apiv1

package
v0.21.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 6, 2022 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Register added in v0.14.5

func Register(t Type, fn KeyManagerNewFunc)

Register adds to the registry a method to create a KeyManager of type t.

Types

type CertificateManager added in v0.14.5

type CertificateManager interface {
	LoadCertificate(req *LoadCertificateRequest) (*x509.Certificate, error)
	StoreCertificate(req *StoreCertificateRequest) error
}

CertificateManager is the interface implemented by the KMS that can load and store x509.Certificates.

type CreateDecrypterRequest added in v0.15.16

type CreateDecrypterRequest struct {
	Decrypter        crypto.Decrypter
	DecryptionKey    string
	DecryptionKeyPEM []byte
	Password         []byte
}

CreateDecrypterRequest is the parameter used in the kms.Decrypt method.

type CreateKeyRequest

type CreateKeyRequest struct {
	// Name represents the key name or label used to identify a key.
	//
	// Used by: awskms, cloudkms, azurekms, pkcs11, yubikey.
	Name string

	// SignatureAlgorithm represents the type of key to create.
	SignatureAlgorithm SignatureAlgorithm

	// Bits is the number of bits on RSA keys.
	Bits int

	// ProtectionLevel specifies how cryptographic operations are performed.
	// Used by: cloudkms, azurekms.
	ProtectionLevel ProtectionLevel

	// Extractable defines if the new key may be exported from the HSM under a
	// wrap key. On pkcs11 sets the CKA_EXTRACTABLE bit.
	//
	// Used by: pkcs11
	Extractable bool
}

CreateKeyRequest is the parameter used in the kms.CreateKey method.

type CreateKeyResponse

type CreateKeyResponse struct {
	Name                string
	PublicKey           crypto.PublicKey
	PrivateKey          crypto.PrivateKey
	CreateSignerRequest CreateSignerRequest
}

CreateKeyResponse is the response value of the kms.CreateKey method.

type CreateSignerRequest

type CreateSignerRequest struct {
	Signer        crypto.Signer
	SigningKey    string
	SigningKeyPEM []byte
	TokenLabel    string
	PublicKey     string
	PublicKeyPEM  []byte
	Password      []byte
}

CreateSignerRequest is the parameter used in the kms.CreateSigner method.

type Decrypter added in v0.15.16

type Decrypter interface {
	CreateDecrypter(req *CreateDecrypterRequest) (crypto.Decrypter, error)
}

Decrypter is an interface implemented by KMSes that are used in operations that require decryption

type ErrAlreadyExists added in v0.15.7

type ErrAlreadyExists struct {
	Message string
}

ErrAlreadyExists is the type of error returned if a key already exists. This is currently only implmented on pkcs11.

func (ErrAlreadyExists) Error added in v0.15.7

func (e ErrAlreadyExists) Error() string

type ErrNotImplemented

type ErrNotImplemented struct {
	Message string
}

ErrNotImplemented is the type of error returned if an operation is not implemented.

func (ErrNotImplemented) Error

func (e ErrNotImplemented) Error() string

type GetPublicKeyRequest

type GetPublicKeyRequest struct {
	Name string
}

GetPublicKeyRequest is the parameter used in the kms.GetPublicKey method.

type KeyManager added in v0.14.5

type KeyManager interface {
	GetPublicKey(req *GetPublicKeyRequest) (crypto.PublicKey, error)
	CreateKey(req *CreateKeyRequest) (*CreateKeyResponse, error)
	CreateSigner(req *CreateSignerRequest) (crypto.Signer, error)
	Close() error
}

KeyManager is the interface implemented by all the KMS.

type KeyManagerNewFunc added in v0.14.5

type KeyManagerNewFunc func(ctx context.Context, opts Options) (KeyManager, error)

KeyManagerNewFunc is the type that represents the method to initialize a new KeyManager.

func LoadKeyManagerNewFunc added in v0.14.5

func LoadKeyManagerNewFunc(t Type) (KeyManagerNewFunc, bool)

LoadKeyManagerNewFunc returns the function initialize a KayManager.

type LoadCertificateRequest added in v0.14.5

type LoadCertificateRequest struct {
	Name string
}

LoadCertificateRequest is the parameter used in the LoadCertificate method of a CertificateManager.

