Documentation ¶
Overview ¶
kms package 提供统一加密服务。
Index ¶
- Constants
- Variables
- func CheckKeyForCreate(keyInfo KeyInfo) error
- func RegisterPlugin(kind PluginKind, create PluginCreateFn) error
- func RegisterStore(kind StoreKind, create StoreCreateFn) error
- type AsymmetricDecryptRequest
- type AsymmetricDecryptResponse
- type AsymmetricPlugin
- type BasePlugin
- type CreateKeyRequest
- type CreateKeyResponse
- type CustomerMasterKeySpec
- type DecryptRequest
- type DecryptResponse
- type DescribeKeyRequest
- type DescribeKeyResponse
- type EncryptRequest
- type EncryptResponse
- type GenerateDataKeyRequest
- type GenerateDataKeyResponse
- type GetPublicKeyRequest
- type Key
- func (k *Key) GetCreatedAt() *time.Time
- func (k *Key) GetDescription() string
- func (k *Key) GetKeyID() string
- func (k *Key) GetKeySpec() CustomerMasterKeySpec
- func (k *Key) GetKeyState() KeyState
- func (k *Key) GetKeyUsage() KeyUsage
- func (k *Key) GetPluginKind() PluginKind
- func (k *Key) GetPrimaryKeyVersion() KeyVersionInfo
- func (k *Key) GetUpdatedAt() *time.Time
- func (k *Key) New() KeyInfo
- func (k *Key) SetCreatedAt(t time.Time)
- func (k *Key) SetDescription(desc string)
- func (k *Key) SetKeyID(keyID string)
- func (k *Key) SetKeySpec(spec CustomerMasterKeySpec)
- func (k *Key) SetKeyState(state KeyState)
- func (k *Key) SetKeyUsage(usage KeyUsage)
- func (k *Key) SetPluginKind(pluginKind PluginKind)
- func (k *Key) SetPrimaryKeyVersion(version KeyVersionInfo)
- func (k *Key) SetUpdatedAt(t time.Time)
- type KeyInfo
- type KeyListEntry
- type KeyMetadata
- type KeyState
- type KeyUsage
- type KeyVersion
- func (k *KeyVersion) GetCreatedAt() *time.Time
- func (k *KeyVersion) GetSymmetricKeyBase64() string
- func (k *KeyVersion) GetUpdatedAt() *time.Time
- func (k *KeyVersion) GetVersionID() string
- func (k *KeyVersion) New() KeyVersionInfo
- func (k *KeyVersion) SetCreatedAt(t time.Time)
- func (k *KeyVersion) SetSymmetricKeyBase64(s string)
- func (k *KeyVersion) SetUpdatedAt(t time.Time)
- func (k *KeyVersion) SetVersionID(s string)
- type KeyVersionInfo
- type ListKeysRequest
- type ListKeysResponse
- type Plugin
- type PluginCreateFn
- type PluginKind
- type PublicKey
- type RequestValidator
- type RotateKeyVersionRequest
- type RotateKeyVersionResponse
- type Store
- type StoreCreateFn
- type StoreKind
- type SymmetricPlugin
Constants ¶
const (
	// Plugin kinds. PluginKind_ERDA_KMS carries the same string value
	// ("DICE_KMS") as PluginKind_DICE_KMS, so the two identifiers are one
	// and the same key in PluginFactory (map[PluginKind]PluginCreateFn) and
	// are indistinguishable once serialized — confirm this aliasing is
	// intended rather than a copy-paste slip.
	PluginKind_DICE_KMS   PluginKind = "DICE_KMS"
	PluginKind_ERDA_KMS   PluginKind = "DICE_KMS"
	PluginKind_AWS_KMS    PluginKind = "AWS_KMS"
	PluginKind_ALIYUN_KMS PluginKind = "ALIYUN_KMS"

	// Store kinds: backends that persist CMKs through the Store interface.
	StoreKind_ETCD  StoreKind = "ETCD"
	StoreKind_MYSQL StoreKind = "MYSQL"

	// Customer master key specs (algorithm / key size of the CMK).
	CustomerMasterKeySpec_SYMMETRIC_DEFAULT   CustomerMasterKeySpec = "SYMMETRIC_DEFAULT" // AES-256-GCM ; default
	CustomerMasterKeySpec_ASYMMETRIC_RSA_2048 CustomerMasterKeySpec = "RSA_2048"
	CustomerMasterKeySpec_ASYMMETRIC_RSA_3072 CustomerMasterKeySpec = "RSA_3072"
	CustomerMasterKeySpec_ASYMMETRIC_RSA_4096 CustomerMasterKeySpec = "RSA_4096"

	// Key usages.
	KeyUsage_ENCRYPT_DECRYPT KeyUsage = "ENCRYPT_DECRYPT"
	KeyUsage_SIGN_VERIFY     KeyUsage = "SIGN_VERIFY"

	// Key lifecycle states.
	KeyStateEnabled         KeyState = "Enabled"
	KeyStateDisabled        KeyState = "Disabled"
	KeyStatePendingDeletion KeyState = "PendingDeletion"
	KeyStatePendingImport   KeyState = "PendingImport"
)
const (
	// CtxKeyConfigMap is a context key; presumably a plugin config map is
	// stored under it — the reader/writer is not on this page, confirm.
	// NOTE(review): it is an untyped string; if it is used with
	// context.WithValue, any other package using the same string shares the
	// slot (go vet flags this). A private unexported key type avoids that.
	CtxKeyConfigMap = "configMap"
)
const (
	// CtxKeyKmsRequestID is a context key, presumably for a per-request ID
	// used in logging/tracing — its use is not shown on this page, confirm.
	// NOTE(review): untyped string context keys can collide across packages;
	// consider an unexported key type.
	CtxKeyKmsRequestID = "KmsRequestID"
)
Variables ¶
// PluginFactory maps a plugin kind to its constructor. RegisterPlugin takes
// the same (PluginKind, PluginCreateFn) pair and presumably populates it.
// It is a plain package-level map with no lock visible here; assume it is
// written only during registration, before concurrent use — confirm.
var PluginFactory = map[PluginKind]PluginCreateFn{}
// StoreFactory maps a store kind to its constructor. RegisterStore takes
// the same (StoreKind, StoreCreateFn) pair and presumably populates it.
// Like PluginFactory it is an unguarded package-level map; assume
// registration happens before concurrent use — confirm.
var StoreFactory = map[StoreKind]StoreCreateFn{}
Functions ¶
func CheckKeyForCreate ¶
func RegisterPlugin ¶
func RegisterPlugin(kind PluginKind, create PluginCreateFn) error
func RegisterStore ¶
func RegisterStore(kind StoreKind, create StoreCreateFn) error
Types ¶
type AsymmetricDecryptResponse ¶
// AsymmetricDecryptResponse carries the plaintext recovered by
// AsymmetricPlugin.AsymmetricDecrypt.
type AsymmetricDecryptResponse struct {
	// PlaintextBase64 is a []byte, unlike DecryptResponse.PlaintextBase64
	// (a string). encoding/json base64-encodes []byte on marshal, so the
	// wire value is base64 of whatever is stored here; if a plugin already
	// writes base64 text into it the JSON form is double-encoded — confirm
	// which convention the implementations follow.
	PlaintextBase64 []byte `json:"plaintextBase64,omitempty"`
}
type AsymmetricPlugin ¶
// AsymmetricPlugin is the asymmetric-encryption plugin. Encryption happens
// on the caller's side with the public key from GetPublicKey; only
// decryption goes through the plugin.
type AsymmetricPlugin interface {
	GetPublicKey(ctx context.Context, req *GetPublicKeyRequest) (*PublicKey, error)
	// AsymmetricDecrypt decrypts data that was encrypted with a public key retrieved from GetPublicKey
	// corresponding to a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_DECRYPT.
	AsymmetricDecrypt(ctx context.Context, req *AsymmetricDecryptRequest) (*AsymmetricDecryptResponse, error)
}
AsymmetricPlugin 非对称加密插件。加密流程: 1. 调用 GetPublicKey 获取公钥 2. 使用公钥加密数据 3. 存储加密后的数据以及密钥版本。解密流程: 1. 调用 AsymmetricDecrypt,传入密文和密钥版本进行解密
type BasePlugin ¶
// BasePlugin holds the key-management operations shared by every plugin
// (Plugin embeds it alongside SymmetricPlugin and AsymmetricPlugin).
type BasePlugin interface {
	// CreateKey creates a symmetric or asymmetric CMK.
	CreateKey(ctx context.Context, req *CreateKeyRequest) (*CreateKeyResponse, error)
	// DescribeKey returns the KeyMetadata of one CMK.
	DescribeKey(ctx context.Context, req *DescribeKeyRequest) (*DescribeKeyResponse, error)
	// ListKeys lists CMKs as KeyListEntry values.
	ListKeys(ctx context.Context, req *ListKeysRequest) (*ListKeysResponse, error)
}
type CreateKeyRequest ¶
// CreateKeyRequest describes the CMK to create: which plugin backs it, its
// spec, its usage and a free-text description. It implements
// RequestValidator via ValidateRequest (listed above).
type CreateKeyRequest struct {
	PluginKind            PluginKind            `json:"pluginKind,omitempty"`
	CustomerMasterKeySpec CustomerMasterKeySpec `json:"customerMasterKeySpec,omitempty"`
	KeyUsage              KeyUsage              `json:"keyUsage,omitempty"`
	Description           string                `json:"description,omitempty"`
}
func (*CreateKeyRequest) ValidateRequest ¶
func (req *CreateKeyRequest) ValidateRequest() error
type CreateKeyResponse ¶
// CreateKeyResponse returns the metadata of the newly created CMK.
type CreateKeyResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}
type CustomerMasterKeySpec ¶
// CustomerMasterKeySpec names the CMK algorithm / key size; see the
// CustomerMasterKeySpec_* constants.
type CustomerMasterKeySpec string
type DecryptRequest ¶
// DecryptRequest asks the CMK identified by KeyID to decrypt a ciphertext.
// It implements RequestValidator via ValidateRequest (listed above).
type DecryptRequest struct {
	KeyID string `json:"keyID,omitempty"`
	// The encrypted data.
	// A base64-encoded string.
	CiphertextBase64 string `json:"ciphertextBase64,omitempty"`
}
func (*DecryptRequest) ValidateRequest ¶
func (req *DecryptRequest) ValidateRequest() error
type DecryptResponse ¶
// DecryptResponse carries the recovered plaintext as a base64 string
// (contrast AsymmetricDecryptResponse, which uses []byte).
type DecryptResponse struct {
	PlaintextBase64 string `json:"plaintextBase64,omitempty"`
}
type DescribeKeyRequest ¶
// DescribeKeyRequest names the CMK to describe. It implements
// RequestValidator via ValidateRequest (listed above).
type DescribeKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
func (*DescribeKeyRequest) ValidateRequest ¶
func (req *DescribeKeyRequest) ValidateRequest() error
type DescribeKeyResponse ¶
// DescribeKeyResponse returns the metadata of the described CMK.
type DescribeKeyResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}
type EncryptRequest ¶
// EncryptRequest asks the CMK identified by KeyID to encrypt a plaintext.
// It implements RequestValidator via ValidateRequest (listed above).
type EncryptRequest struct {
	KeyID string `json:"keyID,omitempty"`
	// Required. The data to encrypt. Must be no larger than 64KiB.
	// A base64-encoded string.
	// NOTE(review): the 64KiB limit is presumably enforced in ValidateRequest,
	// whose body is not on this page — confirm it is checked against the
	// decoded size, not just the base64 text length.
	PlaintextBase64 string `json:"plaintextBase64,omitempty"`
}
func (*EncryptRequest) ValidateRequest ¶
func (req *EncryptRequest) ValidateRequest() error
type EncryptResponse ¶
type GenerateDataKeyRequest ¶
// GenerateDataKeyRequest names the CMK that wraps the generated data key.
// It implements RequestValidator via ValidateRequest (listed above).
type GenerateDataKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
func (*GenerateDataKeyRequest) ValidateRequest ¶
func (req *GenerateDataKeyRequest) ValidateRequest() error
type GenerateDataKeyResponse ¶
type GetPublicKeyRequest ¶
// GetPublicKeyRequest names the asymmetric CMK whose public key is wanted.
type GetPublicKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
type Key ¶
// Key is the concrete CMK record; it satisfies KeyInfo through the Get*/Set*
// methods listed on this page.
type Key struct {
	PluginKind PluginKind `json:"pluginKind,omitempty"`
	KeyID      string     `json:"keyID,omitempty"`
	// PrimaryKeyVersion embeds the whole KeyVersion — including
	// SymmetricKeyBase64 — under a json tag, so marshaling a Key emits the
	// CMK key material. Hand KeyMetadata (which carries only
	// PrimaryKeyVersionID) to API callers, never the Key itself.
	PrimaryKeyVersion KeyVersion            `json:"primaryKeyVersion,omitempty"`
	KeySpec           CustomerMasterKeySpec `json:"keySpec,omitempty"`
	KeyUsage          KeyUsage              `json:"keyUsage,omitempty"`
	KeyState          KeyState              `json:"keyState,omitempty"`
	Description       string                `json:"description,omitempty"`
	CreatedAt         *time.Time            `json:"createdAt,omitempty"`
	UpdatedAt         *time.Time            `json:"updatedAt,omitempty"`
}
func (*Key) GetCreatedAt ¶
func (*Key) GetDescription ¶
func (*Key) GetKeySpec ¶
func (k *Key) GetKeySpec() CustomerMasterKeySpec
func (*Key) GetKeyState ¶
func (*Key) GetKeyUsage ¶
func (*Key) GetPluginKind ¶
func (k *Key) GetPluginKind() PluginKind
func (*Key) GetPrimaryKeyVersion ¶
func (k *Key) GetPrimaryKeyVersion() KeyVersionInfo
func (*Key) GetUpdatedAt ¶
func (*Key) SetCreatedAt ¶
func (*Key) SetDescription ¶
func (*Key) SetKeySpec ¶
func (k *Key) SetKeySpec(spec CustomerMasterKeySpec)
func (*Key) SetKeyState ¶
func (*Key) SetKeyUsage ¶
func (*Key) SetPluginKind ¶
func (k *Key) SetPluginKind(pluginKind PluginKind)
func (*Key) SetPrimaryKeyVersion ¶
func (k *Key) SetPrimaryKeyVersion(version KeyVersionInfo)
func (*Key) SetUpdatedAt ¶
type KeyInfo ¶
// KeyInfo is the accessor view of a CMK that Store persists and returns;
// *Key implements it. New returns a fresh, empty KeyInfo of the same
// concrete type (presumably, for stores to decode into — confirm).
type KeyInfo interface {
	New() KeyInfo
	GetPluginKind() PluginKind
	SetPluginKind(PluginKind)
	GetKeyID() string
	SetKeyID(string)
	// GetPrimaryKeyVersion exposes the active version, including its key
	// material (see KeyVersion.SymmetricKeyBase64); treat the result as secret.
	GetPrimaryKeyVersion() KeyVersionInfo
	SetPrimaryKeyVersion(KeyVersionInfo)
	GetKeySpec() CustomerMasterKeySpec
	SetKeySpec(CustomerMasterKeySpec)
	GetKeyUsage() KeyUsage
	SetKeyUsage(KeyUsage)
	GetKeyState() KeyState
	SetKeyState(KeyState)
	GetDescription() string
	SetDescription(string)
	GetCreatedAt() *time.Time
	SetCreatedAt(time.Time)
	GetUpdatedAt() *time.Time
	SetUpdatedAt(time.Time)
}
type KeyListEntry ¶
// KeyListEntry is one item of ListKeysResponse: just the key ID.
type KeyListEntry struct {
	KeyID string `json:"keyID,omitempty"`
}
type KeyMetadata ¶
// KeyMetadata is the externally visible description of a CMK, as returned
// by CreateKey/DescribeKey/RotateKeyVersion. It names the primary version
// by ID only and carries no KeyVersion, so no key material is exposed.
