Documentation ¶
Index ¶
- Variables
- func Decrypt(privKeyObjs []*Pkcs11KeyFileObject, pkcs11blobstr []byte) ([]byte, error)
- func EncryptMultiple(pubKeys []interface{}, data []byte) ([]byte, error)
- func GetDefaultModuleDirectories() []string
- func GetDefaultModuleDirectoriesYaml(indent string) string
- func IsPkcs11PrivateKey(yamlstr []byte) bool
- func IsPkcs11PublicKey(yamlstr []byte) bool
- func ParsePkcs11Uri(uri string) (*pkcs11uri.Pkcs11URI, error)
- type Pkcs11Blob
- type Pkcs11Config
- type Pkcs11KeyFile
- type Pkcs11KeyFileObject
- type Pkcs11Recipient
Constants ¶
This section is empty.
Variables ¶
var (
	// OAEPLabel defines the label we use for OAEP encryption; this cannot be changed
	OAEPLabel = []byte("")

	// OAEPSha1Params describes the OAEP parameters with sha1 hash algorithm; needed by SoftHSM
	OAEPSha1Params = &pkcs11.OAEPParams{
		HashAlg:    pkcs11.CKM_SHA_1,
		MGF:        pkcs11.CKG_MGF1_SHA1,
		SourceType: pkcs11.CKZ_DATA_SPECIFIED,
		SourceData: OAEPLabel,
	}

	// OAEPSha256Params describes the OAEP parameters with sha256 hash algorithm
	OAEPSha256Params = &pkcs11.OAEPParams{
		HashAlg:    pkcs11.CKM_SHA256,
		MGF:        pkcs11.CKG_MGF1_SHA256,
		SourceType: pkcs11.CKZ_DATA_SPECIFIED,
		SourceData: OAEPLabel,
	}
)
Functions ¶
func Decrypt ¶
func Decrypt(privKeyObjs []*Pkcs11KeyFileObject, pkcs11blobstr []byte) ([]byte, error)
Decrypt tries to decrypt one of the recipients' blobs using a pkcs11 private key. The input pkcs11blobstr is a string with the following format:

{
  "recipients": [ // recipient list
    {
      "version": 0,
      "blob": <base64 encoded RSA OAEP encrypted blob>,
      "hash": <hash used for OAEP other than 'sha1'>
    },
    {
      "version": 0,
      "blob": <base64 encoded RSA OAEP encrypted blob>,
      "hash": <hash used for OAEP other than 'sha1'>
    },
    [...]
  ]
}

Note: More recent versions of this code explicitly write 'sha1' while older versions left it empty in case of 'sha1'.
func EncryptMultiple ¶
EncryptMultiple encrypts for one or multiple pkcs11 devices; the public keys passed to this function may either be *rsa.PublicKey or *pkcs11uri.Pkcs11URI; the returned byte array is a JSON string of the following format:

{
  "recipients": [ // recipient list
    {
      "version": 0,
      "blob": <base64 encoded RSA OAEP encrypted blob>,
      "hash": <hash used for OAEP other than 'sha256'>
    },
    {
      "version": 0,
      "blob": <base64 encoded RSA OAEP encrypted blob>,
      "hash": <hash used for OAEP other than 'sha256'>
    },
    [...]
  ]
}
func GetDefaultModuleDirectories ¶
func GetDefaultModuleDirectories() []string
GetDefaultModuleDirectories returns module directories covering a variety of Linux distros
func GetDefaultModuleDirectoriesYaml ¶
GetDefaultModuleDirectoriesYaml returns the default module directories formatted for YAML
func IsPkcs11PrivateKey ¶
IsPkcs11PrivateKey checks whether the given YAML represents a Pkcs11 private key
func IsPkcs11PublicKey ¶
IsPkcs11PublicKey checks whether the given YAML represents a Pkcs11 public key
Types ¶
type Pkcs11Blob ¶
type Pkcs11Blob struct {
	Version    uint              `json:"version"`
	Recipients []Pkcs11Recipient `json:"recipients"`
}
Pkcs11Blob holds the encrypted blobs for all recipients; this is what we will put into the image's annotations
type Pkcs11Config ¶
type Pkcs11Config struct {
	ModuleDirectories  []string `yaml:"module-directories"`
	AllowedModulePaths []string `yaml:"allowed-module-paths"`
}
Pkcs11Config describes the layout of a pkcs11 config file. The file has the following yaml format:

module-directories:
- /usr/lib64/pkcs11/
allowed-module-paths:
- /usr/lib64/pkcs11/libsofthsm2.so
func ParsePkcs11ConfigFile ¶
func ParsePkcs11ConfigFile(yamlstr []byte) (*Pkcs11Config, error)
ParsePkcs11ConfigFile parses a pkcs11 config file that influences the module search behavior as well as the set of modules that users are allowed to use
type Pkcs11KeyFile ¶
type Pkcs11KeyFile struct {
	Pkcs11 struct {
		Uri string `yaml:"uri"`
	} `yaml:"pkcs11"`
	Module struct {
		Env map[string]string `yaml:"env,omitempty"`
	} `yaml:"module"`
}
Pkcs11KeyFile describes the format of the pkcs11 (private) key file. It also carries pkcs11 module related environment variables that are transferred to the Pkcs11URI object and activated when the pkcs11 module is used.
type Pkcs11KeyFileObject ¶
Pkcs11KeyFileObject is a representation of the Pkcs11KeyFile with the pkcs11 URI as an object
func ParsePkcs11KeyFile ¶
func ParsePkcs11KeyFile(yamlstr []byte) (*Pkcs11KeyFileObject, error)
ParsePkcs11KeyFile parses a pkcs11 key file holding a pkcs11 URI describing a private key. The file has the following yaml format:

pkcs11:
  uri: <pkcs11 uri>

An error is returned if the pkcs11 URI is malformed
type Pkcs11Recipient ¶
type Pkcs11Recipient struct {
	Version uint   `json:"version"`
	Blob    string `json:"blob"`
	Hash    string `json:"hash,omitempty"`
}
Pkcs11Recipient holds the b64-encoded and encrypted blob for a particular recipient