Documentation
¶
Index ¶
- Constants
- type BackupInfo
- type KeyData
- type KeyEntry
- type KeyType
- type LockManager
- func (lm *LockManager) BackupPolicy(ctx context.Context, storage logical.Storage, name string) (string, error)
- func (lm *LockManager) CacheActive() bool
- func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage, name string) error
- func (lm *LockManager) GetPolicyExclusive(ctx context.Context, storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
- func (lm *LockManager) GetPolicyShared(ctx context.Context, storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
- func (lm *LockManager) GetPolicyUpsert(ctx context.Context, req PolicyRequest) (*Policy, *sync.RWMutex, bool, error)
- func (lm *LockManager) InvalidatePolicy(name string)
- func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string) error
- func (lm *LockManager) UnlockPolicy(lock *sync.RWMutex, lockType bool)
- func (lm *LockManager) UpdateCache(name string, policy *Policy)
- type Policy
- func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out string, retErr error)
- func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)
- func (p *Policy) DeriveKey(context []byte, ver int) ([]byte, error)
- func (p *Policy) Encrypt(ver int, context, nonce []byte, value string) (string, error)
- func (p *Policy) HMACKey(version int) ([]byte, error)
- func (p *Policy) LoadArchive(ctx context.Context, storage logical.Storage) (*archivedKeys, error)
- func (p *Policy) MigrateKeyToKeysMap()
- func (p *Policy) NeedsUpgrade() bool
- func (p *Policy) Persist(ctx context.Context, storage logical.Storage) (retErr error)
- func (p *Policy) Rotate(ctx context.Context, storage logical.Storage) (retErr error)
- func (p *Policy) Serialize() ([]byte, error)
- func (p *Policy) Sign(ver int, context, input []byte, algorithm string) (*SigningResult, error)
- func (p *Policy) Upgrade(ctx context.Context, storage logical.Storage) (retErr error)
- func (p *Policy) VerifySignature(context, input []byte, sig, algorithm string) (bool, error)
- type PolicyRequest
- type RestoreInfo
- type SigningResult
Constants ¶
View Source
const ( Kdf_hmac_sha256_counter = iota // built-in helper Kdf_hkdf_sha256 // golang.org/x/crypto/hkdf )
Careful with iota; don't put anything before it in this const block because we need the default of zero to be the old-style KDF
View Source
const ( KeyType_AES256_GCM96 = iota KeyType_ECDSA_P256 KeyType_ED25519 KeyType_RSA2048 KeyType_RSA4096 KeyType_ChaCha20_Poly1305 )
Or this one...we need the default of zero to be the original AES256-GCM96
View Source
const ErrTooOld = "ciphertext or signature version is disallowed by policy (too old)"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BackupInfo ¶ added in v0.9.1
type KeyData ¶ added in v0.9.1
type KeyData struct {
Policy *Policy `json:"policy"`
ArchivedKeys *archivedKeys `json:"archived_keys"`
}
type KeyEntry ¶
type KeyEntry struct {
// AES or some other kind that is a pure byte slice like ED25519
Key []byte `json:"key"`
// Key used for HMAC functions
HMACKey []byte `json:"hmac_key"`
// Time of creation
CreationTime time.Time `json:"time"`
EC_X *big.Int `json:"ec_x"`
EC_Y *big.Int `json:"ec_y"`
EC_D *big.Int `json:"ec_d"`
RSAKey *rsa.PrivateKey `json:"rsa_key"`
// The public key in an appropriate format for the type of key
FormattedPublicKey string `json:"public_key"`
// This is deprecated (but still filled) in favor of the value above which
// is more precise
DeprecatedCreationTime int64 `json:"creation_time"`
}
KeyEntry stores the key and metadata
type KeyType ¶
type KeyType int
func (KeyType) DecryptionSupported ¶
func (KeyType) DerivationSupported ¶
func (KeyType) EncryptionSupported ¶
func (KeyType) HashSignatureInput ¶ added in v0.7.3
func (KeyType) SigningSupported ¶
type LockManager ¶
type LockManager struct {
// contains filtered or unexported fields
}
func NewLockManager ¶
func NewLockManager(cacheDisabled bool) *LockManager
func (*LockManager) BackupPolicy ¶ added in v0.9.1
func (*LockManager) CacheActive ¶
func (lm *LockManager) CacheActive() bool
func (*LockManager) DeletePolicy ¶
func (*LockManager) GetPolicyExclusive ¶
func (lm *LockManager) GetPolicyExclusive(ctx context.Context, storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
Get the policy with an exclusive lock
func (*LockManager) GetPolicyShared ¶
func (lm *LockManager) GetPolicyShared(ctx context.Context, storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)
Get the policy with a read lock. If we get an error saying an exclusive lock is needed (for instance, for an upgrade/migration), give up the read lock, call again with an exclusive lock, then swap back out for a read lock.
func (*LockManager) GetPolicyUpsert ¶
func (lm *LockManager) GetPolicyUpsert(ctx context.Context, req PolicyRequest) (*Policy, *sync.RWMutex, bool, error)
Get the policy with a read lock; if it returns that an exclusive lock is needed, retry. If successful, call one more time to get a read lock and return the value.
func (*LockManager) InvalidatePolicy ¶ added in v0.7.0
func (lm *LockManager) InvalidatePolicy(name string)
func (*LockManager) RestorePolicy ¶ added in v0.9.1
func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string) error
RestorePolicy acquires an exclusive lock on the policy name and restores the given policy along with the archive.
func (*LockManager) UnlockPolicy ¶
func (lm *LockManager) UnlockPolicy(lock *sync.RWMutex, lockType bool)
func (*LockManager) UpdateCache ¶ added in v0.9.1
func (lm *LockManager) UpdateCache(name string, policy *Policy)
type Policy ¶
type Policy struct {
Name string `json:"name"`
Key []byte `json:"key,omitempty"` //DEPRECATED
Keys keyEntryMap `json:"keys"`
// Derived keys MUST provide a context and the master underlying key is
// never used. If convergent encryption is true, the context will be used
// as the nonce as well.
Derived bool `json:"derived"`
KDF int `json:"kdf"`
ConvergentEncryption bool `json:"convergent_encryption"`
// Whether the key is exportable
Exportable bool `json:"exportable"`
// The minimum version of the key allowed to be used for decryption
MinDecryptionVersion int `json:"min_decryption_version"`
// The minimum version of the key allowed to be used for encryption
MinEncryptionVersion int `json:"min_encryption_version"`
// The latest key version in this policy
LatestVersion int `json:"latest_version"`
// The latest key version in the archive. We never delete these, so this is
// a max.
ArchiveVersion int `json:"archive_version"`
// Whether the key is allowed to be deleted
DeletionAllowed bool `json:"deletion_allowed"`
// The version of the convergent nonce to use
ConvergentVersion int `json:"convergent_version"`
// The type of key
Type KeyType `json:"type"`
// BackupInfo indicates the information about the backup action taken on
// this policy
BackupInfo *BackupInfo `json:"backup_info"`
// RestoreInfo indicates the information about the restore action taken on
// this policy
RestoreInfo *RestoreInfo `json:"restore_info"`
// AllowPlaintextBackup allows taking backup of the policy in plaintext
AllowPlaintextBackup bool `json:"allow_plaintext_backup"`
}
Policy is the struct used to store metadata
func (*Policy) Backup ¶ added in v0.9.1
Backup should be called with an exclusive lock held on the policy
func (*Policy) DeriveKey ¶
DeriveKey is used to derive the encryption key that should be used depending on the policy. If derivation is disabled the raw key is used and no context is required, otherwise the KDF mode is used with the context to derive the proper key.
func (*Policy) LoadArchive ¶
func (*Policy) MigrateKeyToKeysMap ¶
func (p *Policy) MigrateKeyToKeysMap()
func (*Policy) NeedsUpgrade ¶
type PolicyRequest ¶
type PolicyRequest struct {
// The storage to use
Storage logical.Storage
// The name of the policy
Name string
// The key type
KeyType KeyType
// Whether it should be derived
Derived bool
// Whether to enable convergent encryption
Convergent bool
// Whether to allow export
Exportable bool
// Whether to upsert
Upsert bool
// Whether to allow plaintext backup
AllowPlaintextBackup bool
}
PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.
type RestoreInfo ¶ added in v0.9.1
type SigningResult ¶ added in v0.7.3
Source Files
Click to show internal directories.
Click to hide internal directories.