keys

package module
v0.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 6, 2024 License: MIT Imports: 52 Imported by: 11

README

keys.pub

GoDoc

Unfortunately, this project is not currently being worked on. I may revisit this in the future, if you would like to sponsor development or hire me please reach out at gabriel@keys.pub. (see keys-pub/keys#168 for more info) ⚠

☢ This project is in development and has not been audited or reviewed. Use at your own risk. ☢

Documentation

Visit keys.pub.

Repositories

Repo Description
keys-pub/keys Key management, signing and encryption, including keys/saltpack and keys/keyring.
keys-pub/keys-ext Extensions: Service (gRPC), command line client, DB, Firestore, HTTP API/Client/Server, Git, Wormhole, etc.
keys-pub/app Desktop app.

Documentation

Index

Examples

Constants

View Source
const SGXHSM2KeyHRP = "SGXHSM2"
View Source
const SignOverhead = sign.Overhead

SignOverhead alias for (nacl) sign.Overhead.

Variables

View Source
var ErrVerifyFailed = errors.New("verify failed")

ErrVerifyFailed if key verify failed.

Functions

func BoxOpen

func BoxOpen(encrypted []byte, sender *X25519PublicKey, recipient *X25519Key) ([]byte, error)

BoxOpen uses nacl.box to decrypt.

func BoxSeal

func BoxSeal(b []byte, recipient *X25519PublicKey, sender *X25519Key) []byte

BoxSeal uses nacl.box to encrypt.

Example
ak := keys.GenerateX25519Key()
bk := keys.GenerateX25519Key()

msg := "Hey bob, it's alice. The passcode is 12345."
encrypted := keys.BoxSeal([]byte(msg), bk.PublicKey(), ak)

out, err := keys.BoxOpen(encrypted, ak.PublicKey(), bk)
if err != nil {
	log.Fatal(err)
}

fmt.Printf("%s\n", string(out))
Output:

Hey bob, it's alice. The passcode is 12345.

func Bytes16

func Bytes16(b []byte) *[16]byte

Bytes16 converts byte slice to *[16]byte or panics.

func Bytes24

func Bytes24(b []byte) *[24]byte

Bytes24 converts byte slice to *[24]byte or panics.

func Bytes32

func Bytes32(b []byte) *[32]byte

Bytes32 converts byte slice to *[32]byte or panics.

func Bytes64

func Bytes64(b []byte) *[64]byte

Bytes64 converts byte slice to *[64]byte or panics.

func CreateKeyXXX added in v0.0.2

func CreateKeyXXX(s string, s2 string, s3 string)

func CryptoBoxSeal

func CryptoBoxSeal(b []byte, publicKey *X25519PublicKey) []byte

CryptoBoxSeal implements libsodium crypto_box_seal.

func CryptoBoxSealOpen

func CryptoBoxSealOpen(b []byte, key *X25519Key) ([]byte, error)

CryptoBoxSealOpen implements libsodium crypto_box_seal_open.

func DecryptWithPassword

func DecryptWithPassword(encrypted []byte, password string) ([]byte, error)

DecryptWithPassword decrypts bytes using a password. It assumes a 16 byte salt before the encrypted bytes.

func EncodeSSHKey

func EncodeSSHKey(key Key, password string) (string, error)

EncodeSSHKey encodes key to SSH.

Example
sk := keys.GenerateEdX25519Key()

privateKey, err := keys.EncodeSSHKey(sk, "testpassword")
if err != nil {
	log.Fatal(err)
}
log.Printf("%s\n", privateKey)

publicKey, err := keys.EncodeSSHKey(sk.PublicKey(), "")
if err != nil {
	log.Fatal(err)
}
log.Printf("%s\n", publicKey)
Output:

func EncryptWithPassword

func EncryptWithPassword(b []byte, password string) []byte

EncryptWithPassword encrypts bytes with a password. Uses argon2.IDKey(password, salt, 1, 64*1024, 4, 32) with 16 byte salt. The salt bytes are prepended to the encrypted bytes. This uses nacl.secretbox, so the bytes/message should be small. If you need to encrypt large amounts of data, use Saltpack instead (TODO: More details here).

func GenerateSGXHSM2Key added in v0.0.2

func GenerateSGXHSM2Key() string

GenerateSGXHSM2Key generates a SGXHSM2 key.

func GenerateSGXHSMKey added in v0.0.2

func GenerateSGXHSMKey() string

GenerateSGXHSMKey generates a SGXHSMPublicKey (EdX25519).

func HKDFSHA256

func HKDFSHA256(secret []byte, len int, salt []byte, info []byte) []byte

HKDFSHA256 uses HKDF with SHA256. The `len` for output byte length. The `salt` is non-secret salt, optional (can be nil), recommended: hash-length random value. The `info` is non-secret context info, optional (can be empty).

func HMACSHA256

func HMACSHA256(key []byte, msg []byte) []byte

HMACSHA256 does a HMAC-SHA256 on msg with key.

func IDsToString

func IDsToString(ids []ID, delim string) string

IDsToString returns string for joined Ikeys.

func IDsToStrings

func IDsToStrings(ids []ID) []string

IDsToStrings returns []strings for []ID.

func IsTemporaryError

func IsTemporaryError(err error) bool

IsTemporaryError returns true if the error has Temporary() function and that returns true

func IsValidID

func IsValidID(s string) bool

IsValidID returns true if string is a valid ID.

func KeyForPassword

func KeyForPassword(password string, salt []byte) (*[32]byte, error)

KeyForPassword generates a key from a password and salt.

func NewErrNotFound

func NewErrNotFound(id string) error

NewErrNotFound constructs a ErrNotFound.

func Rand16

func Rand16() *[16]byte

Rand16 generates random 16 bytes.

func Rand24

func Rand24() *[24]byte

Rand24 generates random 24 bytes.

func Rand32

func Rand32() *[32]byte

Rand32 generates random 32 bytes.

func RandBase62

func RandBase62(numBytes int) string

RandBase62 returns random base62.

func RandBytes

func RandBytes(length int) []byte

RandBytes returns random bytes of length.

func RandDigits

func RandDigits(length int) string

RandDigits returns string of random digits of length. RandDigits(6) => "745566"

func RandFileName

func RandFileName() string

RandFileName returns a unique random file name. RandFileName() => CTGMMOLLZCXMGP7VR4BHKAI7PE

func RandHex

func RandHex(numBytes int) string

RandHex returns random hex.

func RandPassword

func RandPassword(length int, opt ...PasswordOption) string

RandPassword returns a random password. It will contain an uppercase (A-Z), lowercase (a-z), number (0-9) and symbol. It will not to repeat characters.

Example
pw := keys.RandPassword(16)
log.Println(pw)

pwNoSymbols := keys.RandPassword(16, keys.NoSymbols())
log.Println(pwNoSymbols)
Output:

func RandPhrase

func RandPhrase() string

RandPhrase creates random phrase (BIP39 encoded random 32 bytes).

func RandTempPath

func RandTempPath() string

RandTempPath returns a unique random file name in os.TempDir. RandTempPath() => "/tmp/CTGMMOLLZCXMGP7VR4BHKAI7PE"

func RandUsername

func RandUsername(length int) string

RandUsername returns random lowercase string of length.

func RandWords

func RandWords(numWords int) string

RandWords returns random (BIP39) words. numWords must be 1 to 24.

func RetryE

func RetryE(fn func() error) error

RetryE will retry the fn (error) if the error is temporary (such as a temporary net.Error)

func RetrySE

func RetrySE(fn func() (string, error)) (string, error)

RetrySE will retry the fn (string, error) if the error is temporary (such as a temporary net.Error)

func SecretBoxOpen

func SecretBoxOpen(encrypted []byte, secretKey *[32]byte) ([]byte, error)

SecretBoxOpen decrypt using a key. It assumes a 24 byte nonce before the encrypted bytes.

func SecretBoxSeal

func SecretBoxSeal(b []byte, secretKey *[32]byte) []byte

SecretBoxSeal encrypts using a key. It prepends a 24 byte nonce to the the encrypted bytes.

func SetLogger

func SetLogger(l Logger)

SetLogger sets logger for the package.

func SigchainHash

func SigchainHash(st *Statement) (*[32]byte, error)

SigchainHash returns hash for Sigchain Statement.

func StatementID

func StatementID(kid ID, seq int) string

StatementID returns and identifier for a Statement as kid-seq. If seq is <= 0, returns kid. The idenfifier looks like "kex1a4yj333g68pvd6hfqvufqkv4vy54jfe6t33ljd3kc9rpfty8xlgsfte2sn-000000000000001".

func X25519Match

func X25519Match(expected ID, kid ID) bool

X25519Match returns true if key IDs are equal or if either key matches their X25519 counterpart.

Types

type Address

type Address struct {
	// contains filtered or unexported fields
}

Address is a canonical list of IDs.

func NewAddress

func NewAddress(ids ...ID) (*Address, error)

NewAddress returns an Address from a list of IDs.

func ParseAddress

func ParseAddress(saddrs ...string) (*Address, error)

ParseAddress returns address from a string.

func (*Address) Contains

func (a *Address) Contains(id ID) bool

Contains returns true if address contains the specified id.

func (*Address) String

func (a *Address) String() string

String returns a canonical string representation of an address. The first address part is less than the second part.

NewAddress("bob", "alice").String() => "alice:bob"

func (*Address) Strings

func (a *Address) Strings() []string

Strings returns IDs as strings.

type CertificateKey

type CertificateKey struct {
	// contains filtered or unexported fields
}

CertificateKey with is a PEM encoded X.509v3 certificate (public key) and a PEM encoded EC private key.

func GenerateCertificateKey

func GenerateCertificateKey(commonName string, isCA bool, parent *x509.Certificate) (*CertificateKey, error)

GenerateCertificateKey creates a certificate key.

func NewCertificateKey

func NewCertificateKey(private string, public string) (*CertificateKey, error)

NewCertificateKey from PEM encoded X.509v3 certificate data and PEM encoded EC private key ASN.1, DER format

func (CertificateKey) Private

func (c CertificateKey) Private() string

Private returns a PEM encoded EC private key ASN.1, DER format.

func (CertificateKey) Public

func (c CertificateKey) Public() string

Public returns a PEM encoded X.509v3 certificate.

func (CertificateKey) TLSCertificate

func (c CertificateKey) TLSCertificate() tls.Certificate

TLSCertificate returns a tls.Certificate.

func (CertificateKey) X509Certificate

func (c CertificateKey) X509Certificate() (*x509.Certificate, error)

X509Certificate returns a x509.Certificate.

type Client added in v0.0.2

type Client struct {
	// contains filtered or unexported fields
}

func (*Client) CreateKey added in v0.0.2

func (c *Client) CreateKey(keyspec, origin, keyusage string) (string, error)

Description: Create a customer master key(CMK) for the user, which can be a symmetric or an asymmetric key, for the symmetric cmk mainly used to wrap the datakey, also can be used to encrypted an arbitrary set of bytes data(<6KB). And for the asymmetric cmk mainly used to sign/verify or asymmetric encrypt/decrypt datas(not for the datakey.) Input: keyspec

-EH_AES_GCM_128,
-EH_AES_GCM_256,
-EH_RSA_2048,
-EH_RSA_3072,
-EH_EC_P256,
-EH_EC_P521,
-EH_SM2,
-EH_SM4_CBC,
-EH_HMAC,

origin

-EH_INTERNAL_KEY (generated from the eHSM inside)
-EH_EXTERNAL_KEY (generated by the customer and want to import into the eHSM),

keyusage

-EH_KEYUSAGE_ENCRYPT_DECRYPT
-EH_KEYUSAGE_SIGN_VERIFY

Output: keyid -- A uinque keyid of the cmk.

type EdX25519Key

type EdX25519Key struct {
	// contains filtered or unexported fields
}

EdX25519Key is a EdX25519 key capable of signing and encryption (converted to a X25519 key).

func GenerateEdX25519Key

func GenerateEdX25519Key() *EdX25519Key

GenerateEdX25519Key generates a EdX25519Key (EdX25519).

Example
alice := keys.GenerateEdX25519Key()
fmt.Printf("Alice: %s\n", alice.ID())
Output:

func NewEdX25519KeyFromPaperKey

func NewEdX25519KeyFromPaperKey(paperKey string) (*EdX25519Key, error)

NewEdX25519KeyFromPaperKey constructs EdX25519Key from a paper key.

func NewEdX25519KeyFromPrivateKey

func NewEdX25519KeyFromPrivateKey(privateKey *[ed25519.PrivateKeySize]byte) *EdX25519Key

NewEdX25519KeyFromPrivateKey constructs EdX25519Key from a private key. The public key is derived from the private key.

func NewEdX25519KeyFromSeed

func NewEdX25519KeyFromSeed(seed *[ed25519.SeedSize]byte) *EdX25519Key

NewEdX25519KeyFromSeed constructs EdX25519Key from an ed25519 seed. The private key is derived from this seed and the public key is derived from the private key.

func NewSGXHSMKeyFromPrivateKey added in v0.0.2

func NewSGXHSMKeyFromPrivateKey(privateKey *[ed25519.PrivateKeySize]byte) *EdX25519Key

NewSGXHSMKeyFromPrivateKey constructs EdX25519Key from a private key. The public key is derived from the private key.

func (*EdX25519Key) EncodeToSSH

func (k *EdX25519Key) EncodeToSSH(password []byte) ([]byte, error)

EncodeToSSH encodes a EdX25519Key for SSH.

func (*EdX25519Key) Equal

func (k *EdX25519Key) Equal(o *EdX25519Key) bool

Equal returns true if equal to key.

func (*EdX25519Key) ID

func (k *EdX25519Key) ID() ID

ID ...

func (*EdX25519Key) MarshalText

func (k *EdX25519Key) MarshalText() ([]byte, error)

MarshalText for encoding.TextMarshaler interface.

func (*EdX25519Key) PaperKey

func (k *EdX25519Key) PaperKey() string

func (*EdX25519Key) Private

func (k *EdX25519Key) Private() []byte

Private ...

func (*EdX25519Key) PrivateKey

func (k *EdX25519Key) PrivateKey() *[ed25519.PrivateKeySize]byte

PrivateKey returns private key part.

func (*EdX25519Key) Public

func (k *EdX25519Key) Public() []byte

Public ...

func (*EdX25519Key) PublicKey

func (k *EdX25519Key) PublicKey() *EdX25519PublicKey

PublicKey returns public part.

func (*EdX25519Key) SSHSigner

func (k *EdX25519Key) SSHSigner() ssh.Signer

SSHSigner interface.

func (*EdX25519Key) Seed

func (k *EdX25519Key) Seed() *[ed25519.SeedSize]byte

Seed returns information on how to generate this key from ed25519 package seed.

func (*EdX25519Key) Sign

func (k *EdX25519Key) Sign(b []byte) []byte

Sign bytes with the (sign) private key.

Example
alice := keys.GenerateEdX25519Key()
msg := "I'm alice 🤓"
sig := alice.Sign([]byte(msg))
out, err := alice.PublicKey().Verify(sig)
if err != nil {
	log.Fatal(err)
}
fmt.Printf("%s\n", string(out))
Output:

I'm alice 🤓

func (*EdX25519Key) SignDetached

func (k *EdX25519Key) SignDetached(b []byte) []byte

SignDetached sign bytes detached.

func (*EdX25519Key) Signer

func (k *EdX25519Key) Signer() crypto.Signer

Signer interface.

func (*EdX25519Key) String

func (k *EdX25519Key) String() string

func (*EdX25519Key) Type

func (k *EdX25519Key) Type() KeyType

Type ...

func (*EdX25519Key) UnmarshalText

func (k *EdX25519Key) UnmarshalText(s []byte) error

UnmarshalText for encoding.TextUnmarshaler interface.

func (*EdX25519Key) X25519Key

func (k *EdX25519Key) X25519Key() *X25519Key

X25519Key converts EdX25519Key to X25519Key.

type EdX25519PublicKey

type EdX25519PublicKey struct {
	// contains filtered or unexported fields
}

EdX25519PublicKey is the public part of EdX25519 key pair.

func NewEdX25519PublicKey

func NewEdX25519PublicKey(b *[ed25519.PublicKeySize]byte) *EdX25519PublicKey

NewEdX25519PublicKey creates a EdX25519PublicKey.

func NewEdX25519PublicKeyFromID

func NewEdX25519PublicKeyFromID(id ID) (*EdX25519PublicKey, error)

NewEdX25519PublicKeyFromID creates a EdX25519PublicKey from an ID.

func (*EdX25519PublicKey) Bytes

func (k *EdX25519PublicKey) Bytes() []byte

Bytes ...

func (*EdX25519PublicKey) EncodeToSSHAuthorized

func (k *EdX25519PublicKey) EncodeToSSHAuthorized() []byte

EncodeToSSHAuthorized encodes a EdX25519PublicKey for SSH.

