Overview
Package yckms implements the signature.SignerVerifier interface on top of the Yandex Cloud KMS service, together with utilities for parsing and validating yckms:// key references. Private-key operations (signing, key creation) are performed by the KMS service; the public key can be fetched so that signatures are verifiable without further calls to the service.
Index ¶
- Constants
- func ParseReference(referenceStr string) (endpoint, keyID, folderID, keyName string, err error)
- func ValidReference(ref string) error
- type SignerVerifier
- func (y *SignerVerifier) CreateKey(ctx context.Context, algorithm string) (crypto.PublicKey, error)
- func (y *SignerVerifier) CryptoSigner(ctx context.Context, errFunc func(error)) (crypto.Signer, crypto.SignerOpts, error)
- func (*SignerVerifier) DefaultAlgorithm() string
- func (y *SignerVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.PublicKey, error)
- func (y *SignerVerifier) SignMessage(message io.Reader, opts ...signature.SignOption) ([]byte, error)
- func (*SignerVerifier) SupportedAlgorithms() (result []string)
- func (y *SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signature.VerifyOption) (err error)
Constants ¶
// Key-reference and credential-source constants.
const (
	// ReferenceScheme is the URI scheme prefix of a Yandex Cloud KMS key
	// reference, as consumed by ParseReference, ValidReference and
	// LoadSignerVerifier.
	ReferenceScheme = "yckms://"
	// EnvYcIAMToken names the environment variable holding a Yandex Cloud
	// IAM token.
	EnvYcIAMToken = "YC_IAM_TOKEN"
	// EnvYcOAuthToken names the environment variable holding a Yandex Cloud
	// OAuth token.
	EnvYcOAuthToken = "YC_OAUTH_TOKEN"
	// EnvYcServiceAccountKeyFile names the environment variable holding the
	// path to a service-account key file.
	EnvYcServiceAccountKeyFile = "YC_SERVICE_ACCOUNT_KEY_FILE"
	// NOTE(review): all three variables point at credentials that authorize
	// use of the signing key. Treat the process environment and the key file
	// as secrets: restrict file permissions, keep them out of logs and CI
	// output, and prefer the short-lived IAM token where possible. Which
	// source wins when several are set is not visible here — check the
	// implementation before relying on any precedence.
)
// Algorithm identifiers reported by SupportedAlgorithms and, presumably, the
// values CreateKey expects in its algorithm argument. Each name encodes the key
// type/size and the digest used with it. Note the set is deliberately narrow:
// only ECDSA on the NIST P-curves and RSA with PSS padding appear — there is no
// RSA PKCS#1 v1.5 or Ed25519 entry, and RSA keys start at 2048 bits.
const (
	Algorithm_ECDSA_NIST_P256_SHA_256 = "ecdsa-nist-p256-sha256"
	Algorithm_ECDSA_NIST_P384_SHA_384 = "ecdsa-nist-p384-sha384"
	Algorithm_ECDSA_NIST_P521_SHA_512 = "ecdsa-nist-p521-sha512"
	// RSA-PSS variants: the first number is the modulus size in bits, the
	// last is the SHA-2 digest length.
	Algorithm_RSA_2048_SIGN_PSS_SHA_256 = "rsa-2048-pss-sha256"
	Algorithm_RSA_2048_SIGN_PSS_SHA_384 = "rsa-2048-pss-sha384"
	Algorithm_RSA_2048_SIGN_PSS_SHA_512 = "rsa-2048-pss-sha512"
	Algorithm_RSA_3072_SIGN_PSS_SHA_256 = "rsa-3072-pss-sha256"
	Algorithm_RSA_3072_SIGN_PSS_SHA_384 = "rsa-3072-pss-sha384"
	Algorithm_RSA_3072_SIGN_PSS_SHA_512 = "rsa-3072-pss-sha512"
	Algorithm_RSA_4096_SIGN_PSS_SHA_256 = "rsa-4096-pss-sha256"
	Algorithm_RSA_4096_SIGN_PSS_SHA_384 = "rsa-4096-pss-sha384"
	Algorithm_RSA_4096_SIGN_PSS_SHA_512 = "rsa-4096-pss-sha512"
)
Variables ¶
This section is empty.
Functions ¶
func ParseReference
ParseReference parses a yckms-scheme key reference (a string beginning with ReferenceScheme, "yckms://") into its constituent parts: the KMS endpoint, the key ID, the folder ID and the key name. err is non-nil when the string cannot be parsed as such a reference; the other return values should not be used in that case.
func ValidReference
ValidReference returns a non-nil error if the reference string is not a valid yckms:// key reference, and nil otherwise.
Types ¶
type SignerVerifier ¶
// SignerVerifier is a signature.SignerVerifier backed by Yandex Cloud KMS.
// Signing is performed by the KMS service (see SignMessage), while
// verification can be done locally with the key's public key (see
// LoadSignerVerifier and PublicKey). Obtain an instance through
// LoadSignerVerifier.
type SignerVerifier struct {
	// contains filtered or unexported fields
}
SignerVerifier is a signature.SignerVerifier that uses the Yandex Cloud Key Management Service.
func LoadSignerVerifier ¶
func LoadSignerVerifier(ctx context.Context, referenceStr string) (*SignerVerifier, error)
LoadSignerVerifier returns a SignerVerifier that generates signatures using the key identified by referenceStr (a yckms:// reference; see ParseReference) in Yandex Cloud KMS, with the hash algorithm that goes with that key.
It can also verify signatures locally using the public key, so verifiers need no KMS credentials. The hash function in use must not be crypto.Hash(0).
func (*SignerVerifier) CreateKey ¶
CreateKey attempts to create a new key in Yandex Cloud KMS with the specified algorithm (expected to be one of the Algorithm_* constants; see SupportedAlgorithms) and returns the new key's public key. Creating keys requires correspondingly privileged credentials; the signer's normal operation only needs permission to sign.
func (*SignerVerifier) CryptoSigner ¶
func (y *SignerVerifier) CryptoSigner(ctx context.Context, errFunc func(error)) (crypto.Signer, crypto.SignerOpts, error)
CryptoSigner returns a crypto.Signer that delegates signing to the underlying SignerVerifier, together with the crypto.SignerOpts to pass alongside it, so that the KMS-backed key can be used in APIs that only accept the standard Go crypto interfaces. errFunc, if non-nil, is presumably the channel for errors that cannot be surfaced through those interfaces — confirm against the implementation before relying on it.
func (*SignerVerifier) DefaultAlgorithm ¶
func (*SignerVerifier) DefaultAlgorithm() string
DefaultAlgorithm returns the default algorithm for the YC KMS service. Which algorithm that is is not stated here; callers that need a specific key type should pass an explicit Algorithm_* value to CreateKey rather than depend on the default.
func (*SignerVerifier) PublicKey ¶
func (y *SignerVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.PublicKey, error)
PublicKey returns the public key that can be used to verify signatures created by this signer. If the caller wishes to specify the context to use to obtain the public key, pass option.WithContext(desiredCtx).
All other options are ignored if specified.
func (*SignerVerifier) SignMessage ¶
func (y *SignerVerifier) SignMessage(message io.Reader, opts ...signature.SignOption) ([]byte, error)
SignMessage signs the provided message using Yandex Cloud KMS. The message is read from the io.Reader and its digest is computed with the hash function established when the SignerVerifier was created; the signature bytes are returned as produced by the service.
func (*SignerVerifier) SupportedAlgorithms ¶
func (*SignerVerifier) SupportedAlgorithms() (result []string)
SupportedAlgorithms returns the list of algorithms supported by Yandex Cloud KMS service
func (*SignerVerifier) VerifySignature ¶
func (y *SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signature.VerifyOption) (err error)
VerifySignature verifies sig against the given message. Unless a digest is supplied through an option, the digest of the message is computed with the hash function established when the SignerVerifier was created. Per LoadSignerVerifier, verification can be performed locally with the key's public key rather than by a call to the service.