secrets

package
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 12, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package api implements the key manager management API and common data types.

Index

Constants

View Source
const (

	// ChecksumSize is the length of checksum in bytes.
	ChecksumSize = 32

	// KeyPairIDSize is the size of a key pair ID in bytes.
	KeyPairIDSize = 32
)
View Source
const (
	// GasOpUpdatePolicy is the gas operation identifier for policy updates
	// costs.
	GasOpUpdatePolicy transaction.Op = "update_policy"
	// GasOpPublishMasterSecret is the gas operation identifier for publishing
	// key manager master secret.
	GasOpPublishMasterSecret transaction.Op = "publish_master_secret"
	// GasOpPublishEphemeralSecret is the gas operation identifier for publishing
	// key manager ephemeral secret.
	GasOpPublishEphemeralSecret transaction.Op = "publish_ephemeral_secret"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is a gRPC keymanager secrets client.

type ConsensusParameterChanges

type ConsensusParameterChanges struct {
	// GasCosts are the new gas costs.
	GasCosts transaction.Costs `json:"gas_costs,omitempty"`
}

ConsensusParameterChanges are allowed key manager consensus parameter changes.

type ConsensusParameters

type ConsensusParameters struct {
	GasCosts transaction.Costs `json:"gas_costs,omitempty"`
}

ConsensusParameters are the key manager consensus parameters.

type EnclavePolicySGX

type EnclavePolicySGX struct {
	// MayQuery is the map of runtime IDs to the vector of enclave IDs that
	// may query private key material.
	//
	// TODO: This could be made more sophisticated and seggregate based on
	// contract ID as well, but for now punt on the added complexity.
	MayQuery map[common.Namespace][]sgx.EnclaveIdentity `json:"may_query"`

	// MayReplicate is the vector of enclave IDs that may retrieve the master
	// secret (Note: Each enclave ID may always implicitly replicate from other
	// instances of itself).
	MayReplicate []sgx.EnclaveIdentity `json:"may_replicate"`
}

EnclavePolicySGX is the per-SGX key manager enclave ID access control policy.

type EncryptedEphemeralSecret

type EncryptedEphemeralSecret struct {
	// ID is the runtime ID of the key manager.
	ID common.Namespace `json:"runtime_id"`

	// Epoch is the epoch to which the secret belongs.
	Epoch beacon.EpochTime `json:"epoch"`

	// Secret is the encrypted secret.
	Secret EncryptedSecret `json:"secret"`
}

EncryptedEphemeralSecret is an encrypted ephemeral secret.

type EncryptedMasterSecret

type EncryptedMasterSecret struct {
	// ID is the runtime ID of the key manager.
	ID common.Namespace `json:"runtime_id"`

	// Generation is the generation of the secret.
	Generation uint64 `json:"generation"`

	// Epoch is the epoch in which the secret was created.
	Epoch beacon.EpochTime `json:"epoch"`

	// Secret is the encrypted secret.
	Secret EncryptedSecret `json:"secret"`
}

EncryptedMasterSecret is an encrypted master secret.

type EncryptedSecret

type EncryptedSecret struct {
	// Checksum is the secret verification checksum.
	Checksum []byte `json:"checksum"`

	// PubKey is the public key used to derive the symmetric key for decryption.
	PubKey x25519.PublicKey `json:"pub_key"`

	// Ciphertexts is the map of REK encrypted secrets.
	Ciphertexts map[x25519.PublicKey][]byte `json:"ciphertexts"`
}

EncryptedSecret is a secret encrypted with Deoxys-II MRAE algorithm.

func (*EncryptedSecret) MarshalJSON

func (es *EncryptedSecret) MarshalJSON() ([]byte, error)

XXX: Nexus-specific addition/hack. We implement MarshalJSON here because the the encoding/json library does not recognize the x25519.PublicKey type as a valid map key.

type EphemeralKeyRequest

type EphemeralKeyRequest struct {
	Height    *uint64          `json:"height"`
	ID        common.Namespace `json:"runtime_id"`
	KeyPairID KeyPairID        `json:"key_pair_id"`
	Epoch     beacon.EpochTime `json:"epoch"`
}

EphemeralKeyRequest is the ephemeral key RPC request, sent to the key manager enclave.

type EphemeralSecretPublishedEvent

type EphemeralSecretPublishedEvent struct {
	Secret *SignedEncryptedEphemeralSecret
}

EphemeralSecretPublishedEvent is the key manager ephemeral secret published event.

type GenerateEphemeralSecretRequest

type GenerateEphemeralSecretRequest struct {
	Epoch beacon.EpochTime `json:"epoch"`
}

GenerateEphemeralSecretRequest is the generate ephemeral secret RPC request, sent to the key manager enclave.

type GenerateEphemeralSecretResponse

type GenerateEphemeralSecretResponse struct {
	SignedSecret SignedEncryptedEphemeralSecret `json:"signed_secret"`
}

GenerateEphemeralSecretResponse is the RPC response, returned as part of a GenerateEphemeralSecretRequest from the key manager enclave.

type GenerateMasterSecretRequest

type GenerateMasterSecretRequest struct {
	Generation uint64           `json:"generation"`
	Epoch      beacon.EpochTime `json:"epoch"`
}

GenerateMasterSecretRequest is the generate master secret RPC request, sent to the key manager enclave.

type GenerateMasterSecretResponse

type GenerateMasterSecretResponse struct {
	SignedSecret SignedEncryptedMasterSecret `json:"signed_secret"`
}

GenerateMasterSecretResponse is the RPC response, returned as part of a GenerateMasterSecretRequest from the key manager enclave.

type Genesis

type Genesis struct {
	// Parameters are the key manager consensus parameters.
	Parameters ConsensusParameters `json:"params"`

	Statuses []*Status `json:"statuses,omitempty"`
}

Genesis is the key manager management genesis state.

type InitRequest

type InitRequest struct {
	Status Status `json:"status,omitempty"`
}

InitRequest is the initialization RPC request, sent to the key manager enclave.

type InitResponse

type InitResponse struct {
	IsSecure       bool                 `json:"is_secure"`
	Checksum       []byte               `json:"checksum"`
	NextChecksum   []byte               `json:"next_checksum,omitempty"`
	PolicyChecksum []byte               `json:"policy_checksum"`
	RSK            *signature.PublicKey `json:"rsk,omitempty"`
	NextRSK        *signature.PublicKey `json:"next_rsk,omitempty"`
}

InitResponse is the initialization RPC response, returned as part of a SignedInitResponse from the key manager enclave.

type KeyPairID

type KeyPairID [KeyPairIDSize]byte

KeyPairID is a 256-bit key pair identifier.

type LoadEphemeralSecretRequest

type LoadEphemeralSecretRequest struct {
	SignedSecret SignedEncryptedEphemeralSecret `json:"signed_secret"`
}

LoadEphemeralSecretRequest is the load ephemeral secret RPC request, sent to the key manager enclave.

type LoadMasterSecretRequest

type LoadMasterSecretRequest struct {
	SignedSecret SignedEncryptedMasterSecret `json:"signed_secret"`
}

LoadMasterSecretRequest is the load master secret RPC request, sent to the key manager enclave.

type LongTermKeyRequest

type LongTermKeyRequest struct {
	Height     *uint64          `json:"height"`
	ID         common.Namespace `json:"runtime_id"`
	KeyPairID  KeyPairID        `json:"key_pair_id"`
	Generation uint64           `json:"generation"`
}

LongTermKeyRequest is the long-term key RPC request, sent to the key manager enclave.

type MasterSecretPublishedEvent

type MasterSecretPublishedEvent struct {
	Secret *SignedEncryptedMasterSecret
}

MasterSecretPublishedEvent is the key manager master secret published event.

type PolicySGX

type PolicySGX struct {
	// Serial is the monotonically increasing policy serial number.
	Serial uint32 `json:"serial"`

	// ID is the runtime ID that this policy is valid for.
	ID common.Namespace `json:"id"`

	// Enclaves is the per-key manager enclave ID access control policy.
	Enclaves map[sgx.EnclaveIdentity]*EnclavePolicySGX `json:"enclaves"`

	// MasterSecretRotationInterval is the time interval in epochs between master secret rotations.
	// Zero disables rotations.
	MasterSecretRotationInterval beacon.EpochTime `json:"master_secret_rotation_interval,omitempty"`

	// MaxEphemeralSecretAge is the maximum age of an ephemeral secret in the number of epochs.
	MaxEphemeralSecretAge beacon.EpochTime `json:"max_ephemeral_secret_age,omitempty"`
}

PolicySGX is a key manager access control policy for the replicated SGX key manager.

type SignedEncryptedEphemeralSecret

type SignedEncryptedEphemeralSecret struct {
	// Secret is the encrypted ephemeral secret.
	Secret EncryptedEphemeralSecret `json:"secret"`

	// Signature is a signature of the ephemeral secret.
	Signature signature.RawSignature `json:"signature"`
}

SignedEncryptedEphemeralSecret is a RAK signed encrypted ephemeral secret.

type SignedEncryptedMasterSecret

type SignedEncryptedMasterSecret struct {
	// Secret is the encrypted master secret.
	Secret EncryptedMasterSecret `json:"secret"`

	// Signature is a signature of the master secret.
	Signature signature.RawSignature `json:"signature"`
}

SignedEncryptedMasterSecret is a RAK signed encrypted master secret.

type SignedInitResponse

type SignedInitResponse struct {
	InitResponse InitResponse `json:"init_response"`
	Signature    []byte       `json:"signature"`
}

SignedInitResponse is the signed initialization RPC response, returned from the key manager enclave.

type SignedPolicySGX

type SignedPolicySGX struct {
	Policy PolicySGX `json:"policy"`

	Signatures []signature.Signature `json:"signatures"`
}

SignedPolicySGX is a signed SGX key manager access control policy.

type SignedPublicKey

type SignedPublicKey struct {
	Key        x25519.PublicKey       `json:"key"`
	Checksum   []byte                 `json:"checksum"`
	Signature  signature.RawSignature `json:"signature"`
	Expiration *beacon.EpochTime      `json:"expiration,omitempty"`
}

SignedPublicKey is the RPC response, returned as part of an EphemeralKeyRequest from the key manager enclave.

type Status

type Status struct {
	// ID is the runtime ID of the key manager.
	ID common.Namespace `json:"id"`

	// IsInitialized is true iff the key manager is done initializing.
	IsInitialized bool `json:"is_initialized"`

	// IsSecure is true iff the key manager is secure.
	IsSecure bool `json:"is_secure"`

	// Generation is the generation of the latest master secret.
	Generation uint64 `json:"generation,omitempty"`

	// RotationEpoch is the epoch of the last master secret rotation.
	RotationEpoch beacon.EpochTime `json:"rotation_epoch,omitempty"`

	// Checksum is the key manager master secret verification checksum.
	Checksum []byte `json:"checksum"`

	// Nodes is the list of currently active key manager node IDs.
	Nodes []signature.PublicKey `json:"nodes"`

	// Policy is the key manager policy.
	Policy *SignedPolicySGX `json:"policy"`

	// RSK is the runtime signing key of the key manager.
	RSK *signature.PublicKey `json:"rsk,omitempty"`
}

Status is the current key manager status.

type StatusUpdateEvent

type StatusUpdateEvent struct {
	Statuses []*Status
}

StatusUpdateEvent is the keymanager status update event.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL