security

package
v0.0.0-...-1ac4089 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 28, 2024 License: BSD-3-Clause-Clear Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ErrCertNotFound        = Error("not found")
	ErrCertificateEncode   = Error("certificate encode error")
	ErrPublicKeyMarshal    = Error("public key marshal error")
	ErrHSMUnexpected       = Error("hsm unexpected")
	ErrHSMDecrypt          = Error("hsm decrypt error")
	ErrHSMNotFound         = Error("hsm unavailable")
	ErrKeyConfig           = Error("key configuration error")
	ErrUnknownHashFunction = Error("unknown hash function")
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	Type string `yaml:"type" default:"standard"`
	// HSMConfig is the configuration for the HSM
	HSMConfig HSMConfig `yaml:"hsm,omitempty" mapstructure:"hsm"`
	// StandardConfig is the configuration for the standard key provider
	StandardConfig StandardConfig `yaml:"standard,omitempty" mapstructure:"standard"`
}

type CryptoProvider

type CryptoProvider interface {
	RSAPublicKey(keyID string) (string, error)
	RSAPublicKeyAsJSON(keyID string) (string, error)
	RSADecrypt(hash crypto.Hash, keyID string, keyLabel string, ciphertext []byte) ([]byte, error)

	ECPublicKey(keyID string) (string, error)
	GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error)
	GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error)
	GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error)
	Close()
}

func NewCryptoProvider

func NewCryptoProvider(cfg Config) (CryptoProvider, error)

type ECKeyPair

type ECKeyPair struct {
	PrivateKey PrivateKeyEC
	*ecdsa.PublicKey
	*x509.Certificate
}

type Error

type Error string

func (Error) Error

func (e Error) Error() string

type HSMConfig

type HSMConfig struct {
	Enabled    bool               `yaml:"enabled"`
	ModulePath string             `yaml:"modulePath,omitempty"`
	PIN        string             `yaml:"pin,omitempty"`
	SlotID     uint               `yaml:"slotId,omitempty"`
	SlotLabel  string             `yaml:"slotLabel,omitempty"`
	Keys       map[string]KeyInfo `yaml:"keys,omitempty"`
}

func (*HSMConfig) WithLabel

func (c *HSMConfig) WithLabel(label string) *HSMConfig

func (*HSMConfig) WithPIN

func (c *HSMConfig) WithPIN(pin string) *HSMConfig

func (*HSMConfig) WithSlot

func (c *HSMConfig) WithSlot(slot uint) *HSMConfig

type HSMSession

type HSMSession struct {
	RSA *RSAKeyPair
	EC  *ECKeyPair
	// contains filtered or unexported fields
}

A session with a security module; useful for abstracting basic cryptographic operations.

HSM Session HAS-A PKCS11 Context HSM Session HAS-A login for a given USER TYPE to a single SLOT When you start this application, you assign a slot and user to the associated security module.

func New

func New(c *HSMConfig) (*HSMSession, error)

func (*HSMSession) Close

func (h *HSMSession) Close()

func (*HSMSession) ECPublicKey

func (h *HSMSession) ECPublicKey(string) (string, error)

func (*HSMSession) GenerateEphemeralKasKeys

func (h *HSMSession) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error)

func (*HSMSession) GenerateNanoTDFSessionKey

func (h *HSMSession) GenerateNanoTDFSessionKey(
	privateKeyHandle PrivateKeyEC,
	ephemeralPublicKey []byte,
) ([]byte, error)

func (*HSMSession) GenerateNanoTDFSymmetricKey

func (h *HSMSession) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error)

func (*HSMSession) LoadECKey

func (h *HSMSession) LoadECKey(info KeyInfo) (*ECKeyPair, error)

func (*HSMSession) LoadRSAKey

func (h *HSMSession) LoadRSAKey(info KeyInfo) (*RSAKeyPair, error)

func (*HSMSession) RSADecrypt

func (h *HSMSession) RSADecrypt(hash crypto.Hash, keyID string, keyLabel string, ciphertext []byte) ([]byte, error)

func (*HSMSession) RSAPublicKey

func (h *HSMSession) RSAPublicKey(keyID string) (string, error)

func (*HSMSession) RSAPublicKeyAsJSON

func (h *HSMSession) RSAPublicKeyAsJSON(keyID string) (string, error)

type KeyInfo

type KeyInfo struct {
	Name  string `yaml:"name,omitempty"`
	Label string `yaml:"label,omitempty"`
}

type PrivateKeyEC

type PrivateKeyEC pkcs11.ObjectHandle

type PrivateKeyRSA

type PrivateKeyRSA pkcs11.ObjectHandle

type RSAKeyPair

type RSAKeyPair struct {
	PrivateKey PrivateKeyRSA
	*rsa.PublicKey
	*x509.Certificate
}

type StandardConfig

type StandardConfig struct {
	RSAKeys map[string]StandardKeyInfo `yaml:"rsa,omitempty" mapstructure:"rsa"`
	ECKeys  map[string]StandardKeyInfo `yaml:"ec,omitempty" mapstructure:"ec"`
}

type StandardCrypto

type StandardCrypto struct {
	// contains filtered or unexported fields
}

func NewStandardCrypto

func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error)

NewStandardCrypto Create a new instance of standard crypto

func (StandardCrypto) Close

func (s StandardCrypto) Close()

func (StandardCrypto) ECPublicKey

func (s StandardCrypto) ECPublicKey(string) (string, error)

func (StandardCrypto) GenerateEphemeralKasKeys

func (s StandardCrypto) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error)

func (StandardCrypto) GenerateNanoTDFSessionKey

func (s StandardCrypto) GenerateNanoTDFSessionKey(PrivateKeyEC, []byte) ([]byte, error)

func (StandardCrypto) GenerateNanoTDFSymmetricKey

func (s StandardCrypto) GenerateNanoTDFSymmetricKey([]byte) ([]byte, error)

func (StandardCrypto) RSADecrypt

func (s StandardCrypto) RSADecrypt(_ crypto.Hash, keyID string, _ string, ciphertext []byte) ([]byte, error)

func (StandardCrypto) RSAPublicKey

func (s StandardCrypto) RSAPublicKey(keyID string) (string, error)

func (StandardCrypto) RSAPublicKeyAsJSON

func (s StandardCrypto) RSAPublicKeyAsJSON(keyID string) (string, error)

type StandardECCrypto

type StandardECCrypto struct {
	Identifier string
}

type StandardKeyInfo

type StandardKeyInfo struct {
	PrivateKeyPath string `yaml:"privateKeyPath" mapstructure:"privateKeyPath"`
	PublicKeyPath  string `yaml:"publicKeyPath" mapstructure:"publicKeyPath"`
}

type StandardRSACrypto

type StandardRSACrypto struct {
	Identifier string
	// contains filtered or unexported fields
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL