kmstypes

Published: Jul 5, 2021 License: AGPL-3.0 Imports: 6 Imported by: 5

Documentation

Overview

kmstypes 包为 kms 统一加密服务定义共享类型:插件接口(Plugin/SymmetricPlugin/AsymmetricPlugin)、密钥存储接口(Store)、密钥模型(Key/KeyVersion/KeyMetadata)以及各操作的请求/响应结构体。

Index

Constants

const (
	// PluginKind selects the backend that generates and uses CMK material.
	// DICE_KMS is presumably the in-house implementation; AWS_KMS and ALIYUN_KMS delegate to a cloud KMS.
	PluginKind_DICE_KMS   PluginKind = "DICE_KMS"
	PluginKind_AWS_KMS    PluginKind = "AWS_KMS"
	PluginKind_ALIYUN_KMS PluginKind = "ALIYUN_KMS"

	// StoreKind selects where key records are persisted. A KeyInfo record includes
	// KeyVersionInfo.SymmetricKeyBase64, i.e. key material, so the backing store is sensitive.
	StoreKind_ETCD  StoreKind = "ETCD"
	StoreKind_MYSQL StoreKind = "MYSQL"

	// CustomerMasterKeySpec selects the CMK algorithm. SYMMETRIC_DEFAULT (AES-256-GCM) is the
	// default; the RSA_* specs are asymmetric keys used through AsymmetricPlugin.
	// NOTE(review): AES-GCM loses both confidentiality and integrity when a nonce is reused
	// under the same key. A plugin implementing SYMMETRIC_DEFAULT must use a fresh random
	// (or strictly unique) nonce per Encrypt call; nothing in this package enforces that.
	CustomerMasterKeySpec_SYMMETRIC_DEFAULT   CustomerMasterKeySpec = "SYMMETRIC_DEFAULT" // AES-256-GCM ; default
	CustomerMasterKeySpec_ASYMMETRIC_RSA_2048 CustomerMasterKeySpec = "RSA_2048"
	CustomerMasterKeySpec_ASYMMETRIC_RSA_3072 CustomerMasterKeySpec = "RSA_3072"
	CustomerMasterKeySpec_ASYMMETRIC_RSA_4096 CustomerMasterKeySpec = "RSA_4096"

	// KeyUsage restricts what a CMK may be used for. Plugins should refuse an operation that
	// does not match the key's usage (for example Encrypt on a SIGN_VERIFY key) rather than
	// reuse one key for two purposes.
	KeyUsage_ENCRYPT_DECRYPT KeyUsage = "ENCRYPT_DECRYPT"
	KeyUsage_SIGN_VERIFY     KeyUsage = "SIGN_VERIFY"

	// KeyState is the lifecycle state of a CMK. Only Enabled keys should serve cryptographic
	// operations; the remaining states exist so that a disabled, pending-deletion or
	// not-yet-imported key is refused instead of silently used. The names appear to mirror
	// AWS KMS key states — confirm the exact semantics per plugin.
	KeyStateEnabled         KeyState = "Enabled"
	KeyStateDisabled        KeyState = "Disabled"
	KeyStatePendingDeletion KeyState = "PendingDeletion"
	KeyStatePendingImport   KeyState = "PendingImport"
	KeyStateUnavailable     KeyState = "Unavailable"
)
// CtxKeyConfigMap is the context.Context key under which a configuration map is
// presumably carried (context.WithValue / ctx.Value).
// NOTE(review): this is an untyped string. Plain-string context keys can collide with
// keys set by other packages (staticcheck SA1029); a private key type would be safer,
// but changing the type here would break callers that use the string directly.
const (
	CtxKeyConfigMap = "configMap"
)
// CtxKeyKmsRequestID is the context.Context key under which a per-request ID is
// presumably carried, so that KMS operations can be correlated in logs/audit trails.
// NOTE(review): same caveat as CtxKeyConfigMap — an untyped string context key can
// collide with keys from other packages (staticcheck SA1029).
const (
	CtxKeyKmsRequestID = "KmsRequestID"
)

Variables

// PluginFactory maps a PluginKind to its constructor, presumably filled in by RegisterPlugin.
// It is a plain package-level map: populate it during initialisation only, because a
// registration racing with a lookup (or another registration) is a data race on a Go map.
var PluginFactory = map[PluginKind]PluginCreateFn{}
// StoreFactory maps a StoreKind to its constructor, presumably filled in by RegisterStore.
// Like PluginFactory it is an unguarded map; register stores at startup, not concurrently
// with lookups.
var StoreFactory = map[StoreKind]StoreCreateFn{}

Functions

func CheckKeyForCreate

func CheckKeyForCreate(keyInfo KeyInfo) error

func RegisterPlugin

func RegisterPlugin(kind PluginKind, create PluginCreateFn) error

func RegisterStore

func RegisterStore(kind StoreKind, create StoreCreateFn) error

Types

type AsymmetricDecryptRequest

// AsymmetricDecryptRequest asks an AsymmetricPlugin to decrypt data that was encrypted
// with the public key returned by GetPublicKey for KeyID.
// NOTE(review): CiphertextBase64 is a []byte here, whereas the symmetric DecryptRequest
// carries its ciphertext as a base64 string. encoding/json base64-encodes []byte fields
// itself, so if this slice already holds base64 text it is double-encoded on the wire.
// Confirm against the plugin implementations whether raw or base64 bytes are expected.
type AsymmetricDecryptRequest struct {
	KeyID            string `json:"keyID,omitempty"`
	CiphertextBase64 []byte `json:"ciphertextBase64,omitempty"`
}

type AsymmetricDecryptResponse

// AsymmetricDecryptResponse carries the recovered plaintext. It is sensitive: never log
// or persist it. The same raw-vs-base64 ambiguity as AsymmetricDecryptRequest applies
// (encoding/json base64-encodes []byte on its own).
type AsymmetricDecryptResponse struct {
	PlaintextBase64 []byte `json:"plaintextBase64,omitempty"`
}

type AsymmetricPlugin

// AsymmetricPlugin is the RSA side of a KMS plugin (see the RSA_* CustomerMasterKeySpec
// values). Callers fetch the public key, encrypt locally, and store the ciphertext together
// with the key version it was produced under; only the plugin, which holds the private
// key, can decrypt.
type AsymmetricPlugin interface {
	// GetPublicKey returns the PEM-encoded public key (and its algorithm label) for req.KeyID.
	GetPublicKey(ctx context.Context, req *GetPublicKeyRequest) (*PublicKey, error)
	// AsymmetricDecrypt decrypts data that was encrypted with a public key retrieved from GetPublicKey.
	// (The original comment mentioned "CryptoKeyVersion" and "CryptoKey.purpose ASYMMETRIC_DECRYPT",
	// which are Google Cloud KMS terms that do not exist in this package; here the key is
	// identified by req.KeyID and is presumably expected to have an RSA_* spec with
	// KeyUsage ENCRYPT_DECRYPT — confirm per plugin.)
	AsymmetricDecrypt(ctx context.Context, req *AsymmetricDecryptRequest) (*AsymmetricDecryptResponse, error)
}

AsymmetricPlugin 非对称加密插件。加密流程: 1. 调用 GetPublicKey 获取公钥 2. 在本地使用公钥加密数据 3. 存储加密后的数据以及所用的密钥版本。解密流程: 1. 调用 AsymmetricDecrypt,传入 KeyID 和密文,由持有私钥的插件完成解密。

type BasePlugin

// BasePlugin is the key-management surface every plugin provides, independent of
// whether the key is symmetric or asymmetric.
type BasePlugin interface {
	// CreateKey creates a symmetric or asymmetric CMK and returns its metadata (no key material).
	CreateKey(ctx context.Context, req *CreateKeyRequest) (*CreateKeyResponse, error)
	// DescribeKey returns the metadata of the CMK identified by req.KeyID.
	DescribeKey(ctx context.Context, req *DescribeKeyRequest) (*DescribeKeyResponse, error)
	// ListKeys returns the IDs of the CMKs visible to this plugin.
	ListKeys(ctx context.Context, req *ListKeysRequest) (*ListKeysResponse, error)
}

type CreateKeyRequest

// CreateKeyRequest describes the CMK to create: which plugin backs it, its algorithm
// (CustomerMasterKeySpec), what it may be used for (KeyUsage) and a free-form description.
// ValidateRequest (below) is the place where these fields are checked; callers should
// invoke it before dispatching to a plugin. Note that the caller picks PluginKind —
// whether an unprivileged caller may choose any plugin is an authorisation question
// outside this package.
type CreateKeyRequest struct {
	PluginKind            PluginKind            `json:"pluginKind,omitempty"`
	CustomerMasterKeySpec CustomerMasterKeySpec `json:"customerMasterKeySpec,omitempty"`
	KeyUsage              KeyUsage              `json:"keyUsage,omitempty"`
	Description           string                `json:"description,omitempty"`
}

func (*CreateKeyRequest) ValidateRequest

func (req *CreateKeyRequest) ValidateRequest() error

type CreateKeyResponse

// CreateKeyResponse returns the metadata of the newly created CMK. KeyMetadata carries
// only the primary key version ID, not the key material, so it is safe to return to callers.
type CreateKeyResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}

type CustomerMasterKeySpec

// CustomerMasterKeySpec names the CMK algorithm; see the CustomerMasterKeySpec_* constants.
type CustomerMasterKeySpec string

type DecryptRequest

// DecryptRequest asks a SymmetricPlugin to decrypt a ciphertext produced by Encrypt (or a
// wrapped DEK produced by GenerateDataKey) under the CMK identified by KeyID.
// No key version is given, so the plugin must recover the version from the ciphertext
// itself or otherwise — how it does so is not visible here (compare the RotateKeyVersion
// note that old versions remain usable for decryption).
type DecryptRequest struct {
	KeyID string `json:"keyID,omitempty"`
	// The encrypted data.
	// A base64-encoded string.
	CiphertextBase64 string `json:"ciphertextBase64,omitempty"`
}

func (*DecryptRequest) ValidateRequest

func (req *DecryptRequest) ValidateRequest() error

type DecryptResponse

// DecryptResponse carries the recovered plaintext as a base64 string. It is sensitive:
// never log it, and keep its lifetime short (a Go string cannot be zeroed in place).
type DecryptResponse struct {
	PlaintextBase64 string `json:"plaintextBase64,omitempty"`
}

type DescribeKeyRequest

// DescribeKeyRequest identifies the CMK whose metadata is requested.
type DescribeKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}

func (*DescribeKeyRequest) ValidateRequest

func (req *DescribeKeyRequest) ValidateRequest() error

type DescribeKeyResponse

// DescribeKeyResponse returns the CMK's metadata (no key material).
type DescribeKeyResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}

type EncryptRequest

// EncryptRequest asks a SymmetricPlugin to encrypt a small payload directly under the CMK.
// The documented 64KiB ceiling should be enforced in ValidateRequest (not visible here);
// it is not clear whether the limit applies to the decoded plaintext or to the base64
// text — confirm in the implementation. Larger data should use GenerateDataKey and
// envelope encryption instead.
type EncryptRequest struct {
	KeyID string `json:"keyID,omitempty"`
	// Required. The data to encrypt. Must be no larger than 64KiB.
	// A base64-encoded string.
	PlaintextBase64 string `json:"plaintextBase64,omitempty"`
}

func (*EncryptRequest) ValidateRequest

func (req *EncryptRequest) ValidateRequest() error

type EncryptResponse

// EncryptResponse returns the ciphertext together with the KeyID it was produced under.
// The key version is not returned (contrast GenerateDataKeyResponse.KeyVersionID), so a
// plugin that supports rotation presumably embeds the version in the ciphertext — confirm
// before relying on decryption after RotateKeyVersion.
type EncryptResponse struct {
	KeyID string `json:"keyID,omitempty"`
	// The encrypted data.
	// A base64-encoded string.
	CiphertextBase64 string `json:"ciphertextBase64,omitempty"`
}

type GenerateDataKeyRequest

// GenerateDataKeyRequest identifies the CMK under which a new data encryption key (DEK)
// should be generated and wrapped.
type GenerateDataKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}

