Documentation ¶
Index ¶
- type BatchCrypto
- type BatchCryptoPayload
- type EncryptedFormatter
- func (e *EncryptedFormatter) Deformat(_ string, formattedValue []byte, _ ...spi.Tag) (string, []byte, []spi.Tag, error)
- func (e *EncryptedFormatter) Format(key string, value []byte, tags ...spi.Tag) (string, []byte, []spi.Tag, error)
- func (e *EncryptedFormatter) UsesDeterministicKeyFormatting() bool
- type EncryptedFormatterOption
- type MACCrypto
- type MACDigester
- type PerfCrypto
- type RESTProvider
- func (r *RESTProvider) Close() error
- func (r *RESTProvider) GetOpenStores() []spi.Store
- func (r *RESTProvider) GetStoreConfig(name string) (spi.StoreConfiguration, error)
- func (r *RESTProvider) OpenStore(name string) (spi.Store, error)
- func (r *RESTProvider) SetStoreConfig(name string, config spi.StoreConfiguration) error
- type RESTProviderOption
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BatchCrypto ¶
type BatchCrypto struct {
// contains filtered or unexported fields
}
BatchCrypto computes, in a single call, all the cryptographic operations an EDV document needs (MACs, JWE encryption and key wrapping).
func NewBatchCrypto ¶
func NewBatchCrypto(macKH, kwKH interface{}, performanceCrypto PerfCrypto) *BatchCrypto
NewBatchCrypto returns a BatchCrypto that computes MACs and EDV-encrypts payloads using the given MAC key handle (macKH), key-wrapping key handle (kwKH) and PerfCrypto implementation.
func (*BatchCrypto) ComputeCrypto ¶
func (e *BatchCrypto) ComputeCrypto(req *BatchCryptoPayload) (*BatchCryptoPayload, error)
ComputeCrypto computes all the MACs and EDV encryptions required for req in one call to the KMS instance.
type BatchCryptoPayload ¶
type BatchCryptoPayload struct {
	Prefix     string    `json:"Prefix,omitempty"`
	DocID      string    `json:"DocID"`
	DocTags    []spi.Tag `json:"DocTags,omitempty"`
	DocPayload string    `json:"DocPayload"`
}
BatchCryptoPayload carries the document ID, tags and document payload that need MACs and EDV encryption, and receives the results.
type EncryptedFormatter ¶
type EncryptedFormatter struct {
// contains filtered or unexported fields
}
EncryptedFormatter formats data for use with an Encrypted Data Vault.
func NewEncryptedFormatter ¶
func NewEncryptedFormatter(jweEncrypter jose.Encrypter, jweDecrypter jose.Decrypter, macCrypto *MACCrypto, options ...EncryptedFormatterOption) *EncryptedFormatter
NewEncryptedFormatter returns a new instance of an EncryptedFormatter.
func (*EncryptedFormatter) Deformat ¶
func (e *EncryptedFormatter) Deformat(_ string, formattedValue []byte, _ ...spi.Tag) (string, []byte, []spi.Tag, error)
Deformat takes formattedValue (which is expected to be a marshalled encrypted document produced by the Format function) and returns the unformatted key, value and tags, all of which are contained in formattedValue. The formatted key and formatted tags passed to this method are ignored: the unformatted key and tags must come from the encrypted document (the formatted value), since they cannot be derived from the formatted key and tags, which are one-way MAC outputs.
func (*EncryptedFormatter) Format ¶
func (e *EncryptedFormatter) Format(key string, value []byte, tags ...spi.Tag) (string, []byte, []spi.Tag, error)
Format returns formatted versions of key, value and tags as follows.

For the formatted key (string): if this EncryptedFormatter was initialized with the WithDeterministicDocumentIDs option, the formatted key (document ID) is generated deterministically, so that it can be derived from the unformatted key. Otherwise, the document ID is generated randomly.

For the formatted value ([]byte): a marshalled EDV encrypted document built from the unformatted key, value and tags.

For the formatted tags ([]spi.Tag): the tag names and values converted to the same format that EDV encrypted indexes use.

In short, Format turns key into an EDV-compatible document ID, turns tag names and values into the format needed for EDV encrypted indexes, and turns key + value + tags into an encrypted document, which is returned as the formatted value.
func (*EncryptedFormatter) UsesDeterministicKeyFormatting ¶
func (e *EncryptedFormatter) UsesDeterministicKeyFormatting() bool
UsesDeterministicKeyFormatting indicates whether this encrypted formatter produces deterministic or random document IDs. See the WithDeterministicDocumentIDs option for details.
type EncryptedFormatterOption ¶
type EncryptedFormatterOption func(opts *EncryptedFormatter)
EncryptedFormatterOption allows for configuration of an EncryptedFormatter.
func WithDeterministicDocumentIDs ¶
func WithDeterministicDocumentIDs() EncryptedFormatterOption
WithDeterministicDocumentIDs indicates whether the document IDs produced by this formatter can be deterministically derived (using an HMAC function) from the unformatted keys. Having deterministic document IDs allows the EDV REST storage provider (and the more general formatted storage provider wrapper in the storageutil module) to operate faster, since a document can be addressed directly by its ID instead of being found through a query. Per the Confidential Storage specification, document IDs are supposed to be randomly generated. Other than the randomness aspect, the document IDs produced by this formatter with this optimization enabled are still in the correct format: Base58-encoded 128-bit values. They should therefore still be accepted by any EDV server, since a server that does not hold the MAC key cannot distinguish a single HMAC-derived ID from a random one. What the server can observe is equality: the same unformatted key always maps to the same document ID, so an observer of the vault can tell that two writes (or a delete followed by a re-create) concern the same key, which random IDs do not reveal. The MAC key must consequently stay on the client side and never be shared with the EDV server.
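The following Go program is an added example illustrating the behaviour described for Format, Deformat and WithDeterministicDocumentIDs; it is not code from this package or from any EDV server. It uses only the standard library: the Tag, plainDoc, encDoc and formatter types, newFormatter, the use of AES-256-GCM in place of JWE, and the use of a single HMAC-SHA256 key for both document IDs and index attributes are assumptions of the example (the real package takes a jose.Encrypter, a jose.Decrypter and a MACCrypto and produces spec-conformant EDV documents). What it shows is the shape of the three outputs: a Base58-encoded 128-bit document ID that is either HMAC-derived or random, index-style tags that are one-way MACs of the names and values, and an encrypted document from which Deformat alone can recover the original key, value and tags.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

// Assumed types: Tag stands in for spi.Tag; plainDoc is what gets encrypted; encDoc is the formatted value.
type (
	Tag      struct{ Name, Value string }
	plainDoc struct{ Key string; Value []byte; Tags []Tag }
	encDoc   struct{ ID string; Nonce, Ciphertext []byte }
)

// formatter is an assumed toy stand-in for EncryptedFormatter (not the package's code): HMAC-SHA256 for IDs and indexes, AES-256-GCM in place of JWE.
type formatter struct {
	macKey        []byte
	aead          cipher.AEAD
	deterministic bool // mirrors WithDeterministicDocumentIDs
}

func newFormatter(macKey, encKey []byte, deterministic bool) (*formatter, error) {
	block, err := aes.NewCipher(encKey) // encKey must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &formatter{macKey: macKey, aead: aead, deterministic: deterministic}, err
}

const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58 encodes b as EDV document IDs are encoded; leading zero bytes become '1'.
func base58(b []byte) string {
	n, mod, out := new(big.Int).SetBytes(b), new(big.Int), []byte{}
	for n.Sign() > 0 {
		n.DivMod(n, big.NewInt(58), mod)
		out = append([]byte{b58[mod.Int64()]}, out...)
	}
	for i := 0; i < len(b) && b[i] == 0; i++ {
		out = append([]byte{b58[0]}, out...)
	}
	return string(out)
}

func (f *formatter) mac(s string) []byte {
	h := hmac.New(sha256.New, f.macKey)
	h.Write([]byte(s))
	return h.Sum(nil)
}

// documentID is a Base58-encoded 128-bit value: HMAC(key)[:16] when deterministic (equal keys give equal IDs), 16 random bytes otherwise.
func (f *formatter) documentID(key string) string {
	id := make([]byte, 16)
	if f.deterministic {
		copy(id, f.mac(key))
	} else {
		rand.Read(id) // on Go 1.24+ crypto/rand.Read cannot return an error (it aborts the process instead)
	}
	return base58(id)
}

// Format: key -> document ID, tags -> HMAC'd index attributes, key+value+tags -> encrypted document (the ID is bound as AAD).
func (f *formatter) Format(key string, value []byte, tags ...Tag) (string, []byte, []Tag, error) {
	id := f.documentID(key)
	plain, _ := json.Marshal(plainDoc{Key: key, Value: value, Tags: tags}) // cannot fail: only strings, bytes and tags
	nonce := make([]byte, f.aead.NonceSize())
	rand.Read(nonce)
	ct := f.aead.Seal(nil, nonce, plain, []byte(id))
	fTags := make([]Tag, len(tags))
	for i, t := range tags {
		enc := base64.RawURLEncoding
		fTags[i] = Tag{Name: enc.EncodeToString(f.mac(t.Name)), Value: enc.EncodeToString(f.mac(t.Value))}
	}
	formatted, err := json.Marshal(encDoc{ID: id, Nonce: nonce, Ciphertext: ct})
	return id, formatted, fTags, err
}

// Deformat needs only the encrypted document: HMAC'd IDs and tags are one-way, so the originals ride inside the ciphertext.
func (f *formatter) Deformat(formatted []byte) (string, []byte, []Tag, error) {
	var doc encDoc
	if err := json.Unmarshal(formatted, &doc); err != nil {
		return "", nil, nil, err
	}
	plain, err := f.aead.Open(nil, doc.Nonce, doc.Ciphertext, []byte(doc.ID))
	if err != nil {
		return "", nil, nil, err // wrong key, tampered ciphertext, or an ID swapped onto another document
	}
	var p plainDoc
	err = json.Unmarshal(plain, &p)
	return p.Key, p.Value, p.Tags, err
}
```

Calling Format twice on the same key with deterministic set to true returns the same document ID (the equality leak discussed above), while the random mode returns a fresh ID each time; the formatted tags are 43-character base64url HMAC outputs that cannot be reversed to the original names and values; and Deformat, given just the formatted value, rebuilds the original key, value and tags, failing cleanly if a ciphertext byte was altered or the document ID was moved to another document.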
func WithEDVBatchCrypto ¶
func WithEDVBatchCrypto(batchCrypto *BatchCrypto) EncryptedFormatterOption
WithEDVBatchCrypto adds support for executing the MAC computations, JWE encryption and key wrapping in one batch call to a remote KMS server. If set, the encryption and MACCrypto operations that Format would otherwise execute locally are not run; the BatchCrypto handles them instead.
type MACCrypto ¶
type MACCrypto struct {
// contains filtered or unexported fields
}
MACCrypto is used for computing MACs.
func NewMACCrypto ¶
func NewMACCrypto(kh interface{}, macDigester MACDigester) *MACCrypto
NewMACCrypto returns a new instance of a MACCrypto.
type MACDigester ¶
MACDigester represents a type that can compute MACs.
type PerfCrypto ¶
type PerfCrypto interface {
BatchCrypto(req *BatchCryptoPayload, macKH, encKH interface{}) (*BatchCryptoPayload, error)
}
PerfCrypto computes all the MACs and the JWE encryption plus key wrapping in one call, as a performance optimization that avoids a separate round trip per operation.
type RESTProvider ¶
type RESTProvider struct {
// contains filtered or unexported fields
}
RESTProvider is a spi.Provider that can be used to store data in a server supporting the data vault HTTP API as defined in https://identity.foundation/confidential-storage/#http-api.
func NewRESTProvider ¶
func NewRESTProvider(edvServerURL, vaultID string, formatter *EncryptedFormatter, options ...RESTProviderOption) *RESTProvider
NewRESTProvider returns a new RESTProvider. edvServerURL is the base URL for the EDV server. vaultID is the ID of the vault where this provider will store data. The vault must be created in advance, and since the EDV REST API does not provide a method to check if a vault with a given ID exists, any errors due to a non-existent vault will be deferred until calls are actually made to it in the store.
func (*RESTProvider) Close ¶
func (r *RESTProvider) Close() error
Close always returns a nil error since there's nothing to close for a RESTProvider.
func (*RESTProvider) GetOpenStores ¶
func (r *RESTProvider) GetOpenStores() []spi.Store
GetOpenStores returns all currently open stores.
func (*RESTProvider) GetStoreConfig ¶
func (r *RESTProvider) GetStoreConfig(name string) (spi.StoreConfiguration, error)
GetStoreConfig returns the store configuration currently stored in memory.
func (*RESTProvider) OpenStore ¶
func (r *RESTProvider) OpenStore(name string) (spi.Store, error)
OpenStore opens a new RESTStore, using name as the namespace.
func (*RESTProvider) SetStoreConfig ¶
func (r *RESTProvider) SetStoreConfig(name string, config spi.StoreConfiguration) error
SetStoreConfig isn't needed for EDV storage, since indexes are managed by the server automatically based on the tags used in values. This method simply keeps the configuration in memory so that it can be retrieved later via GetStoreConfig, for consistency with how other store implementations work. The configuration is therefore not persisted: it is lost when the process exits and is not visible to other RESTProvider instances. TODO (#2492): store the store config in persistent EDV storage for true consistency with other store implementations.
type RESTProviderOption ¶
type RESTProviderOption func(opts *RESTProvider)
RESTProviderOption allows for configuration of a RESTProvider.
func WithBatchEndpointExtension ¶
func WithBatchEndpointExtension() RESTProviderOption
WithBatchEndpointExtension option is a performance optimization that allows for restStore.Batch to only require one REST call. The EDV server that this RESTProvider connects to must support the TrustBloc EDV server extension as defined here: https://github.com/trustbloc/edv/blob/main/docs/extensions.md#batch-endpoint.
func WithFullDocumentsReturnedFromQueries ¶
func WithFullDocumentsReturnedFromQueries() RESTProviderOption
WithFullDocumentsReturnedFromQueries option is a performance optimization that speeds up queries by getting full documents from the EDV server instead of only document locations - each of which would require a separate REST call to retrieve. The EDV server that this RESTProvider connects to must support the TrustBloc EDV server extension as defined here: https://github.com/trustbloc/edv/blob/main/docs/extensions.md#return-full-documents-on-query.
func WithHeaders ¶
func WithHeaders(addHeadersFunc addHeaders) RESTProviderOption
WithHeaders sets a function that supplies additional HTTP request headers. Because it is a function rather than a fixed set of headers, it can be invoked when requests are made and can, for example, call a remote authorization server to obtain the credentials needed for those headers.
func WithTLSConfig ¶
func WithTLSConfig(tlsConfig *tls.Config) RESTProviderOption
WithTLSConfig sets the tls.Config used by the provider's HTTP transport, for example to trust a specific CA bundle or to present a client certificate to the EDV server.