type NameValidator added in v0.17.5

type NameValidator interface {
	ValidateName(s string) error
}

ValidateName is an interface that KeyManager can implement to validate a given name or URI.

type Options

type Options struct {
	// The type of the KMS to use.
	Type string `json:"type"`

	// Path to the credentials file used in CloudKMS and AmazonKMS.
	CredentialsFile string `json:"credentialsFile,omitempty"`

	// URI is based on the PKCS #11 URI Scheme defined in
	// https://tools.ietf.org/html/rfc7512 and represents the configuration used
	// to connect to the KMS.
	//
	// Used by: pkcs11
	URI string `json:"uri,omitempty"`

	// Pin used to access the PKCS11 module. It can be defined in the URI using
	// the pin-value or pin-source properties.
	Pin string `json:"pin,omitempty"`

	// ManagementKey used in YubiKeys. Default management key is the hexadecimal
	// string 010203040506070801020304050607080102030405060708:
	//   []byte{
	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
	//   }
	ManagementKey string `json:"managementKey,omitempty"`

	// Region to use in AmazonKMS.
	Region string `json:"region,omitempty"`

	// Profile to use in AmazonKMS.
	Profile string `json:"profile,omitempty"`
}

Options are the KMS options. They represent the kms object in the ca.json.

func (*Options) Validate

func (o *Options) Validate() error

Validate checks the fields in Options.

type ProtectionLevel

type ProtectionLevel int

ProtectionLevel specifies on some KMS how cryptographic operations are performed.

const (
	// Protection level not specified.
	UnspecifiedProtectionLevel ProtectionLevel = iota
	// Crypto operations are performed in software.
	Software
	// Crypto operations are performed in a Hardware Security Module.
	HSM
)

func (ProtectionLevel) String

func (p ProtectionLevel) String() string

String returns a string representation of p.

type SignatureAlgorithm

type SignatureAlgorithm int

SignatureAlgorithm used for cryptographic signing.

const (
	// Not specified.
	UnspecifiedSignAlgorithm SignatureAlgorithm = iota
	// RSASSA-PKCS1-v1_5 key and a SHA256 digest.
	SHA256WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA384 digest.
	SHA384WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA512 digest.
	SHA512WithRSA
	// RSASSA-PSS key with a SHA256 digest.
	SHA256WithRSAPSS
	// RSASSA-PSS key with a SHA384 digest.
	SHA384WithRSAPSS
	// RSASSA-PSS key with a SHA512 digest.
	SHA512WithRSAPSS
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	ECDSAWithSHA256
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	ECDSAWithSHA384
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	ECDSAWithSHA512
	// EdDSA on Curve25519 with a SHA512 digest.
	PureEd25519
)

func (SignatureAlgorithm) String

func (s SignatureAlgorithm) String() string

String returns a string representation of s.

type StoreCertificateRequest added in v0.14.5

type StoreCertificateRequest struct {
	Name        string
	Certificate *x509.Certificate

	// Extractable defines if the new certificate may be exported from the HSM
	// under a wrap key. On pkcs11 sets the CKA_EXTRACTABLE bit.
	//
	// Used by: pkcs11
	Extractable bool
}

StoreCertificateRequest is the parameter used in the StoreCertificate method of a CertificateManager.

type Type

type Type string

Type represents the KMS type used.

const (
	// DefaultKMS is a KMS implementation using software.
	DefaultKMS Type = ""
	// SoftKMS is a KMS implementation using software.
	SoftKMS Type = "softkms"
	// CloudKMS is a KMS implementation using Google's Cloud KMS.
	CloudKMS Type = "cloudkms"
	// AmazonKMS is a KMS implementation using Amazon AWS KMS.
	AmazonKMS Type = "awskms"
	// PKCS11 is a KMS implementation using the PKCS11 standard.
	PKCS11 Type = "pkcs11"
	// YubiKey is a KMS implementation using a YubiKey PIV.
	YubiKey Type = "yubikey"
	// SSHAgentKMS is a KMS implementation using ssh-agent to access keys.
	SSHAgentKMS Type = "sshagentkms"
	// AzureKMS is a KMS implementation using Azure Key Vault.
	AzureKMS Type = "azurekms"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL