keysharecore

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 28, 2023 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	JWTIssuerDefault    = "keyshare_server"
	JWTPinExpiryDefault = 5 * 60 // seconds
)
View Source
const ChallengeJWTMaxExpiry = 6 * time.Minute

ChallengeJWTMaxExpiry is the maximum exp (expiry) that we allow JWTs to have with which calls to GenerateChallenge() (i.e. /users/verify_start) are authenticated.

Variables

View Source
var (
	ErrInvalidPin                = errors.New("invalid pin")
	ErrPinTooLong                = errors.New("pin too long")
	ErrInvalidChallenge          = errors.New("challenge out of bounds")
	ErrInvalidJWT                = errors.New("invalid jwt token")
	ErrExpiredJWT                = errors.New("jwt expired")
	ErrKeyNotFound               = errors.New("public key not found")
	ErrUnknownCommit             = errors.New("unknown commit id")
	ErrChallengeResponseRequired = errors.New("challenge-response authentication required")
	ErrWrongChallenge            = errors.New("wrong challenge")
)
View Source
var (
	ErrKeyshareSecretTooBig   = errors.New("Keyshare secret too big to store")
	ErrKeyshareSecretNegative = errors.New("Keyshare secret negative")
	ErrNoSuchKey              = errors.New("Key identifier unknown")
)

Functions

This section is empty.

Types

type AESKey

type AESKey [32]byte

func GenerateDecryptionKey

func GenerateDecryptionKey() (AESKey, error)

type Configuration

type Configuration struct {
	// Keys used for storage encryption/decryption
	DecryptionKey   AESKey
	DecryptionKeyID uint32

	// Key used to sign keyshare protocol messages
	JWTPrivateKey   *rsa.PrivateKey
	JWTPrivateKeyID uint32

	JWTIssuer    string
	JWTPinExpiry int // in seconds
}

type Core

type Core struct {
	// contains filtered or unexported fields
}

func NewKeyshareCore

func NewKeyshareCore(conf *Configuration) *Core

func (*Core) ChangePin

func (c *Core) ChangePin(secrets UserSecrets, jwtt string) (UserSecrets, error)

ChangePin changes the pin in an encrypted keyshare user secret to a new value, after validating that the request was validly signed and that the old value is known by the caller.

func (*Core) ChangePinLegacy added in v0.11.0

func (c *Core) ChangePinLegacy(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error)

ChangePinLegacy is like ChangePin() but for legacy clients that have not yet upgraded to challenge-response.

func (*Core) DangerousAddDecryptionKey

func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey)

DangerousAddDecryptionKey adds an AES key for decryption, with identifier keyID. Calling this will cause all keyshare secrets generated with the key to be trusted.

func (*Core) DangerousAddTrustedPublicKey

func (c *Core) DangerousAddTrustedPublicKey(keyID irma.PublicKeyIdentifier, key *gabikeys.PublicKey)

DangerousAddTrustedPublicKey adds a public key as trusted by keysharecore. Calling this on incorrectly generated key material WILL compromise keyshare secrets!

func (*Core) GenerateChallenge added in v0.11.0

func (c *Core) GenerateChallenge(secrets UserSecrets, jwtt string) ([]byte, error)

func (*Core) GenerateCommitments

func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*gabi.ProofPCommitment, uint64, error)

GenerateCommitments generates keyshare commitments using the specified Idemix public key(s).

func (*Core) GenerateResponse

func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitID uint64, challenge *big.Int, keyID irma.PublicKeyIdentifier) (string, error)

GenerateResponse generates the response of a zero-knowledge proof of the keyshare secret, for a given previous commit and challenge.

func (*Core) NewUserSecrets

func (c *Core) NewUserSecrets(pin string, pk *ecdsa.PublicKey) (UserSecrets, error)

NewUserSecrets generates a new keyshare secret, secured with the given pin.

func (*Core) SetUserPublicKey added in v0.11.0

func (c *Core) SetUserPublicKey(secrets UserSecrets, pin string, pk *ecdsa.PublicKey) (string, UserSecrets, error)

func (*Core) ValidateAuth added in v0.11.0

func (c *Core) ValidateAuth(secrets UserSecrets, jwtt string) (string, error)

ValidateAuth checks pin for validity and generates JWT for future access.

func (*Core) ValidateAuthLegacy added in v0.11.0

func (c *Core) ValidateAuthLegacy(secrets UserSecrets, pin string) (string, error)

ValidateAuthLegacy checks pin for validity and generates JWT for future access.

func (*Core) ValidateJWT

func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error

ValidateJWT checks whether the given JWT is currently valid as an access token for operations on the provided encrypted keyshare user secrets.

type UserSecrets

type UserSecrets []byte

UserSecrets contains the encrypted data of a keyshare user.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL