Constants ¶
// Sizes, in bytes, of the fixed-length SCP03 protocol fields.
const (
	MACLength        = 8
	ChallengeLength  = 8
	CryptogramLength = 8
	KeyLength        = 16
)

// SCP03 data-derivation constants fed to the KDF to select which
// session value is produced (session keys or the two cryptograms).
const (
	DerivationConstantEncKey           KeyDerivationConstant = 0x04
	DerivationConstantMACKey           KeyDerivationConstant = 0x06
	DerivationConstantRMACKey          KeyDerivationConstant = 0x07
	DerivationConstantDeviceCryptogram KeyDerivationConstant = 0x00
	DerivationConstantHostCryptogram   KeyDerivationConstant = 0x01
)

// Authentication state of a channel.
const (
	SecurityLevelUnauthenticated SecurityLevel = 0
	SecurityLevelAuthenticated   SecurityLevel = 1
)

// Direction of a message on the channel.
const (
	MessageTypeCommand  MessageType = 0
	MessageTypeResponse MessageType = 1
)

// MaxMessagesPerSession bounds the number of commands sent on one session
// before a fresh session must be established. NOTE(review): presumably
// enforced against SecureChannel.Counter — confirm in the implementation,
// since an unbounded counter reuses the session keys indefinitely.
const MaxMessagesPerSession = 10000
Variables ¶
var (
	// ErrAuthCryptogram reports that the cryptogram sent back by the HSM
	// does not match the value the host computed, i.e. host and device did
	// not derive the same session keys. The most likely cause is an
	// AuthKey/password that does not match the auth key slot, but a
	// tampered or replayed handshake response on the connector path is
	// indistinguishable from here. Presumably returned by Authenticate;
	// callers must treat the channel as unauthenticated when they see it.
	ErrAuthCryptogram = errors.New("authentication failed: device sent wrong cryptogram")
)
Types ¶
type KeyDerivationConstant ¶
// KeyDerivationConstant is used to derive keys using the KDF. It is the
// SCP03 "derivation constant" input that selects which session value is
// produced (ENC/MAC/RMAC session key, or the device/host cryptogram); the
// valid values are the DerivationConstant* constants.
type KeyDerivationConstant byte
type MessageType ¶
// MessageType indicates whether a message is a command (MessageTypeCommand)
// or a response (MessageTypeResponse).
type MessageType byte
type SecureChannel ¶
// SecureChannel implements a communication channel with a YubiHSM2 as
// specified in the SCP03 standard.
//
// NOTE(review): the per-session state below (Counter, MACChainValue, the
// challenges, SecurityLevel) is exported and mutable. Callers must not
// write these fields directly: the HSM presumably checks the command
// counter and MAC chain, so a desynchronised channel stops working and a
// forged SecurityLevel does not grant any protection. AuthKey holds
// long-term key material — do not log or copy it; whether Close zeroizes
// it is not visible here and should be confirmed in the implementation.
type SecureChannel struct {
	// ID is the ID of the session with the HSM
	ID uint8
	// Counter of commands performed on the session
	Counter uint32
	// SecurityLevel is the authentication state of the session
	SecurityLevel SecurityLevel
	// HostChallenge is the auth challenge of the host
	HostChallenge []byte
	// DeviceChallenge is the auth challenge of the device
	DeviceChallenge []byte
	// AuthKey to authenticate against the HSM; must match authKeySlot
	AuthKey authkey.AuthKey
	// MACChainValue is the last MAC to allow MAC chaining
	MACChainValue []byte
	// contains filtered or unexported fields
}
func NewSecureChannel ¶
func NewSecureChannel(connector connector.Connector, authKeySlot uint16, password string) (*SecureChannel, error)
NewSecureChannel initiates a new secure channel to communicate with an HSM using the auth key stored in authKeySlot; the host-side AuthKey is presumably derived from password (confirm the derivation in the implementation). Call Authenticate next to establish a session: until it succeeds the channel is not authenticated and SendEncryptedCommand should not be used.
func (*SecureChannel) Authenticate ¶
func (s *SecureChannel) Authenticate() error
Authenticate establishes an authenticated session with the HSM by completing the SCP03 mutual-authentication handshake. If it returns an error — in particular ErrAuthCryptogram — the channel must be treated as unauthenticated; do not fall back to SendCommand for commands that require a session.
func (*SecureChannel) Close ¶
func (s *SecureChannel) Close() error
func (*SecureChannel) SendCommand ¶
func (s *SecureChannel) SendCommand(c *commands.CommandMessage) (commands.Response, error)
SendCommand sends an unauthenticated command to the HSM and returns the parsed response. The message is sent without SCP03 protection (no encryption, no MAC, no counter), so this package guarantees neither the confidentiality of the command nor the authenticity of the response; it is presumably intended for the session handshake and for commands that do not require a session.
func (*SecureChannel) SendEncryptedCommand ¶
func (s *SecureChannel) SendEncryptedCommand(c *commands.CommandMessage) (commands.Response, error)
SendEncryptedCommand sends an encrypted &amp; authenticated command to the HSM and returns the decrypted and parsed response. It requires a prior successful Authenticate. NOTE(review): the response MAC is presumably verified before the payload is decrypted and parsed — confirm in the implementation, since acting on an unverified response would defeat the purpose of the channel.
type SecurityLevel ¶
// SecurityLevel indicates the auth state of a session/channel:
// SecurityLevelUnauthenticated presumably until Authenticate succeeds,
// SecurityLevelAuthenticated afterwards. It records state only; it does not
// by itself enforce that encrypted commands are used.
type SecurityLevel byte