- type KMS
- func (k *KMS) Connect(parentSegment ...*xray.XRayParentSegment) (err error)
- func (k *KMS) DecryptViaCmkAes256(cipherText string) (plainText string, err error)
- func (k *KMS) DecryptViaCmkRsa2048(cipherText string) (plainText string, err error)
- func (k *KMS) DecryptWithDataKeyAes256(cipherText string, cipherKey string) (plainText string, err error)
- func (k *KMS) Disconnect()
- func (k *KMS) ECDH(keyArn, ephemeralPublicKeyB64 string) (sharedSecret []byte, err error)
- func (k *KMS) EncryptViaCmkAes256(plainText string) (cipherText string, err error)
- func (k *KMS) EncryptViaCmkRsa2048(plainText string) (cipherText string, err error)
- func (k *KMS) EncryptWithDataKeyAes256(plainText string, cipherKey string) (cipherText string, err error)
- func (k *KMS) GenerateDataKeyAes256() (cipherKey string, err error)
- func (k *KMS) GenerateEncryptionDecryptionKeyRsa2048(keyName string, keyPolicyJSON string) (encryptedOutput *kms.CreateKeyOutput, err error)
- func (k *KMS) GenerateSignVerifyKeyRsa2048(keyName string, keyPolicy interface{}) (encryptedOutput *kms.CreateKeyOutput, err error)
- func (k *KMS) GetRSAPublicKey(alias string) (output *kms.GetPublicKeyOutput, err error)
- func (k *KMS) ImportECCP256SignVerifyKey(keyAlias, keyPolicyJson string, eccPvk *ecdsa.PrivateKey) (keyArn string, err error)
- func (k *KMS) KeyDeleteWithAlias(alias string, PendingWindowInDays int64) (output *kms.ScheduleKeyDeletionOutput, err error)
- func (k *KMS) KeyDeleteWithArnID(arn string, PendingWindowInDays int64) (output *kms.ScheduleKeyDeletionOutput, err error)
- func (k *KMS) ReEncryptViaCmkAes256(sourceCipherText string, targetKmsKeyName string) (targetCipherText string, err error)
- func (k *KMS) ReEncryptViaCmkRsa2048(sourceCipherText string, targetKmsKeyName string) (targetCipherText string, err error)
- func (k *KMS) SignViaCmkRsa2048(dataToSign string) (signature string, err error)
- func (k *KMS) UpdateParentSegment(parentSegment *xray.XRayParentSegment)
- func (k *KMS) VerifyViaCmkRsa2048(dataToVerify string, signatureToVerify string) (signatureValid bool, err error)
Types ¶
type KMS ¶
type KMS struct {
	// define the AWS region that KMS is located at
	AwsRegion awsregion.AWSRegion

	// custom http2 client options
	HttpOptions *awshttp2.HttpClientSettings

	// define kms key name
	AesKmsKeyName       string
	RsaKmsKeyName       string
	SignatureKmsKeyName string

	// contains filtered or unexported fields
}
KMS encapsulates access to the AWS KMS service.
func (*KMS) Connect ¶
func (k *KMS) Connect(parentSegment ...*xray.XRayParentSegment) (err error)
Connect will establish a connection to the KMS service
func (*KMS) DecryptViaCmkAes256 ¶
DecryptViaCmkAes256 uses the symmetric AES-256 KMS CMK to decrypt cipherText and returns the plainText string; the cipherText can only be decrypted with that same symmetric AES-256 KMS CMK.
func (*KMS) DecryptViaCmkRsa2048 ¶
DecryptViaCmkRsa2048 uses the asymmetric RSA-2048 KMS CMK private key to decrypt cipherText and returns the plainText string; the cipherText can only be decrypted with that same asymmetric RSA-2048 KMS CMK private key.
func (*KMS) DecryptWithDataKeyAes256 ¶
func (k *KMS) DecryptWithDataKeyAes256(cipherText string, cipherKey string) (plainText string, err error)
DecryptWithDataKeyAes256 decrypts cipherText using the cipherKey that was generated via GenerateDataKeyAes256().
cipherKey = the encrypted data key, in hex; the KMS CMK is required to decrypt this key before it can be used.
func (*KMS) Disconnect ¶
func (k *KMS) Disconnect()
Disconnect detaches from the AWS session by clearing it.
func (*KMS) EncryptViaCmkAes256 ¶
EncryptViaCmkAes256 uses the symmetric AES-256 KMS CMK to encrypt plainText and returns the cipherText string; the cipherText can only be decrypted with that same symmetric AES-256 KMS CMK.
func (*KMS) EncryptViaCmkRsa2048 ¶
EncryptViaCmkRsa2048 uses the asymmetric RSA-2048 KMS CMK public key to encrypt plainText and returns the cipherText string; the cipherText can only be decrypted with the paired asymmetric RSA-2048 KMS CMK private key.
*** To Encrypt using the Public Key Outside of KMS ***
- Copy the public key from AWS KMS for the given RSA CMK
- Use an external RSA public-key encryption function with that public key to encrypt
func (*KMS) EncryptWithDataKeyAes256 ¶
func (k *KMS) EncryptWithDataKeyAes256(plainText string, cipherKey string) (cipherText string, err error)
EncryptWithDataKeyAes256 encrypts plainText using the cipherKey that was generated via GenerateDataKeyAes256().
cipherKey = the encrypted data key, in hex; the KMS CMK is required to decrypt this key before it can be used.
func (*KMS) GenerateDataKeyAes256 ¶
GenerateDataKeyAes256 returns a data key generated by the KMS CMK. The returned data key is encrypted and can only be decrypted via the KMS CMK, so the encrypted form is safe to hold in memory or store at rest.
cipherKey = the encrypted data key, in hex; the KMS CMK is required to decrypt this key before it can be used.
func (*KMS) GenerateEncryptionDecryptionKeyRsa2048 ¶ added in v1.5.2
func (k *KMS) GenerateEncryptionDecryptionKeyRsa2048(keyName string, keyPolicyJSON string) (encryptedOutput *kms.CreateKeyOutput, err error)
GenerateEncryptionDecryptionKeyRsa2048 generates a new RSA-2048 key pair using the KMS CMK and returns the creation output; the key pair can only be used for RSA-2048 asymmetric encryption/decryption.
keyName = the alias name to create
keyPolicyJSON = the key policy JSON string to apply
Example key policy (the principals below are placeholders to replace with your own account/user):
keyPolicy := map[string]interface{}{
	"Id":      "key-consolepolicy-3",
	"Version": "2012-10-17",
	"Statement": []map[string]interface{}{
		{
			"Effect":    "Allow",
			"Principal": map[string]interface{}{"AWS": "arn:aws:iam::***************:user/xxxxxxxxxxxxxxxxxxx"}, // Replace with your account ID
			"Action":    "kms:*",
			"Resource":  "*",
		},
		{
			"Sid":       "Allow access for Key Administrators",
			"Effect":    "Allow",
			"Principal": map[string]interface{}{"AWS": "arn:aws:iam::***************:user/xxxxxxxxxxxxxxxxxxx"}, // Replace with your account ID
			"Action":    "kms:*",
			"Resource":  "*",
		},
		{
			"Sid":       "Allow access for Key Administrators",
			"Effect":    "Allow",
			"Principal": map[string]interface{}{"AWS": "arn:aws:iam::***************:user/xxxxxxxxxxxxxxxxxxx"},
			"Action": []string{
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion",
			},
			"Resource": "*",
		},
		{
			"Sid":       "Allow use of the key",
			"Effect":    "Allow",
			"Principal": map[string]interface{}{"AWS": "arn:aws:iam::***************:user/xxxxxxxxxxxxxxxxxxx"},
			"Action": []string{
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:DescribeKey",
				"kms:GetPublicKey",
			},
			"Resource": "*",
		},
		{
			"Sid":       "Allow attachment of persistent resources",
			"Effect":    "Allow",
			"Principal": map[string]interface{}{"AWS": "arn:aws:iam::***************:user/xxxxxxxxxxxxxxxxxxx"},
			"Action": []string{
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant",
			},
			"Resource": "*",
			"Condition": map[string]interface{}{
				"Bool": map[string]interface{}{
					"kms:GrantIsForAWSResource": "true",
				},
			},
		},
	},
}
func (*KMS) GenerateSignVerifyKeyRsa2048 ¶ added in v1.5.2
func (k *KMS) GenerateSignVerifyKeyRsa2048(keyName string, keyPolicy interface{}) (encryptedOutput *kms.CreateKeyOutput, err error)
func (*KMS) GetRSAPublicKey ¶ added in v1.5.2
func (k *KMS) GetRSAPublicKey(alias string) (output *kms.GetPublicKeyOutput, err error)
func (*KMS) ImportECCP256SignVerifyKey ¶ added in v1.5.2
func (*KMS) KeyDeleteWithAlias ¶ added in v1.5.2
func (*KMS) KeyDeleteWithArnID ¶ added in v1.5.2
func (*KMS) ReEncryptViaCmkAes256 ¶
func (k *KMS) ReEncryptViaCmkAes256(sourceCipherText string, targetKmsKeyName string) (targetCipherText string, err error)
ReEncryptViaCmkAes256 re-encrypts sourceCipherText under the new targetKmsKeyName via KMS (the target must be an AES-256 key) and returns the re-encrypted cipherText.
func (*KMS) ReEncryptViaCmkRsa2048 ¶
func (k *KMS) ReEncryptViaCmkRsa2048(sourceCipherText string, targetKmsKeyName string) (targetCipherText string, err error)
ReEncryptViaCmkRsa2048 re-encrypts sourceCipherText under the new targetKmsKeyName via KMS (the target must be an RSA-2048 key) and returns the re-encrypted cipherText.
func (*KMS) SignViaCmkRsa2048 ¶
SignViaCmkRsa2048 signs dataToSign using the KMS CMK RSA sign/verify key (the private key held in KMS is used to sign, and never leaves KMS).
func (*KMS) UpdateParentSegment ¶ added in v1.1.4
func (k *KMS) UpdateParentSegment(parentSegment *xray.XRayParentSegment)
UpdateParentSegment updates this struct's X-Ray parent segment; pass nil if there is no parent segment.
func (*KMS) VerifyViaCmkRsa2048 ¶
func (k *KMS) VerifyViaCmkRsa2048(dataToVerify string, signatureToVerify string) (signatureValid bool, err error)
VerifyViaCmkRsa2048 verifies dataToVerify against signatureToVerify using the KMS CMK RSA sign/verify key (the public key held in KMS is used to verify).
signatureToVerify = the previously produced signature, in hex, to verify against the dataToVerify parameter
*** To Verify using the Public Key Outside of KMS ***
- Copy the public key from AWS KMS for the given RSA CMK
- Use an external RSA public-key verify function with that public key to verify