func (*EdX25519PublicKey) ID

func (k *EdX25519PublicKey) ID() ID

ID for EdX25519Key.

func (*EdX25519PublicKey) Private

func (k *EdX25519PublicKey) Private() []byte

Private returns nil.

func (*EdX25519PublicKey) Public

func (k *EdX25519PublicKey) Public() []byte

Public ...

func (*EdX25519PublicKey) String

func (k *EdX25519PublicKey) String() string

func (*EdX25519PublicKey) Type

func (k *EdX25519PublicKey) Type() KeyType

Type ...

func (*EdX25519PublicKey) Verify

func (k *EdX25519PublicKey) Verify(b []byte) ([]byte, error)

Verify verifies a message and signature with public key and returns the signed bytes without the signature.

func (*EdX25519PublicKey) VerifyDetached

func (k *EdX25519PublicKey) VerifyDetached(sig []byte, b []byte) error

VerifyDetached verifies a detached message.

func (*EdX25519PublicKey) X25519PublicKey

func (k *EdX25519PublicKey) X25519PublicKey() *X25519PublicKey

X25519PublicKey converts the ed25519 public key to a x25519 public key.

type ErrNotFound

type ErrNotFound struct {
	ID string
}

ErrNotFound describes a key not found error when a key is required.

func (ErrNotFound) Error

func (e ErrNotFound) Error() string

type ID

type ID string

ID is a bech32 encoded string.

func MustID

func MustID(hrp string, b []byte) ID

MustID returns a (bech32) ID with HRP (human readable part) and bytes, or panics if invalid.

func NewID

func NewID(hrp string, b []byte) (ID, error)

NewID creates ID from HRP (human readable part) and bytes.

func ParseID

func ParseID(s string) (ID, error)

ParseID parses a string and validates an ID.

func ParseIDs

func ParseIDs(strs []string) ([]ID, error)

ParseIDs returns IDs from strings.

func RandID

func RandID(hrp string) ID

RandID returns a random (bech32) ID.

func (ID) Decode

func (i ID) Decode() (string, []byte, error)

Decode ID into HRP (human readable part) and bytes (data).

func (ID) ID

func (i ID) ID() ID

ID for Keys interface.

func (ID) IsEdX25519

func (i ID) IsEdX25519() bool

IsEdX25519 returns true if ID represents a EdX25519 key.

func (ID) IsX25519

func (i ID) IsX25519() bool

IsX25519 returns true if ID represents a X25519 key.

func (ID) Private

func (i ID) Private() []byte

Private returns nil (for Key interface).

func (ID) Public

func (i ID) Public() []byte

Public key data (for Key interface).

func (ID) String

func (i ID) String() string

func (ID) Type

func (i ID) Type() KeyType

Type of key.

func (ID) UUID

func (i ID) UUID() *[16]byte

UUID returns a 16 byte hash of the public bytes.

func (ID) WithSeq

func (i ID) WithSeq(seq int) string

WithSeq returns string with a sequence value appended to the ID.

type IDSet

type IDSet struct {
	// contains filtered or unexported fields
}

IDSet is a set of strings.

func NewIDSet

func NewIDSet(ids ...ID) *IDSet

NewIDSet creates IDSet.

func NewIDSetWithCapacity

func NewIDSetWithCapacity(capacity int) *IDSet

NewIDSetWithCapacity ..

func (*IDSet) Add

func (s *IDSet) Add(id ID)

Add to set.

func (*IDSet) AddAll

func (s *IDSet) AddAll(ids []ID)

AddAll to set.

func (*IDSet) Clear

func (s *IDSet) Clear()

Clear set.

func (*IDSet) Contains

func (s *IDSet) Contains(id ID) bool

Contains returns true if set contains string.

func (*IDSet) IDs

func (s *IDSet) IDs() []ID

IDs returns IDs in set.

func (*IDSet) Size

func (s *IDSet) Size() int

Size for set.

type Key

type Key interface {
	// ID for the key.
	ID() ID

	// Type of key.
	Type() KeyType

	// Private key data.
	Private() []byte

	// Public key data.
	Public() []byte
}

Key with id, type and private and/or public data.

func DecodeSSHKey

func DecodeSSHKey(s string, password string) (Key, error)

DecodeSSHKey decodes SSH key.

Example
pk, err := keys.DecodeSSHKey("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqI4910CfGV/VLbLTy6XXLKZwm/HZQSG/N0iAG0D29c", "")
if err != nil {
	log.Fatal(err)
}
fmt.Printf("%s\n", pk.ID())
Output:

kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077

func ParseSSHKey

func ParseSSHKey(pemBytes []byte, passphrase []byte, trim bool) (Key, error)

ParseSSHKey parses a SSH private key.

func ParseSSHPublicKey

func ParseSSHPublicKey(s string) (Key, error)

ParseSSHPublicKey parses a SSH public key.

type KeyType

type KeyType string

KeyType ...

const EdX25519 KeyType = "edx25519"

EdX25519 key type.

const RSA KeyType = "rsa"

RSA key type.

const SGXHSM KeyType = "sgxhsm"

EdX25519 key type.

const SGXHSM2 KeyType = "SGXHSM2"

SGXHSM2 key type.

const X25519 KeyType = "x25519"

X25519 key type.

func (KeyType) GenerateKey added in v0.0.2

func (t KeyType) GenerateKey(reader io.Reader, i int) interface{}

type LogLevel

type LogLevel int

LogLevel ...

const (
	// DebugLevel ...
	DebugLevel LogLevel = 3
	// InfoLevel ...
	InfoLevel LogLevel = 2
	// WarnLevel ...
	WarnLevel LogLevel = 1
	// ErrLevel ...
	ErrLevel LogLevel = 0
)

func (LogLevel) String

func (l LogLevel) String() string

type Logger

type Logger interface {
	Debugf(format string, args ...interface{})
	Infof(format string, args ...interface{})
	Warningf(format string, args ...interface{})
	Errorf(format string, args ...interface{})
	Fatalf(format string, args ...interface{})
}

Logger interface used in this package.

func NewLogger

func NewLogger(lev LogLevel) Logger

NewLogger ...

type PasswordOption

type PasswordOption func(*PasswordOptions)

PasswordOption ...

func NoSymbols

func NoSymbols() PasswordOption

NoSymbols password option.

type PasswordOptions

type PasswordOptions struct {
	NoSymbols bool
}

PasswordOptions for RandPassword.

type Post added in v0.0.2

type Post struct {
	APPID      string `json:"appid"`
	APIKEY     string `json:"apikey"`
	TimeStamep string `json:"timestamp"`
	ID         string `json:"id"`
	Keyspec    string `json:"keyspec"`
	Origin     string `json:"origin"`
	KeyUsage   string `json:"keyusage"`
}

type PublicKey added in v0.0.2

type PublicKey struct {
	// contains filtered or unexported fields
}

SGXHSMPublicKey is the public part of SGXHSM key pair.

type RSAKey

type RSAKey struct {
	// contains filtered or unexported fields
}

RSAKey implements Key interface for RSA.

func GenerateRSAKey

func GenerateRSAKey() *RSAKey

GenerateRSAKey generates a RSA key.

func NewRSAKey

func NewRSAKey(k *rsa.PrivateKey) *RSAKey

NewRSAKey from rsa.PrivateKey.

func NewRSAKeyFromBytes

func NewRSAKeyFromBytes(privateKey []byte) (*RSAKey, error)

NewRSAKeyFromBytes constructs RSA from a private key (PKCS1).

func (*RSAKey) ID

func (k *RSAKey) ID() ID

ID for the key.

func (*RSAKey) Private

func (k *RSAKey) Private() []byte

Private key data (PKCS1).

func (*RSAKey) Public

func (k *RSAKey) Public() []byte

Public key data (PKCS1).

func (*RSAKey) PublicKey

func (k *RSAKey) PublicKey() *RSAPublicKey

PublicKey ...

func (*RSAKey) Type

func (k *RSAKey) Type() KeyType

Type of key.

type RSAPublicKey

type RSAPublicKey struct {
	// contains filtered or unexported fields
}

RSAPublicKey is the public part of RSA key pair.

func NewRSAPublicKey

func NewRSAPublicKey(pk *rsa.PublicKey) *RSAPublicKey

NewRSAPublicKey returns RSA public key.

func NewRSAPublicKeyFromBytes

func NewRSAPublicKeyFromBytes(publicKey []byte) (*RSAPublicKey, error)

NewRSAPublicKeyFromBytes returns RSA public key from PKC1 bytes.

func (*RSAPublicKey) Bytes

func (k *RSAPublicKey) Bytes() []byte

Bytes for public key (PKCS1).

func (*RSAPublicKey) ID

func (k *RSAPublicKey) ID() ID

ID is key identifier.

func (*RSAPublicKey) Private

func (k *RSAPublicKey) Private() []byte

Private returns nil.

func (*RSAPublicKey) Public

func (k *RSAPublicKey) Public() []byte

Public key data.

func (*RSAPublicKey) Type

func (k *RSAPublicKey) Type() KeyType

Type of key.

type SGXHSM2Key added in v0.0.2

type SGXHSM2Key struct {
	// contains filtered or unexported fields
}

SGXHSM2Key implements Key interface for SGXHSM2.

func (*SGXHSM2Key) ID added in v0.0.2

func (k *SGXHSM2Key) ID() ID

ID for the key.

func (*SGXHSM2Key) Public added in v0.0.2

func (k *SGXHSM2Key) Public() []byte

Public key data (PKCS1).

func (*SGXHSM2Key) PublicKey added in v0.0.2

func (k *SGXHSM2Key) PublicKey() *SGXHSM2PublicKey

PublicKey ...

func (*SGXHSM2Key) Type added in v0.0.2

func (k *SGXHSM2Key) Type() KeyType

Type of key.

type SGXHSM2PublicKey added in v0.0.2

type SGXHSM2PublicKey struct {
	// contains filtered or unexported fields
}

SGXHSM2PublicKey is the public part of SGXHSM2 key pair.

func NewSGXHSM2PublicKey added in v0.0.2

func NewSGXHSM2PublicKey(pk *rsa.PublicKey) *SGXHSM2PublicKey

func NewSGXHSM2PublicKeyFromBytes added in v0.0.2

func NewSGXHSM2PublicKeyFromBytes(publicKey []byte) (*SGXHSM2PublicKey, error)

NewSGXHSM2PublicKeyFromBytes returns SGXHSM2 public key from PKC1 bytes.

func (*SGXHSM2PublicKey) Bytes added in v0.0.2

func (k *SGXHSM2PublicKey) Bytes() []byte

Bytes for public key (PKCS1).

func (*SGXHSM2PublicKey) ID added in v0.0.2

func (k *SGXHSM2PublicKey) ID() ID

ID is key identifier.

func (*SGXHSM2PublicKey) Private added in v0.0.2

func (k *SGXHSM2PublicKey) Private() []byte

Private returns nil.

func (*SGXHSM2PublicKey) Public added in v0.0.2

func (k *SGXHSM2PublicKey) Public() []byte

Public key data.

func (*SGXHSM2PublicKey) Type added in v0.0.2

func (k *SGXHSM2PublicKey) Type() KeyType

Type of key.

type SGXHSMKey added in v0.0.2

type SGXHSMKey struct {
	// contains filtered or unexported fields
}

SGXHSMKey SGXHSMPublicKey is a SGXHSM key capable of signing and encryption

func (*SGXHSMKey) Equal added in v0.0.2

func (k *SGXHSMKey) Equal(o *EdX25519Key) bool

// UnmarshalText for encoding.TextUnmarshaler interface.

