Documentation ¶
Index ¶
- Constants
- func BuildClientTLSConfig(certPEM, keyPEM, bundlePEM []byte) (*tls.Config, error)
- func BuildDroneTLSConfig(certPEM, keyPEM, bundlePEM []byte, clientAuth string) (*tls.Config, error)
- func CheckKeyType(keyType string) error
- func GeneratePrivateKey(keyType string) (crypto.PrivateKey, error)
- func LoadClientTLSConfig(configDir string, cfg *ClientConfig) (*tls.Config, error)
- func LoadConfig(cfg interface{}, config []byte) error
- func LoadConfigFile(cfg interface{}, configPath string) error
- func LoadDroneTLSConfig(configDir string, cfg *DroneConfig) (*tls.Config, error)
- func LogFail(err error, msg string, args ...interface{})
- func MarshalPKCS8PrivateKey(key crypto.PrivateKey) ([]byte, error)
- func UnmarshalPEMPrivateKey(raw []byte) (crypto.PrivateKey, []byte, error)
- type Client
- type ClientConfig
- type Drone
- type DroneConfig
- type KeyResponse
- type State
Constants ¶
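// Key type names. The listing had been collapsed onto one line, so the first
// "//" comment swallowed every declaration after it; one declaration per line
// restores the block.
// NOTE(review): presumably these are the values accepted as keyType by
// CheckKeyType and GeneratePrivateKey; confirm against their implementations.
const (
	// RSA1024 1024-bit RSA.
	// 1024-bit RSA is below the 2048-bit minimum in current NIST guidance;
	// treat it as legacy-only and prefer RSA2048 or larger for new keys.
	RSA1024 = "RSA1024"
	// RSA2048 2048-bit RSA
	RSA2048 = "RSA2048"
	// RSA4096 4096-bit RSA
	RSA4096 = "RSA4096"
	// ECDSA224 P224 elliptic curve.
	// P-224 gives roughly 112-bit strength, the smallest of the curves listed
	// here; P-256 or larger is the usual choice for new keys.
	ECDSA224 = "ECDSA224"
	// ECDSA256 P256 elliptic curve
	ECDSA256 = "ECDSA256"
	// ECDSA384 P384 elliptic curve
	ECDSA384 = "ECDSA384"
	// ECDSA521 P521 elliptic curve
	ECDSA521 = "ECDSA521"
)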
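// Status codes. They are untyped integer constants numbered by iota
// (0, 1, 2), not values of type error, despite the Err prefix.
// The listing had been collapsed onto one line, which left every declaration
// inside the first "//" comment; one declaration per line restores the block.
const (
	// ErrOK - no error occurred
	ErrOK = iota
	// ErrBadRequest - request was invalid
	ErrBadRequest
	// ErrKeyGen - key generation failed
	ErrKeyGen
)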
Variables ¶
This section is empty.
Functions ¶
func BuildClientTLSConfig ¶
BuildClientTLSConfig constructs a tls.Config from the given PEM-encoded certificate, private key and CA bundle
func BuildDroneTLSConfig ¶
BuildDroneTLSConfig constructs a tls.Config from the given PEM-encoded certificate, private key and CA bundle, and the clientAuth setting
func CheckKeyType ¶
CheckKeyType checks if keyType argument is valid
func GeneratePrivateKey ¶
func GeneratePrivateKey(keyType string) (crypto.PrivateKey, error)
GeneratePrivateKey generates a private key of the given type.
func LoadClientTLSConfig ¶
func LoadClientTLSConfig(configDir string, cfg *ClientConfig) (*tls.Config, error)
LoadClientTLSConfig loads in the x509 parts of the client's configuration
func LoadConfig ¶
LoadConfig unmarshals YAML and populates a config struct
func LoadConfigFile ¶
LoadConfigFile unmarshals the YAML contents of configPath and populates a config struct
func LoadDroneTLSConfig ¶
func LoadDroneTLSConfig(configDir string, cfg *DroneConfig) (*tls.Config, error)
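LoadDroneTLSConfig loads in the x509 parts of the drone's configuration (the drone-side counterpart of LoadClientTLSConfig)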
func MarshalPKCS8PrivateKey ¶
func MarshalPKCS8PrivateKey(key crypto.PrivateKey) ([]byte, error)
MarshalPKCS8PrivateKey encodes a key in PKCS#8 binary
func UnmarshalPEMPrivateKey ¶
func UnmarshalPEMPrivateKey(raw []byte) (crypto.PrivateKey, []byte, error)
UnmarshalPEMPrivateKey decodes a private key from the PEM bytes. It returns the decoded private key along with any remaining bytes.
Types ¶
type Client ¶
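// Client contacts one or more drones and generates keys.
// The listing had been collapsed onto one line, which left the Config field
// inside the "//" comment; it is restored here one declaration per line.
type Client struct {
	// Config contains client's configuration
	Config *ClientConfig
	// contains filtered or unexported fields
}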
Client contacts one or more drones and generates keys
func NewClient ¶
func NewClient(config *ClientConfig) (*Client, error)
NewClient creates a client which contacts one or more drones
type ClientConfig ¶
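// ClientConfig configures a drone client.
// The listing had been collapsed onto one line, which left every field inside
// the first "//" comment; the fields are restored one per line.
type ClientConfig struct {
	// Dir is the directory for the config file, or cwd.
	Dir string
	// Addresses of drones in the cluster
	Addresses []string
	// BufferSize indicates number of keys to keep in the channel at all times
	BufferSize int `mapstructure:"buffer_size"`
	// Certificate file path containing the client's certificate in PEM
	Certificate string
	// PrivateKey file path containing the client's private key in PEM.
	// The file holds key material: keep it readable only by the account that
	// runs the client.
	PrivateKey string `mapstructure:"private_key"`
	// CABundle file path containing the CA certificate bundle in PEM. Used to
	// authenticate drone certificates.
	// NOTE(review): keys appear to be generated by drones and returned to the
	// client, so this bundle decides whose key material the client accepts;
	// it should contain only the CA that issues drone certificates. Confirm.
	CABundle string `mapstructure:"ca_bundle"`
}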
ClientConfig configures a drone client
type Drone ¶
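// Drone defines an RPC service that generates keys.
// The listing had been collapsed onto one line, so the trailing "//" comment
// swallowed the closing brace; it is restored here one declaration per line.
type Drone struct {
	// Config holds the drone's configuration.
	Config *DroneConfig
	// contains filtered or unexported fields
}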
Drone defines an RPC service that generates keys
type DroneConfig ¶
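// DroneConfig configures a Drone.
// The listing had been collapsed onto one line, which left every field inside
// the first "//" comment; the fields are restored one per line.
type DroneConfig struct {
	// Dir is the directory for the config file, or cwd.
	Dir string
	// Address and port to listen on
	Address string
	// Concurrency level
	Concurrency int
	// Certificate file path containing the certificate in PEM
	Certificate string
	// PrivateKey file path containing the private key in PEM.
	// The file holds key material: keep it readable only by the account that
	// runs the drone.
	PrivateKey string `mapstructure:"private_key"`
	// CABundle file path containing the CA certificate bundle in PEM. Used to
	// authenticate client certificates.
	CABundle string `mapstructure:"ca_bundle"`
	// ClientAuth indicates strictness of client authentication.
	// NOTE(review): the accepted values and the default are not shown here;
	// confirm that an empty or unrecognised value does not fall back to a
	// mode that skips client certificate verification.
	ClientAuth string `mapstructure:"client_auth"`
	// ClientCNRegexp is a regular expression to match against the client
	// certificate subject's CommonName.
	// NOTE(review): whether the match is anchored is not visible here; if it
	// is not, a CommonName that merely contains the expected name would pass,
	// so write the pattern with ^ and $. Confirm against the matching code.
	ClientCNRegexp string `mapstructure:"client_cn_regexp"`
}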
DroneConfig configures a Drone
type KeyResponse ¶
KeyResponse is the response for a single RPC request