Documentation ¶
Index ¶
- Constants
- Variables
- func BoxOpen(encrypted []byte, sender *X25519PublicKey, recipient *X25519Key) ([]byte, error)
- func BoxSeal(b []byte, recipient *X25519PublicKey, sender *X25519Key) []byte
- func Bytes16(b []byte) *[16]byte
- func Bytes24(b []byte) *[24]byte
- func Bytes32(b []byte) *[32]byte
- func Bytes64(b []byte) *[64]byte
- func CreateKeyXXX(s string, s2 string, s3 string)
- func CryptoBoxSeal(b []byte, publicKey *X25519PublicKey) []byte
- func CryptoBoxSealOpen(b []byte, key *X25519Key) ([]byte, error)
- func DecryptWithPassword(encrypted []byte, password string) ([]byte, error)
- func EncodeSSHKey(key Key, password string) (string, error)
- func EncryptWithPassword(b []byte, password string) []byte
- func GenerateSGXHSM2Key() string
- func GenerateSGXHSMKey() string
- func HKDFSHA256(secret []byte, len int, salt []byte, info []byte) []byte
- func HMACSHA256(key []byte, msg []byte) []byte
- func IDsToString(ids []ID, delim string) string
- func IDsToStrings(ids []ID) []string
- func IsTemporaryError(err error) bool
- func IsValidID(s string) bool
- func KeyForPassword(password string, salt []byte) (*[32]byte, error)
- func NewErrNotFound(id string) error
- func Rand16() *[16]byte
- func Rand24() *[24]byte
- func Rand32() *[32]byte
- func RandBase62(numBytes int) string
- func RandBytes(length int) []byte
- func RandDigits(length int) string
- func RandFileName() string
- func RandHex(numBytes int) string
- func RandPassword(length int, opt ...PasswordOption) string
- func RandPhrase() string
- func RandTempPath() string
- func RandUsername(length int) string
- func RandWords(numWords int) string
- func RetryE(fn func() error) error
- func RetrySE(fn func() (string, error)) (string, error)
- func SecretBoxOpen(encrypted []byte, secretKey *[32]byte) ([]byte, error)
- func SecretBoxSeal(b []byte, secretKey *[32]byte) []byte
- func SetLogger(l Logger)
- func SigchainHash(st *Statement) (*[32]byte, error)
- func StatementID(kid ID, seq int) string
- func X25519Match(expected ID, kid ID) bool
- type Address
- type CertificateKey
- type Client
- type EdX25519Key
- func GenerateEdX25519Key() *EdX25519Key
- func NewEdX25519KeyFromPaperKey(paperKey string) (*EdX25519Key, error)
- func NewEdX25519KeyFromPrivateKey(privateKey *[ed25519.PrivateKeySize]byte) *EdX25519Key
- func NewEdX25519KeyFromSeed(seed *[ed25519.SeedSize]byte) *EdX25519Key
- func NewSGXHSMKeyFromPrivateKey(privateKey *[ed25519.PrivateKeySize]byte) *EdX25519Key
- func (k *EdX25519Key) EncodeToSSH(password []byte) ([]byte, error)
- func (k *EdX25519Key) Equal(o *EdX25519Key) bool
- func (k *EdX25519Key) ID() ID
- func (k *EdX25519Key) MarshalText() ([]byte, error)
- func (k *EdX25519Key) PaperKey() string
- func (k *EdX25519Key) Private() []byte
- func (k *EdX25519Key) PrivateKey() *[ed25519.PrivateKeySize]byte
- func (k *EdX25519Key) Public() []byte
- func (k *EdX25519Key) PublicKey() *EdX25519PublicKey
- func (k *EdX25519Key) SSHSigner() ssh.Signer
- func (k *EdX25519Key) Seed() *[ed25519.SeedSize]byte
- func (k *EdX25519Key) Sign(b []byte) []byte
- func (k *EdX25519Key) SignDetached(b []byte) []byte
- func (k *EdX25519Key) Signer() crypto.Signer
- func (k *EdX25519Key) String() string
- func (k *EdX25519Key) Type() KeyType
- func (k *EdX25519Key) UnmarshalText(s []byte) error
- func (k *EdX25519Key) X25519Key() *X25519Key
- type EdX25519PublicKey
- func (k *EdX25519PublicKey) Bytes() []byte
- func (k *EdX25519PublicKey) EncodeToSSHAuthorized() []byte
- func (k *EdX25519PublicKey) ID() ID
- func (k *EdX25519PublicKey) Private() []byte
- func (k *EdX25519PublicKey) Public() []byte
- func (k *EdX25519PublicKey) String() string
- func (k *EdX25519PublicKey) Type() KeyType
- func (k *EdX25519PublicKey) Verify(b []byte) ([]byte, error)
- func (k *EdX25519PublicKey) VerifyDetached(sig []byte, b []byte) error
- func (k *EdX25519PublicKey) X25519PublicKey() *X25519PublicKey
- type ErrNotFound
- type ID
- type IDSet
- type Key
- type KeyType
- type LogLevel
- type Logger
- type PasswordOption
- type PasswordOptions
- type Post
- type PublicKey
- type RSAKey
- type RSAPublicKey
- type SGXHSM2Key
- type SGXHSM2PublicKey
- type SGXHSMKey
- type SGXHSMKey2
- type SGXHSMPublicKey
- type Sigchain
- func (s *Sigchain) Add(st *Statement) error
- func (s *Sigchain) AddAll(statements []*Statement) error
- func (s *Sigchain) FindAll(typ string) []*Statement
- func (s *Sigchain) FindLast(typ string) *Statement
- func (s *Sigchain) IsRevoked(seq int) bool
- func (s *Sigchain) KID() ID
- func (s *Sigchain) Last() *Statement
- func (s *Sigchain) LastSeq() int
- func (s *Sigchain) Length() int
- func (s *Sigchain) Revoke(revoke int, sk *EdX25519Key) (*Statement, error)
- func (s *Sigchain) Spew() *bytes.Buffer
- func (s *Sigchain) Statements() []*Statement
- func (s *Sigchain) VerifyStatement(st *Statement, prev *Statement) error
- type Sigchains
- func (s *Sigchains) Delete(kid ID) (bool, error)
- func (s *Sigchains) Exists(kid ID) (bool, error)
- func (s *Sigchains) Index(key Key) error
- func (s *Sigchains) KIDs() ([]ID, error)
- func (s *Sigchains) Lookup(kid ID) (ID, error)
- func (s *Sigchains) Save(sc *Sigchain) error
- func (s *Sigchains) SetClock(clock tsutil.Clock)
- func (s *Sigchains) Sigchain(kid ID) (*Sigchain, error)
- type Statement
- func (s *Statement) Bytes() ([]byte, error)
- func (s *Statement) BytesToSign() []byte
- func (s *Statement) MarshalJSON() ([]byte, error)
- func (s *Statement) Sign(signKey *EdX25519Key) error
- func (s *Statement) URL() string
- func (s *Statement) UnmarshalJSON(b []byte) error
- func (s *Statement) Verify() error
- func (s *Statement) VerifySpecific(bytesToSign []byte) error
- type StatementPublicKey
- type X25519Key
- func (k *X25519Key) BoxOpen(b []byte, nonce *[24]byte, sender *X25519PublicKey) ([]byte, bool)
- func (k *X25519Key) BoxSeal(b []byte, nonce *[24]byte, recipient *X25519PublicKey) []byte
- func (k *X25519Key) Bytes32() *[32]byte
- func (k *X25519Key) ID() ID
- func (k *X25519Key) Private() []byte
- func (k *X25519Key) PrivateKey() *[32]byte
- func (k *X25519Key) Public() []byte
- func (k *X25519Key) PublicKey() *X25519PublicKey
- func (k *X25519Key) Type() KeyType
- type X25519PublicKey
Examples ¶
Constants ¶
const SGXHSM2KeyHRP = "SGXHSM2"
const SignOverhead = sign.Overhead
SignOverhead alias for (nacl) sign.Overhead.
Variables ¶
var ErrVerifyFailed = errors.New("verify failed")
ErrVerifyFailed if key verify failed.
Functions ¶
func BoxOpen ¶
func BoxOpen(encrypted []byte, sender *X25519PublicKey, recipient *X25519Key) ([]byte, error)
BoxOpen uses nacl.box to decrypt.
func BoxSeal ¶
func BoxSeal(b []byte, recipient *X25519PublicKey, sender *X25519Key) []byte
BoxSeal uses nacl.box to encrypt.
Example ¶
ak := keys.GenerateX25519Key() bk := keys.GenerateX25519Key() msg := "Hey bob, it's alice. The passcode is 12345." encrypted := keys.BoxSeal([]byte(msg), bk.PublicKey(), ak) out, err := keys.BoxOpen(encrypted, ak.PublicKey(), bk) if err != nil { log.Fatal(err) } fmt.Printf("%s\n", string(out))
Output: Hey bob, it's alice. The passcode is 12345.
func CreateKeyXXX ¶ added in v0.0.2
func CryptoBoxSeal ¶
func CryptoBoxSeal(b []byte, publicKey *X25519PublicKey) []byte
CryptoBoxSeal implements libsodium crypto_box_seal.
func CryptoBoxSealOpen ¶
CryptoBoxSealOpen implements libsodium crypto_box_seal_open.
func DecryptWithPassword ¶
DecryptWithPassword decrypts bytes using a password. It assumes a 16 byte salt before the encrypted bytes.
func EncodeSSHKey ¶
EncodeSSHKey encodes key to SSH.
Example ¶
sk := keys.GenerateEdX25519Key() privateKey, err := keys.EncodeSSHKey(sk, "testpassword") if err != nil { log.Fatal(err) } log.Printf("%s\n", privateKey) publicKey, err := keys.EncodeSSHKey(sk.PublicKey(), "") if err != nil { log.Fatal(err) } log.Printf("%s\n", publicKey)
Output:
func EncryptWithPassword ¶
EncryptWithPassword encrypts bytes with a password. Uses argon2.IDKey(password, salt, 1, 64*1024, 4, 32) with 16 byte salt. The salt bytes are prepended to the encrypted bytes. This uses nacl.secretbox, so the bytes/message should be small. If you need to encrypt large amounts of data, use Saltpack instead (TODO: More details here).
func GenerateSGXHSM2Key ¶ added in v0.0.2
func GenerateSGXHSM2Key() string
GenerateSGXHSM2Key generates a SGXHSM2 key.
func GenerateSGXHSMKey ¶ added in v0.0.2
func GenerateSGXHSMKey() string
GenerateSGXHSMKey generates a SGXHSMPublicKey (EdX25519).
func HKDFSHA256 ¶
HKDFSHA256 uses HKDF with SHA256. The `len` for output byte length. The `salt` is non-secret salt, optional (can be nil), recommended: hash-length random value. The `info` is non-secret context info, optional (can be empty).
func HMACSHA256 ¶
HMACSHA256 does a HMAC-SHA256 on msg with key.
func IDsToString ¶
IDsToString returns string for joined Ikeys.
func IsTemporaryError ¶
IsTemporaryError returns true if the error has Temporary() function and that returns true
func KeyForPassword ¶
KeyForPassword generates a key from a password and salt.
func RandDigits ¶
RandDigits returns string of random digits of length. RandDigits(6) => "745566"
func RandFileName ¶
func RandFileName() string
RandFileName returns a unique random file name. RandFileName() => CTGMMOLLZCXMGP7VR4BHKAI7PE
func RandPassword ¶
func RandPassword(length int, opt ...PasswordOption) string
RandPassword returns a random password. It will contain an uppercase (A-Z), lowercase (a-z), number (0-9) and symbol. It will not to repeat characters.
Example ¶
pw := keys.RandPassword(16) log.Println(pw) pwNoSymbols := keys.RandPassword(16, keys.NoSymbols()) log.Println(pwNoSymbols)
Output:
func RandPhrase ¶
func RandPhrase() string
RandPhrase creates random phrase (BIP39 encoded random 32 bytes).
func RandTempPath ¶
func RandTempPath() string
RandTempPath returns a unique random file name in os.TempDir. RandTempPath() => "/tmp/CTGMMOLLZCXMGP7VR4BHKAI7PE"
func RandUsername ¶
RandUsername returns random lowercase string of length.
func RetryE ¶
RetryE will retry the fn (error) if the error is temporary (such as a temporary net.Error)
func RetrySE ¶
RetrySE will retry the fn (string, error) if the error is temporary (such as a temporary net.Error)
func SecretBoxOpen ¶
SecretBoxOpen decrypt using a key. It assumes a 24 byte nonce before the encrypted bytes.
func SecretBoxSeal ¶
SecretBoxSeal encrypts using a key. It prepends a 24 byte nonce to the the encrypted bytes.
func SigchainHash ¶
SigchainHash returns hash for Sigchain Statement.
func StatementID ¶
StatementID returns and identifier for a Statement as kid-seq. If seq is <= 0, returns kid. The idenfifier looks like "kex1a4yj333g68pvd6hfqvufqkv4vy54jfe6t33ljd3kc9rpfty8xlgsfte2sn-000000000000001".
func X25519Match ¶
X25519Match returns true if key IDs are equal or if either key matches their X25519 counterpart.
Types ¶
type Address ¶
type Address struct {
// contains filtered or unexported fields
}
Address is a canonical list of IDs.
func NewAddress ¶
NewAddress returns an Address from a list of IDs.
func ParseAddress ¶
ParseAddress returns address from a string.
type CertificateKey ¶
type CertificateKey struct {
// contains filtered or unexported fields
}
CertificateKey with is a PEM encoded X.509v3 certificate (public key) and a PEM encoded EC private key.
func GenerateCertificateKey ¶
func GenerateCertificateKey(commonName string, isCA bool, parent *x509.Certificate) (*CertificateKey, error)
GenerateCertificateKey creates a certificate key.
func NewCertificateKey ¶
func NewCertificateKey(private string, public string) (*CertificateKey, error)
NewCertificateKey from PEM encoded X.509v3 certificate data and PEM encoded EC private key ASN.1, DER format
func (CertificateKey) Private ¶
func (c CertificateKey) Private() string
Private returns a PEM encoded EC private key ASN.1, DER format.
func (CertificateKey) Public ¶
func (c CertificateKey) Public() string
Public returns a PEM encoded X.509v3 certificate.
func (CertificateKey) TLSCertificate ¶
func (c CertificateKey) TLSCertificate() tls.Certificate
TLSCertificate returns a tls.Certificate.
func (CertificateKey) X509Certificate ¶
func (c CertificateKey) X509Certificate() (*x509.Certificate, error)
X509Certificate returns a x509.Certificate.
type Client ¶ added in v0.0.2
type Client struct {
// contains filtered or unexported fields
}
func (*Client) CreateKey ¶ added in v0.0.2
Description: Create a customer master key(CMK) for the user, which can be a symmetric or an asymmetric key, for the symmetric cmk mainly used to wrap the datakey, also can be used to encrypted an arbitrary set of bytes data(<6KB). And for the asymmetric cmk mainly used to sign/verify or asymmetric encrypt/decrypt datas(not for the datakey.) Input: keyspec
-EH_AES_GCM_128, -EH_AES_GCM_256, -EH_RSA_2048, -EH_RSA_3072, -EH_EC_P256, -EH_EC_P521, -EH_SM2, -EH_SM4_CBC, -EH_HMAC,
origin
-EH_INTERNAL_KEY (generated from the eHSM inside) -EH_EXTERNAL_KEY (generated by the customer and want to import into the eHSM),
keyusage
-EH_KEYUSAGE_ENCRYPT_DECRYPT -EH_KEYUSAGE_SIGN_VERIFY
Output: keyid -- A uinque keyid of the cmk.
type EdX25519Key ¶
type EdX25519Key struct {
// contains filtered or unexported fields
}
EdX25519Key is a EdX25519 key capable of signing and encryption (converted to a X25519 key).
func GenerateEdX25519Key ¶
func GenerateEdX25519Key() *EdX25519Key
GenerateEdX25519Key generates a EdX25519Key (EdX25519).
Example ¶
alice := keys.GenerateEdX25519Key() fmt.Printf("Alice: %s\n", alice.ID())
Output:
func NewEdX25519KeyFromPaperKey ¶
func NewEdX25519KeyFromPaperKey(paperKey string) (*EdX25519Key, error)
NewEdX25519KeyFromPaperKey constructs EdX25519Key from a paper key.
func NewEdX25519KeyFromPrivateKey ¶
func NewEdX25519KeyFromPrivateKey(privateKey *[ed25519.PrivateKeySize]byte) *EdX25519Key
NewEdX25519KeyFromPrivateKey constructs EdX25519Key from a private key. The public key is derived from the private key.
func NewEdX25519KeyFromSeed ¶
func NewEdX25519KeyFromSeed(seed *[ed25519.SeedSize]byte) *EdX25519Key
NewEdX25519KeyFromSeed constructs EdX25519Key from an ed25519 seed. The private key is derived from this seed and the public key is derived from the private key.
func NewSGXHSMKeyFromPrivateKey ¶ added in v0.0.2
func NewSGXHSMKeyFromPrivateKey(privateKey *[ed25519.PrivateKeySize]byte) *EdX25519Key
NewSGXHSMKeyFromPrivateKey constructs EdX25519Key from a private key. The public key is derived from the private key.
func (*EdX25519Key) EncodeToSSH ¶
func (k *EdX25519Key) EncodeToSSH(password []byte) ([]byte, error)
EncodeToSSH encodes a EdX25519Key for SSH.
func (*EdX25519Key) Equal ¶
func (k *EdX25519Key) Equal(o *EdX25519Key) bool
Equal returns true if equal to key.
func (*EdX25519Key) MarshalText ¶
func (k *EdX25519Key) MarshalText() ([]byte, error)
MarshalText for encoding.TextMarshaler interface.
func (*EdX25519Key) PaperKey ¶
func (k *EdX25519Key) PaperKey() string
func (*EdX25519Key) PrivateKey ¶
func (k *EdX25519Key) PrivateKey() *[ed25519.PrivateKeySize]byte
PrivateKey returns private key part.
func (*EdX25519Key) PublicKey ¶
func (k *EdX25519Key) PublicKey() *EdX25519PublicKey
PublicKey returns public part.
func (*EdX25519Key) Seed ¶
func (k *EdX25519Key) Seed() *[ed25519.SeedSize]byte
Seed returns information on how to generate this key from ed25519 package seed.
func (*EdX25519Key) Sign ¶
func (k *EdX25519Key) Sign(b []byte) []byte
Sign bytes with the (sign) private key.
Example ¶
alice := keys.GenerateEdX25519Key() msg := "I'm alice 🤓" sig := alice.Sign([]byte(msg)) out, err := alice.PublicKey().Verify(sig) if err != nil { log.Fatal(err) } fmt.Printf("%s\n", string(out))
Output: I'm alice 🤓
func (*EdX25519Key) SignDetached ¶
func (k *EdX25519Key) SignDetached(b []byte) []byte
SignDetached sign bytes detached.
func (*EdX25519Key) String ¶
func (k *EdX25519Key) String() string
func (*EdX25519Key) UnmarshalText ¶
func (k *EdX25519Key) UnmarshalText(s []byte) error
UnmarshalText for encoding.TextUnmarshaler interface.
func (*EdX25519Key) X25519Key ¶
func (k *EdX25519Key) X25519Key() *X25519Key
X25519Key converts EdX25519Key to X25519Key.
type EdX25519PublicKey ¶
type EdX25519PublicKey struct {
// contains filtered or unexported fields
}
EdX25519PublicKey is the public part of EdX25519 key pair.
func NewEdX25519PublicKey ¶
func NewEdX25519PublicKey(b *[ed25519.PublicKeySize]byte) *EdX25519PublicKey
NewEdX25519PublicKey creates a EdX25519PublicKey.
func NewEdX25519PublicKeyFromID ¶
func NewEdX25519PublicKeyFromID(id ID) (*EdX25519PublicKey, error)
NewEdX25519PublicKeyFromID creates a EdX25519PublicKey from an ID.
func (*EdX25519PublicKey) EncodeToSSHAuthorized ¶
func (k *EdX25519PublicKey) EncodeToSSHAuthorized() []byte
EncodeToSSHAuthorized encodes a EdX25519PublicKey for SSH.
func (*EdX25519PublicKey) Private ¶
func (k *EdX25519PublicKey) Private() []byte
Private returns nil.
func (*EdX25519PublicKey) String ¶
func (k *EdX25519PublicKey) String() string
func (*EdX25519PublicKey) Verify ¶
func (k *EdX25519PublicKey) Verify(b []byte) ([]byte, error)
Verify verifies a message and signature with public key and returns the signed bytes without the signature.
func (*EdX25519PublicKey) VerifyDetached ¶
func (k *EdX25519PublicKey) VerifyDetached(sig []byte, b []byte) error
VerifyDetached verifies a detached message.
func (*EdX25519PublicKey) X25519PublicKey ¶
func (k *EdX25519PublicKey) X25519PublicKey() *X25519PublicKey
X25519PublicKey converts the ed25519 public key to a x25519 public key.
type ErrNotFound ¶
type ErrNotFound struct {
ID string
}
ErrNotFound describes a key not found error when a key is required.
func (ErrNotFound) Error ¶
func (e ErrNotFound) Error() string
type ID ¶
type ID string
ID is a bech32 encoded string.
func MustID ¶
MustID returns a (bech32) ID with HRP (human readable part) and bytes, or panics if invalid.
func (ID) IsEdX25519 ¶
IsEdX25519 returns true if ID represents a EdX25519 key.
type IDSet ¶
type IDSet struct {
// contains filtered or unexported fields
}
IDSet is a set of strings.
type Key ¶
type Key interface { // ID for the key. ID() ID // Type of key. Type() KeyType // Private key data. Private() []byte // Public key data. Public() []byte }
Key with id, type and private and/or public data.
func DecodeSSHKey ¶
DecodeSSHKey decodes SSH key.
Example ¶
pk, err := keys.DecodeSSHKey("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqI4910CfGV/VLbLTy6XXLKZwm/HZQSG/N0iAG0D29c", "") if err != nil { log.Fatal(err) } fmt.Printf("%s\n", pk.ID())
Output: kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077
func ParseSSHKey ¶
ParseSSHKey parses a SSH private key.
func ParseSSHPublicKey ¶
ParseSSHPublicKey parses a SSH public key.
type KeyType ¶
type KeyType string
KeyType ...
const EdX25519 KeyType = "edx25519"
EdX25519 key type.
const RSA KeyType = "rsa"
RSA key type.
const SGXHSM KeyType = "sgxhsm"
EdX25519 key type.
const SGXHSM2 KeyType = "SGXHSM2"
SGXHSM2 key type.
const X25519 KeyType = "x25519"
X25519 key type.
type Logger ¶
type Logger interface { Debugf(format string, args ...interface{}) Infof(format string, args ...interface{}) Warningf(format string, args ...interface{}) Errorf(format string, args ...interface{}) Fatalf(format string, args ...interface{}) }
Logger interface used in this package.
type PasswordOptions ¶
type PasswordOptions struct {
NoSymbols bool
}
PasswordOptions for RandPassword.
type PublicKey ¶ added in v0.0.2
type PublicKey struct {
// contains filtered or unexported fields
}
SGXHSMPublicKey is the public part of SGXHSM key pair.
type RSAKey ¶
type RSAKey struct {
// contains filtered or unexported fields
}
RSAKey implements Key interface for RSA.