func (k *SGXHSMKey) UnmarshalText(s []byte) error {
	b, err := encoding.Decode(string(s), encoding.Base64)
	if err != nil {
		return err
	}
	var privateKey []byte
	if len(b) == 32 {
		privateKey = ed25519.NewKeyFromSeed(b)
	} else {
		privateKey = b
	}
	if err := k.setPrivateKey(privateKey); err != nil {
		return err
	}
	return nil
}

Equal returns true if equal to key.

func (*SGXHSMKey) ID added in v0.0.2

func (k *SGXHSMKey) ID() ID

ID ...

func (*SGXHSMKey) Private added in v0.0.2

func (k *SGXHSMKey) Private() []byte

Private ...

func (*SGXHSMKey) Public added in v0.0.2

func (k *SGXHSMKey) Public() []byte

func (*SGXHSMKey) SGXHSMKey added in v0.0.2

func (k *SGXHSMKey) SGXHSMKey() *X25519Key
func (k *SGXHSMKey) setPrivateKey(b []byte) error {
	if len(b) != ed25519.PrivateKeySize {
		return errors.Errorf("invalid private key length %d", len(b))
	}
	// Derive public key from private key
	edpk := ed25519.PrivateKey(b)
	publicKey := edpk.Public().(ed25519.PublicKey)
	if len(publicKey) != ed25519.PublicKeySize {
		return errors.Errorf("invalid public key bytes (len=%d)", len(publicKey))
	}

	var privateKeyBytes [ed25519.PrivateKeySize]byte
	copy(privateKeyBytes[:], b[:ed25519.PrivateKeySize])

	var publicKeyBytes [ed25519.PublicKeySize]byte
	copy(publicKeyBytes[:], publicKey[:ed25519.PublicKeySize])

	k.privateKey = &privateKeyBytes
	k.publicKey = NewSGXHSMPublicKey(&publicKeyBytes)
	return nil
}

X25519Key converts EdX25519Key to X25519Key.

func (*SGXHSMKey) Signer added in v0.0.2

func (k *SGXHSMKey) Signer() crypto.Signer

Signer interface.

func (*SGXHSMKey) Type added in v0.0.2

func (k *SGXHSMKey) Type() KeyType

Type ...

type SGXHSMKey2 added in v0.0.2

type SGXHSMKey2 struct {
	// contains filtered or unexported fields
}

SGXHSMKey SGXHSMPublicKey is a SGXHSM key capable of signing and encryption

type SGXHSMPublicKey added in v0.0.2

type SGXHSMPublicKey struct {
	// contains filtered or unexported fields
}

SGXHSMPublicKey is the public part of SGXHSM key pair.

func NewSGXHSMPublicKey added in v0.0.2

func NewSGXHSMPublicKey(b *[ed25519.PublicKeySize]byte) *SGXHSMPublicKey

NewSGXHSMPublicKey creates a EdX25519PublicKey.

func (*SGXHSMPublicKey) Bytes added in v0.0.2

func (k *SGXHSMPublicKey) Bytes() []byte

Bytes ...

func (*SGXHSMPublicKey) ID added in v0.0.2

func (k *SGXHSMPublicKey) ID() ID

ID for EdX25519Key.

func (*SGXHSMPublicKey) Private added in v0.0.2

func (k *SGXHSMPublicKey) Private() []byte

Private returns nil.

func (*SGXHSMPublicKey) Public added in v0.0.2

func (k *SGXHSMPublicKey) Public() []byte

Public ...

func (*SGXHSMPublicKey) String added in v0.0.2

func (k *SGXHSMPublicKey) String() string

func (*SGXHSMPublicKey) Type added in v0.0.2

func (k *SGXHSMPublicKey) Type() KeyType

Type ...

type Sigchain

type Sigchain struct {
	// contains filtered or unexported fields
}

Sigchain is a chain of signed statements by a sign key.

func NewSigchain

func NewSigchain(kid ID) *Sigchain

NewSigchain creates an empty Sigchain.

Example
clock := tsutil.NewTestClock()
alice := keys.GenerateEdX25519Key()
sc := keys.NewSigchain(alice.ID())

// Create root statement
st, err := keys.NewSigchainStatement(sc, []byte("hi! 🤓"), alice, "example", clock.Now())
if err != nil {
	log.Fatal(err)
}
if err := sc.Add(st); err != nil {
	log.Fatal(err)
}

// Add 2nd statement
st2, err := keys.NewSigchainStatement(sc, []byte("2nd message"), alice, "example", clock.Now())
if err != nil {
	log.Fatal(err)
}
if err := sc.Add(st2); err != nil {
	log.Fatal(err)
}

// Revoke 2nd statement
_, err = sc.Revoke(2, alice)
if err != nil {
	log.Fatal(err)
}

// Spew
spew := sc.Spew()
log.Println(spew.String())
Output:

func (*Sigchain) Add

func (s *Sigchain) Add(st *Statement) error

Add signed statement to the Sigchain.

func (*Sigchain) AddAll

func (s *Sigchain) AddAll(statements []*Statement) error

AddAll pushes signed statements to the Sigchain.

func (*Sigchain) FindAll

func (s *Sigchain) FindAll(typ string) []*Statement

FindAll returns statements of type.

func (*Sigchain) FindLast

func (s *Sigchain) FindLast(typ string) *Statement

FindLast search from the last statement to the first, returning after If type is specified, we will search for that statement type. If we found a statement and it was revoked, we return nil.

func (*Sigchain) IsRevoked

func (s *Sigchain) IsRevoked(seq int) bool

IsRevoked returns true if statement was revoked.

func (*Sigchain) KID

func (s *Sigchain) KID() ID

KID ...

func (*Sigchain) Last

func (s *Sigchain) Last() *Statement

Last returns last statement or nil if none.

func (*Sigchain) LastSeq

func (s *Sigchain) LastSeq() int

LastSeq returns last signed statment seq (or 0 if no signed statements exist).

func (*Sigchain) Length

func (s *Sigchain) Length() int

Length of Sigchain.

func (*Sigchain) Revoke

func (s *Sigchain) Revoke(revoke int, sk *EdX25519Key) (*Statement, error)

Revoke a signed statement in the Sigchain.

func (*Sigchain) Spew

func (s *Sigchain) Spew() *bytes.Buffer

Spew shows formatted sigchain output.

func (*Sigchain) Statements

func (s *Sigchain) Statements() []*Statement

Statements returns all the signed statements.

func (*Sigchain) VerifyStatement

func (s *Sigchain) VerifyStatement(st *Statement, prev *Statement) error

VerifyStatement verifies a signed statement against a previous statement (in a Sigchain).

type Sigchains

type Sigchains struct {
	// contains filtered or unexported fields
}

Sigchains stores sigchains.

func NewSigchains

func NewSigchains(ds dstore.Documents) *Sigchains

NewSigchains creates a Sigchains from Documents.

func (*Sigchains) Delete

func (s *Sigchains) Delete(kid ID) (bool, error)

Delete sigchain.

func (*Sigchains) Exists

func (s *Sigchains) Exists(kid ID) (bool, error)

Exists returns true if sigchain exists.

func (*Sigchains) Index

func (s *Sigchains) Index(key Key) error

Index key. Adds reverse key lookup for EdX25519 to X25519 public key.

func (*Sigchains) KIDs

func (s *Sigchains) KIDs() ([]ID, error)

KIDs returns all key ids.

func (*Sigchains) Lookup

func (s *Sigchains) Lookup(kid ID) (ID, error)

Lookup key. Returns key associated with the specified key.

func (*Sigchains) Save

func (s *Sigchains) Save(sc *Sigchain) error

Save sigchain.

func (*Sigchains) SetClock

func (s *Sigchains) SetClock(clock tsutil.Clock)

SetClock to use a custom time.Now.

func (*Sigchains) Sigchain

func (s *Sigchains) Sigchain(kid ID) (*Sigchain, error)

Sigchain returns sigchain for key.

type Statement

type Statement struct {
	// Sig is the signature bytes.
	Sig []byte

	// KID is the key that signed.
	KID ID

	// Data (optional).
	Data []byte

	// Seq in a sigchain (1 is root, optional).
	Seq int
	// Prev is a hash of the previous item in the sigchain (optional).
	Prev []byte
	// Revoke refers to a previous signed seq to revoke (optional).
	Revoke int

	// Type (optional).
	Type string

	// Timestamp (optional).
	Timestamp time.Time

	// Nonce (optional).
	Nonce []byte
}

Statement with signature. Use NewSigchainStatement to create a signed Sigchain Statement.

Example
sk := keys.NewEdX25519KeyFromSeed(testSeed(0x01))

st := &keys.Statement{
	KID:  sk.ID(),
	Data: bytes.Repeat([]byte{0x01}, 16),
	Type: "test",
}
if err := st.Sign(sk); err != nil {
	log.Fatal(err)
}

data := st.BytesToSign()
fmt.Printf("%s\n", string(data))

b, err := st.Bytes()
if err != nil {
	log.Fatal(err)
}
fmt.Printf("%s\n", string(b))

b, err = json.Marshal(st)
if err != nil {
	log.Fatal(err)
}
fmt.Printf("%s\n", string(b))
Output:

{".sig":"","data":"AQEBAQEBAQEBAQEBAQEBAQ==","kid":"kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077","type":"test"}
{".sig":"CFD9cK9gIB3sAEqpDwmZM0JFFO4/+RpX9uoAD25G3F1o8Af+pTk6pI4GPqAZ5FhEw1rUDfL02Qnohtx05LQxAg==","data":"AQEBAQEBAQEBAQEBAQEBAQ==","kid":"kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077","type":"test"}
{".sig":"CFD9cK9gIB3sAEqpDwmZM0JFFO4/+RpX9uoAD25G3F1o8Af+pTk6pI4GPqAZ5FhEw1rUDfL02Qnohtx05LQxAg==","data":"AQEBAQEBAQEBAQEBAQEBAQ==","kid":"kex132yw8ht5p8cetl2jmvknewjawt9xwzdlrk2pyxlnwjyqrdq0dawqqph077","type":"test"}

func NewRevokeStatement

func NewRevokeStatement(sc *Sigchain, revoke int, sk *EdX25519Key) (*Statement, error)

NewRevokeStatement creates a revoke Statement.

func NewSigchainStatement

func NewSigchainStatement(sc *Sigchain, b []byte, sk *EdX25519Key, typ string, ts time.Time) (*Statement, error)

NewSigchainStatement creates a signed Statement to be added to the Sigchain.

func (*Statement) Bytes

func (s *Statement) Bytes() ([]byte, error)

Bytes is the serialized Statement.

func (*Statement) BytesToSign

func (s *Statement) BytesToSign() []byte

BytesToSign returns bytes to sign.

func (*Statement) MarshalJSON

func (s *Statement) MarshalJSON() ([]byte, error)

MarshalJSON marshals statement to JSON.

func (*Statement) Sign

func (s *Statement) Sign(signKey *EdX25519Key) error

Sign the statement. Returns an error if already signed.

func (*Statement) URL

func (s *Statement) URL() string

URL returns path string for a Statement in the HTTP API. If Seq is not set, then there is no path. Path looks like "/kex1a4yj333g68pvd6hfqvufqkv4vy54jfe6t33ljd3kc9rpfty8xlgsfte2sn/1".

