keyring

package v0.32.0

This package is not in the latest version of its module.

Published: Feb 9, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Types

type Config

type Config struct {
	// Name is the unique identifier of this keyring.
	Name string

	// RotationDays is the number of days between automatic rotations. If zero, automatic rotation is disabled.
	RotationDays int

	// MaxOldKeys determines how many old keys (1-254) are kept for validation. This value, multiplied by RotationDays,
	// determines the minimum amount of time a signature remains valid.
	MaxOldKeys int

	// Keys specifies a set of keys to use for encrypting and decrypting the private key.
	Keys Keys
}

Config allows specifying operational parameters of a keyring.

type DB

type DB struct {
	// contains filtered or unexported fields
}

DB implements a Keyring using postgres as the datastore.

func NewDB

func NewDB(ctx context.Context, logger *log.Logger, db *sql.DB, cfg *Config) (*DB, error)

NewDB creates a new postgres-backed keyring.

func (*DB) RotateKeys

func (db *DB) RotateKeys(ctx context.Context) error

RotateKeys will force a key rotation.

func (*DB) Shutdown

func (db *DB) Shutdown(ctx context.Context) error

Shutdown allows gracefully shutting down the keyring (e.g. auto rotations) after finishing any in-progress rotations.

func (*DB) Sign

func (db *DB) Sign(p []byte) ([]byte, error)

Sign will sign a message and return the signature.

func (*DB) SignJWT

func (db *DB) SignJWT(c jwt.Claims) (string, error)

func (*DB) Verify

func (db *DB) Verify(p []byte, signature []byte) (valid, oldKey bool)

Verify will validate the signature and metadata, and optionally length, of a message.

func (*DB) VerifyJWT

func (db *DB) VerifyJWT(s string, c jwt.Claims, iss, aud string) (bool, error)

type Keyring

type Keyring interface {
	RotateKeys(ctx context.Context) error

	Sign(p []byte) ([]byte, error)
	Verify(p []byte, signature []byte) (valid, oldKey bool)

	SignJWT(jwt.Claims) (string, error)
	VerifyJWT(token string, c jwt.Claims, iss, aud string) (bool, error)

	Shutdown(context.Context) error
}

A Keyring allows signing and verifying messages.
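An added illustration of the rotation contract that the Config fields and the Keyring interface describe. This is not code from the keyring package: the in-memory type, the one-byte key-ID prefix on each signature and the use of ed25519 are assumptions made for the example, and the postgres-backed DB, the JWT methods and Shutdown are left out. What it shows is how MaxOldKeys bounds signature lifetime and what the (valid, oldKey) pair from Verify looks like before and after rotations.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

type keyEntry struct {
	id   byte
	priv ed25519.PrivateKey
}

// memKeyring is an assumed in-memory stand-in for a Keyring. The signature
// layout (key ID byte followed by the ed25519 signature) is constructed for
// this example and is not the package's own format.
type memKeyring struct {
	mu         sync.Mutex
	maxOldKeys int        // mirrors Config.MaxOldKeys (1-254)
	nextID     byte
	current    keyEntry
	old        []keyEntry // most recently retired key first
}

func newKeyEntry(id byte) (keyEntry, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return keyEntry{id: id, priv: priv}, err
}

func newMemKeyring(maxOldKeys int) (*memKeyring, error) {
	if maxOldKeys < 1 || maxOldKeys > 254 {
		return nil, errors.New("MaxOldKeys must be between 1 and 254")
	}
	k, err := newKeyEntry(1)
	return &memKeyring{maxOldKeys: maxOldKeys, nextID: 2, current: k}, err
}

// RotateKeys makes a fresh signing key current and retires the previous one.
// Once more than maxOldKeys keys have been retired the oldest is dropped and
// anything it signed stops verifying: with automatic rotation every
// RotationDays, that is the MaxOldKeys * RotationDays lifetime Config describes.
func (m *memKeyring) RotateKeys(ctx context.Context) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	k, err := newKeyEntry(m.nextID)
	if err != nil {
		return err
	}
	m.nextID++ // ID reuse after 255 rotations is ignored in this demo
	m.old = append([]keyEntry{m.current}, m.old...)
	if len(m.old) > m.maxOldKeys {
		m.old = m.old[:m.maxOldKeys]
	}
	m.current = k
	return nil
}

// Sign prefixes the signature with the current key's ID so that Verify can
// select the matching public key after later rotations.
func (m *memKeyring) Sign(p []byte) ([]byte, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	return append([]byte{m.current.id}, ed25519.Sign(m.current.priv, p)...), nil
}

// Verify reports whether the signature checks out and whether it was made by
// a retired (old) key, which a caller may use to trigger re-signing.
func (m *memKeyring) Verify(p, signature []byte) (valid, oldKey bool) {
	if len(signature) != 1+ed25519.SignatureSize {
		return false, false
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	id, sig := signature[0], signature[1:]
	if id == m.current.id {
		return ed25519.Verify(m.current.priv.Public().(ed25519.PublicKey), p, sig), false
	}
	for _, k := range m.old {
		if k.id == id {
			return ed25519.Verify(k.priv.Public().(ed25519.PublicKey), p, sig), true
		}
	}
	return false, false // unknown ID, or a key already dropped by rotation
}

func main() {
	kr, _ := newMemKeyring(1)
	msg := []byte("session token payload") // constructed sample message
	sig, _ := kr.Sign(msg)
	for i := 0; i < 3; i++ {
		valid, old := kr.Verify(msg, sig)
		fmt.Printf("after %d rotation(s): valid=%v oldKey=%v\n", i, valid, old)
		_ = kr.RotateKeys(context.Background())
	}
}
```

With MaxOldKeys set to 1 the signature verifies with oldKey=false before any rotation, with oldKey=true after one rotation, and not at all after the second, which is the window a caller has to re-sign or re-issue long-lived artefacts.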

type Keys

type Keys [][]byte

Keys represents a set of encryption/decryption keys.

func (Keys) Decrypt

func (k Keys) Decrypt(pemData []byte) (data []byte, n int, err error)

Decrypt will decrypt PEM-encoded data using the first successful key. The index of the used key is returned as n.

func (Keys) Encrypt

func (k Keys) Encrypt(label string, data []byte) ([]byte, error)

Encrypt will encrypt and then encode data into PEM-format.
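An added example of the Keys contract described above for Decrypt and Encrypt: new data is sealed under the first key, and Decrypt walks the key list and reports which key opened the data. This is not the package's implementation; the envKeys type, the AES-GCM construction, the nonce-then-ciphertext layout inside the PEM block and the use of the PEM type as additional authenticated data are all assumptions made for the example. The security-relevant detail it shows is that a non-zero index means the data is still protected by an old key and should be re-encrypted before that key is retired.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/pem"
	"errors"
	"fmt"
)

// envKeys is an assumed stand-in for the Keys type: index 0 is the key used
// for new encryptions, later entries are older keys kept so data sealed
// before a key rotation can still be opened. Not the package's own code.
type envKeys [][]byte

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES needs a 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals data with keys[0] under AES-GCM and wraps nonce||ciphertext in
// a PEM block of the given type. The layout is constructed for this example.
func (k envKeys) Encrypt(label string, data []byte) ([]byte, error) {
	if len(k) == 0 {
		return nil, errors.New("no keys configured")
	}
	aead, err := gcmFor(k[0])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Binding the label as additional data means a block that is relabelled
	// (for instance swapped between two configuration entries) fails to open.
	sealed := aead.Seal(nonce, nonce, data, []byte(label))
	return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: sealed}), nil
}

// Decrypt tries each key in order and returns the plaintext together with the
// index of the first key that opened it. A non-zero n tells the caller the data
// is still sealed under an old key and should be re-encrypted with keys[0].
func (k envKeys) Decrypt(pemData []byte) (data []byte, n int, err error) {
	blk, _ := pem.Decode(pemData)
	if blk == nil {
		return nil, 0, errors.New("no PEM block found")
	}
	for i, key := range k {
		aead, err := gcmFor(key)
		if err != nil {
			continue // a malformed key must not stop the remaining keys being tried
		}
		ns := aead.NonceSize()
		if len(blk.Bytes) < ns {
			return nil, 0, errors.New("ciphertext shorter than nonce")
		}
		pt, err := aead.Open(nil, blk.Bytes[:ns], blk.Bytes[ns:], []byte(blk.Type))
		if err == nil {
			return pt, i, nil
		}
	}
	return nil, 0, errors.New("no configured key could decrypt the data")
}

func main() {
	oldKey := bytes.Repeat([]byte{1}, 32) // constructed keys; real ones come from config or a KMS
	newKey := bytes.Repeat([]byte{2}, 32)
	sealed, err := envKeys{oldKey}.Encrypt("EXAMPLE SECRET", []byte("signing-key-material"))
	if err != nil {
		panic(err)
	}
	pt, n, err := envKeys{newKey, oldKey}.Decrypt(sealed)
	fmt.Printf("plaintext=%q keyIndex=%d err=%v\n", pt, n, err)
	if err == nil && n > 0 {
		fmt.Println("sealed under an old key: re-encrypt with keys[0]")
	}
}
```

Because the keys are tried in order, a key that is removed from the front of the list but kept further back continues to open existing data, which is what makes a staged key-encryption-key rotation possible without re-encrypting everything at once.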
