Documentation
Overview
Package nonprod provides an in-memory signer and CA for endorsement using generated or provided keys.
This package is test-only and non-production: key material should not be loaded into memory on the endorsing machine, which is likely a compilation node. Instead, signing should be offloaded to a trusted device whose sole purpose is key management and signing.
Index
- func DefaultOpts() crypto.SignerOpts
- func RsaPublicKeyToPEM(pub *rsa.PublicKey) []byte
- type Key
- type KeyInfo
- type Options
- type Signer
- func (s *Signer) ClearKeys()
- func (s *Signer) DestroyKeyVersion(keyVersionName string)
- func (s *Signer) GenerateRootKey(keyVersionName string) (*rsa.PrivateKey, error)
- func (s *Signer) GenerateSigningKey(keyVersionName string) (*rsa.PrivateKey, error)
- func (s *Signer) LoadKey(name string, key any) error
- func (s *Signer) PublicKey(_ context.Context, keyVersionName string) ([]byte, error)
- func (s *Signer) Sign(_ context.Context, keyVersionName string, digest styp.Digest, ...) ([]byte, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func DefaultOpts
func DefaultOpts() crypto.SignerOpts
DefaultOpts returns the only crypto.SignerOpts setting that this package supports.
func RsaPublicKeyToPEM
func RsaPublicKeyToPEM(pub *rsa.PublicKey) []byte
RsaPublicKeyToPEM returns an RSA public key in its PEM encoding.
Types
type Key
type Key struct {
	// Private is optional for creating a fake Signer. If nil, will be generated.
	Private *rsa.PrivateKey
	Cert    *x509.Certificate
	Info    KeyInfo
}
Key represents a pre-created private key that will get certificates for a nonprod signer.
type KeyInfo
type KeyInfo struct {
	// KeyVersionName is the key's unique name (path) for use in signing requests.
	KeyVersionName string
	// PkixName is the whole subject description of the key. If set, overrides CommonName.
	PkixName *pkix.Name
}
KeyInfo represents the configurable parts of a fake signer's representation of a key.
type Options
type Options struct {
	Now               time.Time
	Random            io.Reader
	CA                styp.CertificateAuthority
	Root              Key
	PrimarySigningKey Key
	SigningKeys       []Key
}
Options carries all the configurable components for a non-production in-memory signer.
type Signer
type Signer struct {
	Now time.Time
	// Keys require randomness to create.
	Rand io.Reader
	Keys map[string]*rsa.PrivateKey
}
Signer is an in-memory implementation of the Signer interface for endorsing golden measurements.
func MakeCustomSigner
MakeCustomSigner creates a new nonprod Signer with keys of the given names and private keys.
func (*Signer) ClearKeys
func (s *Signer) ClearKeys()
ClearKeys clears the keys in the signer as part of a wipeout operation.
func (*Signer) DestroyKeyVersion
func (s *Signer) DestroyKeyVersion(keyVersionName string)
DestroyKeyVersion destroys the private key for keyVersionName if it exists.
func (*Signer) GenerateRootKey
func (s *Signer) GenerateRootKey(keyVersionName string) (*rsa.PrivateKey, error)
GenerateRootKey registers and returns a new key with root key settings.
func (*Signer) GenerateSigningKey
func (s *Signer) GenerateSigningKey(keyVersionName string) (*rsa.PrivateKey, error)
GenerateSigningKey registers and returns a new key with signing key settings.
func (*Signer) LoadKey
func (s *Signer) LoadKey(name string, key any) error
LoadKey stores the given key under name only if it is of the supported type; otherwise it returns an error.
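The following is an added, self-contained illustration of the pattern this package documents (an in-memory, test-only RSA signer keyed by keyVersionName, a single supported signing option, PEM export of the public key, and a LoadKey-style type check). It is not the nonprod package's own code: the type memSigner, its method names, the choice of SHA-256 as the one accepted hash, and the constructed key version name and measurement are all assumptions made for this example. It also carries the round trip through to the verifier side, which the page does not show.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// memSigner is a constructed, test-only in-memory signer shaped like the nonprod
// Signer (one RSA key per keyVersionName). Its method names are assumptions, not the package's API.
type memSigner struct {
	keys map[string]*rsa.PrivateKey
}

func newMemSigner() *memSigner {
	return &memSigner{keys: map[string]*rsa.PrivateKey{}}
}

// generateKey creates and registers a fresh RSA key under keyVersionName.
func (s *memSigner) generateKey(keyVersionName string, bits int) (*rsa.PrivateKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	s.keys[keyVersionName] = k
	return k, nil
}

// loadKey stores key only if it is the supported type, as LoadKey is documented to do.
func (s *memSigner) loadKey(name string, key any) error {
	k, ok := key.(*rsa.PrivateKey)
	if !ok {
		return fmt.Errorf("unsupported key type %T for %q", key, name)
	}
	s.keys[name] = k
	return nil
}

// publicKeyPEM returns the PKIX PEM encoding of the public half, all a verifier needs.
func (s *memSigner) publicKeyPEM(keyVersionName string) ([]byte, error) {
	k, ok := s.keys[keyVersionName]
	if !ok {
		return nil, fmt.Errorf("no key version %q", keyVersionName)
	}
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// sign emits a PKCS#1 v1.5 signature; like DefaultOpts it accepts exactly one setting (SHA-256 assumed).
func (s *memSigner) sign(keyVersionName string, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, fmt.Errorf("only SHA-256 digests are supported")
	}
	k, ok := s.keys[keyVersionName]
	if !ok {
		return nil, fmt.Errorf("no key version %q", keyVersionName)
	}
	return rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest)
}

// verifyWithPEM is the consumer side: parse the PEM public key and check the signature.
func verifyWithPEM(pubPEM, digest, sig []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return fmt.Errorf("no PUBLIC KEY PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", pub)
	}
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest, sig)
}

// endorseAndVerify: generate a signing key, endorse a constructed measurement digest, verify via the PEM public key.
func endorseAndVerify() error {
	s := newMemSigner()
	const name = "keyVersions/signing-1" // constructed key version name
	if _, err := s.generateKey(name, 2048); err != nil {
		return err
	}
	digest := sha256.Sum256([]byte("constructed golden measurement"))
	sig, err := s.sign(name, digest[:], crypto.SHA256)
	if err != nil {
		return err
	}
	pubPEM, err := s.publicKeyPEM(name)
	if err != nil {
		return err
	}
	return verifyWithPEM(pubPEM, digest[:], sig)
}
```

The verifier only ever sees the PEM public key, which is the shape the package's PublicKey and RsaPublicKeyToPEM suggest; the private key never leaves the signer, and the single-option check in sign rejects any digest or hash the signer was not built for rather than silently signing it.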