func (*GenerateDataKeyRequest) ValidateRequest

func (req *GenerateDataKeyRequest) ValidateRequest() error

type GenerateDataKeyResponse

// GenerateDataKeyResponse returns a freshly generated DEK twice: wrapped under the CMK
// (CiphertextBase64, safe to persist next to the data) and in the clear (PlaintextBase64,
// to be used locally and then discarded).
// NOTE(review): PlaintextBase64 is a Go string and therefore cannot be zeroed in place;
// the "clear the DEK from memory" step in the SymmetricPlugin docs is at best partial.
// Decode it into a caller-owned []byte, zero that buffer when done, never log the
// response, and do not keep it alive longer than the local encryption step.
type GenerateDataKeyResponse struct {
	KeyID            string `json:"keyID,omitempty"`
	KeyVersionID     string `json:"keyVersionID,omitempty"`
	CiphertextBase64 string `json:"ciphertextBase64,omitempty"`
	PlaintextBase64  string `json:"plaintextBase64,omitempty"`
}

type GetPublicKeyRequest

// GetPublicKeyRequest identifies the asymmetric CMK whose public key is requested.
type GetPublicKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}

type Key

// Key is the persisted CMK record; it is the concrete KeyInfo implementation stored by Store.
// NOTE(review): PrimaryKeyVersion is a KeyVersion, whose SymmetricKeyBase64 field holds the
// raw key material, and every field here carries a JSON tag. Marshalling or logging a Key
// therefore leaks the CMK. Never return Key from an API; project it through GetKeyMetadata
// (KeyMetadata has no key material) instead. Also note that `omitempty` has no effect on
// a struct-valued field such as PrimaryKeyVersion.
type Key struct {
	PluginKind        PluginKind            `json:"pluginKind,omitempty"`
	KeyID             string                `json:"keyID,omitempty"`
	PrimaryKeyVersion KeyVersion            `json:"primaryKeyVersion,omitempty"`
	KeySpec           CustomerMasterKeySpec `json:"keySpec,omitempty"`
	KeyUsage          KeyUsage              `json:"keyUsage,omitempty"`
	KeyState          KeyState              `json:"keyState,omitempty"`
	Description       string                `json:"description,omitempty"`
	CreatedAt         *time.Time            `json:"createdAt,omitempty"`
	UpdatedAt         *time.Time            `json:"updatedAt,omitempty"`
}

func (*Key) GetCreatedAt

func (k *Key) GetCreatedAt() *time.Time

func (*Key) GetDescription

func (k *Key) GetDescription() string

func (*Key) GetKeyID

func (k *Key) GetKeyID() string

func (*Key) GetKeySpec

func (k *Key) GetKeySpec() CustomerMasterKeySpec

func (*Key) GetKeyState

func (k *Key) GetKeyState() KeyState

func (*Key) GetKeyUsage

func (k *Key) GetKeyUsage() KeyUsage

func (*Key) GetPluginKind

func (k *Key) GetPluginKind() PluginKind

func (*Key) GetPrimaryKeyVersion

func (k *Key) GetPrimaryKeyVersion() KeyVersionInfo

func (*Key) GetUpdatedAt

func (k *Key) GetUpdatedAt() *time.Time

func (*Key) New

func (k *Key) New() KeyInfo

func (*Key) SetCreatedAt

func (k *Key) SetCreatedAt(t time.Time)

func (*Key) SetDescription

func (k *Key) SetDescription(desc string)

func (*Key) SetKeyID

func (k *Key) SetKeyID(keyID string)

func (*Key) SetKeySpec

func (k *Key) SetKeySpec(spec CustomerMasterKeySpec)

func (*Key) SetKeyState

func (k *Key) SetKeyState(state KeyState)

func (*Key) SetKeyUsage

func (k *Key) SetKeyUsage(usage KeyUsage)

func (*Key) SetPluginKind

func (k *Key) SetPluginKind(pluginKind PluginKind)

func (*Key) SetPrimaryKeyVersion

func (k *Key) SetPrimaryKeyVersion(version KeyVersionInfo)

func (*Key) SetUpdatedAt

func (k *Key) SetUpdatedAt(t time.Time)

type KeyInfo

// KeyInfo is the accessor interface over a CMK record, implemented by Key. Store works in
// terms of this interface so that the concrete record type can vary per backend.
// Because GetPrimaryKeyVersion exposes KeyVersionInfo (and thus the raw key material via
// GetSymmetricKeyBase64), a KeyInfo value is as sensitive as the key itself.
type KeyInfo interface {
	// New returns a fresh, empty record of the same concrete type (useful for decoding).
	New() KeyInfo

