Documentation
¶
Index ¶
- Constants
- func CreateKID(keyBytes []byte, kt kms.KeyType) (string, error)
- type CryptoBox
- func (b *CryptoBox) Easy(payload, nonce, theirPub []byte, myKID string) ([]byte, error)
- func (b *CryptoBox) EasyOpen(cipherText, nonce, theirPub, myPub []byte) ([]byte, error)
- func (b *CryptoBox) Seal(payload, theirEncPub []byte, randSource io.Reader) ([]byte, error)
- func (b *CryptoBox) SealOpen(cipherText, myPub []byte) ([]byte, error)
- type LocalKMS
- func (l *LocalKMS) Create(kt kms.KeyType) (string, interface{}, error)
- func (l *LocalKMS) CreateAndExportPubKeyBytes(kt kms.KeyType) (string, []byte, error)
- func (l *LocalKMS) ExportPubKeyBytes(id string) ([]byte, kms.KeyType, error)
- func (l *LocalKMS) Get(keyID string) (interface{}, error)
- func (l *LocalKMS) ImportPrivateKey(privKey interface{}, kt kms.KeyType, opts ...kms.PrivateKeyOpts) (string, interface{}, error)
- func (l *LocalKMS) PubKeyBytesToHandle(pubKey []byte, kt kms.KeyType) (interface{}, error)
- func (l *LocalKMS) Rotate(kt kms.KeyType, keyID string) (string, interface{}, error)
- type PubKeyWriter
Constants ¶
const (
// Namespace is the keystore's DB storage namespace.
Namespace = "kmsdb"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CryptoBox ¶ added in v0.1.4
type CryptoBox struct {
// contains filtered or unexported fields
}
CryptoBox provides an elliptic-curve-based authenticated encryption scheme
Payloads are encrypted using symmetric encryption (XChacha20Poly1305) using a shared key derived from a shared secret created by
Curve25519 Elliptic Curve Diffie-Hellman key exchange.
CryptoBox is created by a KMS, and reads secret keys from the KMS
for encryption/decryption, so clients do not need to see the secrets themselves.
func NewCryptoBox ¶ added in v0.1.4
func NewCryptoBox(w kms.KeyManager) (*CryptoBox, error)
NewCryptoBox creates a CryptoBox which provides crypto box encryption using the given KMS's key.
func (*CryptoBox) Easy ¶ added in v0.1.4
Easy seals a message with a provided nonce theirPub is used as a public key, while myPub is used to identify the private key that should be used.
func (*CryptoBox) EasyOpen ¶ added in v0.1.4
EasyOpen unseals a message sealed with Easy, where the nonce is provided theirPub is the public key used to decrypt directly, while myPub is used to identify the private key to be used.
func (*CryptoBox) Seal ¶ added in v0.1.4
Seal seals a payload using the equivalent of libsodium box_seal
Generates an ephemeral keypair to use for the sender, and includes the ephemeral sender public key in the message.
type LocalKMS ¶
type LocalKMS struct {
// contains filtered or unexported fields
}
LocalKMS implements kms.KeyManager to provide key management capabilities using a local db. It uses an underlying secret lock service (default local secretLock) to wrap (encrypt) keys prior to storing them.
func NewWithPrefix ¶ added in v0.1.6
NewWithPrefix will create a new (local) KMS service using a store name prefixed with storePrefix.
func (*LocalKMS) Create ¶
Create a new key/keyset/key handle for the type kt Returns:
- keyID of the handle
- handle instance (to private key)
- error if failure
func (*LocalKMS) CreateAndExportPubKeyBytes ¶ added in v0.1.4
CreateAndExportPubKeyBytes will create a key of type kt and export its public key in raw bytes and returns it. The key must be an asymmetric key. Returns:
- keyID of the new handle created.
- marshalled public key []byte
- error if it fails to export the public key bytes
func (*LocalKMS) ExportPubKeyBytes ¶ added in v0.1.3
ExportPubKeyBytes will fetch a key referenced by id then gets its public key in raw bytes and returns it. The key must be an asymmetric key. Returns:
- marshalled public key []byte
- error if it fails to export the public key bytes
func (*LocalKMS) Get ¶
Get key handle for the given keyID Returns:
- handle instance (to private key)
- error if failure
func (*LocalKMS) ImportPrivateKey ¶ added in v0.1.3
func (l *LocalKMS) ImportPrivateKey(privKey interface{}, kt kms.KeyType, opts ...kms.PrivateKeyOpts) (string, interface{}, error)
ImportPrivateKey will import privKey into the KMS storage for the given keyType then returns the new key id and the newly persisted Handle. 'privKey' possible types are: *ecdsa.PrivateKey and ed25519.PrivateKey 'keyType' possible types are signing key types only (ECDSA keys or Ed25519) 'opts' allows setting the keysetID of the imported key using WithKeyID() option. If the ID is already used, then an error is returned. Returns:
- keyID of the handle
- handle instance (to private key)
- error if import failure (key empty, invalid, doesn't match keyType, unsupported keyType or storing key failed)
func (*LocalKMS) PubKeyBytesToHandle ¶ added in v0.1.3
PubKeyBytesToHandle will create and return a key handle for pubKey of type kt it returns an error if it failed creating the key handle Note: The key handle created is not stored in the KMS, it's only useful to execute the crypto primitive associated with it.
type PubKeyWriter ¶ added in v0.1.3
type PubKeyWriter struct {
// KeyType is Key Type of the written key. It's needed as Write() is an interface function and can't return it.
KeyType kms.KeyType
// contains filtered or unexported fields
}
PubKeyWriter will write the raw bytes of a Tink KeySet's primary public key The keyset must be one of the keyURLs defined above Note: Only signing public keys and ecdh key types created in tinkcrypto can be exported through this PubKeyWriter. ECHDES has its own Writer to export its public keys due to cyclic dependency.
func NewWriter ¶ added in v0.1.3
func NewWriter(w io.Writer) *PubKeyWriter
NewWriter creates a new PubKeyWriter instance.
func (*PubKeyWriter) Write ¶ added in v0.1.3
func (p *PubKeyWriter) Write(keyset *tinkpb.Keyset) error
Write writes the public keyset to the underlying w.Writer.
func (*PubKeyWriter) WriteEncrypted ¶ added in v0.1.3
func (p *PubKeyWriter) WriteEncrypted(keyset *tinkpb.EncryptedKeyset) error
WriteEncrypted writes the encrypted keyset to the underlying w.Writer.
Source Files
Directories