// GetKeyMetadata (listed above) builds it from a KeyInfo.
type KeyMetadata struct {
	KeyID                 string                `json:"keyID,omitempty"`
	PrimaryKeyVersionID   string                `json:"primaryKeyVersionID,omitempty"`
	CustomerMasterKeySpec CustomerMasterKeySpec `json:"customerMasterKeySpec,omitempty"`
	KeyUsage              KeyUsage              `json:"keyUsage,omitempty"`
	KeyState              KeyState              `json:"keyState,omitempty"`
	Description           string                `json:"description,omitempty"`
}
func GetKeyMetadata ¶
func GetKeyMetadata(keyInfo KeyInfo) KeyMetadata
type KeyVersion ¶
// KeyVersion is one version of a symmetric CMK; it satisfies KeyVersionInfo
// through the Get*/Set* methods listed on this page.
type KeyVersion struct {
	VersionID string `json:"versionID,omitempty"`
	// SymmetricKeyBase64 is the base64-encoded key material. It is CMK secret
	// material carrying a json tag, so any json.Marshal of a KeyVersion
	// (directly, or via Key.PrimaryKeyVersion) serializes it: keep it out of
	// API responses and logs, and confirm the Store backend protects it at
	// rest — this page does not show how stores persist it.
	SymmetricKeyBase64 string     `json:"symmetricKeyBase64,omitempty"`
	CreatedAt          *time.Time `json:"createdAt,omitempty"`
	UpdatedAt          *time.Time `json:"updatedAt,omitempty"`
}
func (*KeyVersion) GetCreatedAt ¶
func (k *KeyVersion) GetCreatedAt() *time.Time
func (*KeyVersion) GetSymmetricKeyBase64 ¶
func (k *KeyVersion) GetSymmetricKeyBase64() string
func (*KeyVersion) GetUpdatedAt ¶
func (k *KeyVersion) GetUpdatedAt() *time.Time
func (*KeyVersion) GetVersionID ¶
func (k *KeyVersion) GetVersionID() string
func (*KeyVersion) New ¶
func (k *KeyVersion) New() KeyVersionInfo
func (*KeyVersion) SetCreatedAt ¶
func (k *KeyVersion) SetCreatedAt(t time.Time)
func (*KeyVersion) SetSymmetricKeyBase64 ¶
func (k *KeyVersion) SetSymmetricKeyBase64(s string)
func (*KeyVersion) SetUpdatedAt ¶
func (k *KeyVersion) SetUpdatedAt(t time.Time)
func (*KeyVersion) SetVersionID ¶
func (k *KeyVersion) SetVersionID(s string)
type KeyVersionInfo ¶
type ListKeysRequest ¶
// ListKeysRequest has no fields: ListKeys takes no filter or paging
// parameters on this page, so presumably it lists every key the plugin
// can see — confirm against the implementations.
type ListKeysRequest struct{}
type ListKeysResponse ¶
// ListKeysResponse lists CMKs by ID only (see KeyListEntry).
type ListKeysResponse struct {
	Keys []KeyListEntry `json:"keys,omitempty"`
}
type Plugin ¶
// Plugin is the full KMS plugin contract: a kind, a backing Store injected
// with SetStore, and the base, symmetric and asymmetric operation sets.
type Plugin interface {
	Kind() PluginKind
	SetStore(Store)
	BasePlugin
	SymmetricPlugin
	AsymmetricPlugin
}
type PluginCreateFn ¶
PluginCreateFn is used to create a kms plugin instance.
type PluginKind ¶
// PluginKind identifies a KMS plugin backend; see the PluginKind_* constants.
// String and Validate are defined on it (listed below).
type PluginKind string
func (PluginKind) String ¶
func (s PluginKind) String() string
func (PluginKind) Validate ¶
func (s PluginKind) Validate() bool
type RequestValidator ¶
// RequestValidator is implemented by the *Request types on this page whose
// ValidateRequest methods are listed (CreateKeyRequest, DecryptRequest,
// DescribeKeyRequest, EncryptRequest, GenerateDataKeyRequest,
// RotateKeyVersionRequest). ValidateRequest returns a non-nil error when
// the request is not acceptable.
type RequestValidator interface {
	ValidateRequest() error
}
type RotateKeyVersionRequest ¶
// RotateKeyVersionRequest names the CMK whose key version is rotated.
// It implements RequestValidator via ValidateRequest (listed above).
type RotateKeyVersionRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
func (*RotateKeyVersionRequest) ValidateRequest ¶
func (req *RotateKeyVersionRequest) ValidateRequest() error
type RotateKeyVersionResponse ¶
// RotateKeyVersionResponse returns the CMK metadata after rotation
// (PrimaryKeyVersionID identifies the new version).
type RotateKeyVersionResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}
type Store ¶
// Store is the key-information storage interface. Backends are registered
// per StoreKind through RegisterStore/StoreFactory, and a Plugin receives
// its Store via SetStore. It persists CMKs (KeyInfo) and their versions
// (KeyVersionInfo), which means it holds KeyVersion.SymmetricKeyBase64.
type Store interface {
	// GetKind returns the store kind (the original comment said "PluginKind";
	// the method returns a StoreKind).
	GetKind() StoreKind
	// CreateKey creates and stores a new CMK.
	CreateKey(info KeyInfo) error
	// GetKey looks up a CMK by keyID.
	GetKey(keyID string) (KeyInfo, error)
	// ListKeysByKind lists the IDs of the CMKs belonging to a plugin kind.
	ListKeysByKind(kind PluginKind) ([]string, error)
	// DeleteByKeyID deletes the CMK with the given keyID.
	DeleteByKeyID(keyID string) error
	// GetKeyVersion finds a key version by keyID and keyVersionID.
	GetKeyVersion(keyID, keyVersionID string) (KeyVersionInfo, error)
	// RotateKeyVersion records newKeyVersionInfo as a new version of keyID
	// and returns a KeyVersionInfo — presumably the stored version; confirm.
	RotateKeyVersion(keyID string, newKeyVersionInfo KeyVersionInfo) (KeyVersionInfo, error)
}
Store is the key information storage interface.
type StoreCreateFn ¶
StoreCreateFn is used to create a kms store instance.
type SymmetricPlugin ¶
// SymmetricPlugin is the symmetric-encryption plugin: Encrypt to encrypt,
// Decrypt to decrypt, plus data-key generation and manual key rotation.
type SymmetricPlugin interface {
	Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error)
	Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error)
	// GenerateDataKey generates an AES-256 DEK, encrypted by the CMK.
	// Typical use (envelope encryption):
	// Encrypting data locally:
	//  1. Call GenerateDataKey to obtain a DEK (data encryption key).
	//  2. Encrypt the data offline with the DEK plaintext, then wipe the DEK
	//     plaintext from memory.
	//  3. Store the DEK ciphertext together with the locally encrypted data.
	// Decrypting data locally:
	//  1. Call Decrypt on the stored DEK ciphertext to recover the DEK plaintext.
	//  2. Decrypt the data offline with the DEK plaintext, then wipe the DEK
	//     plaintext from memory.
	GenerateDataKey(ctx context.Context, req *GenerateDataKeyRequest) (*GenerateDataKeyResponse, error)
	// RotateKeyVersion rotates the CMK's key version manually; the old key
	// version can still be used to decrypt old data.
	RotateKeyVersion(ctx context.Context, req *RotateKeyVersionRequest) (*RotateKeyVersionResponse, error)
}
SymmetricPlugin 对称加密插件 加密流程: 1. 调用 Encrypt 进行加密 解密流程: 1. 调用 Decrypt 进行解密