Index ¶
- Constants
- Variables
- func IsDueForRotation(nextRotation time.Time, now time.Time) bool
- func IsExpiryTooLong(expiry time.Time, now time.Time) bool
- func IsOverdueForRotation(nextRotation time.Time, now time.Time) bool
- func NextExpiryTime(now time.Time) time.Time
- func NextRotation(expiry time.Time) time.Time
Constants ¶
const (
	// PrimaryKeyRsaKeyBits is the RSA modulus size, in bits, used when
	// generating the long-lived primary key. 4096 follows the Mozilla
	// infosec key-management guideline for keys expected to stay in
	// service for up to ~10 years:
	// https://infosec.mozilla.org/guidelines/key_management#recommended---generally-valid-for-up-to-10-years-default
	PrimaryKeyRsaKeyBits = 4096

	// EncryptionSubkeyRsaKeyBits is the RSA modulus size, in bits, used
	// for encryption subkeys. Subkeys are short-lived (they are expired
	// and rotated on the schedule described by NextExpiryTime), so a
	// smaller modulus than the primary key is acceptable.
	// NOTE(review): 2048 is the commonly cited floor for RSA; do not
	// lower it further without revisiting the rotation schedule.
	EncryptionSubkeyRsaKeyBits = 2048
)
Variables ¶
var (
	// AdvertiseCipherPreferences is written into the self signature to
	// tell correspondents which symmetric ciphers we prefer, strongest
	// first. CAST5 is a 64-bit block cipher and is deliberately last so
	// that it is only selected when a recipient supports no AES variant.
	AdvertiseCipherPreferences = []uint8{
		symmetric.AES256,
		symmetric.AES192,
		symmetric.AES128,
		symmetric.CAST5,
	}

	// AcceptablePreferredSymmetricAlgorithms lists the exact preference
	// orderings we treat as fine (i.e. no warning is raised). Order is
	// significant: {AES256, CAST5} and {CAST5, AES256} are different
	// entries, because the first element is the one a sender will pick.
	AcceptablePreferredSymmetricAlgorithms = [][]uint8{
		{symmetric.AES256, symmetric.AES192, symmetric.AES128, symmetric.CAST5},
		{symmetric.AES256, symmetric.AES192, symmetric.AES128},
	}

	// SupportedSymmetricKeyAlgorithms lists the ciphers we are able to
	// decrypt. Inclusion here does not mean endorsement: TripleDES is
	// present only so that material encrypted by peers who chose it can
	// still be read, and it is never advertised (see
	// AdvertiseCipherPreferences).
	SupportedSymmetricKeyAlgorithms = []uint8{
		symmetric.AES128,
		symmetric.AES192,
		symmetric.AES256,
		symmetric.CAST5,
		symmetric.TripleDES,
	}

	// AdvertiseCompressionPreferences is written into the self signature
	// to tell correspondents which compression algorithms we prefer, in
	// order. BZIP2 is omitted because Go's OpenPGP implementation does not
	// support it.
	//
	// Riseup's OpenPGP best practice settings specify:
	//
	//   > default-preference-list [...] ZLIB BZIP2 ZIP Uncompressed
	//
	// https://tools.ietf.org/html/rfc4880#section-9.3
	AdvertiseCompressionPreferences = []uint8{
		compression.ZLIB,
		compression.ZIP,
		compression.Uncompressed,
	}

	// AdvertiseHashPreferences is written into the self signature to tell
	// correspondents which digest algorithms we prefer, in order.
	//
	// Note that clients implicitly fall back to SHA1 when none of the
	// advertised digests is available, which is why only the SHA-2
	// family is listed here.
	//
	// Riseup's OpenPGP best practice settings specify:
	//
	//   > personal-digest-preferences SHA512 SHA384 SHA256 SHA224
	//
	// https://tools.ietf.org/html/rfc4880#section-9.4
	AdvertiseHashPreferences = []uint8{
		hash.Sha512,
		hash.Sha384,
		hash.Sha256,
		hash.Sha224,
	}

	// AcceptablePreferredHashAlgorithms lists the exact digest preference
	// orderings we treat as fine (i.e. no warning is raised). As with the
	// cipher list, order is significant: {SHA256, RIPEMD160} is not the
	// same entry as {RIPEMD160, SHA256}.
	AcceptablePreferredHashAlgorithms = [][]uint8{
		{hash.Sha512, hash.Sha384, hash.Sha256, hash.Sha224},
		{hash.Sha512, hash.Sha384, hash.Sha256, hash.Sha224, hash.Ripemd160},
	}

	// SupportedHashAlgorithms lists the digests we are technically able to
	// handle. MD5 and SHA1 appear here only so existing material can be
	// processed; neither is advertised (AdvertiseHashPreferences) nor
	// accepted on our own signatures (AcceptableSignatureHashes).
	SupportedHashAlgorithms = []uint8{
		hash.Md5,
		hash.Sha1,
		hash.Ripemd160,
		hash.Sha224,
		hash.Sha256,
		hash.Sha384,
		hash.Sha512,
	}

	// AcceptableSignatureHashes lists the digests we consider acceptable
	// on self signatures (over UIDs) and on subkey binding signatures.
	// Anything outside the SHA-2 family is rejected.
	AcceptableSignatureHashes = []crypto.Hash{
		crypto.SHA512,
		crypto.SHA256,
		crypto.SHA384,
		crypto.SHA224,
	}

	// SignatureHashFunction is the digest used when we generate self
	// signatures and subkey binding signatures. It must remain a member
	// of AcceptableSignatureHashes, otherwise our own signatures would
	// fail our own policy check.
	SignatureHashFunction = crypto.SHA512
)
Functions ¶
func IsDueForRotation ¶
IsDueForRotation returns true if `now` is any time after the key's next rotation time. Compare IsOverdueForRotation, which only reports true once `now` is more than 10 days past that time.
func IsExpiryTooLong ¶
IsExpiryTooLong returns true if the expiry is too far in the future.
It's important not to raise this warning for expiries that we've set ourselves. We use `NextExpiryTime` such that when we set an expiry date it's *exactly* on the cusp of being too long, and can only get shorter after that point. The two must therefore be kept in step: relaxing the policy in `NextExpiryTime` without relaxing `IsExpiryTooLong` would make every freshly-set expiry trigger this warning.
func IsOverdueForRotation ¶
IsOverdueForRotation returns true if `now` is more than 10 days after `nextRotation`, i.e. a rotation that IsDueForRotation has already flagged still has not happened after a 10-day grace period.
func NextExpiryTime ¶
NextExpiryTime returns the expiry time in UTC, according to the policy:
"30 days after the 1st of the next month"
For example, if today is 15th September, NextExpiryTime returns 1st October + 30 days, i.e. 31st October.