func (*Statement) UnmarshalJSON

func (s *Statement) UnmarshalJSON(b []byte) error

UnmarshalJSON unmarshals a statement from JSON.

func (*Statement) Verify

func (s *Statement) Verify() error

Verify statement. If you have the original bytes use VerifySpecific.

func (*Statement) VerifySpecific

func (s *Statement) VerifySpecific(bytesToSign []byte) error

VerifySpecific and check that bytesToSign match the statement's BytesToSign, to verify the original bytes match the specific serialization.

type StatementPublicKey

type StatementPublicKey interface {
	ID() ID
	Verify(b []byte) ([]byte, error)
	VerifyDetached(sig []byte, b []byte) error
}

StatementPublicKey describes a public key for a Statement.

func StatementPublicKeyFromID

func StatementPublicKeyFromID(id ID) (StatementPublicKey, error)

StatementPublicKeyFromID converts ID to StatementPublicKey. TODO: Support other key types.

type X25519Key

type X25519Key struct {
	// contains filtered or unexported fields
}

X25519Key is a X25519 assymmetric encryption key.

func GenerateX25519Key

func GenerateX25519Key() *X25519Key

GenerateX25519Key creates a new X25519Key.

Example
alice := keys.GenerateX25519Key()
fmt.Printf("Alice: %s\n", alice.ID())
Output:

func NewX25519KeyFromPrivateKey

func NewX25519KeyFromPrivateKey(privateKey *[32]byte) *X25519Key

NewX25519KeyFromPrivateKey creates a X25519Key from private key bytes.

func NewX25519KeyFromSeed

func NewX25519KeyFromSeed(seed *[32]byte) *X25519Key

NewX25519KeyFromSeed from seed.

func (*X25519Key) BoxOpen

func (k *X25519Key) BoxOpen(b []byte, nonce *[24]byte, sender *X25519PublicKey) ([]byte, bool)

BoxOpen decrypts message with nacl.box Open.

func (*X25519Key) BoxSeal

func (k *X25519Key) BoxSeal(b []byte, nonce *[24]byte, recipient *X25519PublicKey) []byte

BoxSeal encrypts message with nacl.box Seal.

func (*X25519Key) Bytes32

func (k *X25519Key) Bytes32() *[32]byte

Bytes32 private key bytes.

func (*X25519Key) ID

func (k *X25519Key) ID() ID

ID is key identifer.

func (*X25519Key) Private

func (k *X25519Key) Private() []byte

Private key bytes.

func (*X25519Key) PrivateKey

func (k *X25519Key) PrivateKey() *[32]byte

PrivateKey returns private part of this X25519Key.

func (*X25519Key) Public

func (k *X25519Key) Public() []byte

Public key bytes.

func (*X25519Key) PublicKey

func (k *X25519Key) PublicKey() *X25519PublicKey

PublicKey returns public part of this X25519Key.

func (*X25519Key) Type

func (k *X25519Key) Type() KeyType

Type of key.

type X25519PublicKey

type X25519PublicKey struct {
	// contains filtered or unexported fields
}

X25519PublicKey is the public key part of a x25519 key.

func NewX25519PublicKey

func NewX25519PublicKey(b *[32]byte) *X25519PublicKey

NewX25519PublicKey creates X25519PublicKey. Metadata is optional.

func NewX25519PublicKeyFromID

func NewX25519PublicKeyFromID(id ID) (*X25519PublicKey, error)

NewX25519PublicKeyFromID converts ID to X25519PublicKey.

func (*X25519PublicKey) Bytes

func (k *X25519PublicKey) Bytes() []byte

Bytes ...

func (*X25519PublicKey) Bytes32

func (k *X25519PublicKey) Bytes32() *[32]byte

Bytes32 ...

func (*X25519PublicKey) ID

func (k *X25519PublicKey) ID() ID

ID for box public key.

func (*X25519PublicKey) Private

func (k *X25519PublicKey) Private() []byte

Private returns nil.

func (*X25519PublicKey) Public

func (k *X25519PublicKey) Public() []byte

Public ...

func (*X25519PublicKey) Type

func (k *X25519PublicKey) Type() KeyType

Type of key.

Directories

Path Synopsis
Package api provides a standard key format for serialization to JSON or msgpack, and conversions to and from specific key types.
Package api provides a standard key format for serialization to JSON or msgpack, and conversions to and from specific key types.
Package bech32 is a modified version of the reference implementation of BIP173.
Package bech32 is a modified version of the reference implementation of BIP173.
Package dstore describes a document store.
Package dstore describes a document store.
events
Package events provides an event log.
Package events provides an event log.
Package encoding provides encoding and decoding of different formats like Base62, Saltpack, BIP39.
Package encoding provides encoding and decoding of different formats like Base62, Saltpack, BIP39.
Package env provides paths on different platforms.
Package env provides paths on different platforms.
Package http provides an http client for use with checking remote signed statements.
Package http provides an http client for use with checking remote signed statements.
Package json provides a simpler JSON marshaller for strings and ints only.
Package json provides a simpler JSON marshaller for strings and ints only.
Package keyring provides a cross-platform secure keyring.
Package keyring provides a cross-platform secure keyring.
Package noise integrates keys with the Noise protocol.
Package noise integrates keys with the Noise protocol.
Package saltpack integrates keys with Saltpack (saltpack.org).
Package saltpack integrates keys with Saltpack (saltpack.org).
Package tsutil provides timestamp and time utilities.
Package tsutil provides timestamp and time utilities.
Package user defines user statements, store and search.
Package user defines user statements, store and search.
services
Package services defines services capable of linking a key to a user.
Package services defines services capable of linking a key to a user.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL