Documentation ¶
Overview ¶
Package keys defines the interface to and implementation of key management operations.
Although exported, this package is not intended for general consumption. It is a shared dependency between multiple exposure notifications projects, and there is no guarantee that there won't be breaking changes in the future.
Index ¶
- func ParseECDSAPublicKey(pemBlock string) (*ecdsa.PublicKey, error)
- func RegisterManager(name string, fn KeyManagerFunc)
- func RegisteredManagers() []string
- func TestEncryptionKey(tb testing.TB, kms KeyManager) string
- func TestSigningKey(tb testing.TB, kms KeyManager) string
- type Config
- type EncryptionKeyManager
- type Filesystem
- func (k *Filesystem) CreateEncryptionKey(_ context.Context, parent, name string) (string, error)
- func (k *Filesystem) CreateKeyVersion(_ context.Context, parent string) (string, error)
- func (k *Filesystem) CreateSigningKey(_ context.Context, parent, name string) (string, error)
- func (k *Filesystem) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (k *Filesystem) DestroyKeyVersion(_ context.Context, id string) error
- func (k *Filesystem) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (k *Filesystem) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (k *Filesystem) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type KeyManager
- func KeyManagerFor(ctx context.Context, cfg *Config) (KeyManager, error)
- func NewFilesystem(ctx context.Context, cfg *Config) (KeyManager, error)
- func TestKeyManager(tb testing.TB) KeyManager
- type KeyManagerFunc
- type KeyVersionCreator
- type KeyVersionDestroyer
- type SigningKeyManager
- type SigningKeyVersion
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ParseECDSAPublicKey ¶ added in v0.20.0
func ParseECDSAPublicKey(pemBlock string) (*ecdsa.PublicKey, error)
ParseECDSAPublicKey is a convenience function for decoding an ECDSA public key from its PEM encoding.
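As an added example (not the package's own code), a stand-in implementation of what a function with this signature has to check: the PEM label, PKIX parsing, and that the parsed key really is ECDSA rather than, say, Ed25519. The inputs are constructed on the fly; parseECDSAPublicKey, marshalPublicKeyPEM and newSampleInputs are names chosen here, not package identifiers, and the rejection of trailing data after the first block is a choice made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// parseECDSAPublicKey is a hypothetical stand-in for keys.ParseECDSAPublicKey,
// written for this example. It accepts exactly one PEM "PUBLIC KEY" block
// (a PKIX SubjectPublicKeyInfo) and rejects anything else.
func parseECDSAPublicKey(pemBlock string) (*ecdsa.PublicKey, error) {
	block, rest := pem.Decode([]byte(pemBlock))
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("PEM block type is %q, want PUBLIC KEY", block.Type)
	}
	// Refuse concatenated files rather than silently using the first key.
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, fmt.Errorf("unexpected data after the PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing public key: %w", err)
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("public key is %T, not ECDSA", pub)
	}
	return ecPub, nil
}

// marshalPublicKeyPEM is the inverse: PKIX DER wrapped in a "PUBLIC KEY" block.
func marshalPublicKeyPEM(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// sampleInputs holds constructed inputs for the example; none are real project keys.
type sampleInputs struct {
	priv    *ecdsa.PrivateKey
	ecPEM   string // the expected case: a P-256 public key
	edPEM   string // well-formed PEM, wrong algorithm
	certPEM string // the right DER bytes under the wrong PEM label
}

func newSampleInputs() (*sampleInputs, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	edPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ecPEM, err := marshalPublicKeyPEM(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	edPEM, err := marshalPublicKeyPEM(edPub)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	certPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return &sampleInputs{priv: priv, ecPEM: ecPEM, edPEM: edPEM, certPEM: certPEM}, nil
}

func main() {
	in, err := newSampleInputs()
	if err != nil {
		panic(err)
	}
	if pub, err := parseECDSAPublicKey(in.ecPEM); err == nil {
		fmt.Println("P-256 key parsed; matches the generated key:", pub.Equal(&in.priv.PublicKey))
	}
	for _, bad := range []string{in.edPEM, in.certPEM, in.ecPEM + in.ecPEM, "not pem at all"} {
		_, err := parseECDSAPublicKey(bad)
		fmt.Println("rejected:", err)
	}
}
```

The type assertion is the step that matters: x509.ParsePKIXPublicKey happily returns RSA, Ed25519 or ECDSA keys, so a caller that only checks for a parse error will accept a key the signature-verification code cannot use.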
func RegisterManager ¶ added in v0.22.0
func RegisterManager(name string, fn KeyManagerFunc)
RegisterManager registers a new key manager with the given name. If a manager is already registered with the given name, it panics. Managers are usually registered via an init function.
func RegisteredManagers ¶ added in v0.22.0
func RegisteredManagers() []string
RegisteredManagers returns the list of the names of the registered key managers.
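An added example of the registry pattern described above, in the style of this package but not its code: RegisterManager, RegisteredManagers and a KeyManagerFor lookup are re-implemented locally over a trimmed copy of the KeyManager and Config types. The only registered backend is a hypothetical placeholderManager that refuses every key operation; it is there purely so the registry has something to construct. Exact-match lookup on cfg.Type is an assumption of this example.

```go
package main

import (
	"context"
	"crypto"
	"errors"
	"fmt"
	"sort"
	"sync"
)

// KeyManager, Config and KeyManagerFunc are local copies of the types on this
// page, trimmed to what the registry needs to compile.
type KeyManager interface {
	NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
	Encrypt(ctx context.Context, keyID string, plaintext, aad []byte) ([]byte, error)
	Decrypt(ctx context.Context, keyID string, ciphertext, aad []byte) ([]byte, error)
}

type Config struct{ Type string }

type KeyManagerFunc func(context.Context, *Config) (KeyManager, error)

var (
	managersMu sync.RWMutex
	managers   = map[string]KeyManagerFunc{}
)

// RegisterManager panics on a duplicate name. Registration runs from init, so
// a duplicate means two packages claim the same backend name; letting the
// later one win would silently swap KMS implementations.
func RegisterManager(name string, fn KeyManagerFunc) {
	managersMu.Lock()
	defer managersMu.Unlock()
	if _, dup := managers[name]; dup {
		panic(fmt.Sprintf("keys: manager %q already registered", name))
	}
	managers[name] = fn
}

// RegisteredManagers returns the names sorted so logs and errors are stable.
func RegisteredManagers() []string {
	managersMu.RLock()
	defer managersMu.RUnlock()
	names := make([]string, 0, len(managers))
	for name := range managers {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

// KeyManagerFor matches cfg.Type exactly (assumption; the page's default is the
// upper-case "FILESYSTEM") and names the registered backends when lookup fails.
func KeyManagerFor(ctx context.Context, cfg *Config) (KeyManager, error) {
	managersMu.RLock()
	fn, ok := managers[cfg.Type]
	managersMu.RUnlock()
	if !ok {
		return nil, fmt.Errorf("keys: unknown manager %q (registered: %v)", cfg.Type, RegisteredManagers())
	}
	return fn(ctx, cfg)
}

// placeholderManager is a hypothetical backend that exists only to give the
// registry something to construct: it keeps the Config it was built from and
// refuses every key operation with errUnsupported.
var errUnsupported = errors.New("placeholder backend: operation not supported")

type placeholderManager struct{ cfg *Config }

func (placeholderManager) NewSigner(context.Context, string) (crypto.Signer, error) { return nil, errUnsupported }
func (placeholderManager) Encrypt(context.Context, string, []byte, []byte) ([]byte, error) { return nil, errUnsupported }
func (placeholderManager) Decrypt(context.Context, string, []byte, []byte) ([]byte, error) { return nil, errUnsupported }

func newPlaceholder(_ context.Context, cfg *Config) (KeyManager, error) {
	return placeholderManager{cfg: cfg}, nil
}

func init() { RegisterManager("PLACEHOLDER", newPlaceholder) }

// registrationPanics reports whether registering name panics. A name that was
// still free gets registered as a side effect.
func registrationPanics(name string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	RegisterManager(name, newPlaceholder)
	return false
}

func main() {
	ctx := context.Background()
	km, err := KeyManagerFor(ctx, &Config{Type: "PLACEHOLDER"})
	fmt.Println(RegisteredManagers(), km != nil, err, registrationPanics("PLACEHOLDER"))
	_, err = KeyManagerFor(ctx, &Config{Type: "NOT_A_BACKEND"})
	fmt.Println(err)
}
```

The lock is released by the deferred Unlock even when RegisterManager panics, so a recovered duplicate registration (as in registrationPanics) does not deadlock later lookups.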
func TestEncryptionKey ¶ added in v0.7.0
func TestEncryptionKey(tb testing.TB, kms KeyManager) string
TestEncryptionKey creates a new encryption key and key version in the given key manager. If the provided key manager does not support managing encryption keys, it calls tb.Fatal.
func TestSigningKey ¶ added in v0.7.0
func TestSigningKey(tb testing.TB, kms KeyManager) string
TestSigningKey creates a new signing key and key version in the given key manager. If the provided key manager does not support managing signing keys, it calls tb.Fatal.
Types ¶
type Config ¶
type Config struct {
	// Type is the type of the key manager.
	Type string `env:"KEY_MANAGER, default=FILESYSTEM"`

	// CreateHSMKeys indicates whether HSM-level protection should be requested
	// when keys are created, if the backend offers it. Adherence to this
	// setting is optional and depends on the key manager implementation and
	// the capabilities of the underlying KMS.
	CreateHSMKeys bool `env:"CREATE_HSM_KEYS, default=true"`

	// FilesystemRoot is the root path where keys are managed on the filesystem.
	FilesystemRoot string `env:"KEY_FILESYSTEM_ROOT"`
}
Config defines the key manager configuration. The env struct tags name the environment variable that populates each field and, where one exists, its default.
type EncryptionKeyManager ¶ added in v0.7.0
type EncryptionKeyManager interface {
	// CreateEncryptionKey creates a new encryption key in the given parent,
	// returning the id. If the key already exists, it returns the key's id.
	CreateEncryptionKey(ctx context.Context, parent, name string) (string, error)

	KeyVersionCreator
	KeyVersionDestroyer
}
EncryptionKeyManager supports extended management of encryption keys, versions, and rotation.
type Filesystem ¶ added in v0.7.0
type Filesystem struct {
// contains filtered or unexported fields
}
Filesystem is a key manager that uses the filesystem to store and retrieve keys. It should only be used for local development and testing.
func (*Filesystem) CreateEncryptionKey ¶ added in v0.7.0
func (k *Filesystem) CreateEncryptionKey(_ context.Context, parent, name string) (string, error)
CreateEncryptionKey creates an encryption key. For this implementation, that means it creates a folder on disk (but no key versions inside; those come from CreateKeyVersion). If the folder already exists, it returns its name.
func (*Filesystem) CreateKeyVersion ¶ added in v0.7.0
func (k *Filesystem) CreateKeyVersion(_ context.Context, parent string) (string, error)
CreateKeyVersion creates a new key version under the parent. If the parent is a signing key, the new version is a signing key; if the parent is an encryption key, the new version is an encryption key. If the parent does not exist, it returns an error.
func (*Filesystem) CreateSigningKey ¶ added in v0.7.0
func (k *Filesystem) CreateSigningKey(_ context.Context, parent, name string) (string, error)
CreateSigningKey creates a signing key. For this implementation, that means it creates a folder on disk (but no key versions inside; those come from CreateKeyVersion). If the folder already exists, it returns its name.
func (*Filesystem) Decrypt ¶ added in v0.7.0
func (k *Filesystem) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
Decrypt decrypts the ciphertext. It returns an error if the key does not exist or if decryption fails, including when the aad differs from the one used to encrypt.
func (*Filesystem) DestroyKeyVersion ¶ added in v0.7.0
func (k *Filesystem) DestroyKeyVersion(_ context.Context, id string) error
DestroyKeyVersion destroys the given key version. It does nothing if the key does not exist.
func (*Filesystem) Encrypt ¶ added in v0.7.0
func (k *Filesystem) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
Encrypt encrypts the given plaintext with the key and authenticates the aad alongside it. If the key does not exist, it returns an error.
func (*Filesystem) NewSigner ¶ added in v0.7.0
func (k *Filesystem) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
NewSigner creates a new signer from the given key. It returns an error if the key does not exist or if it is not a signing key.
func (*Filesystem) SigningKeyVersions ¶ added in v0.7.0
func (k *Filesystem) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions lists all the versions for the given parent. If the provided parent is not a signing key, it returns an error.
type KeyManager ¶
type KeyManager interface {
	NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

	// Encrypt will encrypt a byte array along with accompanying Additional Authenticated Data (AAD).
	// Whether AAD may be empty depends on the implementation being used.
	//
	// Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD.
	// The Azure Key Vault implementation does not.
	Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

	// Decrypt will decrypt a previously encrypted byte array along with accompanying Additional
	// Authenticated Data (AAD).
	// If AAD was passed in on encryption, the same AAD must be passed in to decrypt.
	//
	// Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD.
	// The Azure Key Vault implementation does not.
	Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
}
KeyManager defines the interface for working with a KMS that is able to sign bytes using an asymmetric (PKI) key and to encrypt and decrypt with AAD. KeyManager implementations must be able to return a crypto.Signer.
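The AAD contract above, as an added example that is not the project's code: a hypothetical in-process KeyManager, memoryManager, that uses AES-256-GCM for Encrypt/Decrypt and ECDSA P-256 for NewSigner. It shows what a backend that supports AAD has to do, and that decrypting with different AAD, a modified byte, a truncated blob or the wrong key all fail. The key IDs and the nonce||ciphertext layout are choices made for this example.

```go
package main

import (
	"context"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
)

// KeyManager is a local copy of the interface documented on this page.
type KeyManager interface {
	NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
	Encrypt(ctx context.Context, keyID string, plaintext, aad []byte) ([]byte, error)
	Decrypt(ctx context.Context, keyID string, ciphertext, aad []byte) ([]byte, error)
}

// memoryManager is a hypothetical in-process backend written for this example:
// AES-256-GCM for Encrypt/Decrypt and ECDSA P-256 for NewSigner. Key material
// sits in plain process memory and dies with the process, so it is for tests
// only. It is not safe for concurrent use.
type memoryManager struct {
	aead map[string]cipher.AEAD
	sign map[string]*ecdsa.PrivateKey
}

var _ KeyManager = (*memoryManager)(nil)

func newMemoryManager() *memoryManager {
	return &memoryManager{aead: map[string]cipher.AEAD{}, sign: map[string]*ecdsa.PrivateKey{}}
}

func (m *memoryManager) CreateEncryptionKey(id string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	m.aead[id] = gcm
	return nil
}

func (m *memoryManager) CreateSigningKey(id string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	m.sign[id] = priv
	return nil
}

func (m *memoryManager) NewSigner(_ context.Context, keyID string) (crypto.Signer, error) {
	if priv, ok := m.sign[keyID]; ok {
		return priv, nil // *ecdsa.PrivateKey implements crypto.Signer
	}
	return nil, fmt.Errorf("signing key %q does not exist", keyID)
}

// Encrypt returns nonce || ciphertext || tag. The AAD is bound into the tag but
// not stored, so whoever calls Decrypt has to know it independently.
func (m *memoryManager) Encrypt(_ context.Context, keyID string, plaintext, aad []byte) ([]byte, error) {
	gcm, ok := m.aead[keyID]
	if !ok {
		return nil, fmt.Errorf("encryption key %q does not exist", keyID)
	}
	nonce := make([]byte, gcm.NonceSize()) // random 96-bit nonce; fine at test volumes
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt fails on a missing key, a blob too short to hold a nonce, a wrong key,
// a flipped byte or an AAD mismatch; GCM reports the last three identically.
func (m *memoryManager) Decrypt(_ context.Context, keyID string, ciphertext, aad []byte) ([]byte, error) {
	gcm, 
ok := m.aead[keyID]
	if !ok {
		return nil, fmt.Errorf("encryption key %q does not exist", keyID)
	}
	if ns := gcm.NonceSize(); len(ciphertext) >= ns {
		return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext under %q is shorter than a nonce", keyID)
}

func main() {
	ctx := context.Background()
	mm := newMemoryManager()
	if err := mm.CreateEncryptionKey("enc/v1"); err != nil {
		panic(err)
	}
	ct, _ := mm.Encrypt(ctx, "enc/v1", []byte("secret"), []byte("row:42"))
	_, err := mm.Decrypt(ctx, "enc/v1", ct, []byte("row:43"))
	fmt.Println("decrypt with a different AAD:", err)
}
```

In the exposure notifications services the AAD is the natural place to bind a ciphertext to the record it belongs to, so that a blob copied from one row to another fails to decrypt instead of quietly succeeding.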
func KeyManagerFor ¶
func KeyManagerFor(ctx context.Context, cfg *Config) (KeyManager, error)
KeyManagerFor returns the key manager registered under the name in cfg.Type, or an error if no manager is registered with that name.
func NewFilesystem ¶ added in v0.7.0
func NewFilesystem(ctx context.Context, cfg *Config) (KeyManager, error)
NewFilesystem creates a new KeyManager backed by the local filesystem. It should only be used for development and testing.
If root is provided and does not exist, it will be created. If root is a relative path, it's relative to where the process is currently executing. If root is not supplied, all data is dumped in the current working directory.
In general, root should either be a hardcoded path like $(pwd)/local or a temporary directory like os.TempDir().
func TestKeyManager ¶ added in v0.7.0
func TestKeyManager(tb testing.TB) KeyManager
TestKeyManager creates a new key manager suitable for use in tests.
type KeyManagerFunc ¶ added in v0.22.0
type KeyManagerFunc func(context.Context, *Config) (KeyManager, error)
KeyManagerFunc is a func that returns a key manager or error.
type KeyVersionCreator ¶ added in v0.5.1
type KeyVersionCreator interface {
	// CreateKeyVersion creates a new key version for the given parent, returning
	// the ID of the new version. The parent key must already exist.
	CreateKeyVersion(ctx context.Context, parent string) (string, error)
}
KeyVersionCreator supports creating a new version of an existing key.
type KeyVersionDestroyer ¶ added in v0.5.1
type KeyVersionDestroyer interface {
	// DestroyKeyVersion destroys the given key version, if it exists. If the
	// version does not exist, it should not return an error.
	DestroyKeyVersion(ctx context.Context, id string) error
}
KeyVersionDestroyer supports destroying a key version.
type SigningKeyManager ¶ added in v0.5.1
type SigningKeyManager interface {
	// SigningKeyVersions returns the list of signing keys for the provided
	// parent. If the parent does not exist, it returns an error.
	SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)

	// CreateSigningKey creates a new signing key in the given parent, returning
	// the id. If the key already exists, it returns the key's id.
	CreateSigningKey(ctx context.Context, parent, name string) (string, error)

	KeyVersionCreator
	KeyVersionDestroyer
}
SigningKeyManager supports extended management of signing keys, versions, and rotation.
type SigningKeyVersion ¶ added in v0.5.0
type SigningKeyVersion interface {
	KeyID() string
	CreatedAt() time.Time
	DestroyedAt() time.Time
	Signer(ctx context.Context) (crypto.Signer, error)
}
SigningKeyVersion represents the necessary details that this application needs to manage signing keys in an external KMS.
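Added example (not the project's code) of how a caller uses SigningKeyVersion for rotation: a hypothetical in-memory memoryVersion implements the interface, activeVersion picks the newest live version to sign with, and verify accepts signatures from any live version by ID but refuses a destroyed one. The key IDs, timestamps and the rule that a destroyed version loses its Signer are all constructed for the example; a real KMS decides for itself what a destroyed version can still do.

```go
package main

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// SigningKeyVersion is a local copy of the interface documented on this page.
type SigningKeyVersion interface {
	KeyID() string
	CreatedAt() time.Time
	DestroyedAt() time.Time
	Signer(ctx context.Context) (crypto.Signer, error)
}

// memoryVersion is a hypothetical in-process implementation written for this
// example: destroying it keeps the metadata but drops the private key.
type memoryVersion struct {
	id        string
	created   time.Time
	destroyed time.Time // zero while the version is live
	priv      *ecdsa.PrivateKey
}

func newVersion(id string, created time.Time) (*memoryVersion, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &memoryVersion{id: id, created: created, priv: priv}, nil
}

func (v *memoryVersion) KeyID() string          { return v.id }
func (v *memoryVersion) CreatedAt() time.Time   { return v.created }
func (v *memoryVersion) DestroyedAt() time.Time { return v.destroyed }
func (v *memoryVersion) destroy(at time.Time)   { v.destroyed, v.priv = at, nil }

func (v *memoryVersion) Signer(context.Context) (crypto.Signer, error) {
	if v.priv == nil {
		return nil, fmt.Errorf("key version %q destroyed at %s", v.id, v.destroyed.UTC().Format(time.RFC3339))
	}
	return v.priv, nil // *ecdsa.PrivateKey implements crypto.Signer
}

// activeVersion returns the newest live version, the one new signatures come
// from; older live versions stay valid for verification, so rotation has no gap.
func activeVersion(versions []SigningKeyVersion) (SigningKeyVersion, error) {
	var best SigningKeyVersion
	for _, v := range versions {
		if v.DestroyedAt().IsZero() && (best == nil || v.CreatedAt().After(best.CreatedAt())) {
			best = v
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no live signing key version among %d", len(versions))
	}
	return best, nil
}

// sign returns v's ID with the signature so the verifier can pick the right key.
func sign(ctx context.Context, v SigningKeyVersion, msg []byte) (string, []byte, error) {
	s, err := v.Signer(ctx)
	if err != nil {
		return "", nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
	return v.KeyID(), sig, err
}

// verify rejects unknown IDs, bad signatures, and anything signed by a version
// that has since been destroyed (its Signer, and so its public key, is gone).
func verify(ctx context.Context, versions []SigningKeyVersion, keyID string, msg, sig []byte) error {
	for _, v := range versions {
		if v.KeyID() != keyID {
			continue
		}
		s, err := v.Signer(ctx)
		if err != nil {
			return err
		}
		digest := sha256.Sum256(msg)
		if !ecdsa.VerifyASN1(s.Public().(*ecdsa.PublicKey), digest[:], sig) {
			return fmt.Errorf("signature by %q does not verify", keyID)
		}
		return nil
	}
	return fmt.Errorf("unknown key version %q", keyID)
}

func main() {
	v, err := newVersion("sign/v1", time.Now())
	if err != nil {
		panic(err)
	}
	id, sig, err := sign(context.Background(), v, []byte("payload"))
	fmt.Println(id, len(sig) > 0, err)
}
```

Sending the KeyID alongside each signature is what makes the overlap period work: verifiers keep every live version's public key, so signatures produced just before a rotation still verify, and DestroyKeyVersion is only called once nothing signed by the old version is still in flight.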