	GetPluginKind() PluginKind
	SetPluginKind(PluginKind)

	GetKeyID() string
	SetKeyID(string)

	// GetPrimaryKeyVersion returns the version currently used for new encryptions.
	GetPrimaryKeyVersion() KeyVersionInfo
	SetPrimaryKeyVersion(KeyVersionInfo)

	GetKeySpec() CustomerMasterKeySpec
	SetKeySpec(CustomerMasterKeySpec)
	GetKeyUsage() KeyUsage
	SetKeyUsage(KeyUsage)
	GetKeyState() KeyState
	SetKeyState(KeyState)

	GetDescription() string
	SetDescription(string)

	GetCreatedAt() *time.Time
	SetCreatedAt(time.Time)
	GetUpdatedAt() *time.Time
	SetUpdatedAt(time.Time)
}

type KeyListEntry

// KeyListEntry is one row of a ListKeys result: just the key ID.
type KeyListEntry struct {
	KeyID string `json:"keyID,omitempty"`
}

type KeyMetadata

// KeyMetadata is the externally visible description of a CMK. Unlike Key it carries only
// the primary version's ID, never key material, which makes it the right shape for API
// responses (CreateKeyResponse, DescribeKeyResponse, RotateKeyVersionResponse).
// Build it with GetKeyMetadata rather than copying fields by hand, so no sensitive field
// is accidentally added.
type KeyMetadata struct {
	KeyID                 string                `json:"keyID,omitempty"`
	PrimaryKeyVersionID   string                `json:"primaryKeyVersionID,omitempty"`
	CustomerMasterKeySpec CustomerMasterKeySpec `json:"customerMasterKeySpec,omitempty"`
	KeyUsage              KeyUsage              `json:"keyUsage,omitempty"`
	KeyState              KeyState              `json:"keyState,omitempty"`
	Description           string                `json:"description,omitempty"`
}

func GetKeyMetadata

func GetKeyMetadata(keyInfo KeyInfo) KeyMetadata

type KeyState

// KeyState is the lifecycle state of a CMK; see the KeyState* constants.
type KeyState string

type KeyUsage

// KeyUsage is the permitted purpose of a CMK; see the KeyUsage_* constants.
type KeyUsage string

type KeyVersion

// KeyVersion is one version of a CMK's key material; it is the concrete KeyVersionInfo.
// NOTE(review): SymmetricKeyBase64 is the secret itself, and it has a JSON tag, so this
// struct must never be serialised into logs, API responses or error messages. Whether the
// Store encrypts it before persisting is not visible from this package.
type KeyVersion struct {
	VersionID string `json:"versionID,omitempty"`
	// base64 encoded symmetric key material (secret)
	SymmetricKeyBase64 string     `json:"symmetricKeyBase64,omitempty"`
	CreatedAt          *time.Time `json:"createdAt,omitempty"`
	UpdatedAt          *time.Time `json:"updatedAt,omitempty"`
}

func (*KeyVersion) GetCreatedAt

func (k *KeyVersion) GetCreatedAt() *time.Time

func (*KeyVersion) GetSymmetricKeyBase64

func (k *KeyVersion) GetSymmetricKeyBase64() string

func (*KeyVersion) GetUpdatedAt

func (k *KeyVersion) GetUpdatedAt() *time.Time

func (*KeyVersion) GetVersionID

func (k *KeyVersion) GetVersionID() string

func (*KeyVersion) New

func (k *KeyVersion) New() KeyVersionInfo

func (*KeyVersion) SetCreatedAt

func (k *KeyVersion) SetCreatedAt(t time.Time)

func (*KeyVersion) SetSymmetricKeyBase64

func (k *KeyVersion) SetSymmetricKeyBase64(s string)

func (*KeyVersion) SetUpdatedAt

func (k *KeyVersion) SetUpdatedAt(t time.Time)

func (*KeyVersion) SetVersionID

func (k *KeyVersion) SetVersionID(s string)

type KeyVersionInfo

// KeyVersionInfo is the accessor interface over a single key version, implemented by KeyVersion.
// GetSymmetricKeyBase64 returns raw key material; treat any KeyVersionInfo as a secret.
type KeyVersionInfo interface {
	// New returns a fresh, empty version record of the same concrete type.
	New() KeyVersionInfo

	GetVersionID() string
	SetVersionID(string)

	GetSymmetricKeyBase64() string
	SetSymmetricKeyBase64(string)

	GetCreatedAt() *time.Time
	SetCreatedAt(time.Time)

	GetUpdatedAt() *time.Time
	SetUpdatedAt(time.Time)
}

type ListKeysRequest

// ListKeysRequest has no parameters: there is no pagination and no tenant/owner filter,
// so ListKeys returns every key the plugin can see. Any per-caller scoping has to happen
// in the caller.
type ListKeysRequest struct {
}

type ListKeysResponse

// ListKeysResponse lists key IDs only; fetch details with DescribeKey.
type ListKeysResponse struct {
	Keys []KeyListEntry `json:"keys,omitempty"`
}

type Plugin

// Plugin is the full KMS backend contract: identification, access to a Store, and the
// base, symmetric and asymmetric operation sets. A backend that lacks one of the
// operation families still has to implement the method set; it should return an error
// from the unsupported calls rather than silently succeed.
type Plugin interface {
	// Kind reports which PluginKind this plugin implements.
	Kind() PluginKind
	// SetStore injects the Store the plugin persists key records in.
	SetStore(Store)
	BasePlugin
	SymmetricPlugin
	AsymmetricPlugin
}

type PluginCreateFn

// PluginCreateFn constructs a Plugin; one is registered per PluginKind (see PluginFactory).
type PluginCreateFn func(ctx context.Context) Plugin

PluginCreateFn is used to create a kms plugin instance; one constructor is registered per PluginKind (see PluginFactory and RegisterPlugin).

type PluginKind

// PluginKind names a KMS backend; see the PluginKind_* constants. Validate reports whether
// the value is one of them, so it should be checked on any kind that arrives from a request.
type PluginKind string

func (PluginKind) String

func (s PluginKind) String() string

func (PluginKind) Validate

func (s PluginKind) Validate() bool

type PublicKey

// PublicKey is the PEM-encoded public half of an asymmetric CMK plus an algorithm label.
// The RSA padding scheme (OAEP vs PKCS#1 v1.5) and hash are not modelled as separate
// fields; callers encrypting locally must use exactly what the plugin's AsymmetricDecrypt
// expects, which presumably is conveyed by Algorithm — confirm per plugin. Prefer OAEP
// where there is a choice.
type PublicKey struct {
	Pem       string `json:"pem,omitempty"`
	Algorithm string `json:"algorithm,omitempty"`
}

type RequestValidator

// RequestValidator is implemented by the request types that can check themselves before
// being dispatched to a plugin. Callers should run ValidateRequest on every inbound request.
type RequestValidator interface {
	ValidateRequest() error
}

type RotateKeyVersionRequest

// RotateKeyVersionRequest identifies the CMK whose primary key version should be rotated.
type RotateKeyVersionRequest struct {
	KeyID string `json:"keyID,omitempty"`
}

func (*RotateKeyVersionRequest) ValidateRequest

func (req *RotateKeyVersionRequest) ValidateRequest() error

type RotateKeyVersionResponse

// RotateKeyVersionResponse returns the CMK's metadata after rotation; PrimaryKeyVersionID
// identifies the new version. No key material is included.
type RotateKeyVersionResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}

type Store

// Store is the persistence interface for CMK records and their key versions.
// NOTE(review): a KeyInfo record exposes KeyVersionInfo.GetSymmetricKeyBase64, i.e. raw key
// material, so whatever implements this interface (ETCD or MySQL per StoreKind) holds CMK
// material at rest. Whether it is wrapped before storage is not visible from this package;
// verify in the implementation and lock down access to the backend accordingly.
type Store interface {
	// GetKind reports which StoreKind this store implements.
	GetKind() StoreKind

	// CreateKey persists a new CMK record.
	CreateKey(info KeyInfo) error

	// GetKey finds a CMK by keyID.
	GetKey(keyID string) (KeyInfo, error)

	// ListKeysByKind lists the key IDs of all CMKs owned by the given plugin kind.
	ListKeysByKind(kind PluginKind) ([]string, error)

	// DeleteByKeyID deletes a CMK by keyID. Removing key material makes every ciphertext
	// under that CMK (including wrapped DEKs) unrecoverable; KeyStatePendingDeletion exists
	// for a grace period, but nothing in this interface enforces that it was honoured first.
	DeleteByKeyID(keyID string) error

	// GetKeyVersion finds a key version by keyID and keyVersionID.
	GetKeyVersion(keyID, keyVersionID string) (KeyVersionInfo, error)

	// RotateKeyVersion records newKeyVersionInfo for the CMK and presumably makes it the
	// primary version; older versions must stay retrievable so existing data can be decrypted.
	RotateKeyVersion(keyID string, newKeyVersionInfo KeyVersionInfo) (KeyVersionInfo, error)
}

Store is the key-information storage interface. Implementations (ETCD, MySQL per StoreKind) persist KeyInfo records, which include key-version material, so the backing store must be treated as a secret store and access to it restricted.

type StoreCreateFn

// StoreCreateFn constructs a Store; one is registered per StoreKind (see StoreFactory).
type StoreCreateFn func(ctx context.Context) Store

StoreCreateFn is used to create a kms store instance (not a plugin); one constructor is registered per StoreKind (see StoreFactory and RegisterStore).

type StoreKind

// StoreKind names a key-record storage backend; see the StoreKind_* constants. Validate
// reports whether the value is one of them.
type StoreKind string

func (StoreKind) String

func (s StoreKind) String() string

func (StoreKind) Validate

func (s StoreKind) Validate() bool

type SymmetricPlugin

// SymmetricPlugin is the AES side of a KMS plugin: direct Encrypt/Decrypt of small
// payloads (see the 64KiB limit on EncryptRequest), data-key generation for envelope
// encryption, and manual key rotation.
type SymmetricPlugin interface {
	// Encrypt encrypts req.PlaintextBase64 under the CMK identified by req.KeyID.
	Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error)
	// Decrypt decrypts req.CiphertextBase64 under the CMK identified by req.KeyID.
	Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error)
	// GenerateDataKey generates an AES-256 DEK and returns it both in the clear and encrypted by the CMK.
	// Typical usage (envelope encryption):
	// Encrypting data locally:
	// 1. call GenerateDataKey to obtain a DEK (data encryption key)
	// 2. use the plaintext DEK to encrypt the data locally, then clear the plaintext DEK from memory
	// 3. store the encrypted DEK together with the locally encrypted data
	// Decrypting data locally:
	// 1. call Decrypt on the stored encrypted DEK to recover the plaintext DEK
	// 2. use the plaintext DEK to decrypt the data locally, then clear the plaintext DEK from memory
	// NOTE(review): the plaintext DEK arrives as a Go string (GenerateDataKeyResponse.PlaintextBase64),
	// which is immutable and cannot be zeroed, so "clear from memory" is best-effort at most.
	// Decode it into a caller-owned []byte, zero that buffer when finished, never log the
	// response, and keep the string's lifetime as short as possible.
	GenerateDataKey(ctx context.Context, req *GenerateDataKeyRequest) (*GenerateDataKeyResponse, error)
	// RotateKeyVersion manually rotates the CMK's key version; old key versions can still be used to
	// decrypt old data. Rotation therefore limits exposure going forward but does not re-encrypt
	// existing ciphertext or wrapped DEKs.
	RotateKeyVersion(ctx context.Context, req *RotateKeyVersionRequest) (*RotateKeyVersionResponse, error)
}

SymmetricPlugin 对称加密插件。加密流程: 1. 调用 Encrypt 进行加密。解密流程: 1. 调用 Decrypt 进行解密。Encrypt 的明文上限为 64KiB,更大的数据应通过 GenerateDataKey 获取 DEK 做信封加密。
