awskmscrypto

package

v0.2.0 Latest Latest Go to latest Published: Jul 20, 2022 License: Apache-2.0 Imports: 18 Imported by: 2

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/effective-security/xpki

Documentation ¶

Index ¶

Constants
Variables
func KmsLoader(tc cryptoprov.TokenConfig) (cryptoprov.Provider, error)
func NewSigner(keyID string, label string, signingAlgorithms []string, ...) crypto.Signer
type KmsClient
type Provider
- func Init(tc cryptoprov.TokenConfig) (*Provider, error)
type Signer

Constants ¶

View Source

const (
	SignRsaPssSha256   = "RSASSA_PSS_SHA_256"
	SignRsaPssSha384   = "RSASSA_PSS_SHA_384"
	SignRsaPssSha512   = "RSASSA_PSS_SHA_512"
	SignRsaPkcs1Sha256 = "RSASSA_PKCS1_V1_5_SHA_256"
	SignRsaPkcs1Sha384 = "RSASSA_PKCS1_V1_5_SHA_384"
	SignRsaPkcs1Sha512 = "RSASSA_PKCS1_V1_5_SHA_512"
)

Supported signature types by AWS KMS

View Source

const ProviderName = "AWSKMS"

ProviderName specifies a provider name

Variables ¶

View Source

var KmsClientFactory = func(p client.ConfigProvider, cfgs ...*aws.Config) (KmsClient, error) {
	return kms.New(p, cfgs...), nil
}

KmsClientFactory override for unittest

Functions ¶

func KmsLoader ¶

func KmsLoader(tc cryptoprov.TokenConfig) (cryptoprov.Provider, error)

KmsLoader provides loader for KMS provider

func NewSigner ¶

func NewSigner(keyID string, label string, signingAlgorithms []string, publicKey crypto.PublicKey, kmsClient KmsClient) crypto.Signer

NewSigner creates new signer

Types ¶

type KmsClient ¶

type KmsClient interface {
	CreateKey(input *kms.CreateKeyInput) (*kms.CreateKeyOutput, error)
	//IdentifyKey(priv crypto.PrivateKey) (keyID, label string, err error)
	ListKeys(options *kms.ListKeysInput) (*kms.ListKeysOutput, error)
	ScheduleKeyDeletion(input *kms.ScheduleKeyDeletionInput) (*kms.ScheduleKeyDeletionOutput, error)
	DescribeKey(input *kms.DescribeKeyInput) (*kms.DescribeKeyOutput, error)
	GetPublicKey(input *kms.GetPublicKeyInput) (*kms.GetPublicKeyOutput, error)
	Sign(input *kms.SignInput) (*kms.SignOutput, error)
}

KmsClient interface

type Provider ¶

type Provider struct {
	// contains filtered or unexported fields
}

Provider implements Provider interface for KMS

func Init ¶

func Init(tc cryptoprov.TokenConfig) (*Provider, error)

Init configures Kms based hsm impl

func (*Provider) Close ¶

func (p *Provider) Close() error

Close allocated resources and file reloader

func (*Provider) CurrentSlotID ¶

func (p *Provider) CurrentSlotID() uint

CurrentSlotID returns current slot id. For KMS only one slot is assumed to be available.

func (*Provider) DestroyKeyPairOnSlot ¶

func (p *Provider) DestroyKeyPairOnSlot(slotID uint, keyID string) error

DestroyKeyPairOnSlot destroys key pair on slot. For KMS slotID is ignored and KMS retire API is used to destroy the key.

func (*Provider) EnumKeys ¶

func (p *Provider) EnumKeys(slotID uint, prefix string) ([]cryptoprov.KeyInfo, error)

EnumKeys returns list of keys on the slot. For KMS slotID is ignored.

func (*Provider) EnumTokens ¶

func (p *Provider) EnumTokens(currentSlotOnly bool) ([]cryptoprov.TokenInfo, error)

EnumTokens lists tokens. For KMS currentSlotOnly is ignored and only one slot is assumed to be available.

func (*Provider) ExportKey ¶

func (p *Provider) ExportKey(keyID string) (string, []byte, error)

ExportKey returns PKCS#11 URI for specified key ID. It does not return key bytes

func (*Provider) FindKeyPairOnSlot ¶

func (p *Provider) FindKeyPairOnSlot(slotID uint, keyID, label string) (crypto.PrivateKey, error)

FindKeyPairOnSlot retrieves a previously created asymmetric key, using a specified slot.

func (*Provider) GenerateECDSAKey ¶

func (p *Provider) GenerateECDSAKey(label string, curve elliptic.Curve) (crypto.PrivateKey, error)

GenerateECDSAKey creates signer using randomly generated ECDSA key

func (*Provider) GenerateRSAKey ¶

func (p *Provider) GenerateRSAKey(label string, bits int, purpose int) (crypto.PrivateKey, error)

GenerateRSAKey creates signer using randomly generated RSA key

func (*Provider) GetKey ¶

func (p *Provider) GetKey(keyID string) (crypto.PrivateKey, error)

GetKey returns pkcs11 uri for the given key id

func (*Provider) IdentifyKey ¶

func (p *Provider) IdentifyKey(priv crypto.PrivateKey) (keyID, label string, err error)

IdentifyKey returns key id and label for the given private key

func (*Provider) KeyInfo ¶

func (p *Provider) KeyInfo(slotID uint, keyID string, includePublic bool) (*cryptoprov.KeyInfo, error)

KeyInfo retrieves info about key with the specified id

func (*Provider) Manufacturer ¶

func (p *Provider) Manufacturer() string

Manufacturer returns manufacturer for the provider

func (*Provider) Model ¶

func (p *Provider) Model() string

Model returns model for the provider

type Signer ¶

type Signer struct {
	// contains filtered or unexported fields
}

Signer implements crypto.Signer interface

func (*Signer) KeyID ¶

func (s *Signer) KeyID() string

KeyID returns key id of the signer

func (*Signer) Label ¶

func (s *Signer) Label() string

Label returns key label of the signer

func (*Signer) Public ¶

func (s *Signer) Public() crypto.PublicKey

Public returns public key for the signer

func (*Signer) Sign ¶

func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Sign implements signing operation

func (*Signer) String ¶

func (s *Signer) String() string

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL