database

package
v1.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 31, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package database contains the management of interactions with the database for createion and storage of the wrapped keys that encrypet revision certificates.

RevisionKey data is stored in the revisionkeys table.

  • The most recently created 'allowed' key is considered to be the effective key. The effective key is used to encrypt outgoing revision tokens.
  • Any still 'allowed' key can be used to decrypt incoming revision tokens.

This package also supports the creation of new keys with a locally generated AES key that is encrypted using the provided KMS and stored in the database in it's encrypted form.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type KMSConfig

type KMSConfig struct {
	WrapperKeyID string
	KeyManager   keys.KeyManager
}

KMSConfig represents the configuration of the RevisionDB in terms how how it should utilize the given KeyManager for wrapping/unwrapping keys.

type RevisionDB

type RevisionDB struct {
	// contains filtered or unexported fields
}

RevisionDB wraps a database connection and provides functions for interacting with revision keys.

func New

func New(db *database.DB, c *KMSConfig) (*RevisionDB, error)

New creates a new `RevisionDB`

func (*RevisionDB) CreateRevisionKey

func (rdb *RevisionDB) CreateRevisionKey(ctx context.Context) (*RevisionKey, error)

CreateRevisionKey generates a new AES key and wraps it

func (*RevisionDB) DestroyKey

func (rdb *RevisionDB) DestroyKey(ctx context.Context, keyID int64) error

DestroyKey zeros out the wrapped key and marks the key as allowed=false.

func (*RevisionDB) GetAllowedRevisionKeyIDs

func (rdb *RevisionDB) GetAllowedRevisionKeyIDs(ctx context.Context) (int64, map[int64]struct{}, error)

GetAllowedRevisionKeyIDs returns just the IDs of still allowed keys. Once the keys have been unwrapped, there is no reason to continue to unwrap them.

The first return value is the ID of the currently effective key (most recently created, still active) The second return value is a map of the currently allowed keys for decryption

func (*RevisionDB) GetAllowedRevisionKeys

func (rdb *RevisionDB) GetAllowedRevisionKeys(ctx context.Context) (int64, []*RevisionKey, error)

GetAllowedRevisionKeys returns all of the currently allowed revision keys. This method will unwrap all of the keys so that they can be used to create and verify revision tokens.

The first return value is the ID of the effective RevisionKey. The second is a slice of all currently allowed RevisionKeys for decryption purposes. The returned revision keys will be sorted in reverse time order by creation time.

func (*RevisionDB) GetEffectiveRevisionKey

func (rdb *RevisionDB) GetEffectiveRevisionKey(ctx context.Context) (*RevisionKey, error)

GetEffectiveRevisionKey returns the revision key to use when encrypting revision tokens. This is consided the most recently created key that is still "allowed"

type RevisionKey

type RevisionKey struct {
	KeyID         int64
	AAD           []byte // AAD for the wrapping/unwrapping of the cipher block.
	WrappedCipher []byte
	CreatedAt     time.Time
	Allowed       bool

	// The unwrapped cipher.
	DEK []byte
}

RevisionKey represents an individual revision key.

func (*RevisionKey) KeyIDString

func (r *RevisionKey) KeyIDString() string

KeyIDString returns the keyID as a string that can be used in the encoded revision tokens.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL