- Constants
- Variables
- type AESKey
- type Configuration
- type Core
- func (c *Core) ChangePin(secrets UserSecrets, jwtt string) (UserSecrets, error)
- func (c *Core) ChangePinLegacy(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error)
- func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey)
- func (c *Core) DangerousAddTrustedPublicKey(keyID irma.PublicKeyIdentifier, key *gabikeys.PublicKey)
- func (c *Core) GenerateChallenge(secrets UserSecrets, jwtt string) ([]byte, error)
- func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*gabi.ProofPCommitment, uint64, error)
- func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitID uint64, challenge *big.Int, ...) (string, error)
- func (c *Core) NewUserSecrets(pin string, pk *ecdsa.PublicKey) (UserSecrets, error)
- func (c *Core) SetUserPublicKey(secrets UserSecrets, pin string, pk *ecdsa.PublicKey) (string, UserSecrets, error)
- func (c *Core) ValidateAuth(secrets UserSecrets, jwtt string) (string, error)
- func (c *Core) ValidateAuthLegacy(secrets UserSecrets, pin string) (string, error)
- func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error
- type UserSecrets
Constants ¶
const (
	JWTIssuerDefault    = "keyshare_server"
	JWTPinExpiryDefault = 5 * 60 // seconds
)
const ChallengeJWTMaxExpiry = 6 * time.Minute
ChallengeJWTMaxExpiry is the maximum exp (expiry) claim that we allow for the JWTs used to authenticate calls to GenerateChallenge() (i.e. /users/verify_start).
Variables ¶
var (
	ErrInvalidPin                = errors.New("invalid pin")
	ErrPinTooLong                = errors.New("pin too long")
	ErrInvalidChallenge          = errors.New("challenge out of bounds")
	ErrInvalidJWT                = errors.New("invalid jwt token")
	ErrExpiredJWT                = errors.New("jwt expired")
	ErrKeyNotFound               = errors.New("public key not found")
	ErrUnknownCommit             = errors.New("unknown commit id")
	ErrChallengeResponseRequired = errors.New("challenge-response authentication required")
	ErrWrongChallenge            = errors.New("wrong challenge")
)
var (
	ErrNoSuchKey = errors.New("Key identifier unknown")
)
Types ¶
type Configuration ¶
type Core ¶
type Core struct {
// contains filtered or unexported fields
}
func NewKeyshareCore ¶
func NewKeyshareCore(conf *Configuration) *Core
func (*Core) ChangePin ¶
func (c *Core) ChangePin(secrets UserSecrets, jwtt string) (UserSecrets, error)
ChangePin changes the pin in an encrypted keyshare user secret to a new value, after validating that the request is correctly signed and that the caller knows the old value.
func (*Core) ChangePinLegacy ¶ added in v0.11.0
func (c *Core) ChangePinLegacy(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error)
ChangePinLegacy is like ChangePin() but for legacy clients that have not yet upgraded to challenge-response.
func (*Core) DangerousAddDecryptionKey ¶
DangerousAddDecryptionKey adds an AES key for decryption, under the identifier keyID. Calling this causes all keyshare secrets generated with that key to be trusted.
func (*Core) DangerousAddTrustedPublicKey ¶
func (c *Core) DangerousAddTrustedPublicKey(keyID irma.PublicKeyIdentifier, key *gabikeys.PublicKey)
DangerousAddTrustedPublicKey adds a public key as trusted by keysharecore. Calling this on incorrectly generated key material WILL compromise keyshare secrets!
func (*Core) GenerateChallenge ¶ added in v0.11.0
func (c *Core) GenerateChallenge(secrets UserSecrets, jwtt string) ([]byte, error)
func (*Core) GenerateCommitments ¶
func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*gabi.ProofPCommitment, uint64, error)
GenerateCommitments generates keyshare commitments using the specified Idemix public key(s).
func (*Core) GenerateResponse ¶
func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitID uint64, challenge *big.Int, keyID irma.PublicKeyIdentifier) (string, error)
GenerateResponse generates the response of a zero-knowledge proof of the keyshare secret, for the given earlier commitment and challenge.
func (*Core) NewUserSecrets ¶
NewUserSecrets generates a new keyshare secret, secured with the given pin.
func (*Core) SetUserPublicKey ¶ added in v0.11.0
func (c *Core) SetUserPublicKey(secrets UserSecrets, pin string, pk *ecdsa.PublicKey) (string, UserSecrets, error)
func (*Core) ValidateAuth ¶ added in v0.11.0
func (c *Core) ValidateAuth(secrets UserSecrets, jwtt string) (string, error)
ValidateAuth checks the pin for validity and generates a JWT for future access.
func (*Core) ValidateAuthLegacy ¶ added in v0.11.0
func (c *Core) ValidateAuthLegacy(secrets UserSecrets, pin string) (string, error)
ValidateAuthLegacy checks the pin for validity and generates a JWT for future access.
func (*Core) ValidateJWT ¶
func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error
ValidateJWT checks whether the given JWT is currently valid as an access token for operations on the provided encrypted keyshare user secrets.
type UserSecrets ¶
type UserSecrets []byte
UserSecrets contains the encrypted data of a keyshare user.