, error)
CertificateAction implements the certificate action API, which performs manual actions on certificate versions. It wraps the unexported certificateAction and adds an empty response.
type ECDSAKey
type ECDSAKey struct {
	Curve string `json:"crv"`
	ID    string `json:"kid"`
	Type  string `json:"kty"`
	X     string `json:"x"`
	Y     string `json:"y"`
}
ECDSAKey holds the public key information for an Elliptic Curve Digital Signature Algorithm (ECDSA) key and is used to serialize the public key into JWK format. https://datatracker.ietf.org/doc/html/rfc7517#section-4 .
func JWKList
func JWKList(ctx context.Context, kms *kms.KeyManagementClient, keyName string) ([]*ECDSAKey, error)
JWKList returns the public keys of the KMS key keyName as a list in JWK format. https://datatracker.ietf.org/doc/html/rfc7517#section-4 .
type JWKS
type JWKS struct {
Keys []*ECDSAKey `json:"keys"`
}
JWKS represents a JWK Set and is used to produce its JSON representation. https://datatracker.ietf.org/doc/html/rfc7517#section-5 .
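As an added example (not the package's own code), here is what ECDSAKey, JWKList and FormatJWKString amount to when done by hand: turning an ecdsa.PublicKey into the RFC 7517/7518 JWK members and back. The key ID is a constructed KMS version name, and FromJWK is an assumed consumer-side helper included to show the checks a verifier should run on a fetched JWKS before trusting a key from it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// ECDSAKey mirrors the page's type: the JWK members of RFC 7517 section 4 / RFC 7518 section 6.2.1.
type ECDSAKey struct {
	Curve string `json:"crv"`
	ID    string `json:"kid"`
	Type  string `json:"kty"`
	X     string `json:"x"`
	Y     string `json:"y"`
}

// JWKS mirrors the page's JWK Set type (RFC 7517 section 5).
type JWKS struct {
	Keys []*ECDSAKey `json:"keys"`
}

// curveByName maps JWK "crv" names to the curves usable with ES256/ES384/ES512.
var curveByName = map[string]elliptic.Curve{
	"P-256": elliptic.P256(),
	"P-384": elliptic.P384(),
	"P-521": elliptic.P521(),
}

// ToJWK serializes pub under key ID kid. Each coordinate is the big-endian integer left-padded
// to the curve's field size (RFC 7518 section 6.2.1.2), then base64url without padding; encoding
// big.Int's minimal bytes instead would silently drop leading zero bytes.
func ToJWK(kid string, pub *ecdsa.PublicKey) (*ECDSAKey, error) {
	crv := pub.Curve.Params().Name // Go names its NIST curves exactly as JWK does
	if curveByName[crv] != pub.Curve {
		return nil, fmt.Errorf("unsupported curve %q", crv)
	}
	size := (pub.Curve.Params().BitSize + 7) / 8
	enc := func(n *big.Int) string {
		buf := make([]byte, size)
		n.FillBytes(buf)
		return base64.RawURLEncoding.EncodeToString(buf)
	}
	return &ECDSAKey{Curve: crv, ID: kid, Type: "EC", X: enc(pub.X), Y: enc(pub.Y)}, nil
}

// FromJWK is the consumer side: it rejects wrong kty/crv, mis-sized coordinates and points
// that are not on the curve before handing back a key usable for signature verification.
func FromJWK(k *ECDSAKey) (*ecdsa.PublicKey, error) {
	curve, ok := curveByName[k.Curve]
	if k.Type != "EC" || !ok {
		return nil, fmt.Errorf("unsupported kty %q / crv %q", k.Type, k.Curve)
	}
	size := (curve.Params().BitSize + 7) / 8
	dec := func(s string) (*big.Int, error) {
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil {
			return nil, err
		}
		if len(b) != size {
			return nil, fmt.Errorf("coordinate is %d bytes, want %d", len(b), size)
		}
		return new(big.Int).SetBytes(b), nil
	}
	x, errX := dec(k.X)
	y, errY := dec(k.Y)
	if errX != nil || errY != nil {
		return nil, fmt.Errorf("bad coordinates: %v %v", errX, errY)
	}
	if !curve.IsOnCurve(x, y) {
		return nil, errors.New("point is not on the curve")
	}
	return &ecdsa.PublicKey{Curve: curve, X: x, Y: y}, nil
}

// FormatJWKS renders the set as the JSON document a JWKS endpoint would serve.
func FormatJWKS(keys []*ECDSAKey) (string, error) {
	b, err := json.Marshal(JWKS{Keys: keys})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k, _ := ToJWK("projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1", &priv.PublicKey)
	s, _ := FormatJWKS([]*ECDSAKey{k})
	fmt.Println(s)
}
```

The padding in ToJWK matters: a coordinate with a leading zero byte occurs for roughly one key in 256, and encoding big.Int's minimal representation would then produce a 31-byte x or y that strict consumers reject, so a JWKS bug of that kind only shows up on some rotations.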
type KeyServer
type KeyServer struct {
	KMSClient       *kms.KeyManagementClient
	PublicKeyConfig *config.PublicKeyConfig
	Cache           *cache.Cache[string]
}
KeyServer serves all valid and active public keys as a JWK Set (JWKS).
type RotationHandler
type RotationHandler struct {
	KMSClient    *kms.KeyManagementClient
	CryptoConfig *config.CryptoConfig
}
RotationHandler handles all necessary rotation actions for asymmetric keys, based on the provided CryptoConfig.
func (*RotationHandler) RotateKey
func (h *RotationHandler) RotateKey(ctx context.Context, key string) error
RotateKey determines and performs the rotation actions needed for the versions of a key. key is the full KMS resource name, `projects/*/locations/*/keyRings/*/cryptoKeys/*` (https://pkg.go.dev/google.golang.org/genproto/googleapis/cloud/kms/v1#CryptoKey).
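The Action constants and RotateKey describe a version lifecycle, but the page does not document the timing rules in CryptoConfig. The following is an added, hypothetical decision procedure written for this page, not the project's RotationHandler logic; the Version struct, the Policy fields and the thresholds are assumptions chosen to show why the actions are split into create, promote, disable and destroy steps, and LatestEnabled only mirrors the documented behaviour of GetLatestKeyVersion.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Action mirrors the page's rotation actions.
type Action int8

const (
	ActionCreateNew Action = iota
	ActionCreateNewAndPromote
	ActionPromote
	ActionDisable
	ActionDestroy
)

// Version is a constructed stand-in for a KMS key version; destroyed versions are simply absent.
type Version struct {
	Name      string
	Enabled   bool // false means the version is disabled
	CreatedAt time.Time
	Primary   bool // the "primary" label that SetPrimary maintains
}

// Policy holds assumed rotation knobs; the real config.CryptoConfig is not documented on this page.
type Policy struct {
	KeyTTL           time.Duration // how long a version stays primary before a successor is created
	PropagationDelay time.Duration // time for JWKS consumers to fetch a new key before it signs
	GracePeriod      time.Duration // time the predecessor stays published after promotion
	DisabledPeriod   time.Duration // how long a disabled version is retained before destruction
}

type Decision struct {
	Version string // empty for the create actions
	Action  Action
}

// LatestEnabled mirrors GetLatestKeyVersion: the newest enabled version, or nil if none.
func LatestEnabled(vs []Version) *Version {
	var best *Version
	for i := range vs {
		if vs[i].Enabled && (best == nil || vs[i].CreatedAt.After(best.CreatedAt)) {
			best = &vs[i]
		}
	}
	return best
}

// Plan maps the current version set to the Actions RotateKey would have to perform now.
func Plan(now time.Time, p Policy, vs []Version) []Decision {
	sorted := append([]Version(nil), vs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].CreatedAt.Before(sorted[j].CreatedAt) })
	var primary *Version
	for i := range sorted {
		if sorted[i].Enabled && sorted[i].Primary {
			primary = &sorted[i]
		}
	}
	if primary == nil {
		if newest := LatestEnabled(sorted); newest != nil {
			return []Decision{{newest.Name, ActionPromote}}
		}
		return []Decision{{"", ActionCreateNewAndPromote}}
	}
	var out []Decision
	haveSuccessor := false
	for i := range sorted {
		v := &sorted[i]
		switch {
		case v == primary: // the signing key itself; handled after the loop
		case !v.Enabled:
			if now.Sub(v.CreatedAt) >= p.KeyTTL+p.PropagationDelay+p.GracePeriod+p.DisabledPeriod {
				out = append(out, Decision{v.Name, ActionDestroy})
			}
		case v.CreatedAt.After(primary.CreatedAt): // enabled successor: promote once consumers can have fetched it
			haveSuccessor = true
			if now.Sub(v.CreatedAt) >= p.PropagationDelay {
				out = append(out, Decision{v.Name, ActionPromote})
			}
		default: // enabled predecessor: unpublish once tokens it signed have had the grace period to be verified
			if now.Sub(primary.CreatedAt) >= p.PropagationDelay+p.GracePeriod {
				out = append(out, Decision{v.Name, ActionDisable})
			}
		}
	}
	if !haveSuccessor && now.Sub(primary.CreatedAt) >= p.KeyTTL {
		out = append(out, Decision{"", ActionCreateNew})
	}
	return out
}

func main() {
	p := Policy{KeyTTL: 720 * time.Hour, PropagationDelay: 24 * time.Hour, GracePeriod: 48 * time.Hour, DisabledPeriod: 168 * time.Hour}
	fmt.Println(Plan(time.Now(), p, []Version{{"v1", true, time.Now().Add(-744 * time.Hour), true}}))
}
```

Splitting creation from promotion is what lets JWKS consumers cache the new public key served by KeyServer before any token is signed with it, and keeping the predecessor published for a grace period is what lets tokens it signed still validate until they expire; under this policy GracePeriod should therefore be at least the longest token lifetime issued.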