cryptoprov

package
v0.8.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 3, 2021 License: Apache-2.0 Imports: 25 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrInvalidPrivateKeyURI = errors.New("invalid URI for private key object")

ErrInvalidPrivateKeyURI is returned if the PKCS #11 URI is invalid for the private key object

View Source
var ErrInvalidURI = errors.New("invalid URI")

ErrInvalidURI is returned if the PKCS #11 URI is invalid.

Functions

func GcmDecrypt

func GcmDecrypt(ciphertext []byte, key []byte) ([]byte, error)

GcmDecrypt returns decrypted blob with GCM cipher

func GcmEncrypt

func GcmEncrypt(plaintext []byte, key []byte) ([]byte, error)

GcmEncrypt returns encrypted blob with GCM cipher

func ParsePrivateKeyDER

func ParsePrivateKeyDER(keyDER []byte) (crypto.PrivateKey, error)

ParsePrivateKeyDER parses a PKCS #1, PKCS #8, ECDSA DER-encoded private key. The key must not be in PEM format.

func ParsePrivateKeyPEM

func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.PrivateKey, err error)

ParsePrivateKeyPEM parses and returns a PEM-encoded private key. The private key may be either an unencrypted PKCS#8, PKCS#1, or elliptic private key.

func ParsePrivateKeyPEMWithPassword

func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.PrivateKey, err error)

ParsePrivateKeyPEMWithPassword parses and returns a PEM-encoded private key. The private key may be a potentially encrypted PKCS#8, PKCS#1, or elliptic private key.

func Register

func Register(manufacturer string, loader ProviderLoader) error

Register provider loader by manufacturer

Types

type Crypto

type Crypto struct {
	// contains filtered or unexported fields
}

Crypto exposes instances of Provider

func Load

func Load(defaultConfig string, providersConfigs []string) (*Crypto, error)

Load returns Crypto with loaded providers from the given config locations

func New

func New(defaultProvider Provider, providers []Provider) (*Crypto, error)

New creates an instance of Crypto providers

func (*Crypto) Add

func (c *Crypto) Add(p Provider) error

Add will add new provider

func (*Crypto) ByManufacturer

func (c *Crypto) ByManufacturer(manufacturer string) (Provider, error)

ByManufacturer returns a provider by manufacturer

func (*Crypto) Default

func (c *Crypto) Default() Provider

Default returns a default crypto provider

func (*Crypto) LoadGPGPrivateKey

func (c *Crypto) LoadGPGPrivateKey(creationTime time.Time, key []byte) (*packet.PrivateKey, error)

LoadGPGPrivateKey returns GPG private key. The input key can be in PEM encoded format, or PKCS11 URI.

func (*Crypto) LoadPrivateKey

func (c *Crypto) LoadPrivateKey(key []byte) (Provider, crypto.PrivateKey, error)

LoadPrivateKey returns crypto.PrivateKey. The input key can be in PEM encoded format, or PKCS11 URI.

func (*Crypto) LoadTLSKeyPair

func (c *Crypto) LoadTLSKeyPair(certFile, keyFile string) (*tls.Certificate, error)

LoadTLSKeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data. The certificate file may contain intermediate certificates following the leaf certificate to form a certificate chain. On successful return, Certificate.Leaf will be nil because the parsed form of the certificate is not retained.

func (*Crypto) TLSKeyPair

func (c *Crypto) TLSKeyPair(certPEMBlock, keyPEMBlock []byte) (*tls.Certificate, error)

TLSKeyPair parses a public/private key pair from a pair of PEM encoded data. On successful return, Certificate.Leaf will be nil because the parsed form of the certificate is not retained.

type KeyGenerator

type KeyGenerator interface {
	// GenerateRSAKey returns RSA key for purpose: 1-signing, 2-encryption
	GenerateRSAKey(label string, bits int, purpose int) (crypto.PrivateKey, error)
	GenerateECDSAKey(label string, curve elliptic.Curve) (crypto.PrivateKey, error)
	IdentifyKey(crypto.PrivateKey) (keyID, label string, err error)
	ExportKey(keyID string) (string, []byte, error)
	GetKey(keyID string) (crypto.PrivateKey, error)
}

KeyGenerator defines interface for key generation operations

type KeyManager

type KeyManager interface {
	CurrentSlotID() uint
	EnumTokens(currentSlotOnly bool, slotInfoFunc func(slotID uint, description, label, manufacturer, model, serial string) error) error
	EnumKeys(slotID uint, prefix string, keyInfoFunc func(id, label, typ, class, currentVersionID string, creationTime *time.Time) error) error
	DestroyKeyPairOnSlot(slotID uint, keyID string) error
	FindKeyPairOnSlot(slotID uint, keyID, label string) (crypto.PrivateKey, error)
	KeyInfo(slotID uint, keyID string, includePublic bool, keyInfoFunc func(id, label, typ, class, currentVersionID, pubKey string, creationTime *time.Time) error) error
}

KeyManager defines interface for key management operations

type PrivateKeyURI

type PrivateKeyURI interface {
	// Token manufacturer
	Manufacturer() string

	// Model manufacturer
	Model() string

	// Token serial number
	TokenSerial() string

	// Token label
	TokenLabel() string

	// Key ID
	ID() string
}

PrivateKeyURI holds PKCS#11 private key information.

A token may be identified either by serial number or label. If both are specified then the first match wins.

func ParsePrivateKeyURI

func ParsePrivateKeyURI(uri string) (PrivateKeyURI, error)

ParsePrivateKeyURI parses a PKCS #11 URI into a key configuration

type Provider

type Provider interface {
	KeyGenerator
	Manufacturer() string
	Model() string
}

Provider defines an interface to work with crypto providers: HSM, SoftHSM, KMS, crytpto

func Crypto11Loader

func Crypto11Loader(cfg TokenConfig) (Provider, error)

Crypto11Loader provides loader for crypto11 provider

func LoadProvider

func LoadProvider(configLocation string) (Provider, error)

LoadProvider load a single provider

type ProviderLoader

type ProviderLoader func(cfg TokenConfig) (Provider, error)

ProviderLoader is interface for loading provider by manufacturer

func Unregister

func Unregister(manufacturer string) (ProviderLoader, error)

Unregister provider loader by manufacturer

type TokenConfig

type TokenConfig interface {
	// Manufacturer name of the manufacturer
	Manufacturer() string

	// Model name of the device
	Model() string

	// Full path to PKCS#11 library
	Path() string

	// Token serial number
	TokenSerial() string

	// Token label
	TokenLabel() string

	// Pin is a secret to access the token.
	// If it's prefixed with `file:`, then it will be loaded from the file.
	Pin() string

	// Comma separated key=value pair of attributes(e.g. "ServiceName=x,UserName=y")
	Attributes() string
}

TokenConfig holds PKCS#11 configuration information.

A token may be identified either by serial number or label. If both are specified then the first match wins.

Supply this to Configure(), or alternatively use ConfigureFromFile().

func LoadTokenConfig

func LoadTokenConfig(filename string) (TokenConfig, error)

LoadTokenConfig loads PKCS#11 token configuration

func ParseTokenURI

func ParseTokenURI(uri string) (TokenConfig, error)

ParseTokenURI parses a PKCS #11 URI into a PKCS #11 configuration. Note that the module path will override the module name if present.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL