keys

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 17, 2020 License: Apache-2.0 Imports: 26 Imported by: 22

Documentation

Overview

Package keys defines the interface to and implementation of key management operations.

Although exported, this package is non intended for general consumption. It is a shared dependency between multiple exposure notifications projects. We cannot guarantee that there won't be breaking changes in the future.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AWSKMS 

type AWSKMS struct {
	// contains filtered or unexported fields
}

AWSKMS implements the keys.KeyManager interface and can be used to sign export files using AWS KMS.

func (*AWSKMS) Decrypt 

func (s *AWSKMS) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)

func (*AWSKMS) Encrypt 

func (s *AWSKMS) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

func (*AWSKMS) NewSigner 

func (s *AWSKMS) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

type AZKeyID 

type AZKeyID struct {
	Vault   string
	Key     string
	Version string
}

func ParseAZKeyID 

func ParseAZKeyID(keyID string) (*AZKeyID, error)

type AzureKeyVault 

type AzureKeyVault struct {
	// contains filtered or unexported fields
}

AzureKeyVault implements the keys.KeyManager interface and can be used to sign export files.

func (*AzureKeyVault) Decrypt 

func (v *AzureKeyVault) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)

func (*AzureKeyVault) Encrypt 

func (v *AzureKeyVault) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

func (*AzureKeyVault) NewSigner 

func (v *AzureKeyVault) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

NewSigner creates a new signer that uses a key in HashiCorp Vault's transit backend. The keyID in the format: 

AZURE_KEY_VAULT_NAME/SECRET_NAME/SECRET_VERSION

For example: 

my-company-vault/api-key/1

Both name and version are required.

type AzureKeyVaultSigner 

type AzureKeyVaultSigner struct {
	// contains filtered or unexported fields
}

func NewAzureKeyVaultSigner 

func NewAzureKeyVaultSigner(ctx context.Context, client *keyvault.BaseClient, vault, key, version string) (*AzureKeyVaultSigner, error)

NewAzureKeyVaultSigner creates a new signing interface compatible with HashiCorp Vault's transit backend. The key name and key version are required.

func (*AzureKeyVaultSigner) Public 

func (s *AzureKeyVaultSigner) Public() crypto.PublicKey

Public returns the public key. The public key is fetched when the signer is created.

func (*AzureKeyVaultSigner) Sign 

func (s *AzureKeyVaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error)

Sign signs the given digest using the public key.

type Config 

type Config struct {
	KeyManagerType KeyManagerType `env:"KEY_MANAGER,default=GOOGLE_CLOUD_KMS"`
}

Config defines configuration.

type EncryptionKeyAdder added in v0.3.0 

type EncryptionKeyAdder interface {
	AddEncryptionKey(string, []byte) error
}

EncryptionKeyAdder supports creating encryption keys.

type EncryptionKeyCreator added in v0.3.0 

type EncryptionKeyCreator interface {
	CreateEncryptionKey(string) ([]byte, error)
}

EncryptionKeyCreator supports creating encryption keys.

type GoogleCloudKMS 

type GoogleCloudKMS struct {
	// contains filtered or unexported fields
}

GoogleCloudKMS implements the keys.KeyManager interface and can be used to sign export files.

func (*GoogleCloudKMS) Decrypt 

func (kms *GoogleCloudKMS) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)

func (*GoogleCloudKMS) Encrypt 

func (kms *GoogleCloudKMS) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

func (*GoogleCloudKMS) NewSigner 

func (kms *GoogleCloudKMS) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

type HCValueKeyID 

type HCValueKeyID struct {
	Name    string
	Version string
}

func NewHCValueKeyID 

func NewHCValueKeyID(keyID string) (*HCValueKeyID, error)

type HashiCorpVault 

type HashiCorpVault struct {
	// contains filtered or unexported fields
}

HashiCorpVault implements the keys.KeyManager interface and can be used to sign export files and encrypt/decrypt data.

