Documentation
Overview
Package gcpkms implements crypto.Signer and crypto.Decrypter backed by AWS KMS.
Index
- type Client
- type Decrypter
- func (d *Decrypter) Algorithm() cryptokms.Algorithm
- func (d *Decrypter) CreatedAt() time.Time
- func (d *Decrypter) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)
- func (d *Decrypter) DecryptContext(ctx context.Context, _ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)
- func (d *Decrypter) HashFunc() crypto.Hash
- func (d *Decrypter) Public() crypto.PublicKey
- func (d *Decrypter) WithContext(ctx context.Context) *Decrypter
- type Signer
- func (s *Signer) Algorithm() cryptokms.Algorithm
- func (s *Signer) CreatedAt() time.Time
- func (s *Signer) HashFunc() crypto.Hash
- func (s *Signer) Public() crypto.PublicKey
- func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
- func (s *Signer) SignContext(ctx context.Context, _ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
- func (s *Signer) WithContext(ctx context.Context) *Signer
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Client
type Client interface {
	DescribeKey(ctx context.Context, params *kms.DescribeKeyInput, optFns ...func(*kms.Options)) (*kms.DescribeKeyOutput, error)
	GetPublicKey(ctx context.Context, params *kms.GetPublicKeyInput, optFns ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
	Sign(ctx context.Context, params *kms.SignInput, optFns ...func(*kms.Options)) (*kms.SignOutput, error)
	Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error)
}
Client is the AWS KMS asymmetric-key client. For all practical purposes it is equivalent to github.com/aws/aws-sdk-go-v2/service/kms.Client. In AWS SDK v2, service interfaces are not generated, so this interface declares only the small set of AWS KMS client methods this package calls, which allows the client to be mocked in unit tests. It is not a complete interface for the AWS KMS client; it covers only the methods required for testing. Outside of unit tests you can always pass a github.com/aws/aws-sdk-go-v2/service/kms.Client, since that type always implements this interface.
This interface may change in backward-incompatible ways between minor versions.
type Decrypter
type Decrypter struct {
// contains filtered or unexported fields
}
Decrypter implements the crypto.Decrypter interface, backed by an AWS KMS asymmetric key. Only keys with ENCRYPT_DECRYPT usage are supported.
func NewDecrypter
NewDecrypter returns a new Decrypter backed by an AWS KMS asymmetric key that supports decryption. keyID must be either a key ARN or a key alias ARN.
- Key Usage MUST be set to ENCRYPT_DECRYPT.
The following key specs (algorithms) are supported.
- RSA_2048
- RSA_3072
- RSA_4096
The following encryption algorithms are supported.
- RSAES_OAEP_SHA_1
- RSAES_OAEP_SHA_256
The following IAM actions must be allowed on the key for the caller.
- kms:Decrypt
- kms:DescribeKey
- kms:GetPublicKey
See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html for more info.
func (*Decrypter) Decrypt
func (d *Decrypter) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)
Decrypt is a wrapper around DecryptContext.
func (*Decrypter) DecryptContext
func (d *Decrypter) DecryptContext(ctx context.Context, _ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)
DecryptContext decrypts the message with the asymmetric key. The rand parameter is ignored and may be nil.
func (*Decrypter) HashFunc
HashFunc returns the default hash algorithm used for computing the digest. If the underlying KMS key supports multiple hashes, it defaults to the best suitable hash. In most AWS KMS cases where multiple decryption algorithms are supported, this is crypto.SHA256.
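As an added example (not code from the package documented here), the hash-agreement rule in runnable form: whoever encrypts to the key must use RSA-OAEP with the hash that matches the key's encryption algorithm (RSAES_OAEP_SHA_256 means crypto.SHA256), and the Decrypt call must pass rsa.OAEPOptions with that same hash, or decryption fails. LocalDecrypter is a hypothetical in-process stand-in for the package's *Decrypter so the code runs without AWS access; KMSDecrypter names only the methods the example uses (Public, Decrypt, HashFunc), all of which the package's *Decrypter also provides.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // link in the hash behind RSAES_OAEP_SHA_1 ...
	_ "crypto/sha256" // ... and RSAES_OAEP_SHA_256, so crypto.Hash.New does not panic
	"errors"
)

// KMSDecrypter is what this example needs from the package's Decrypter:
// crypto.Decrypter plus HashFunc. Both *Decrypter and *LocalDecrypter satisfy it.
type KMSDecrypter interface {
	crypto.Decrypter
	HashFunc() crypto.Hash
}

// LocalDecrypter is a hypothetical offline stand-in for the KMS-backed Decrypter:
// *rsa.PrivateKey already provides Public and Decrypt, so only HashFunc is added.
type LocalDecrypter struct {
	*rsa.PrivateKey
	Hash crypto.Hash // the key's OAEP hash (RSAES_OAEP_SHA_256 => crypto.SHA256)
}
func (l *LocalDecrypter) HashFunc() crypto.Hash { return l.Hash }

// NewLocalDecrypter generates a throwaway RSA key of the given size (2048/3072/4096).
func NewLocalDecrypter(bits int, h crypto.Hash) (*LocalDecrypter, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &LocalDecrypter{PrivateKey: key, Hash: h}, nil
}

// EncryptForDecrypter wraps plaintext for d's public key with RSA-OAEP under the
// hash KMS will expect at decrypt time (d.HashFunc()). Only RSA keys qualify.
func EncryptForDecrypter(d KMSDecrypter, plaintext []byte) ([]byte, error) {
	pub, ok := d.Public().(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("decrypter does not expose an RSA public key")
	}
	return rsa.EncryptOAEP(d.HashFunc().New(), rand.Reader, pub, plaintext, nil)
}

// DecryptWith unwraps ct through d with OAEP options for hash h; a hash that differs
// from the one used at encryption time makes decryption fail outright.
func DecryptWith(d KMSDecrypter, ct []byte, h crypto.Hash) ([]byte, error) {
	return d.Decrypt(rand.Reader, ct, &rsa.OAEPOptions{Hash: h}) // rand is ignored by KMS
}
```

With the real package, the same EncryptForDecrypter and DecryptWith calls work unchanged against a *Decrypter, and the mismatched-hash case is rejected by KMS instead of locally.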
type Signer
type Signer struct {
// contains filtered or unexported fields
}
Signer implements the crypto.Signer interface, backed by an AWS KMS asymmetric key. Only keys with SIGN_VERIFY usage are supported.
func NewSigner
NewSigner returns a new Signer backed by an AWS KMS key that supports signing. keyID must be either a key ARN or a key alias ARN.
- Key Usage MUST be set to SIGN_VERIFY.
The following key specs (algorithms) are supported.
- RSA_2048
- RSA_3072
- RSA_4096
- ECC_NIST_P256
- ECC_NIST_P384
- ECC_NIST_P521
The following IAM actions must be allowed on the key for the caller.
- kms:Sign
- kms:DescribeKey
- kms:GetPublicKey
See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html for more info.
func (*Signer) HashFunc
HashFunc returns the default hash algorithm used for computing the digest. If multiple signing algorithms are supported, this returns a sane default, typically crypto.SHA256.