keysharecore

package
v0.16.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 17, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	JWTIssuerDefault    = "keyshare_server"
	JWTPinExpiryDefault = 5 * 60 // seconds
)
View Source 
const ChallengeJWTMaxExpiry = 6 * time.Minute

ChallengeJWTMaxExpiry is the maximum exp (expiry) that we allow JWTs to have with which calls to GenerateChallenge() (i.e. /users/verify_start) are authenticated.

Variables

View Source 
var (
	ErrInvalidPin                = errors.New("invalid pin")
	ErrPinTooLong                = errors.New("pin too long")
	ErrInvalidChallenge          = errors.New("challenge out of bounds")
	ErrInvalidJWT                = errors.New("invalid jwt token")
	ErrExpiredJWT                = errors.New("jwt expired")
	ErrKeyNotFound               = errors.New("public key not found")
	ErrUnknownCommit             = errors.New("unknown commit id")
	ErrChallengeResponseRequired = errors.New("challenge-response authentication required")
	ErrWrongChallenge            = errors.New("wrong challenge")
)
View Source 
var (
	ErrKeyshareSecretTooBig   = errors.New("Keyshare secret too big to store")
	ErrKeyshareSecretNegative = errors.New("Keyshare secret negative")
	ErrNoSuchKey              = errors.New("Key identifier unknown")
)

Functions

This section is empty.

Types

type AESKey 

type AESKey [32]byte

func GenerateDecryptionKey 

func GenerateDecryptionKey() (AESKey, error)

type Configuration 

type Configuration struct {
	// Keys used for storage encryption/decryption
	DecryptionKey   AESKey
	DecryptionKeyID uint32

	// Key used to sign keyshare protocol messages
	JWTPrivateKey   *rsa.PrivateKey
	JWTPrivateKeyID uint32

	JWTIssuer    string
	JWTPinExpiry int // in seconds
}

type Core 

type Core struct {
	// contains filtered or unexported fields
}

func NewKeyshareCore 

func NewKeyshareCore(conf *Configuration) *Core

func (*Core) ChangePin 

func (c *Core) ChangePin(secrets UserSecrets, jwtt string) (UserSecrets, error)

ChangePin changes the pin in an encrypted keyshare user secret to a new value, after validating that the request was validly signed and that the old value is known by the caller.

func (*Core) ChangePinLegacy added in v0.11.0 

func (c *Core) ChangePinLegacy(secrets UserSecrets, oldpinRaw, newpinRaw string) (UserSecrets, error)

ChangePinLegacy is like ChangePin() but for legacy clients that have not yet upgraded to challenge-response.

func (*Core) DangerousAddDecryptionKey 

func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey)

DangerousAddDecryptionKey adds an AES key for decryption, with identifier keyID. Calling this will cause all keyshare secrets generated with the key to be trusted.

func (*Core) DangerousAddTrustedPublicKey 

func (c *Core) DangerousAddTrustedPublicKey(keyID irma.PublicKeyIdentifier, key *gabikeys.PublicKey)

DangerousAddTrustedPublicKey adds a public key as trusted by keysharecore. Calling this on incorrectly generated key material WILL compromise keyshare secrets!

func (*Core) GenerateChallenge added in v0.11.0 

func (c *Core) GenerateChallenge(secrets UserSecrets, jwtt string) ([]byte, error)

func (*Core) GenerateCommitments 

func (c *Core) GenerateCommitments(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*gabi.ProofPCommitment, uint64, error)

GenerateCommitments generates keyshare commitments using the specified Idemix public key(s).

func (*Core) GeneratePs added in v0.14.0 

func (c *Core) GeneratePs(secrets UserSecrets, accessToken string, keyIDs []irma.PublicKeyIdentifier) ([]*big.Int, error)

GeneratePs generates a list of keyshare server P's, i.e. a list of R_0^keyshareSecret.

func (*Core) GenerateResponse 

func (c *Core) GenerateResponse(secrets UserSecrets, accessToken string, commitID uint64, challenge *big.Int, keyID irma.PublicKeyIdentifier) (string, error)

GenerateResponse generates the response of a zero-knowledge proof of the keyshare secret, for a given previous commit and challenge.

func (*Core) GenerateResponseV2 added in v0.14.0 

func (c *Core) GenerateResponseV2(
	secrets UserSecrets,
	accessToken string,
	commitID uint64,
	hashedComms gabi.KeyshareCommitmentRequest,
	req gabi.KeyshareResponseRequest[irma.PublicKeyIdentifier],
	keyID irma.PublicKeyIdentifier,
	linkable bool) (string, error)

GenerateResponseV2 generates the response of a zero-knowledge proof of the keyshare secret, for a given previous commit and response request. In older versions of the IRMA protocol (2.8 or below), issuers need a response that is linkable to earlier issuance sessions. In this case, the ProofP.P will be set as well. The linkable parameter indicates whether the ProofP.P should be included.

func (*Core) NewUserSecrets 

func (c *Core) NewUserSecrets(pin string, pk *ecdsa.PublicKey) (UserSecrets, error)

NewUserSecrets generates a new keyshare secret, secured with the given pin.

func (*Core) SetUserPublicKey added in v0.11.0 

func (c *Core) SetUserPublicKey(secrets UserSecrets, pin string, pk *ecdsa.PublicKey) (string, UserSecrets, error)

func (*Core) ValidateAuth added in v0.11.0 

func (c *Core) ValidateAuth(secrets UserSecrets, jwtt string) (string, error)

ValidateAuth checks pin for validity and generates JWT for future access.

func (*Core) ValidateAuthLegacy added in v0.11.0 

func (c *Core) ValidateAuthLegacy(secrets UserSecrets, pin string) (string, error)

ValidateAuthLegacy checks pin for validity and generates JWT for future access.

func (*Core) ValidateJWT 

func (c *Core) ValidateJWT(secrets UserSecrets, jwt string) error

ValidateJWT checks whether the given JWT is currently valid as an access token for operations on the provided encrypted keyshare user secrets.

type UserSecrets 

type UserSecrets []byte

UserSecrets contains the encrypted data of a keyshare user.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.