pkcs11sec

package
v0.29.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 29, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config 

type Config struct {
	// CAFile is the file where the trusted CA cert resides
	CAFile string

	// PrivilegedUsers is a list of regular expressions that identity privileged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identity valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// PKCS11DriverFile points to the dynamic library file to use (usually a .so file)
	PKCS11DriverFile string

	// PKCS11Slot specifies which slot of the pkcs11 device to use
	PKCS11Slot uint

	// RemoteSigner is the signer used to sign requests using a remote like AAA Service
	RemoteSigner inter.RequestSigner
}

type Option 

type Option func(*Pkcs11Security) error

func WithChoriaConfig 

func WithChoriaConfig(c *config.Config) Option

func WithLog 

func WithLog(l *logrus.Entry) Option

func WithPin 

func WithPin(pin string) Option

func WithSigner added in v0.24.0 

func WithSigner(signer inter.RequestSigner) Option

WithSigner configures a remote request signer

type Pkcs11Security 

type Pkcs11Security struct {
	// contains filtered or unexported fields
}

func New 

func New(opts ...Option) (*Pkcs11Security, error)

func (*Pkcs11Security) BackingTechnology added in v0.26.2 

func (p *Pkcs11Security) BackingTechnology() inter.SecurityTechnology

func (*Pkcs11Security) CallerIdentity 

func (p *Pkcs11Security) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity

func (*Pkcs11Security) CallerName 

func (p *Pkcs11Security) CallerName() string

CallerName creates a choria like caller name in the form of choria=identity

func (*Pkcs11Security) ChecksumBytes 

func (p *Pkcs11Security) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*Pkcs11Security) ClientTLSConfig added in v0.21.0 

func (p *Pkcs11Security) ClientTLSConfig() (*tls.Config, error)

ClientTLSConfig creates a client TLS configuration

func (*Pkcs11Security) Enroll 

func (p *Pkcs11Security) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error

func (*Pkcs11Security) HTTPClient 

func (p *Pkcs11Security) HTTPClient(secure bool) (*http.Client, error)

func (*Pkcs11Security) Identity 

func (p *Pkcs11Security) Identity() string

Identity determines the choria certname

func (*Pkcs11Security) IsRemoteSigning added in v0.24.0 

func (p *Pkcs11Security) IsRemoteSigning() bool

func (*Pkcs11Security) Logout 

func (p *Pkcs11Security) Logout() error

func (*Pkcs11Security) Provider 

func (p *Pkcs11Security) Provider() string

func (*Pkcs11Security) PublicCert added in v0.23.0 

func (p *Pkcs11Security) PublicCert() (*x509.Certificate, error)

PublicCert is the parsed public certificate

func (*Pkcs11Security) PublicCertBytes added in v0.26.2 

func (p *Pkcs11Security) PublicCertBytes() ([]byte, error)

PublicCertBytes retrieves pem data in textual form for the public certificate of the current identity

func (*Pkcs11Security) RemoteSignRequest 

func (p *Pkcs11Security) RemoteSignRequest(ctx context.Context, str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request against using a remote signer and returns a secure request

func (*Pkcs11Security) SSLContext 

func (p *Pkcs11Security) SSLContext() (*http.Transport, error)

SSLContext creates a SSL context loaded with our certs and ca

func (*Pkcs11Security) ShouldAllowCaller added in v0.26.2 

func (p *Pkcs11Security) ShouldAllowCaller(name string, callers ...[]byte) (privileged bool, err error)

ShouldAllowCaller verifies the public data

func (*Pkcs11Security) ShouldSignReplies added in v0.27.0 

func (p *Pkcs11Security) ShouldSignReplies() bool

func (*Pkcs11Security) SignBytes 

func (p *Pkcs11Security) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using a SHA256 PKCS1v15 protocol

func (*Pkcs11Security) TLSConfig 

func (p *Pkcs11Security) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*Pkcs11Security) TokenBytes added in v0.27.0 

func (p *Pkcs11Security) TokenBytes() ([]byte, error)

func (*Pkcs11Security) Validate 

func (p *Pkcs11Security) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*Pkcs11Security) VerifyCertificate 

func (p *Pkcs11Security) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*Pkcs11Security) VerifySignatureBytes added in v0.26.2 

func (p *Pkcs11Security) VerifySignatureBytes(dat []byte, sig []byte, public ...[]byte) (should bool, signer string)

VerifyByteSignature verify that dat matches signature sig made by the key, if pub cert is empty the active public key will be used

type PrivateKey 

type PrivateKey struct {
	PublicKey  crypto.PublicKey
	PrivateKey *p11.PrivateKey
}

func (*PrivateKey) Public 

func (k *PrivateKey) Public() crypto.PublicKey

func (*PrivateKey) Sign 

func (k *PrivateKey) Sign(_ io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)

Sign signs any compatible hash that is sent to it (see hashPrefixes for supported hashes) need to handle as many hash types as possible, since this is being used by http/tls driver

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.