Documentation ¶
Overview ¶
Package keys defines the interface to and implementation of key management operations.
Although exported, this package is non intended for general consumption. It is a shared dependency between multiple exposure notifications projects. We cannot guarantee that there won't be breaking changes in the future.
Index ¶
- func TestEncryptionKey(tb testing.TB, kms KeyManager) string
- func TestSigningKey(tb testing.TB, kms KeyManager) string
- type AWSKMS
- type AZKeyID
- type AzureKeyVault
- func (v *AzureKeyVault) CreateKeyVersion(ctx context.Context, parent string) (string, error)
- func (v *AzureKeyVault) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
- func (v *AzureKeyVault) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (v *AzureKeyVault) DestroyKeyVersion(ctx context.Context, id string) error
- func (v *AzureKeyVault) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (v *AzureKeyVault) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (v *AzureKeyVault) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type AzureKeyVaultSigner
- type CloudKMSSigningKeyVersion
- type Config
- type EncryptionKeyManager
- type Filesystem
- func (k *Filesystem) CreateEncryptionKey(_ context.Context, parent, name string) (string, error)
- func (k *Filesystem) CreateKeyVersion(_ context.Context, parent string) (string, error)
- func (k *Filesystem) CreateSigningKey(_ context.Context, parent, name string) (string, error)
- func (k *Filesystem) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (k *Filesystem) DestroyKeyVersion(_ context.Context, id string) error
- func (k *Filesystem) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (k *Filesystem) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (k *Filesystem) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type GoogleCloudKMS
- func (kms *GoogleCloudKMS) CreateKeyVersion(ctx context.Context, parent string) (string, error)
- func (kms *GoogleCloudKMS) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
- func (kms *GoogleCloudKMS) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (kms *GoogleCloudKMS) DestroyKeyVersion(ctx context.Context, id string) error
- func (kms *GoogleCloudKMS) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (kms *GoogleCloudKMS) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (kms *GoogleCloudKMS) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type HCValueKeyID
- type HashiCorpVault
- func (v *HashiCorpVault) CreateKeyVersion(ctx context.Context, parent string) (string, error)
- func (v *HashiCorpVault) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
- func (v *HashiCorpVault) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (v *HashiCorpVault) DestroyKeyVersion(ctx context.Context, id string) error
- func (v *HashiCorpVault) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (v *HashiCorpVault) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (v *HashiCorpVault) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type HashiCorpVaultSigner
- type KeyManager
- func KeyManagerFor(ctx context.Context, config *Config) (KeyManager, error)
- func NewAWSKMS(ctx context.Context) (KeyManager, error)
- func NewAzureKeyVault(ctx context.Context) (KeyManager, error)
- func NewGoogleCloudKMS(ctx context.Context, config *Config) (KeyManager, error)
- func NewHashiCorpVault(ctx context.Context) (KeyManager, error)
- func TestKeyManager(tb testing.TB) KeyManager
- type KeyManagerType
- type KeyVersionCreator
- type KeyVersionDestroyer
- type SigningKeyManager
- type SigningKeyVersion
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func TestEncryptionKey ¶ added in v0.7.0
func TestEncryptionKey(tb testing.TB, kms KeyManager) string
TestEncryptionKey creates a new encryption key and key version in the given key manager. If the provided key manager does not support managing encryption keys, it calls t.Fatal.
func TestSigningKey ¶ added in v0.7.0
func TestSigningKey(tb testing.TB, kms KeyManager) string
TestSigningKey creates a new signing key and key version in the given key manager. If the provided key manager does not support managing signing keys, it calls t.Fatal.
Types ¶
type AWSKMS ¶
type AWSKMS struct {
// contains filtered or unexported fields
}
AWSKMS implements the keys.KeyManager interface and can be used to sign export files using AWS KMS.
type AZKeyID ¶
func ParseAZKeyID ¶
type AzureKeyVault ¶
type AzureKeyVault struct {
// contains filtered or unexported fields
}
AzureKeyVault implements the keys.KeyManager interface and can be used to sign export files.
func (*AzureKeyVault) CreateKeyVersion ¶ added in v0.8.0
CreateKeyVersion creates a new key version for the given parent, returning the ID of the new version. The parent key must already exist.
func (*AzureKeyVault) CreateSigningKey ¶ added in v0.8.0
CreateSigningKey creates a new signing key in the given parent, returning the id. If the key already exists, it returns the key's id.
func (*AzureKeyVault) DestroyKeyVersion ¶ added in v0.8.0
func (v *AzureKeyVault) DestroyKeyVersion(ctx context.Context, id string) error
DestroyKeyVersion destroys the given key version, if it exists. If the version does not exist, it should not return an error.
func (*AzureKeyVault) NewSigner ¶
NewSigner creates a new signer that uses a key in HashiCorp Vault's transit backend. The keyID in the format:
AZURE_KEY_VAULT_NAME/SECRET_NAME/SECRET_VERSION
For example:
my-company-vault/api-key/1
Both name and version are required.
func (*AzureKeyVault) SigningKeyVersions ¶ added in v0.8.0
func (v *AzureKeyVault) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions returns the list of signing keys for the provided parent. If the parent does not exist, it returns an error.
type AzureKeyVaultSigner ¶
type AzureKeyVaultSigner struct {
// contains filtered or unexported fields
}
func NewAzureKeyVaultSigner ¶
func NewAzureKeyVaultSigner(ctx context.Context, client *keyvault.BaseClient, vault, key, version string) (*AzureKeyVaultSigner, error)
NewAzureKeyVaultSigner creates a new signing interface compatible with HashiCorp Vault's transit backend. The key name and key version are required.
func (*AzureKeyVaultSigner) Public ¶
func (s *AzureKeyVaultSigner) Public() crypto.PublicKey
Public returns the public key. The public key is fetched when the signer is created.
func (*AzureKeyVaultSigner) Sign ¶
func (s *AzureKeyVaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error)
Sign signs the given digest using the public key.
type CloudKMSSigningKeyVersion ¶ added in v0.5.0
type CloudKMSSigningKeyVersion struct {
// contains filtered or unexported fields
}
func (*CloudKMSSigningKeyVersion) CreatedAt ¶ added in v0.5.0
func (k *CloudKMSSigningKeyVersion) CreatedAt() time.Time
func (*CloudKMSSigningKeyVersion) DestroyedAt ¶ added in v0.5.0
func (k *CloudKMSSigningKeyVersion) DestroyedAt() time.Time
func (*CloudKMSSigningKeyVersion) KeyID ¶ added in v0.5.0
func (k *CloudKMSSigningKeyVersion) KeyID() string
type Config ¶
type Config struct { KeyManagerType KeyManagerType `env:"KEY_MANAGER, default=GOOGLE_CLOUD_KMS"` // CreateHSMKeys indicates than when keys are creating, HSM level // protection should or should not be used if available. // Adherence to this config setting is optional and based // upon the key manager implementation and underlying capabilities. CreateHSMKeys bool `env:"CREATE_HSM_KEYS, default=true"` // FilesystemRoot is the root path where keys are managed on the filesystem. FilesystemRoot string `env:"KEY_FILESYSTEM_ROOT"` }
Config defines configuration.
type EncryptionKeyManager ¶ added in v0.7.0
type EncryptionKeyManager interface { // CreateEncryptionKey creates a new encryption key in the given parent, // returning the id. If the key already exists, it returns the key's id. CreateEncryptionKey(ctx context.Context, parent, name string) (string, error) KeyVersionCreator KeyVersionDestroyer }
EncryptionKeyManager supports extended management of encryption keys, versions, and rotation.
type Filesystem ¶ added in v0.7.0
type Filesystem struct {
// contains filtered or unexported fields
}
Filesystem is a key manager that uses the filesystem to store and retrieve keys. It should only be used for local development and testing.
func NewFilesystem ¶ added in v0.7.0
func NewFilesystem(ctx context.Context, root string) (*Filesystem, error)
NewFilesystem creates a new KeyManager backed by the local filesystem. It should only be used for development and testing.
If root is provided and does not exist, it will be created. If root is a relative path, it's relative to where the process is currently executing. If root is not supplied, all data is dumped in the current working directory.
In general, root should either be a hardcoded path like $(pwd)/local or a temporary directory like os.TempDir().
func (*Filesystem) CreateEncryptionKey ¶ added in v0.7.0
CreateEncryptionKey creates an encryption key. For this implementation, that means it creates a folder on disk (but no keys inside). If the folder already exists, it returns its name.
func (*Filesystem) CreateKeyVersion ¶ added in v0.7.0
CreateKeyVersion creates a new key version for the parent. If the parent is a signing key, it creates a signing key. If the parent is an encryption key, it creates an encryption key. If the parent does not exist, it returns an error.
func (*Filesystem) CreateSigningKey ¶ added in v0.7.0
CreateSigningKey creates a signing key. For this implementation, that means it creates a folder on disk (but no keys inside). If the folder already exists, it returns its name.
func (*Filesystem) Decrypt ¶ added in v0.7.0
func (k *Filesystem) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
Decrypt decrypts the ciphertext. It returns an error if decryption fails or if the key does not exist.
func (*Filesystem) DestroyKeyVersion ¶ added in v0.7.0
func (k *Filesystem) DestroyKeyVersion(_ context.Context, id string) error
DestroyKeyVersion destroys the given key version. It does nothing if the key does not exist.
func (*Filesystem) Encrypt ¶ added in v0.7.0
func (k *Filesystem) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
Encrypt encrypts the given plaintext and aad with the key. If the key does not exist, it returns an error.
func (*Filesystem) NewSigner ¶ added in v0.7.0
NewSigner creates a new signer from the given key. If the key does not exist, it returns an error. If the key is not a signing key, it returns an error.
func (*Filesystem) SigningKeyVersions ¶ added in v0.7.0
func (k *Filesystem) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions lists all the versions for the given parent. If the provided parent is not a signing key, it returns an error.
type GoogleCloudKMS ¶
type GoogleCloudKMS struct {
// contains filtered or unexported fields
}
GoogleCloudKMS implements the keys.KeyManager interface and can be used to sign export files.
func (*GoogleCloudKMS) CreateKeyVersion ¶ added in v0.5.1
CreateKeyVersion creates a new version for the given key. The parent key must already exist.
func (*GoogleCloudKMS) CreateSigningKey ¶ added in v0.5.1
func (kms *GoogleCloudKMS) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
CreateSigningKey creates a new signing key in Cloud KMS. If a key already exists, it returns the existing key.
func (*GoogleCloudKMS) DestroyKeyVersion ¶ added in v0.5.1
func (kms *GoogleCloudKMS) DestroyKeyVersion(ctx context.Context, id string) error
DestroyKeyVersion marks the given key version for destruction. If the version does not exist, it does nothing. The id is the full resource name like projects/locations/keyRings/...
func (*GoogleCloudKMS) SigningKeyVersions ¶ added in v0.5.0
func (kms *GoogleCloudKMS) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions returns the list of key versions for the parent parsed as signing keys.
type HCValueKeyID ¶
func NewHCValueKeyID ¶
func NewHCValueKeyID(keyID string) (*HCValueKeyID, error)
type HashiCorpVault ¶
type HashiCorpVault struct {
// contains filtered or unexported fields
}
HashiCorpVault implements the keys.KeyManager interface and can be used to sign export files and encrypt/decrypt data.
For encryption keys, when using valut, the keys must be created with
`derived=true`
func (*HashiCorpVault) CreateKeyVersion ¶ added in v0.6.0
CreateKeyVersion rotates the given key.
func (*HashiCorpVault) CreateSigningKey ¶ added in v0.6.0
CreateSigningKey creates a new signing key with the given name.
func (*HashiCorpVault) DestroyKeyVersion ¶ added in v0.6.0
func (v *HashiCorpVault) DestroyKeyVersion(ctx context.Context, id string) error
DestroyKeyVersion is unimplemented on Vault. Vault can only trim keys up to a point (which might be unsafe).
func (*HashiCorpVault) NewSigner ¶
NewSigner creates a new signer that uses a key in HashiCorp Vault's transit backend. The keyID is in the format:
name@version
Both name and version are required.
func (*HashiCorpVault) SigningKeyVersions ¶ added in v0.6.0
func (v *HashiCorpVault) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions returns the signing keys for the given key name.
type HashiCorpVaultSigner ¶
type HashiCorpVaultSigner struct {
// contains filtered or unexported fields
}
func NewHashiCorpVaultSigner ¶
func NewHashiCorpVaultSigner(ctx context.Context, client *vaultapi.Client, name, version string) (*HashiCorpVaultSigner, error)
NewHashiCorpVaultSigner creates a new signing interface compatible with HashiCorp Vault's transit backend. The key name and key version are required.
func (*HashiCorpVaultSigner) Public ¶
func (s *HashiCorpVaultSigner) Public() crypto.PublicKey
Public returns the public key. The public key is fetched when the signer is created.
func (*HashiCorpVaultSigner) Sign ¶
func (s *HashiCorpVaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error)
Sign signs the given digest using the public key.
type KeyManager ¶
type KeyManager interface { NewSigner(ctx context.Context, keyID string) (crypto.Signer, error) // Encrypt wile enctypt a byte array along with accompaning Additional Authenticated Data (AAD). // The ability for AAD to be empty, depends on the implementation being used. // // Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD // The Azure Key Vault implementation does not. Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error) // Decrypt will descrypt a previously encrypted byte array along with accompaning Additional // Authenticated Data (AAD). // If AAD was passed in on the encryption, the same AAD must be passed in to decrypt. // // Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD // The Azure Key Vault implementation does not. Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error) }
KeyManager defines the interface for working with a KMS system that is able to sign bytes using PKI. KeyManager implementations must be able to return a crypto.Signer.
func KeyManagerFor ¶
func KeyManagerFor(ctx context.Context, config *Config) (KeyManager, error)
KeyManagerFor returns the appropriate key manager for the given type.
func NewAzureKeyVault ¶
func NewAzureKeyVault(ctx context.Context) (KeyManager, error)
NewAzureKeyVault creates a new KeyVault key manager instance.
func NewGoogleCloudKMS ¶
func NewGoogleCloudKMS(ctx context.Context, config *Config) (KeyManager, error)
func NewHashiCorpVault ¶
func NewHashiCorpVault(ctx context.Context) (KeyManager, error)
NewHashiCorpVault creates a new Vault key manager instance.
func TestKeyManager ¶ added in v0.7.0
func TestKeyManager(tb testing.TB) KeyManager
TestKeyManager creates a new key manager suitable for use in tests.
type KeyManagerType ¶
type KeyManagerType string
KeyManagerType defines a specific key manager.
const ( KeyManagerTypeAWSKMS KeyManagerType = "AWS_KMS" KeyManagerTypeAzureKeyVault KeyManagerType = "AZURE_KEY_VAULT" KeyManagerTypeGoogleCloudKMS KeyManagerType = "GOOGLE_CLOUD_KMS" KeyManagerTypeHashiCorpVault KeyManagerType = "HASHICORP_VAULT" KeyManagerTypeFilesystem KeyManagerType = "FILESYSTEM" )
type KeyVersionCreator ¶ added in v0.5.1
type KeyVersionCreator interface { // CreateKeyVersion creates a new key version for the given parent, returning // the ID of the new version. The parent key must already exist. CreateKeyVersion(ctx context.Context, parent string) (string, error) }
KeyVersionCreator supports creating a new version of an existing key.
type KeyVersionDestroyer ¶ added in v0.5.1
type KeyVersionDestroyer interface { // DestroyKeyVersion destroys the given key version, if it exists. If the // version does not exist, it should not return an error. DestroyKeyVersion(ctx context.Context, id string) error }
KeyVersionDestroyer supports destroying a key version.
type SigningKeyManager ¶ added in v0.5.1
type SigningKeyManager interface { // SigningKeyVersions returns the list of signing keys for the provided // parent. If the parent does not exist, it returns an error. SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error) // CreateSigningKey creates a new signing key in the given parent, returning // the id. If the key already exists, it returns the key's id. CreateSigningKey(ctx context.Context, parent, name string) (string, error) KeyVersionCreator KeyVersionDestroyer }
SigningKeyManager supports extended management of signing keys, versions, and rotation.
type SigningKeyVersion ¶ added in v0.5.0
type SigningKeyVersion interface { KeyID() string CreatedAt() time.Time DestroyedAt() time.Time Signer(ctx context.Context) (crypto.Signer, error) }
SigningKeyVersion represents the necessary details that this application needs to manage signing keys in an external KMS.