README
¶
vault-signer 
A Go crypto.Signer that leverages the transit secrets engine in HashiCorp Vault
Usage
To use vault-signer just pass in a Vault API client and key configuration to get a struct that implements the Go crypto.Signer interface.
vaultConfig := api.DefaultConfig()
vaultClient, err := api.NewClient(vaultConfig)
if err != nil {
log.Fatalf("err: %s", err)
}
signerConfig := &vaultsigner.SignerConfig{
MountPath: "transit",
KeyName: "test-key",
}
vaultSigner, err := vaultsigner.NewVaultSigner(vaultClient, signerConfig)
if err != nil {
log.Fatalf("err: %s", err)
}
Examples
Sign JWT
import (
"log"
"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/cryptosigner"
"github.com/go-jose/go-jose/v4/jwt"
)
// using VaultSigner setup above
opaqueSigner := cryptosigner.Opaque(vaultSigner)
signingKey := jose.SigningKey{Algorithm: jose.EdDSA, Key: opaqueSigner}
signer, err := jose.NewSigner(signingKey, nil)
if err != nil {
log.Fatalf("error creating signer: %v", err)
}
builder := jwt.Signed(signer)
pubClaims := jwt.Claims{
Issuer: "issuer1",
Subject: "subject1",
ID: "id1",
Audience: jwt.Audience{"aud1", "aud2"},
IssuedAt: jwt.NewNumericDate(time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)),
Expiry: jwt.NewNumericDate(time.Date(2030, 1, 1, 0, 15, 0, 0, time.UTC)),
}
builder = builder.Claims(pubClaims)
rawJWT, err := builder.Serialize()
if err != nil {
log.Fatalf("failed to create JWT: %+v", err)
}
// decode the raw JWT
parsedJWT, err := jwt.ParseSigned(rawJWT, []jose.SignatureAlgorithm{jose.EdDSA})
if err != nil {
log.Fatalf("failed to parse JWT:%+v", err)
}
// verify signature
resultCl := map[string]interface{}{}
if err := parsedJWT.Claims(vaultSigner.Public(), &resultCl); err != nil {
log.Fatalf("Failed to verify JWT: %+v", err)
}
Sign x509 Certificate
import (
"crypto/rand"
"crypto/x509"
"log"
)
// using VaultSigner setup above
template := &x509.Certificate{
Subject: pkix.Name{
CommonName: "Test",
},
SerialNumber: big.NewInt(1),
NotAfter: time.Now().Add(time.Hour).UTC(),
SignatureAlgorithm: x509.SHA256WithRSA,
}
cert, err = x509.CreateCertificate(rand.Reader, template, template, vaultSigner.Public(), vaultSigner)
if err != nil {
log.Fatalf("Error creating certificate: %s", err)
}
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type HashAlgorithm ¶
type HashAlgorithm string
const ( HashAlgorithmSha1 HashAlgorithm = "sha1" HashAlgorithmSha224 HashAlgorithm = "sha2-224" HashAlgorithmSha256 HashAlgorithm = "sha2-256" HashAlgorithmSha384 HashAlgorithm = "sha2-384" HashAlgorithmSha512 HashAlgorithm = "sha2-512" )
type SignatureAlgorithm ¶
type SignatureAlgorithm string
const ( SignatureAlgorithmRSAPSS SignatureAlgorithm = "pss" SignatureAlgorithmRSAPKCS1v15 SignatureAlgorithm = "pkcs1v15" )
type SignerConfig ¶
type SignerConfig struct {
// Namespace for the key. This can be provided in the key config, the vault client,
// or both where they will be combined
Namespace string
// Mountpath is the mount path for transit secrets engine that holds the key
MountPath string
// Keyname is the name of the key in the transit secrets engine
KeyName string
// Context is the context for a derived key and can only be provided when working
// with a derived key
Context []byte
// HashAlgorithm is the hash algorithm used in the signing operation. It is only supported
// for RSA and ECDSA keys. If unset for supported keys, the value will default to sha2-256.
// If the sign request hashes the signing data in the request, this value will be ignored.
HashAlgorithm HashAlgorithm
// SignatureAlgorithm is the signature algorithm used in the signing operation. It is only
// support for RSA keys. If unset for supported keys, the value will default to PKCS#1v15.
SignatureAlgorithm SignatureAlgorithm
}
type VaultSigner ¶
type VaultSigner struct {
// contains filtered or unexported fields
}
func NewVaultSigner ¶
func NewVaultSigner(vaultClient *api.Client, signerConfig *SignerConfig) (*VaultSigner, error)
NewVaultSigner creates a signer the leverages HashiCorp Vault's transit engine to sign using Go's built in crypto.Signer interface.
func (*VaultSigner) CloneWithContext ¶
func (s *VaultSigner) CloneWithContext(context []byte) (*VaultSigner, error)
CloneWithContext copies the signer with a new context. This function will also retrieve the derived public key.
func (*VaultSigner) Public ¶
func (s *VaultSigner) Public() crypto.PublicKey
Public returns the public key for the key stored in transit's secrets engine
func (*VaultSigner) Sign ¶
func (s *VaultSigner) Sign(_ io.Reader, digest []byte, signerOpts crypto.SignerOpts) ([]byte, error)
Sign is part of the crypto.Signer interface and signs a given digest with the configured key in Vault's transit secrets engine
Source Files
Click to show internal directories.
Click to hide internal directories.