For encryption keys, when using valut, the keys must be created with 

`derived=true`

func (*HashiCorpVault) Decrypt 

func (v *HashiCorpVault) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)

func (*HashiCorpVault) Encrypt 

func (v *HashiCorpVault) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

func (*HashiCorpVault) NewSigner 

func (v *HashiCorpVault) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

NewSigner creates a new signer that uses a key in HashiCorp Vault's transit backend. The keyID is in the format: 

name@version

Both name and version are required.

type HashiCorpVaultSigner 

type HashiCorpVaultSigner struct {
	// contains filtered or unexported fields
}

func NewHashiCorpVaultSigner 

func NewHashiCorpVaultSigner(ctx context.Context, client *vaultapi.Client, name, version string) (*HashiCorpVaultSigner, error)

NewHashiCorpVaultSigner creates a new signing interface compatible with HashiCorp Vault's transit backend. The key name and key version are required.

func (*HashiCorpVaultSigner) Public 

func (s *HashiCorpVaultSigner) Public() crypto.PublicKey

Public returns the public key. The public key is fetched when the signer is created.

func (*HashiCorpVaultSigner) Sign 

func (s *HashiCorpVaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error)

Sign signs the given digest using the public key.

type InMemory 

type InMemory struct {
	// contains filtered or unexported fields
}

InMemory is useful for testing. Do NOT use in a running system as all keys are only kept in memory and will be lost across server reboots.

func NewInMemory 

func NewInMemory(ctx context.Context) (*InMemory, error)

NewInMemory creates a new, local, in memory KeyManager.

func (*InMemory) AddEncryptionKey 

func (k *InMemory) AddEncryptionKey(keyID string, key []byte) error

AddEncryptionKey stores the key on the system.

func (*InMemory) AddSigningKey 

func (k *InMemory) AddSigningKey(keyID string, pk *ecdsa.PrivateKey) error

AddSigningKey adds a new ECDSA P256 Signing Key identified by the provided keyID.

func (*InMemory) CreateEncryptionKey added in v0.3.0 

func (k *InMemory) CreateEncryptionKey(keyID string) ([]byte, error)

CreateEncryptionKey generates and stores new encryption key identified by the provided keyID.

func (*InMemory) CreateSigningKey added in v0.3.0 

func (k *InMemory) CreateSigningKey(keyID string) (*ecdsa.PrivateKey, error)

CreateSigningKey generates a new ECDSA P256 Signing Key identified by the provided keyID

func (*InMemory) Decrypt 

func (k *InMemory) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)

func (*InMemory) Encrypt 

func (k *InMemory) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

func (*InMemory) NewSigner 

func (k *InMemory) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

type KeyManager 

type KeyManager interface {
	NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)

	// Encrypt wile enctypt a byte array along with accompaning Additional Authenticated Data (AAD).
	// The ability for AAD to be empty, depends on the implementation being used.
	//
	// Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD
	// The Azure Key Vault implementation does not.
	Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)

	// Decrypt will descrypt a previously encrypted byte array along with accompaning Additional
	// Authenticated Data (AAD).
	// If AAD was passed in on the encryption, the same AAD must be passed in to decrypt.
	//
	// Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD
	// The Azure Key Vault implementation does not.
	Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
}

KeyManager defines the interface for working with a KMS system that is able to sign bytes using PKI. KeyManager implementations must be able to return a crypto.Signer.

func KeyManagerFor 

func KeyManagerFor(ctx context.Context, typ KeyManagerType) (KeyManager, error)

KeyManagerFor returns the appropriate key manager for the given type.

func NewAWSKMS 

func NewAWSKMS(ctx context.Context) (KeyManager, error)

func NewAzureKeyVault 

func NewAzureKeyVault(ctx context.Context) (KeyManager, error)

NewAzureKeyVault creates a new KeyVault key manager instance.

func NewGoogleCloudKMS 

func NewGoogleCloudKMS(ctx context.Context) (KeyManager, error)

func NewHashiCorpVault 

func NewHashiCorpVault(ctx context.Context) (KeyManager, error)

NewHashiCorpVault creates a new Vault key manager instance.

type KeyManagerType 

type KeyManagerType string

KeyManagerType defines a specific key manager. 

const (
	KeyManagerTypeAWSKMS         KeyManagerType = "AWS_KMS"
	KeyManagerTypeAzureKeyVault  KeyManagerType = "AZURE_KEY_VAULT"
	KeyManagerTypeGoogleCloudKMS KeyManagerType = "GOOGLE_CLOUD_KMS"
	KeyManagerTypeHashiCorpVault KeyManagerType = "HASHICORP_VAULT"
	KeyManagerTypeInMemory       KeyManagerType = "IN_MEMORY"
)

type SigningKeyAdder added in v0.3.0 

type SigningKeyAdder interface {
	AddSigningKey(string, *ecdsa.PrivateKey) error
}

SigningKeyAdder supports creating signing keys.

type SigningKeyCreator added in v0.3.0 

type SigningKeyCreator interface {
	CreateSigningKey(string) (*ecdsa.PrivateKey, error)
}

SigningKeyCreator supports creating signing keys.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.