func NewRSAKeyFromBytes ¶
NewRSAKeyFromBytes constructs RSA from a private key (PKCS1).
type RSAPublicKey ¶
type RSAPublicKey struct {
// contains filtered or unexported fields
}
RSAPublicKey is the public part of RSA key pair.
func NewRSAPublicKey ¶
func NewRSAPublicKey(pk *rsa.PublicKey) *RSAPublicKey
NewRSAPublicKey returns RSA public key.
func NewRSAPublicKeyFromBytes ¶
func NewRSAPublicKeyFromBytes(publicKey []byte) (*RSAPublicKey, error)
NewRSAPublicKeyFromBytes returns RSA public key from PKC1 bytes.
type SGXHSM2Key ¶ added in v0.0.2
type SGXHSM2Key struct {
// contains filtered or unexported fields
}
SGXHSM2Key implements Key interface for SGXHSM2.
func (*SGXHSM2Key) Public ¶ added in v0.0.2
func (k *SGXHSM2Key) Public() []byte
Public key data (PKCS1).
func (*SGXHSM2Key) PublicKey ¶ added in v0.0.2
func (k *SGXHSM2Key) PublicKey() *SGXHSM2PublicKey
PublicKey ...
type SGXHSM2PublicKey ¶ added in v0.0.2
type SGXHSM2PublicKey struct {
// contains filtered or unexported fields
}
SGXHSM2PublicKey is the public part of SGXHSM2 key pair.
func NewSGXHSM2PublicKey ¶ added in v0.0.2
func NewSGXHSM2PublicKey(pk *rsa.PublicKey) *SGXHSM2PublicKey
func NewSGXHSM2PublicKeyFromBytes ¶ added in v0.0.2
func NewSGXHSM2PublicKeyFromBytes(publicKey []byte) (*SGXHSM2PublicKey, error)
NewSGXHSM2PublicKeyFromBytes returns SGXHSM2 public key from PKC1 bytes.
func (*SGXHSM2PublicKey) Bytes ¶ added in v0.0.2
func (k *SGXHSM2PublicKey) Bytes() []byte
Bytes for public key (PKCS1).
func (*SGXHSM2PublicKey) ID ¶ added in v0.0.2
func (k *SGXHSM2PublicKey) ID() ID
ID is key identifier.
func (*SGXHSM2PublicKey) Private ¶ added in v0.0.2
func (k *SGXHSM2PublicKey) Private() []byte
Private returns nil.
func (*SGXHSM2PublicKey) Public ¶ added in v0.0.2
func (k *SGXHSM2PublicKey) Public() []byte
Public key data.
func (*SGXHSM2PublicKey) Type ¶ added in v0.0.2
func (k *SGXHSM2PublicKey) Type() KeyType
Type of key.
type SGXHSMKey ¶ added in v0.0.2
type SGXHSMKey struct {
// contains filtered or unexported fields
}
SGXHSMKey SGXHSMPublicKey is a SGXHSM key capable of signing and encryption
func (*SGXHSMKey) Equal ¶ added in v0.0.2
func (k *SGXHSMKey) Equal(o *EdX25519Key) bool
// UnmarshalText for encoding.TextUnmarshaler interface.
func (k *SGXHSMKey) UnmarshalText(s []byte) error { b, err := encoding.Decode(string(s), encoding.Base64) if err != nil { return err } var privateKey []byte if len(b) == 32 { privateKey = ed25519.NewKeyFromSeed(b) } else { privateKey = b } if err := k.setPrivateKey(privateKey); err != nil { return err } return nil }
Equal returns true if equal to key.
func (*SGXHSMKey) SGXHSMKey ¶ added in v0.0.2
func (k *SGXHSMKey) setPrivateKey(b []byte) error { if len(b) != ed25519.PrivateKeySize { return errors.Errorf("invalid private key length %d", len(b)) } // Derive public key from private key edpk := ed25519.PrivateKey(b) publicKey := edpk.Public().(ed25519.PublicKey) if len(publicKey) != ed25519.PublicKeySize { return errors.Errorf("invalid public key bytes (len=%d)", len(publicKey)) } var privateKeyBytes [ed25519.PrivateKeySize]byte copy(privateKeyBytes[:], b[:ed25519.PrivateKeySize]) var publicKeyBytes [ed25519.PublicKeySize]byte copy(publicKeyBytes[:], publicKey[:ed25519.PublicKeySize]) k.privateKey = &privateKeyBytes k.publicKey = NewSGXHSMPublicKey(&publicKeyBytes) return nil }
X25519Key converts EdX25519Key to X25519Key.
type SGXHSMKey2 ¶ added in v0.0.2
type SGXHSMKey2 struct {
// contains filtered or unexported fields
}
SGXHSMKey SGXHSMPublicKey is a SGXHSM key capable of signing and encryption
type SGXHSMPublicKey ¶ added in v0.0.2
type SGXHSMPublicKey struct {
// contains filtered or unexported fields
}
SGXHSMPublicKey is the public part of SGXHSM key pair.
func NewSGXHSMPublicKey ¶ added in v0.0.2
func NewSGXHSMPublicKey(b *[ed25519.PublicKeySize]byte) *SGXHSMPublicKey
NewSGXHSMPublicKey creates a EdX25519PublicKey.
func (*SGXHSMPublicKey) Private ¶ added in v0.0.2
func (k *SGXHSMPublicKey) Private() []byte
Private returns nil.
func (*SGXHSMPublicKey) Public ¶ added in v0.0.2
func (k *SGXHSMPublicKey) Public() []byte
Public ...
func (*SGXHSMPublicKey) String ¶ added in v0.0.2
func (k *SGXHSMPublicKey) String() string
type Sigchain ¶
type Sigchain struct {
// contains filtered or unexported fields
}
Sigchain is a chain of signed statements by a sign key.
func NewSigchain ¶
NewSigchain creates an empty Sigchain.
Example ¶
clock := tsutil.NewTestClock() alice := keys.GenerateEdX25519Key() sc := keys.NewSigchain(alice.ID()) // Create root statement st, err := keys.NewSigchainStatement(sc, []byte("hi! 🤓"), alice, "example", clock.Now()) if err != nil { log.Fatal(err) } if err := sc.Add(st); err != nil { log.Fatal(err) } // Add 2nd statement st2, err := keys.NewSigchainStatement(sc, []byte("2nd message"), alice, "example", clock.Now()) if err != nil { log.Fatal(err) } if err := sc.Add(st2); err != nil { log.Fatal(err) } // Revoke 2nd statement _, err = sc.Revoke(2, alice) if err != nil { log.Fatal(err) } // Spew spew := sc.Spew() log.Println(spew.String())
Output:
func (*Sigchain) FindLast ¶
FindLast search from the last statement to the first, returning after If type is specified, we will search for that statement type. If we found a statement and it was revoked, we return nil.
func (*Sigchain) LastSeq ¶
LastSeq returns last signed statment seq (or 0 if no signed statements exist).
func (*Sigchain) Revoke ¶
func (s *Sigchain) Revoke(revoke int, sk *EdX25519Key) (*Statement, error)
Revoke a signed statement in the Sigchain.
func (*Sigchain) Statements ¶
Statements returns all the signed statements.
type Sigchains ¶
type Sigchains struct {
// contains filtered or unexported fields
}
Sigchains stores sigchains.
func NewSigchains ¶
NewSigchains creates a Sigchains from Documents.
type Statement ¶
type Statement struct { // Sig is the signature bytes. Sig []byte // KID is the key that signed. KID ID // Data (optional). Data []byte // Seq in a sigchain (1 is root, optional). Seq int // Prev is a hash of the previous item in the sigchain (optional). Prev []byte // Revoke refers to a previous signed seq to revoke (optional). Revoke int // Type (optional). Type string // Timestamp (optional). Timestamp time.Time // Nonce (optional). Nonce []byte }
Statement with signature. Use NewSigchainStatement to create a signed Sigchain Statement.
Example ¶
sk := keys.NewEdX25519KeyFromSeed(testSeed(0x01)) st := &keys.Statement{ KID: sk.ID(), Data: bytes.Repeat([]byte{0x01}, 16), Type: "test", } if err := st.Sign(sk); err != nil { log.Fatal(err) } data := st.BytesToSign() fmt.Printf("%s\n", string(data)) b, err := st.Bytes() if err != nil { log.Fatal(err) } fmt.Printf("%s\n", string(b)) b, err = json.Marshal(st) if err != nil { log.Fatal(err) } fmt.Printf("%s\n", string(b))
Output: {".sig":"","data":"AQEBAQEBAQEBAQEBAQEBAQ==","kid":"kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077","type":"test"} {".sig":"CFD9cK9gIB3sAEqpDwmZM0JFFO4/+RpX9uoAD25G3F1o8Af+pTk6pI4GPqAZ5FhEw1rUDfL02Qnohtx05LQxAg==","data":"AQEBAQEBAQEBAQEBAQEBAQ==","kid":"kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077","type":"test"} {".sig":"CFD9cK9gIB3sAEqpDwmZM0JFFO4/+RpX9uoAD25G3F1o8Af+pTk6pI4GPqAZ5FhEw1rUDfL02Qnohtx05LQxAg==","data":"AQEBAQEBAQEBAQEBAQEBAQ==","kid":"kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077","type":"test"}
func NewRevokeStatement ¶
func NewRevokeStatement(sc *Sigchain, revoke int, sk *EdX25519Key) (*Statement, error)
NewRevokeStatement creates a revoke Statement.
func NewSigchainStatement ¶
func NewSigchainStatement(sc *Sigchain, b []byte, sk *EdX25519Key, typ string, ts time.Time) (*Statement, error)
NewSigchainStatement creates a signed Statement to be added to the Sigchain.
func (*Statement) BytesToSign ¶
BytesToSign returns bytes to sign.
func (*Statement) MarshalJSON ¶
MarshalJSON marshals statement to JSON.
func (*Statement) Sign ¶
func (s *Statement) Sign(signKey *EdX25519Key) error
Sign the statement. Returns an error if already signed.
func (*Statement) URL ¶
URL returns path string for a Statement in the HTTP API. If Seq is not set, then there is no path. Path looks like "/kex1a4yj333g68pvd6hfqvufqkv4vy54jfe6t33ljd3kc9rpfty8xlgsfte2sn/1".
func (*Statement) UnmarshalJSON ¶
UnmarshalJSON unmarshals a statement from JSON.
func (*Statement) VerifySpecific ¶
VerifySpecific and check that bytesToSign match the statement's BytesToSign, to verify the original bytes match the specific serialization.
type StatementPublicKey ¶
type StatementPublicKey interface { ID() ID Verify(b []byte) ([]byte, error) VerifyDetached(sig []byte, b []byte) error }
StatementPublicKey describes a public key for a Statement.
func StatementPublicKeyFromID ¶
func StatementPublicKeyFromID(id ID) (StatementPublicKey, error)
StatementPublicKeyFromID converts ID to StatementPublicKey. TODO: Support other key types.
type X25519Key ¶
type X25519Key struct {
// contains filtered or unexported fields
}
X25519Key is a X25519 assymmetric encryption key.
func GenerateX25519Key ¶
func GenerateX25519Key() *X25519Key
GenerateX25519Key creates a new X25519Key.
Example ¶
alice := keys.GenerateX25519Key() fmt.Printf("Alice: %s\n", alice.ID())
Output:
func NewX25519KeyFromPrivateKey ¶
NewX25519KeyFromPrivateKey creates a X25519Key from private key bytes.
func NewX25519KeyFromSeed ¶
NewX25519KeyFromSeed from seed.
func (*X25519Key) BoxSeal ¶
func (k *X25519Key) BoxSeal(b []byte, nonce *[24]byte, recipient *X25519PublicKey) []byte
BoxSeal encrypts message with nacl.box Seal.
func (*X25519Key) PrivateKey ¶
PrivateKey returns private part of this X25519Key.
func (*X25519Key) PublicKey ¶
func (k *X25519Key) PublicKey() *X25519PublicKey
PublicKey returns public part of this X25519Key.
type X25519PublicKey ¶
type X25519PublicKey struct {
// contains filtered or unexported fields
}
X25519PublicKey is the public key part of a x25519 key.
func NewX25519PublicKey ¶
func NewX25519PublicKey(b *[32]byte) *X25519PublicKey
NewX25519PublicKey creates X25519PublicKey. Metadata is optional.
func NewX25519PublicKeyFromID ¶
func NewX25519PublicKeyFromID(id ID) (*X25519PublicKey, error)
NewX25519PublicKeyFromID converts ID to X25519PublicKey.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package api provides a standard key format for serialization to JSON or msgpack, and conversions to and from specific key types.
|
Package api provides a standard key format for serialization to JSON or msgpack, and conversions to and from specific key types. |
Package bech32 is a modified version of the reference implementation of BIP173.
|
Package bech32 is a modified version of the reference implementation of BIP173. |
Package dstore describes a document store.
|
Package dstore describes a document store. |
events
Package events provides an event log.
|
Package events provides an event log. |
Package encoding provides encoding and decoding of different formats like Base62, Saltpack, BIP39.
|
Package encoding provides encoding and decoding of different formats like Base62, Saltpack, BIP39. |
Package env provides paths on different platforms.
|
Package env provides paths on different platforms. |
Package http provides an http client for use with checking remote signed statements.
|
Package http provides an http client for use with checking remote signed statements. |
Package json provides a simpler JSON marshaller for strings and ints only.
|
Package json provides a simpler JSON marshaller for strings and ints only. |
Package keyring provides a cross-platform secure keyring.
|
Package keyring provides a cross-platform secure keyring. |
Package noise integrates keys with the Noise protocol.
|
Package noise integrates keys with the Noise protocol. |
Package saltpack integrates keys with Saltpack (saltpack.org).
|
Package saltpack integrates keys with Saltpack (saltpack.org). |
Package tsutil provides timestamp and time utilities.
|
Package tsutil provides timestamp and time utilities. |
Package user defines user statements, store and search.
|
Package user defines user statements, store and search. |
services
Package services defines services capable of linking a key to a user.
|
Package services defines services capable of linking a key to a user. |