pkcs11sec

package
v0.29.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 17, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// CAFile is the file where the trusted CA cert resides
	CAFile string

	// PrivilegedUsers is a list of regular expressions that identity privileged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identity valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// PKCS11DriverFile points to the dynamic library file to use (usually a .so file)
	PKCS11DriverFile string

	// PKCS11Slot specifies which slot of the pkcs11 device to use
	PKCS11Slot uint

	// RemoteSigner is the signer used to sign requests using a remote like AAA Service
	RemoteSigner inter.RequestSigner
}

type Option

type Option func(*Pkcs11Security) error

func WithChoriaConfig

func WithChoriaConfig(c *config.Config) Option

func WithLog

func WithLog(l *logrus.Entry) Option

func WithPin

func WithPin(pin string) Option

func WithSigner added in v0.24.0

func WithSigner(signer inter.RequestSigner) Option

WithSigner configures a remote request signer

type Pkcs11Security

type Pkcs11Security struct {
	// contains filtered or unexported fields
}

func New

func New(opts ...Option) (*Pkcs11Security, error)

func (*Pkcs11Security) BackingTechnology added in v0.26.2

func (p *Pkcs11Security) BackingTechnology() inter.SecurityTechnology

func (*Pkcs11Security) CallerIdentity

func (p *Pkcs11Security) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity

func (*Pkcs11Security) CallerName

func (p *Pkcs11Security) CallerName() string

CallerName creates a choria like caller name in the form of choria=identity

func (*Pkcs11Security) ChecksumBytes

func (p *Pkcs11Security) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*Pkcs11Security) ClientTLSConfig added in v0.21.0

func (p *Pkcs11Security) ClientTLSConfig() (*tls.Config, error)

ClientTLSConfig creates a client TLS configuration

func (*Pkcs11Security) Enroll

func (p *Pkcs11Security) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error

func (*Pkcs11Security) HTTPClient

func (p *Pkcs11Security) HTTPClient(secure bool) (*http.Client, error)

func (*Pkcs11Security) Identity

func (p *Pkcs11Security) Identity() string

Identity determines the choria certname

func (*Pkcs11Security) IsRemoteSigning added in v0.24.0

func (p *Pkcs11Security) IsRemoteSigning() bool

func (*Pkcs11Security) Logout

func (p *Pkcs11Security) Logout() error

func (*Pkcs11Security) Provider

func (p *Pkcs11Security) Provider() string

func (*Pkcs11Security) PublicCert added in v0.23.0

func (p *Pkcs11Security) PublicCert() (*x509.Certificate, error)

PublicCert is the parsed public certificate

func (*Pkcs11Security) PublicCertBytes added in v0.26.2

func (p *Pkcs11Security) PublicCertBytes() ([]byte, error)

PublicCertBytes retrieves pem data in textual form for the public certificate of the current identity

func (*Pkcs11Security) RemoteSignRequest

func (p *Pkcs11Security) RemoteSignRequest(ctx context.Context, str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request against using a remote signer and returns a secure request

func (*Pkcs11Security) SSLContext

func (p *Pkcs11Security) SSLContext() (*http.Transport, error)

SSLContext creates a SSL context loaded with our certs and ca

func (*Pkcs11Security) ShouldAllowCaller added in v0.26.2

func (p *Pkcs11Security) ShouldAllowCaller(name string, callers ...[]byte) (privileged bool, err error)

ShouldAllowCaller verifies the public data

func (*Pkcs11Security) ShouldSignReplies added in v0.27.0

func (p *Pkcs11Security) ShouldSignReplies() bool

func (*Pkcs11Security) SignBytes

func (p *Pkcs11Security) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using a SHA256 PKCS1v15 protocol

func (*Pkcs11Security) TLSConfig

func (p *Pkcs11Security) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*Pkcs11Security) TokenBytes added in v0.27.0

func (p *Pkcs11Security) TokenBytes() ([]byte, error)

func (*Pkcs11Security) Validate

func (p *Pkcs11Security) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*Pkcs11Security) VerifyCertificate

func (p *Pkcs11Security) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*Pkcs11Security) VerifySignatureBytes added in v0.26.2

func (p *Pkcs11Security) VerifySignatureBytes(dat []byte, sig []byte, public ...[]byte) (should bool, signer string)

VerifyByteSignature verify that dat matches signature sig made by the key, if pub cert is empty the active public key will be used

type PrivateKey

type PrivateKey struct {
	PublicKey  crypto.PublicKey
	PrivateKey *p11.PrivateKey
}

func (*PrivateKey) Public

func (k *PrivateKey) Public() crypto.PublicKey

func (*PrivateKey) Sign

func (k *PrivateKey) Sign(_ io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)

Sign signs any compatible hash that is sent to it (see hashPrefixes for supported hashes) need to handle as many hash types as possible, since this is being used by http/tls driver

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL