awskms

package
v0.0.0-...-403e7f8
Published: Apr 28, 2024 License: MIT Imports: 11 Imported by: 0

Documentation

Overview

Package awskms implements crypto.Signer and crypto.Decrypter backed by AWS KMS asymmetric keys.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client interface {
	DescribeKey(ctx context.Context, params *kms.DescribeKeyInput, optFns ...func(*kms.Options)) (*kms.DescribeKeyOutput, error)
	GetPublicKey(ctx context.Context, params *kms.GetPublicKeyInput, optFns ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
	Sign(ctx context.Context, params *kms.SignInput, optFns ...func(*kms.Options)) (*kms.SignOutput, error)
	Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error)
}

Client is the subset of the AWS KMS API that this package calls. In AWS SDK v2, service interfaces are not generated, so this interface declares only the four methods Signer and Decrypter need (DescribeKey, GetPublicKey, Sign and Decrypt), which is enough to mock the client in unit tests. It is not a complete interface for the AWS KMS client. Outside of unit tests, pass a *kms.Client from github.com/aws/aws-sdk-go-v2/service/kms, which always satisfies this interface.

This interface may be backward incompatible between minor versions.

type Decrypter

type Decrypter struct {
	// contains filtered or unexported fields
}

Decrypter implements crypto.Decrypter interface backed by AWS KMS asymmetric key. Only keys with ENCRYPT_DECRYPT usage are supported.

func NewDecrypter

func NewDecrypter(ctx context.Context, client Client, keyID string) (*Decrypter, error)

NewDecrypter returns a new Decrypter backed by an AWS KMS asymmetric key which supports decryption. keyID must be either a key ARN or a key alias ARN.

  • Key Usage MUST be set to ENCRYPT_DECRYPT.

The following key specs (algorithms) are supported.

  • RSA_2048
  • RSA_3072
  • RSA_4096

The following encryption algorithms are supported.

  • RSAES_OAEP_SHA_1
  • RSAES_OAEP_SHA_256

The following IAM actions must be allowed on the key for the caller.

  • kms:Decrypt
  • kms:DescribeKey
  • kms:GetPublicKey

See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html for more info.
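The following is an added example, not code from this page or from the cryptokms project. It shows both sides of the exchange a Decrypter takes part in: the sender, holding only Decrypter.Public(), encrypts with RSA-OAEP using the hash that matches the KMS encryption algorithm, and the receiver decrypts through the crypto.Decrypter interface. So that it runs offline, a local *rsa.PrivateKey stands in for *awskms.Decrypter (both satisfy crypto.Decrypter); the helper names, the algorithm-to-hash map and the sample plaintext are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1 so crypto.Hash.New works
	_ "crypto/sha256" // registers crypto.SHA256
	"errors"
	"fmt"
	"log"
)

// oaepHash maps the KMS encryption algorithms listed above to the Go hash that
// must be used on both sides of RSA-OAEP. This map is part of the example.
var oaepHash = map[string]crypto.Hash{
	"RSAES_OAEP_SHA_1":   crypto.SHA1,
	"RSAES_OAEP_SHA_256": crypto.SHA256,
}

// encryptForDecrypter is the sender's side: it only holds d.Public() and the
// KMS encryption algorithm name. The private key never leaves KMS.
func encryptForDecrypter(d crypto.Decrypter, algorithm string, msg []byte) ([]byte, error) {
	pub, ok := d.Public().(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("decrypter is not backed by an RSA key")
	}
	h, ok := oaepHash[algorithm]
	if !ok {
		return nil, fmt.Errorf("unsupported KMS encryption algorithm %q", algorithm)
	}
	// rsa.EncryptOAEP rejects messages longer than k-2*hLen-2 bytes
	// (190 bytes for RSA_2048 with SHA-256): wrap a data key, not bulk data.
	return rsa.EncryptOAEP(h.New(), rand.Reader, pub, msg, nil)
}

// decryptWith is the receiver's side, written against crypto.Decrypter so the
// same code works with *rsa.PrivateKey here and *awskms.Decrypter in production.
// rsa.OAEPOptions.Hash must match the hash used for encryption; a mismatch is
// an error, not a silently wrong plaintext. The rand argument is passed for the
// local key; awskms.Decrypter ignores it.
func decryptWith(d crypto.Decrypter, h crypto.Hash, ciphertext []byte) ([]byte, error) {
	return d.Decrypt(rand.Reader, ciphertext, &rsa.OAEPOptions{Hash: h})
}

func main() {
	// Local 2048-bit key standing in for an RSA_2048 KMS key.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	msg := []byte("constructed 32-byte data key....") // constructed sample plaintext

	ct, err := encryptForDecrypter(key, "RSAES_OAEP_SHA_256", msg)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := decryptWith(key, crypto.SHA256, ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("round trip ok: %q\n", pt)

	// Decrypting with the wrong OAEP hash fails; this is what a disagreement
	// between the KMS EncryptionAlgorithm and the caller's opts looks like.
	_, err = decryptWith(key, crypto.SHA1, ct)
	fmt.Println("SHA-1 against SHA-256 ciphertext:", err)
}
```

The mapping from algorithm name to hash is the one a caller has to get right: KMS selects the decryption algorithm from the opts the Decrypter is given, so the sender's OAEP hash and the receiver's rsa.OAEPOptions.Hash must agree, and the failure case above shows what happens when they do not.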

func (*Decrypter) Algorithm

func (d *Decrypter) Algorithm() cryptokms.Algorithm

Algorithm returns KMS key algorithm.

func (*Decrypter) CreatedAt

func (d *Decrypter) CreatedAt() time.Time

CreatedAt returns the time at which the KMS key was created.

func (*Decrypter) Decrypt

func (d *Decrypter) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)

Decrypt is a wrapper around DecryptContext.

func (*Decrypter) DecryptContext

func (d *Decrypter) DecryptContext(ctx context.Context, _ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)

DecryptContext decrypts the ciphertext with the asymmetric key. The rand parameter is ignored and can be nil.

func (*Decrypter) HashFunc

func (d *Decrypter) HashFunc() crypto.Hash

HashFunc returns the default hash algorithm used for computing the digest. If the underlying KMS key supports multiple hashes, it defaults to the most suitable one; in most AWS KMS cases where multiple decryption algorithms are supported, this is crypto.SHA256.

func (*Decrypter) Public

func (d *Decrypter) Public() crypto.PublicKey

Public returns the public key for the decrypter.

func (*Decrypter) WithContext

func (d *Decrypter) WithContext(ctx context.Context) *Decrypter

WithContext adds the given context to the decrypter.

type Signer

type Signer struct {
	// contains filtered or unexported fields
}

Signer implements crypto.Signer interface backed by AWS KMS asymmetric key. Only keys with SIGN_VERIFY usage are supported.

func NewSigner

func NewSigner(ctx context.Context, client Client, keyID string) (*Signer, error)

NewSigner returns a new Signer backed by an AWS KMS asymmetric key which supports signing. keyID must be either a key ARN or a key alias ARN.

  • Key Usage MUST be set to SIGN_VERIFY.

The following key specs (algorithms) are supported.

  • RSA_2048
  • RSA_3072
  • RSA_4096
  • ECC_NIST_P256
  • ECC_NIST_P384
  • ECC_NIST_P521

The following IAM actions must be allowed on the key for the caller.

  • kms:Sign
  • kms:DescribeKey
  • kms:GetPublicKey

See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html for more info.
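The following is an added example, not code from this page or from the cryptokms project. It shows how a caller uses the crypto.Signer contract that Signer satisfies: compute the digest with the hash reported by HashFunc(), pass the digest (never the raw message) to Sign together with opts that select the scheme, and verify with the key returned by Public(), dispatching on RSA PKCS#1 v1.5, RSA-PSS and ECDSA. So that it runs offline, an in-memory key wrapped in the example's own localSigner type stands in for *awskms.Signer; the hashingSigner interface, the helper names and the sample message are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers crypto.SHA256 for crypto.Hash.New
	_ "crypto/sha512" // registers crypto.SHA384/SHA512 for P-384 and P-521 keys
	"errors"
	"fmt"
	"log"
)

// hashingSigner is the subset of *awskms.Signer used here: crypto.Signer plus
// HashFunc, which reports the digest algorithm the key expects.
type hashingSigner interface {
	crypto.Signer
	HashFunc() crypto.Hash
}

// localSigner is an in-memory stand-in for *awskms.Signer so this runs offline.
// In production, pass the value returned by awskms.NewSigner instead.
type localSigner struct {
	crypto.Signer
	hash crypto.Hash
}

func (l localSigner) HashFunc() crypto.Hash { return l.hash }

// signMessage hashes msg with s.HashFunc() and signs the digest. crypto.Signer
// signs digests, never messages: raw bytes would be signed as if they were a
// digest, and for RSA a digest of the wrong length is rejected outright. pss
// selects RSASSA-PSS instead of PKCS#1 v1.5 for RSA keys; it is ignored for
// ECDSA keys.
func signMessage(s hashingSigner, msg []byte, pss bool) ([]byte, error) {
	h := s.HashFunc()
	hh := h.New()
	hh.Write(msg)
	digest := hh.Sum(nil)

	var opts crypto.SignerOpts = h // crypto.Hash itself satisfies SignerOpts
	if _, isRSA := s.Public().(*rsa.PublicKey); isRSA && pss {
		// Salt length equal to the hash length, the usual RSASSA-PSS choice.
		opts = &rsa.PSSOptions{Hash: h, SaltLength: rsa.PSSSaltLengthEqualsHash}
	}
	// rand is used by the local key only; awskms.Signer ignores it.
	return s.Sign(rand.Reader, digest, opts)
}

// verifySignature is what a relying party holding only Signer.Public() does.
// ECDSA signatures are ASN.1 DER-encoded (r, s), the format produced by
// ecdsa.PrivateKey.Sign and returned by KMS, so VerifyASN1 is the right call;
// a raw r||s concatenation would not verify.
func verifySignature(pub crypto.PublicKey, h crypto.Hash, msg, sig []byte, pss bool) error {
	hh := h.New()
	hh.Write(msg)
	digest := hh.Sum(nil)

	switch k := pub.(type) {
	case *rsa.PublicKey:
		if pss {
			return rsa.VerifyPSS(k, h, digest, sig, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
		}
		return rsa.VerifyPKCS1v15(k, h, digest, sig)
	case *ecdsa.PublicKey:
		if !ecdsa.VerifyASN1(k, digest, sig) {
			return errors.New("ecdsa: signature verification failed")
		}
		return nil
	default:
		return fmt.Errorf("unsupported public key type %T", pub)
	}
}

func main() {
	// Local P-256 key standing in for an ECC_NIST_P256 KMS key.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	s := localSigner{Signer: key, hash: crypto.SHA256}
	msg := []byte("constructed message to sign") // constructed sample input

	sig, err := signMessage(s, msg, false)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("verify original:", verifySignature(s.Public(), s.HashFunc(), msg, sig, false))
	fmt.Println("verify tampered:", verifySignature(s.Public(), s.HashFunc(), []byte("tampered"), sig, false))
}
```

Because both helpers are written against interfaces, the same code path serves a test double and the KMS-backed Signer; the only KMS-specific decisions are which hash to feed in (HashFunc) and which opts to pass, and those are exactly what select the KMS SigningAlgorithm.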

func (*Signer) Algorithm

func (s *Signer) Algorithm() cryptokms.Algorithm

Algorithm returns KMS key algorithm.

func (*Signer) CreatedAt

func (s *Signer) CreatedAt() time.Time

CreatedAt returns the time at which the KMS key was created.

func (*Signer) HashFunc

func (s *Signer) HashFunc() crypto.Hash

HashFunc returns the default hash algorithm used for computing the digest. If multiple signing algorithms are supported, this returns a sane default, typically crypto.SHA256.

func (*Signer) Public

func (s *Signer) Public() crypto.PublicKey

Public returns the public key for the signer.

func (*Signer) Sign

func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Sign is a wrapper around SignContext.

func (*Signer) SignContext

func (s *Signer) SignContext(ctx context.Context, _ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

SignContext signs the given digest with the asymmetric key. The rand parameter is ignored and can be nil.

func (*Signer) WithContext

func (s *Signer) WithContext(ctx context.Context) *Signer

WithContext adds the given context to the signer.
