Documentation ¶
Overview ¶
Package awskms implements a crypto.Signer and a crypto.Decrypter backed by keys held in AWS's KMS service.
A KMS key has a single usage, so signing and decryption need separate keys. For example, to create suitable RSA 2048-bit keys:
`aws kms create-key --customer-master-key-spec RSA_2048 --key-usage SIGN_VERIFY`
`aws kms create-key --customer-master-key-spec RSA_2048 --key-usage ENCRYPT_DECRYPT`
(`--customer-master-key-spec` is the older name of the `--key-spec` option; current AWS CLI versions accept both.)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Decrypter ¶
type Decrypter struct {
// contains filtered or unexported fields
}
Decrypter implements a crypto.Decrypter that uses an RSA key stored in AWS KMS. It should be initialized via NewDecrypter.
func NewDecrypter ¶
NewDecrypter will configure a new Decrypter using the given KMS client, bound to the given key, which must have been created with key usage ENCRYPT_DECRYPT. This requires connectivity to the KMS service at construction time, because the public key is retrieved (via GetPublicKey) and cached.
func (*Decrypter) Decrypt ¶
func (d *Decrypter) Decrypt(rand io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error)
Decrypt decrypts msg, which must be a ciphertext produced under the key's public key with an RSAES-OAEP algorithm KMS supports. A *DecrypterOpts can be passed to select the algorithm. If opts is nil, EncryptionAlgorithmOaepSha256 will be used. Note that the DecrypterOpts documentation states a different default (RSAES_OAEP_SHA_1) for an unset EncryptionAlgorithm; since KMS rejects a Decrypt call whose algorithm does not match the one used to encrypt, set EncryptionAlgorithm explicitly rather than relying on either default.
type DecrypterOpts ¶
type DecrypterOpts struct {
	// Context sets the context for remote calls.
	Context context.Context
	// EncryptionAlgorithm indicates the encryption algorithm that was used
	// to produce the ciphertext. KMS requires it to match exactly.
	// If not set, defaults to types.EncryptionAlgorithmSpecRsaesOaepSha1
	EncryptionAlgorithm kmstypes.EncryptionAlgorithmSpec
}
DecrypterOpts implements crypto.DecrypterOpts for this Decrypter
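The point of Decrypt and DecrypterOpts above is that the OAEP hash requested at decryption time has to match the one used at encryption time. The following added example is not part of the awskms package: it uses an in-memory RSA key as a stand-in for KMS (the OAEPAlgorithm, LocalOpts, LocalDecrypter and RoundTrip names are assumptions made here), but keeps the same crypto.Decrypter contract, so the matching, default and mismatched cases can be run offline.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
	"io"
)

// OAEPAlgorithm names the RSAES-OAEP variants KMS offers. It is an
// assumption of this example; the real package takes a
// kmstypes.EncryptionAlgorithmSpec from the AWS SDK.
type OAEPAlgorithm string

const (
	OAEPSHA1   OAEPAlgorithm = "RSAES_OAEP_SHA_1"
	OAEPSHA256 OAEPAlgorithm = "RSAES_OAEP_SHA_256"
)

// LocalOpts plays the role of awskms.DecrypterOpts: a context for the
// remote call plus the algorithm the ciphertext was produced with.
type LocalOpts struct {
	Context             context.Context
	EncryptionAlgorithm OAEPAlgorithm
}

// LocalDecrypter stands in for awskms.Decrypter. The private key lives in
// memory instead of in KMS, but callers see the same crypto.Decrypter.
type LocalDecrypter struct{ key *rsa.PrivateKey }

// NewLocalDecrypter generates a fresh RSA key; the real NewDecrypter would
// instead call GetPublicKey for an existing KMS key.
func NewLocalDecrypter(bits int) (*LocalDecrypter, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &LocalDecrypter{key: key}, nil
}

// Public returns the RSA public key, which is all an encrypting party needs.
func (d *LocalDecrypter) Public() crypto.PublicKey { return &d.key.PublicKey }

// Decrypt follows the documented behaviour: nil or unset opts mean
// OAEP-SHA-256, otherwise the algorithm in opts is used. A mismatch with the
// algorithm used to encrypt fails, just as KMS rejects such a Decrypt call.
func (d *LocalDecrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	alg := OAEPSHA256
	if o, ok := opts.(*LocalOpts); ok && o != nil && o.EncryptionAlgorithm != "" {
		alg = o.EncryptionAlgorithm
	}
	h, err := oaepHash(alg)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(h, nil, d.key, ciphertext, nil)
}

func oaepHash(alg OAEPAlgorithm) (hash.Hash, error) {
	switch alg {
	case OAEPSHA1:
		return sha1.New(), nil
	case OAEPSHA256:
		return sha256.New(), nil
	}
	return nil, errors.New("unsupported encryption algorithm: " + string(alg))
}

// Encrypt is what a client does before the ciphertext ever reaches KMS: it
// needs only the public key and must remember which OAEP hash it used.
func Encrypt(pub *rsa.PublicKey, alg OAEPAlgorithm, msg []byte) ([]byte, error) {
	h, err := oaepHash(alg)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(h, rand.Reader, pub, msg, nil)
}

// RoundTrip encrypts msg under encAlg and decrypts it requesting decAlg, so
// the matching and mismatching cases can both be observed.
func RoundTrip(d *LocalDecrypter, encAlg, decAlg OAEPAlgorithm, msg []byte) ([]byte, error) {
	ct, err := Encrypt(d.Public().(*rsa.PublicKey), encAlg, msg)
	if err != nil {
		return nil, err
	}
	return d.Decrypt(nil, ct, &LocalOpts{Context: context.Background(), EncryptionAlgorithm: decAlg})
}

func main() {
	d, err := NewLocalDecrypter(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample plaintext") // constructed input for the demo
	pt, err := RoundTrip(d, OAEPSHA256, OAEPSHA256, msg)
	fmt.Printf("matching algorithms: %q err=%v\n", pt, err)
	_, err = RoundTrip(d, OAEPSHA256, OAEPSHA1, msg)
	fmt.Printf("mismatched algorithms: err=%v\n", err)
}
```

The mismatched call fails at the OAEP decoding step with a generic decryption error, which is the same amount of information KMS gives back: the ciphertext is not identifiable as "SHA-1" or "SHA-256", so the encrypting side has to record the algorithm alongside the ciphertext and the decrypting side has to pass it in DecrypterOpts.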
type KMSClient ¶
type KMSClient interface {
	GetPublicKey(context.Context, *kms.GetPublicKeyInput, ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
	Sign(context.Context, *kms.SignInput, ...func(*kms.Options)) (*kms.SignOutput, error)
	Decrypt(context.Context, *kms.DecryptInput, ...func(*kms.Options)) (*kms.DecryptOutput, error)
}
KMSClient describes the KMS operations this module requires. It will normally be satisfied by the aws-sdk-go-v2 *kms.Client, but any implementation can be passed, for example a fake client in tests, since only these three calls are made.
type KeyInfo ¶
type KeyInfo struct {
	// ID contains the ID of the key.
	ID string
	// ARN contains the AWS Resource Name for the KMS key.
	ARN string
	// Alias contains the key alias that was used to retrieve the key, if it
	// was retrieved by an alias. Otherwise, it will be empty. The alias/
	// prefix is stripped.
	Alias string
}
KeyInfo contains information about the underlying KMS key.
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer is a crypto.Signer that uses an AWS KMS backed key. It should be initialized via NewSigner.
func NewSigner ¶
NewSigner will configure a new Signer using the given KMS client, bound to the given key, which must have been created with key usage SIGN_VERIFY. This requires connectivity to the KMS service at construction time, because the public key is retrieved (via GetPublicKey) and cached.
func (*Signer) Sign ¶
func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign signs digest with the private key held in KMS. As with any crypto.Signer, digest must already be the hash of the message, computed with the hash named in opts; the message itself is never sent. By default, for an RSA key a PKCS#1 v1.5 signature is returned, and for an EC key a DER-serialised ASN.1 signature structure. If the passed options are a *rsa.PSSOptions, the RSA key will return a PSS signature. If a *SignerOpts is passed, its Options field is unwrapped and treated as if it had been passed directly.
A hash must be specified via opts, and it must correspond to a hash the KMS service supports for the key's algorithm.
rand is unused: the signature is produced inside KMS, so no local randomness is consumed.
type SignerOpts ¶
type SignerOpts struct {
	// Context to use for remote calls.
	Context context.Context
	// Options to use to select algorithm etc. This can not be nil.
	Options crypto.SignerOpts
}
SignerOpts implements crypto.SignerOpts for this Signer. It wraps the Options that actually select the algorithm, which Sign unwraps and applies as described in the Sign method docs; its purpose is to carry a context for the remote call through the crypto.Signer interface.
func (*SignerOpts) HashFunc ¶
func (s *SignerOpts) HashFunc() crypto.Hash
HashFunc is unused: it exists only so that *SignerOpts satisfies crypto.SignerOpts. Sign uses the HashFunc of the wrapped Options instead, or, if Options is nil, behaves as if no options were passed at all.
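The Sign and SignerOpts docs above describe a contract with three parts: the caller hands over a digest (not the message) together with the hash it was made with, *rsa.PSSOptions switches RSA from PKCS#1 v1.5 to PSS, and a *SignerOpts wrapper is unwrapped to its Options. The following added example is not part of the awskms package: it implements that contract with an in-memory RSA key standing in for KMS (LocalSigner, NewLocalSigner, Verify and SignAndVerify are names assumed here, and this SignerOpts is a local copy of the shape shown above), and verifies the result with only the public key, the way a relying party holding the key fetched from KMS would.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SignerOpts mirrors awskms.SignerOpts: a Context for the remote call and
// the wrapped Options that actually select hash and padding.
type SignerOpts struct {
	Context context.Context
	Options crypto.SignerOpts
}

// HashFunc exists only so *SignerOpts satisfies crypto.SignerOpts; Sign
// unwraps Options and never consults this value.
func (o *SignerOpts) HashFunc() crypto.Hash { return 0 }

// LocalSigner stands in for awskms.Signer with an in-memory RSA key
// (an assumption of this example; the real key never leaves KMS).
type LocalSigner struct{ key *rsa.PrivateKey }

func NewLocalSigner(bits int) (*LocalSigner, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &LocalSigner{key: key}, nil
}

func (s *LocalSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

// Sign applies the documented rules: unwrap *SignerOpts, require a hash,
// insist on a digest of that hash's size, and pick PSS only for *rsa.PSSOptions.
func (s *LocalSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if w, ok := opts.(*SignerOpts); ok && w != nil {
		opts = w.Options // treat the wrapped options as if passed directly
	}
	if opts == nil || opts.HashFunc() == 0 {
		return nil, errors.New("a hash is required")
	}
	h := opts.HashFunc()
	// KMS signs a caller-supplied digest; a wrong length almost always means
	// the caller passed the message rather than its hash.
	if len(digest) != h.Size() {
		return nil, fmt.Errorf("digest is %d bytes, %s needs %d", len(digest), h, h.Size())
	}
	if pss, ok := opts.(*rsa.PSSOptions); ok {
		return rsa.SignPSS(rand.Reader, s.key, h, digest, pss)
	}
	return rsa.SignPKCS1v15(nil, s.key, h, digest)
}

// Verify is the relying party's side: only the public key, same scheme.
func Verify(pub *rsa.PublicKey, h crypto.Hash, digest, sig []byte, pss bool) error {
	if pss {
		return rsa.VerifyPSS(pub, h, digest, sig, nil)
	}
	return rsa.VerifyPKCS1v15(pub, h, digest, sig)
}

// SignAndVerify hashes msg locally, signs the digest through the
// crypto.Signer interface, then checks it under the intended scheme and,
// to show the two are not interchangeable, under the other one.
func SignAndVerify(s *LocalSigner, msg []byte, usePSS bool) (bool, error) {
	digest := sha256.Sum256(msg)
	var opts crypto.SignerOpts = crypto.SHA256
	if usePSS {
		// KMS's RSASSA_PSS_* algorithms use a salt as long as the digest.
		opts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	}
	sig, err := s.Sign(nil, digest[:], &SignerOpts{Context: context.Background(), Options: opts})
	if err != nil {
		return false, err
	}
	pub := s.Public().(*rsa.PublicKey)
	if err := Verify(pub, crypto.SHA256, digest[:], sig, usePSS); err != nil {
		return false, err
	}
	if Verify(pub, crypto.SHA256, digest[:], sig, !usePSS) == nil {
		return false, errors.New("signature verified under the wrong padding scheme")
	}
	return true, nil
}

func main() {
	s, err := NewLocalSigner(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input for the demo
	ok, err := SignAndVerify(s, msg, true)
	fmt.Printf("PSS: ok=%v err=%v\n", ok, err)
	_, err = s.Sign(nil, msg, crypto.SHA256) // message passed instead of its digest
	fmt.Println("unhashed message rejected:", err)
}
```

Two habits carry over directly to the real Signer: always hash before calling Sign (callers that pass the raw message get a signature over the wrong bytes, or, with a length check like the one above, an error), and verify with the same scheme the signer used, since a PSS signature does not verify as PKCS#1 v1.5 and vice versa.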