keysutil

package
v0.10.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 25, 2018 License: MPL-2.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// DefaultCacheSize is used if no cache size is specified for
	// NewEncryptedKeyStorage. This value is the number of cache entries to
	// store, not the size in bytes of the cache.
	DefaultCacheSize = 16 * 1024

	// DefaultPrefix is used if no prefix is specified for
	// NewEncryptedKeyStorage. Prefix must be defined so we can provide context
	// for the base folder.
	DefaultPrefix = "encryptedkeys/"

	// EncryptedKeyPolicyVersionTpl is a template that can be used to minimize
	// the amount of data that's stored with the ciphertext.
	EncryptedKeyPolicyVersionTpl = "{{version}}:"
)
View Source
const (
	Kdf_hmac_sha256_counter = iota // built-in helper
	Kdf_hkdf_sha256                // golang.org/x/crypto/hkdf
)

Careful with iota; don't put anything before it in this const block because we need the default of zero to be the old-style KDF

View Source
const (
	KeyType_AES256_GCM96 = iota
	KeyType_ECDSA_P256
	KeyType_ED25519
	KeyType_RSA2048
	KeyType_RSA4096
	KeyType_ChaCha20_Poly1305
)

Or this one...we need the default of zero to be the original AES256-GCM96

View Source
const (
	// ErrTooOld is returned whtn the ciphertext or signatures's key version is
	// too old.
	ErrTooOld = "ciphertext or signature version is disallowed by policy (too old)"

	// DefaultVersionTemplate is used when no version template is provided.
	DefaultVersionTemplate = "vault:v{{version}}:"
)

Variables

View Source
var (
	// ErrPolicyDerivedKeys is returned if the provided policy does not use
	// derived keys. This is a requirement for this storage implementation.
	ErrPolicyDerivedKeys = errors.New("key policy must use derived keys")

	// ErrPolicyConvergentEncryption is returned if the provided policy does not use
	// convergent encryption. This is a requirement for this storage implementation.
	ErrPolicyConvergentEncryption = errors.New("key policy must use convergent encryption")

	// ErrPolicyConvergentVersion is returned if the provided policy does not use
	// a new enough convergent version. This is a requirement for this storage
	// implementation.
	ErrPolicyConvergentVersion = errors.New("key policy must use convergent version > 2")

	// ErrNilStorage is returned if the provided storage is nil.
	ErrNilStorage = errors.New("nil storage provided")

	// ErrNilPolicy is returned if the provided policy is nil.
	ErrNilPolicy = errors.New("nil policy provided")
)

Functions

func Base62Decode added in v0.9.6

func Base62Decode(input string) []byte

func Base62Encode added in v0.9.6

func Base62Encode(buf []byte) string

Types

type BackupInfo added in v0.9.1

type BackupInfo struct {
	Time    time.Time `json:"time"`
	Version int       `json:"version"`
}

type EncryptedKeyStorageConfig added in v0.9.6

type EncryptedKeyStorageConfig struct {
	// Policy is the key policy to use to encrypt the key paths.
	Policy *Policy

	// Prefix is the storage prefix for this instance of the EncryptedKeyStorage
	// object. This is stored in plaintext. If not set the DefaultPrefix will be
	// used.
	Prefix string

	// CacheSize is the number of elements to cache. If not set the
	// DetaultCacheSize will be used.
	CacheSize int
}

EncryptedKeyStorageConfig is used to configure an EncryptedKeyStorage object.

type EncryptedKeyStorageWrapper added in v0.9.6

type EncryptedKeyStorageWrapper struct {
	// contains filtered or unexported fields
}

func NewEncryptedKeyStorageWrapper added in v0.9.6

func NewEncryptedKeyStorageWrapper(config EncryptedKeyStorageConfig) (*EncryptedKeyStorageWrapper, error)

NewEncryptedKeyStorageWrapper takes an EncryptedKeyStorageConfig and returns a new EncryptedKeyStorage object.

func (*EncryptedKeyStorageWrapper) Wrap added in v0.9.6

type KeyData added in v0.9.1

type KeyData struct {
	Policy       *Policy       `json:"policy"`
	ArchivedKeys *archivedKeys `json:"archived_keys"`
}

type KeyEntry

type KeyEntry struct {
	// AES or some other kind that is a pure byte slice like ED25519
	Key []byte `json:"key"`

	// Key used for HMAC functions
	HMACKey []byte `json:"hmac_key"`

	// Time of creation
	CreationTime time.Time `json:"time"`

	EC_X *big.Int `json:"ec_x"`
	EC_Y *big.Int `json:"ec_y"`
	EC_D *big.Int `json:"ec_d"`

	RSAKey *rsa.PrivateKey `json:"rsa_key"`

	// The public key in an appropriate format for the type of key
	FormattedPublicKey string `json:"public_key"`

	// This is deprecated (but still filled) in favor of the value above which
	// is more precise
	DeprecatedCreationTime int64 `json:"creation_time"`
}

KeyEntry stores the key and metadata

type KeyType

type KeyType int

func (KeyType) DecryptionSupported

func (kt KeyType) DecryptionSupported() bool

func (KeyType) DerivationSupported

func (kt KeyType) DerivationSupported() bool

func (KeyType) EncryptionSupported

func (kt KeyType) EncryptionSupported() bool

func (KeyType) HashSignatureInput added in v0.7.3

func (kt KeyType) HashSignatureInput() bool

func (KeyType) SigningSupported

func (kt KeyType) SigningSupported() bool

func (KeyType) String

func (kt KeyType) String() string

type LockManager

type LockManager struct {
	// contains filtered or unexported fields
}

func NewLockManager

func NewLockManager(cacheDisabled bool) *LockManager

func (*LockManager) BackupPolicy added in v0.9.1

func (lm *LockManager) BackupPolicy(ctx context.Context, storage logical.Storage, name string) (string, error)

func (*LockManager) CacheActive

func (lm *LockManager) CacheActive() bool

func (*LockManager) DeletePolicy

func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage, name string) error

func (*LockManager) GetPolicyExclusive

func (lm *LockManager) GetPolicyExclusive(ctx context.Context, storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)

Get the policy with an exclusive lock

func (*LockManager) GetPolicyShared

func (lm *LockManager) GetPolicyShared(ctx context.Context, storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)

Get the policy with a read lock. If we get an error saying an exclusive lock is needed (for instance, for an upgrade/migration), give up the read lock, call again with an exclusive lock, then swap back out for a read lock.

func (*LockManager) GetPolicyUpsert

func (lm *LockManager) GetPolicyUpsert(ctx context.Context, req PolicyRequest) (*Policy, *sync.RWMutex, bool, error)

Get the policy with a read lock; if it returns that an exclusive lock is needed, retry. If successful, call one more time to get a read lock and return the value.

func (*LockManager) InvalidatePolicy added in v0.7.0

func (lm *LockManager) InvalidatePolicy(name string)

func (*LockManager) RestorePolicy added in v0.9.1

func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string) error

RestorePolicy acquires an exclusive lock on the policy name and restores the given policy along with the archive.

func (*LockManager) UnlockPolicy

func (lm *LockManager) UnlockPolicy(lock *sync.RWMutex, lockType bool)

func (*LockManager) UpdateCache added in v0.9.1

func (lm *LockManager) UpdateCache(name string, policy *Policy)

type Policy

type Policy struct {
	Name string      `json:"name"`
	Key  []byte      `json:"key,omitempty"` //DEPRECATED
	Keys keyEntryMap `json:"keys"`

	// Derived keys MUST provide a context and the master underlying key is
	// never used. If convergent encryption is true, the context will be used
	// as the nonce as well.
	Derived              bool `json:"derived"`
	KDF                  int  `json:"kdf"`
	ConvergentEncryption bool `json:"convergent_encryption"`

	// Whether the key is exportable
	Exportable bool `json:"exportable"`

	// The minimum version of the key allowed to be used for decryption
	MinDecryptionVersion int `json:"min_decryption_version"`

	// The minimum version of the key allowed to be used for encryption
	MinEncryptionVersion int `json:"min_encryption_version"`

	// The latest key version in this policy
	LatestVersion int `json:"latest_version"`

	// The latest key version in the archive. We never delete these, so this is
	// a max.
	ArchiveVersion int `json:"archive_version"`

	// Whether the key is allowed to be deleted
	DeletionAllowed bool `json:"deletion_allowed"`

	// The version of the convergent nonce to use
	ConvergentVersion int `json:"convergent_version"`

	// The type of key
	Type KeyType `json:"type"`

	// BackupInfo indicates the information about the backup action taken on
	// this policy
	BackupInfo *BackupInfo `json:"backup_info"`

	// RestoreInfo indicates the information about the restore action taken on
	// this policy
	RestoreInfo *RestoreInfo `json:"restore_info"`

	// AllowPlaintextBackup allows taking backup of the policy in plaintext
	AllowPlaintextBackup bool `json:"allow_plaintext_backup"`

	// VersionTemplate is used to prefix the ciphertext with information about
	// the key version. It must inclide {{version}} and a delimiter between the
	// version prefix and the ciphertext.
	VersionTemplate string `json:"version_template"`

	// StoragePrefix is used to add a prefix when storing and retrieving the
	// policy object.
	StoragePrefix string `json:"storage_prefix"`
	// contains filtered or unexported fields
}

Policy is the struct used to store metadata

func LoadPolicy added in v0.9.6

func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, error)

LoadPolicy will load a policy from the provided storage path and set the necessary un-exported variables. It is particularly useful when accessing a policy without the lock manager.

func NewPolicy added in v0.9.6

func NewPolicy(config PolicyConfig) *Policy

NewPolicy takes a policy config and returns a Policy with those settings.

func (*Policy) Backup added in v0.9.1

func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out string, retErr error)

Backup should be called with an exclusive lock held on the policy

func (*Policy) Decrypt

func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)

func (*Policy) DeriveKey

func (p *Policy) DeriveKey(context []byte, ver int) ([]byte, error)

DeriveKey is used to derive the encryption key that should be used depending on the policy. If derivation is disabled the raw key is used and no context is required, otherwise the KDF mode is used with the context to derive the proper key.

func (*Policy) Encrypt

func (p *Policy) Encrypt(ver int, context, nonce []byte, value string) (string, error)

func (*Policy) HMACKey

func (p *Policy) HMACKey(version int) ([]byte, error)

func (*Policy) LoadArchive

func (p *Policy) LoadArchive(ctx context.Context, storage logical.Storage) (*archivedKeys, error)

func (*Policy) MigrateKeyToKeysMap

func (p *Policy) MigrateKeyToKeysMap()

func (*Policy) NeedsUpgrade

func (p *Policy) NeedsUpgrade() bool

func (*Policy) Persist

func (p *Policy) Persist(ctx context.Context, storage logical.Storage) (retErr error)

func (*Policy) Rotate

func (p *Policy) Rotate(ctx context.Context, storage logical.Storage) (retErr error)

func (*Policy) Serialize

func (p *Policy) Serialize() ([]byte, error)

func (*Policy) Sign

func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm, sigAlgorithm string) (*SigningResult, error)

func (*Policy) Upgrade

func (p *Policy) Upgrade(ctx context.Context, storage logical.Storage) (retErr error)

func (*Policy) VerifySignature

func (p *Policy) VerifySignature(context, input []byte, sig, hashAlgorithm string, sigAlgorithm string) (bool, error)

type PolicyConfig added in v0.9.6

type PolicyConfig struct {
	// The name of the policy
	Name string `json:"name"`

	// The type of key
	Type KeyType

	// Derived keys MUST provide a context and the master underlying key is
	// never used. If convergent encryption is true, the context will be used
	// as the nonce as well.
	Derived              bool
	KDF                  int
	ConvergentEncryption bool

	// Whether the key is exportable
	Exportable bool

	// Whether the key is allowed to be deleted
	DeletionAllowed bool

	// AllowPlaintextBackup allows taking backup of the policy in plaintext
	AllowPlaintextBackup bool

	// VersionTemplate is used to prefix the ciphertext with information about
	// the key version. It must inclide {{version}} and a delimiter between the
	// version prefix and the ciphertext.
	VersionTemplate string

	// StoragePrefix is used to add a prefix when storing and retrieving the
	// policy object.
	StoragePrefix string
}

PolicyConfig is used to create a new policy

type PolicyRequest

type PolicyRequest struct {
	// The storage to use
	Storage logical.Storage

	// The name of the policy
	Name string

	// The key type
	KeyType KeyType

	// Whether it should be derived
	Derived bool

	// Whether to enable convergent encryption
	Convergent bool

	// Whether to allow export
	Exportable bool

	// Whether to upsert
	Upsert bool

	// Whether to allow plaintext backup
	AllowPlaintextBackup bool
}

PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.

type RestoreInfo added in v0.9.1

type RestoreInfo struct {
	Time    time.Time `json:"time"`
	Version int       `json:"version"`
}

type SigningResult added in v0.7.3

type SigningResult struct {
	Signature string
	PublicKey []byte
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL