Index ¶
- Constants
- type KeyEntry
- type KeyType
- type LockManager
- func (lm *LockManager) CacheActive() bool
- func (lm *LockManager) DeletePolicy(storage logical.Storage, name string) error
- func (lm *LockManager) GetPolicyExclusive(storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
- func (lm *LockManager) GetPolicyShared(storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
- func (lm *LockManager) GetPolicyUpsert(req PolicyRequest) (*Policy, *sync.RWMutex, bool, error)
- func (lm *LockManager) UnlockPolicy(lock *sync.RWMutex, lockType bool)
- type Policy
- func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)
- func (p *Policy) DeriveKey(context []byte, ver int) ([]byte, error)
- func (p *Policy) Encrypt(context, nonce []byte, value string) (string, error)
- func (p *Policy) HMACKey(version int) ([]byte, error)
- func (p *Policy) LoadArchive(storage logical.Storage) (*archivedKeys, error)
- func (p *Policy) MigrateKeyToKeysMap()
- func (p *Policy) NeedsUpgrade() bool
- func (p *Policy) Persist(storage logical.Storage) error
- func (p *Policy) Rotate(storage logical.Storage) error
- func (p *Policy) Serialize() ([]byte, error)
- func (p *Policy) Sign(hashedInput []byte) (string, error)
- func (p *Policy) Upgrade(storage logical.Storage) error
- func (p *Policy) VerifySignature(hashedInput []byte, sig string) (bool, error)
- type PolicyRequest
Constants ¶
// KDF modes, persisted in Policy.KDF (json "kdf"). Kdf_hmac_sha256_counter
// must stay at zero (nothing before it in the iota block) so that the default
// of zero remains the old-style KDF.
const (
	Kdf_hmac_sha256_counter = iota // built-in helper
	Kdf_hkdf_sha256                // golang.org/x/crypto/hkdf
)
Be careful with iota: do not put anything before it in this const block, because the zero value must remain the old-style KDF (Kdf_hmac_sha256_counter).
// Key types, persisted in Policy.Type (json "type"). KeyType_AES256_GCM96
// must stay at zero (nothing before it in the iota block) so that the default
// of zero remains the original AES256-GCM96.
const (
	KeyType_AES256_GCM96 = iota // AES-256-GCM; the "96" presumably denotes a 96-bit nonce — confirm
	KeyType_ECDSA_P256          // ECDSA on P-256; see the EC_X/EC_Y/EC_D fields of KeyEntry
)
The same applies to this block: the zero value must remain the original KeyType_AES256_GCM96.
// ErrTooOld is the message returned when a ciphertext or signature was
// produced with a key version the policy no longer accepts (presumably
// governed by Policy.MinDecryptionVersion — confirm against the callers).
// It is a string constant rather than an error value, so callers have to
// match on the message text; errors.Is cannot be used with it.
const ErrTooOld = "ciphertext or signature version is disallowed by policy (too old)"
Types ¶
type KeyEntry ¶
// KeyEntry stores the key material and metadata for one entry of a
// Policy's Keys map. Every field carries a json tag, so a marshaled
// KeyEntry contains the secret material (AESKey, HMACKey, EC_D) alongside
// the public parts; treat serialized entries as sensitive and keep them
// out of logs.
type KeyEntry struct {
	AESKey             []byte   `json:"key"`
	HMACKey            []byte   `json:"hmac_key"`
	CreationTime       int64    `json:"creation_time"` // NOTE(review): presumably a Unix timestamp — confirm
	EC_X               *big.Int `json:"ec_x"`          // EC public point, X coordinate
	EC_Y               *big.Int `json:"ec_y"`          // EC public point, Y coordinate
	EC_D               *big.Int `json:"ec_d"`          // presumably the private scalar (cf. crypto/ecdsa.PrivateKey.D)
	FormattedPublicKey string   `json:"public_key"`
}
KeyEntry stores a key and its metadata.
type KeyType ¶
// KeyType selects the algorithm a Policy uses. Its values are the KeyType_*
// constants, with KeyType_AES256_GCM96 as the zero value. The
// DecryptionSupported, DerivationSupported, EncryptionSupported and
// SigningSupported methods report which operations a type permits.
type KeyType int
func (KeyType) DecryptionSupported ¶
func (KeyType) DerivationSupported ¶
func (KeyType) EncryptionSupported ¶
func (KeyType) SigningSupported ¶
type LockManager ¶
// LockManager hands out policies together with the RWMutex that guards them
// (GetPolicyShared, GetPolicyExclusive, GetPolicyUpsert) and takes the lock
// back via UnlockPolicy. NewLockManager(cacheDisabled) decides whether
// policies are cached; CacheActive reports that setting.
type LockManager struct {
	// contains filtered or unexported fields
}
func NewLockManager ¶
func NewLockManager(cacheDisabled bool) *LockManager
func (*LockManager) CacheActive ¶
func (lm *LockManager) CacheActive() bool
func (*LockManager) DeletePolicy ¶
func (lm *LockManager) DeletePolicy(storage logical.Storage, name string) error
func (*LockManager) GetPolicyExclusive ¶
func (lm *LockManager) GetPolicyExclusive(storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
GetPolicyExclusive returns the policy with an exclusive (write) lock held.
func (*LockManager) GetPolicyShared ¶
func (lm *LockManager) GetPolicyShared(storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
GetPolicyShared returns the policy with a read lock held. If the lookup reports that an exclusive lock is needed (for instance, for an upgrade or migration), it gives up the read lock, retries with an exclusive lock, and then swaps back to a read lock before returning.
func (*LockManager) GetPolicyUpsert ¶
func (lm *LockManager) GetPolicyUpsert(req PolicyRequest) (*Policy, *sync.RWMutex, bool, error)
GetPolicyUpsert gets the policy with a read lock; if the lookup reports that an exclusive lock is needed, it retries with one. On success it calls once more to obtain a read lock and returns the value.
func (*LockManager) UnlockPolicy ¶
func (lm *LockManager) UnlockPolicy(lock *sync.RWMutex, lockType bool)
type Policy ¶
// Policy is the persisted record for one named key: its metadata plus the
// versioned key material in Keys. Because KeyEntry serializes its secret
// fields, a serialized Policy (Serialize/Persist) contains secrets and must
// be handled accordingly.
type Policy struct {
	Name string `json:"name"`
	// Deprecated: single-key layout retained for already-stored policies;
	// MigrateKeyToKeysMap presumably moves it into Keys — confirm.
	Key  []byte      `json:"key,omitempty"`
	Keys keyEntryMap `json:"keys"`

	// Derived keys MUST provide a context and the master underlying key is
	// never used. If convergent encryption is true, the context will be used
	// as the nonce as well.
	Derived bool `json:"derived"`
	// One of the Kdf_* constants; zero is Kdf_hmac_sha256_counter, which is
	// why that constant must stay first in its iota block.
	KDF int `json:"kdf"`
	// NOTE(review): with convergent encryption the nonce is derived from the
	// context (see Derived above), so equal plaintext+context pairs yield
	// equal ciphertext by design — ConvergentVersion selects the nonce scheme.
	ConvergentEncryption bool `json:"convergent_encryption"`

	// Whether the key is exportable
	Exportable bool `json:"exportable"`

	// The minimum version of the key allowed to be used
	// for decryption (presumably what triggers ErrTooOld for older
	// ciphertexts and signatures — confirm)
	MinDecryptionVersion int `json:"min_decryption_version"`

	// The latest key version in this policy
	LatestVersion int `json:"latest_version"`

	// The latest key version in the archive. We never delete these, so this is
	// a max.
	ArchiveVersion int `json:"archive_version"`

	// Whether the key is allowed to be deleted
	DeletionAllowed bool `json:"deletion_allowed"`

	// The version of the convergent nonce to use
	ConvergentVersion int `json:"convergent_version"`

	// The type of key (one of the KeyType_* constants)
	Type KeyType `json:"type"`
}
Policy is the struct used to store a named key's metadata and its key material.
func (*Policy) DeriveKey ¶
DeriveKey returns the encryption key to use according to the policy. If derivation is disabled, the raw key is used and no context is required; otherwise the policy's KDF mode is applied with the context to derive the proper key.
func (*Policy) LoadArchive ¶
func (*Policy) MigrateKeyToKeysMap ¶
func (p *Policy) MigrateKeyToKeysMap()
func (*Policy) NeedsUpgrade ¶
type PolicyRequest ¶
// PolicyRequest holds the values used when asking a LockManager for a policy
// (see LockManager.GetPolicyUpsert). Most values are only consulted during an
// upsert, i.e. when the policy has to be created.
type PolicyRequest struct {
	// The storage to use
	Storage logical.Storage

	// The name of the policy
	Name string

	// The key type (one of the KeyType_* constants)
	KeyType KeyType

	// Whether it should be derived
	Derived bool

	// Whether to enable convergent encryption
	Convergent bool

	// Whether to allow export
	Exportable bool

	// Whether to upsert: create the policy when it does not exist yet
	Upsert bool
}
PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.