- Variables
- func GcmDecrypt(ciphertext []byte, key []byte) ([]byte, error)
- func GcmEncrypt(plaintext []byte, key []byte) ([]byte, error)
- func GetPrivateKeyDERFromPEM(in []byte, password []byte) ([]byte, error)
- func ParsePrivateKeyDER(keyDER []byte) (crypto.PrivateKey, error)
- func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.PrivateKey, err error)
- func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.PrivateKey, err error)
- func Register(manufacturer string, loader ProviderLoader) error
- func Registered() []string
- type Crypto
- func (c *Crypto) Add(p Provider) error
- func (c *Crypto) ByManufacturer(manufacturer, model string) (Provider, error)
- func (c *Crypto) Default() Provider
- func (c *Crypto) LoadGPGPrivateKey(creationTime time.Time, key []byte) (*packet.PrivateKey, error)
- func (c *Crypto) LoadPrivateKey(key []byte) (Provider, crypto.PrivateKey, error)
- func (c *Crypto) LoadTLSKeyPair(certFile, keyFile string) (*tls.Certificate, error)
- func (c *Crypto) NewSignerFromFromFile(caKeyFile string) (crypto.Signer, error)
- func (c *Crypto) NewSignerFromPEM(caKey []byte) (crypto.Signer, error)
- func (c *Crypto) TLSKeyPair(certPEMBlock, keyPEMBlock []byte) (*tls.Certificate, error)
- type KeyGenerator
- type KeyInfo
- type KeyManager
- type PrivateKeyURI
- type Provider
- type ProviderLoader
- type TokenConfig
- type TokenInfo
Variables ¶
var ErrInvalidPrivateKeyURI = errors.New("invalid URI for private key object")
ErrInvalidPrivateKeyURI is returned if the PKCS #11 URI is invalid for the private key object.
var ErrInvalidURI = errors.New("invalid URI")
ErrInvalidURI is returned if the PKCS #11 URI is invalid.
Functions ¶
func GcmDecrypt ¶
GcmDecrypt returns the blob decrypted with a GCM cipher.
func GcmEncrypt ¶
GcmEncrypt returns the blob encrypted with a GCM cipher.
func GetPrivateKeyDERFromPEM ¶
GetPrivateKeyDERFromPEM parses a PEM-encoded private key and returns DER-format key bytes.
func ParsePrivateKeyDER ¶
func ParsePrivateKeyDER(keyDER []byte) (crypto.PrivateKey, error)
ParsePrivateKeyDER parses a PKCS #1, PKCS #8, or ECDSA DER-encoded private key. The key must not be in PEM format.
func ParsePrivateKeyPEM ¶
func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.PrivateKey, err error)
ParsePrivateKeyPEM parses and returns a PEM-encoded private key. The private key must be an unencrypted PKCS#8, PKCS#1, or elliptic private key.
func ParsePrivateKeyPEMWithPassword ¶
func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.PrivateKey, err error)
ParsePrivateKeyPEMWithPassword parses and returns a PEM-encoded private key. The private key may be an encrypted or unencrypted PKCS#8, PKCS#1, or elliptic private key.
func Register ¶
func Register(manufacturer string, loader ProviderLoader) error
Register registers a provider loader under the given manufacturer name.
func Registered ¶ added in v0.3.0
func Registered() []string
Registered returns the list of registered providers.
Types ¶
type Crypto ¶
// Crypto exposes instances of Provider.
type Crypto struct {
// contains filtered or unexported fields
}
Crypto exposes instances of Provider.
func (*Crypto) ByManufacturer ¶
ByManufacturer returns the provider registered for the given manufacturer and model.
func (*Crypto) LoadGPGPrivateKey ¶
LoadGPGPrivateKey returns a GPG private key. The input key may be either PEM-encoded or a PKCS #11 URI.
func (*Crypto) LoadPrivateKey ¶
LoadPrivateKey returns a crypto.PrivateKey. The input key may be either PEM-encoded or a PKCS #11 URI.
func (*Crypto) LoadTLSKeyPair ¶
func (c *Crypto) LoadTLSKeyPair(certFile, keyFile string) (*tls.Certificate, error)
LoadTLSKeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data. The certificate file may contain intermediate certificates following the leaf certificate to form a certificate chain. On successful return, Certificate.Leaf will be nil because the parsed form of the certificate is not retained.
func (*Crypto) NewSignerFromFromFile ¶
NewSignerFromFromFile generates a new signer from caKeyFile, which must contain either a PEM-encoded key or a PKCS#11 URI.
func (*Crypto) NewSignerFromPEM ¶
NewSignerFromPEM generates a new crypto signer from caKey, which holds either PEM-encoded blocks or a PKCS#11 URI.
func (*Crypto) TLSKeyPair ¶
func (c *Crypto) TLSKeyPair(certPEMBlock, keyPEMBlock []byte) (*tls.Certificate, error)
TLSKeyPair parses a public/private key pair from a pair of PEM encoded data. On successful return, Certificate.Leaf will be nil because the parsed form of the certificate is not retained.
type KeyGenerator ¶
type KeyGenerator interface { // GenerateRSAKey returns RSA key for purpose: 1-signing, 2-encryption GenerateRSAKey(label string, bits int, purpose int) (crypto.PrivateKey, error) GenerateECDSAKey(label string, curve elliptic.Curve) (crypto.PrivateKey, error) IdentifyKey(crypto.PrivateKey) (keyID, label string, err error) ExportKey(keyID string) (string, []byte, error) GetKey(keyID string) (crypto.PrivateKey, error) }
KeyGenerator defines the interface for key generation operations.
type KeyInfo ¶
type KeyInfo struct { ID string Label string Type string Class string CurrentVersionID string CreationTime *time.Time PublicKey string Meta map[string]string }
KeyInfo provides key information.
type KeyManager ¶
type KeyManager interface { CurrentSlotID() uint EnumTokens(currentSlotOnly bool) ([]TokenInfo, error) EnumKeys(slotID uint, prefix string) ([]KeyInfo, error) DestroyKeyPairOnSlot(slotID uint, keyID string) error FindKeyPairOnSlot(slotID uint, keyID, label string) (crypto.PrivateKey, error) KeyInfo(slotID uint, keyID string, includePublic bool) (*KeyInfo, error) }
KeyManager defines the interface for key management operations.
type PrivateKeyURI ¶
type PrivateKeyURI interface { // Token manufacturer Manufacturer() string // Model manufacturer Model() string // Token serial number TokenSerial() string // Token label TokenLabel() string // Key ID ID() string }
PrivateKeyURI holds PKCS#11 private key information.
A token may be identified either by serial number or label. If both are specified then the first match wins.
func ParsePrivateKeyURI ¶
func ParsePrivateKeyURI(uri string) (PrivateKeyURI, error)
ParsePrivateKeyURI parses a PKCS #11 URI into a key configuration.
type Provider ¶
type Provider interface { KeyGenerator Manufacturer() string Model() string }
Provider defines an interface to work with crypto providers: HSM, SoftHSM, KMS, crypto.
func LoadProvider ¶
LoadProvider loads a single provider.
type ProviderLoader ¶
type ProviderLoader func(cfg TokenConfig) (Provider, error)
ProviderLoader is the function type used to load a provider for a manufacturer.
func Unregister ¶
func Unregister(manufacturer string) (ProviderLoader, error)
Unregister removes and returns the provider loader registered for the given manufacturer.
type TokenConfig ¶
type TokenConfig interface { // Manufacturer name of the manufacturer Manufacturer() string // Model name of the device Model() string // Full path to PKCS#11 library Path() string // Token serial number TokenSerial() string // Token label TokenLabel() string // Pin is a secret to access the token. // If it's prefixed with `file:`, then it will be loaded from the file. Pin() string // Comma separated key=value pair of attributes(e.g. "ServiceName=x,UserName=y") Attributes() string }
TokenConfig holds PKCS#11 configuration information.
A token may be identified either by serial number or label. If both are specified then the first match wins.
Supply this to Configure(), or alternatively use ConfigureFromFile().
func LoadTokenConfig ¶
func LoadTokenConfig(filename string) (TokenConfig, error)
LoadTokenConfig loads the PKCS#11 token configuration from filename.
func ParseTokenURI ¶
func ParseTokenURI(uri string) (TokenConfig, error)
ParseTokenURI parses a PKCS #11 URI into a PKCS #11 configuration. Note that the module path will override the module name if present.