Documentation
Overview
Package registry provides a container that, for each supported key type, holds a corresponding KeyManager object, which can generate new keys or instantiate the primitive corresponding to a given key.
The Registry is initialized at startup and is later used to instantiate primitives for given keys or keysets. Keeping the KeyManagers for all primitives in a single Registry (rather than having a separate KeyManager per primitive) enables modular construction of compound primitives from "simple" ones, e.g., AES-CTR-HMAC AEAD encryption uses IND-CPA encryption and a MAC.
Note that regular users will usually not work directly with the Registry, but rather via primitive factories, which in the background query the Registry for specific KeyManagers. The Registry is public, though, to enable configurations with custom primitives and KeyManagers.
Index
- func ClearKMSClients()
- func NewKey(kt *tinkpb.KeyTemplate) (proto.Message, error)
- func NewKeyData(kt *tinkpb.KeyTemplate) (*tinkpb.KeyData, error)
- func Primitive(typeURL string, sk []byte) (interface{}, error)
- func PrimitiveFromKeyData(kd *tinkpb.KeyData) (interface{}, error)
- func RegisterKMSClient(k KMSClient)
- func RegisterKeyManager(km KeyManager) error
- type KMSClient
- type KeyManager
- type PrivateKeyManager
Constants
This section is empty.
Variables
This section is empty.
Functions
func ClearKMSClients (added in v1.6.0)
func ClearKMSClients()
ClearKMSClients removes all registered KMS clients.
func NewKey
func NewKey(kt *tinkpb.KeyTemplate) (proto.Message, error)
NewKey generates a new key for the given key template.
func NewKeyData
func NewKeyData(kt *tinkpb.KeyTemplate) (*tinkpb.KeyData, error)
NewKeyData generates a new KeyData for the given key template.
func Primitive
func Primitive(typeURL string, sk []byte) (interface{}, error)
Primitive creates a new primitive for the given serialized key using the KeyManager identified by the given typeURL. Note that the returned primitive does not add or remove the output prefix; it is the caller's responsibility to handle this correctly, based on the key's output_prefix_type.
func PrimitiveFromKeyData
func PrimitiveFromKeyData(kd *tinkpb.KeyData) (interface{}, error)
PrimitiveFromKeyData creates a new primitive for the key contained in the given KeyData. Note that the returned primitive does not add or remove the output prefix; it is the caller's responsibility to handle this correctly, based on the key's output_prefix_type.
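The output-prefix handling that the notes on Primitive and PrimitiveFromKeyData leave to the caller, as an added example that is not part of the registry package (Tink's own helper for this lives in its cryptofmt package): it computes the prefix Tink uses for a key's output_prefix_type and key id, and checks and strips that prefix before input is handed to the raw primitive. The OutputPrefixType values mirror the tinkpb enum; the byte layout is Tink's standard one (start byte plus big-endian key id, nothing for RAW).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)

// OutputPrefixType mirrors tinkpb.OutputPrefixType (UNKNOWN_PREFIX=0 omitted).
type OutputPrefixType int32

const (
	Tink    OutputPrefixType = 1
	Legacy  OutputPrefixType = 2
	Raw     OutputPrefixType = 3
	Crunchy OutputPrefixType = 4
)

// OutputPrefix returns the bytes the caller must put in front of the raw
// primitive's output (ciphertext, MAC tag or signature): TINK is 0x01 followed
// by the big-endian key id, LEGACY and CRUNCHY are 0x00 followed by the key id,
// and RAW has no prefix at all.
func OutputPrefix(t OutputPrefixType, keyID uint32) ([]byte, error) {
	if t == Raw {
		return []byte{}, nil
	}
	if t != Tink && t != Legacy && t != Crunchy {
		return nil, errors.New("unknown output_prefix_type")
	}
	p := make([]byte, 5) // start byte + 4-byte key id
	if t == Tink {
		p[0] = 0x01
	}
	binary.BigEndian.PutUint32(p[1:], keyID)
	return p, nil
}

// StripOutputPrefix is the caller-side step before feeding input to the raw
// primitive: an input whose prefix does not match this key's type and id was
// produced under a different key and is rejected instead of being passed on.
func StripOutputPrefix(t OutputPrefixType, keyID uint32, in []byte) ([]byte, error) {
	p, err := OutputPrefix(t, keyID)
	if err != nil {
		return nil, err
	}
	if len(in) < len(p) || !bytes.Equal(in[:len(p)], p) {
		return nil, errors.New("output prefix does not match key")
	}
	return in[len(p):], nil
}
```

On the producing side the caller simply prepends the result of OutputPrefix to whatever the raw primitive returned.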
func RegisterKMSClient
func RegisterKMSClient(k KMSClient)
RegisterKMSClient is used to register a new KMS client.
func RegisterKeyManager
func RegisterKeyManager(km KeyManager) error
RegisterKeyManager registers the given key manager. It does not allow overwriting existing key managers.
Types
type KMSClient
type KMSClient interface {
	// Supported returns true if this client supports keyURI.
	Supported(keyURI string) bool
	// GetAEAD gets an AEAD backend by keyURI.
	GetAEAD(keyURI string) (tink.AEAD, error)
}
KMSClient knows how to produce primitives backed by keys stored in remote KMS services.
func GetKMSClient
GetKMSClient fetches a KMSClient by a given URI.
type KeyManager
type KeyManager interface {
	// Primitive constructs a primitive instance for the key given in serializedKey, which must be a
	// serialized key protocol buffer handled by this manager.
	Primitive(serializedKey []byte) (interface{}, error)
	// NewKey generates a new key according to the specification in serializedKeyFormat, which must be
	// supported by this manager.
	NewKey(serializedKeyFormat []byte) (proto.Message, error)
	// DoesSupport returns true iff this KeyManager supports the key type identified by typeURL.
	DoesSupport(typeURL string) bool
	// TypeURL returns the type URL that identifies the key type of keys managed by this key manager.
	TypeURL() string
	// NewKeyData generates a new KeyData according to the specification in serializedKeyFormat.
	// This should be used solely by the key management API.
	NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error)
}
KeyManager "understands" keys of a specific key type: it can generate keys of a supported type and create primitives for supported keys. A key type is identified by the global name of the protocol buffer that holds the corresponding key material, and is given by the type_url field of the KeyData protocol buffer.
func GetKeyManager
func GetKeyManager(typeURL string) (KeyManager, error)
GetKeyManager returns the key manager for the given typeURL, if one is registered.
type PrivateKeyManager
type PrivateKeyManager interface {
	KeyManager
	// PublicKeyData extracts the public key data from the private key.
	PublicKeyData(serializedKey []byte) (*tinkpb.KeyData, error)
}
PrivateKeyManager is a special type of KeyManager that understands private key types.