transit

package
v0.8.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 5, 2025 License: MIT Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (

	// Maps JWT Alg to Vault Transit properties
	SupportedKeyTypeMap = map[string]*JWTKeyTransit{
		"RS256": {
			APISignatureAlgorithm: "pkcs1v15",
			APIHashAlgorithm:      "sha2-256",
			SupportedKeyType: []string{
				"rsa-2048",
				"rsa-3072",
				"rsa-4096",
			},
		},
		"RS384": {
			APISignatureAlgorithm: "pkcs1v15",
			APIHashAlgorithm:      "sha2-384",
			SupportedKeyType: []string{
				"rsa-2048",
				"rsa-3072",
				"rsa-4096",
			},
		},
		"RS512": {
			APISignatureAlgorithm: "pkcs1v15",
			APIHashAlgorithm:      "sha2-512",
			SupportedKeyType: []string{
				"rsa-2048",
				"rsa-3072",
				"rsa-4096",
			},
		},
		"ES256": {
			APISignatureAlgorithm: "pss",
			APIHashAlgorithm:      "sha2-256",
			SupportedKeyType:      []string{"ecdsa-p256"},
		},
		"ES384": {
			APISignatureAlgorithm: "pss",
			APIHashAlgorithm:      "sha2-384",
			SupportedKeyType:      []string{"ecdsa-p384"},
		},
		"ES512": {
			APISignatureAlgorithm: "pss",
			APIHashAlgorithm:      "sha2-512",
			SupportedKeyType:      []string{"ecdsa-p521"},
		},
	}
)

Functions

This section is empty.

Types

type JWTKeyTransit 

type JWTKeyTransit struct {
	// vault transit 'signature_algorithm'
	APISignatureAlgorithm string
	// vault transit 'hash_algorithm'
	APIHashAlgorithm string

	// Vault supported key type
	SupportedKeyType []string
}

JWTKeyTransit metadata for Vault transit key properties

type TransitPublicKey 

type TransitPublicKey struct {
	// pub key for JWKS
	PublicKey crypto.PublicKey
	// Version
	Version int

	// Name
	Name string
}

func NewTransitPublicKey 

func NewTransitPublicKey(pub crypto.PublicKey, v int, name string) *TransitPublicKey

func (*TransitPublicKey) KeyID 

func (k *TransitPublicKey) KeyID() string

type TransitSigningMethodES256 

type TransitSigningMethodES256 struct{}

implement jwt SigningMethod interface: Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error Alg() string // returns the alg identifier for this method (example: 'HS256')

func NewTransitSigningMethodES256 

func NewTransitSigningMethodES256() *TransitSigningMethodES256

NewTransitSigningMethodES256 creates a new TransitSigningMethodRS256

func (*TransitSigningMethodES256) Alg 

func (m *TransitSigningMethodES256) Alg() string

func (*TransitSigningMethodES256) Sign 

func (m *TransitSigningMethodES256) Sign(signingString string, key interface{}) (string, error)

func (*TransitSigningMethodES256) Verify 

func (m *TransitSigningMethodES256) Verify(signingString, signature string, key interface{}) error

type TransitSigningMethodES384 

type TransitSigningMethodES384 struct{}

implement jwt SigningMethod interface: Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error Alg() string // returns the alg identifier for this method (example: 'HS256')

func NewTransitSigningMethodES384 

func NewTransitSigningMethodES384() *TransitSigningMethodES384

NewTransitSigningMethodES384 creates a new TransitSigningMethodRS256

func (*TransitSigningMethodES384) Alg 

func (m *TransitSigningMethodES384) Alg() string

func (*TransitSigningMethodES384) Sign 

func (m *TransitSigningMethodES384) Sign(signingString string, key interface{}) (string, error)

func (*TransitSigningMethodES384) Verify 

func (m *TransitSigningMethodES384) Verify(signingString, signature string, key interface{}) error

type TransitSigningMethodES512 

type TransitSigningMethodES512 struct{}

implement jwt SigningMethod interface: Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error Alg() string // returns the alg identifier for this method (example: 'HS256')

func NewTransitSigningMethodES512 

func NewTransitSigningMethodES512() *TransitSigningMethodES512

NewTransitSigningMethodES512 creates a new TransitSigningMethodRS256

func (*TransitSigningMethodES512) Alg 

func (m *TransitSigningMethodES512) Alg() string

func (*TransitSigningMethodES512) Sign 

func (m *TransitSigningMethodES512) Sign(signingString string, key interface{}) (string, error)

func (*TransitSigningMethodES512) Verify 

func (m *TransitSigningMethodES512) Verify(signingString, signature string, key interface{}) error

type TransitSigningMethodRS256 

type TransitSigningMethodRS256 struct{}

implement jwt SigningMethod interface: Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error Alg() string // returns the alg identifier for this method (example: 'HS256')

func NewTransitSigningMethodRS256 

func NewTransitSigningMethodRS256() *TransitSigningMethodRS256

NewTransitSigningMethodRS256 creates a new TransitSigningMethodRS256

func (*TransitSigningMethodRS256) Alg 

func (m *TransitSigningMethodRS256) Alg() string

func (*TransitSigningMethodRS256) Sign 

func (m *TransitSigningMethodRS256) Sign(signingString string, key interface{}) (string, error)

func (*TransitSigningMethodRS256) Verify 

func (m *TransitSigningMethodRS256) Verify(signingString, signature string, key interface{}) error

type TransitSigningMethodRS384 

type TransitSigningMethodRS384 struct{}

implement jwt SigningMethod interface: Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error Alg() string // returns the alg identifier for this method (example: 'HS384')

func NewTransitSigningMethodRS384 

func NewTransitSigningMethodRS384() *TransitSigningMethodRS384

NewTransitSigningMethodRS384 creates a new TransitSigningMethodRS384

func (*TransitSigningMethodRS384) Alg 

func (m *TransitSigningMethodRS384) Alg() string

func (*TransitSigningMethodRS384) Sign 

func (m *TransitSigningMethodRS384) Sign(signingString string, key interface{}) (string, error)

func (*TransitSigningMethodRS384) Verify 

func (m *TransitSigningMethodRS384) Verify(signingString, signature string, key interface{}) error

type TransitSigningMethodRS512 

type TransitSigningMethodRS512 struct{}

implement jwt SigningMethod interface: Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error Alg() string // returns the alg identifier for this method (example: 'HS512')

func NewTransitSigningMethodRS512 

func NewTransitSigningMethodRS512() *TransitSigningMethodRS512

NewTransitSigningMethodRS512 creates a new TransitSigningMethodRS512

func (*TransitSigningMethodRS512) Alg 

func (m *TransitSigningMethodRS512) Alg() string

func (*TransitSigningMethodRS512) Sign 

func (m *TransitSigningMethodRS512) Sign(signingString string, key interface{}) (string, error)

func (*TransitSigningMethodRS512) Verify 

func (m *TransitSigningMethodRS512) Verify(signingString, signature string, key interface{}) error

type VaultTransitKey 

type VaultTransitKey struct {
	// transit backend mount
	MountPath string
	// transit Key Name
	Name string

	// 'key' type
	Type string

	// Version
	Version int

	// Set sig version
	SigVersion int

	// List of public keys
	PublicKeys []*TransitPublicKey
	// contains filtered or unexported fields
}

func NewVaultTransitKey 

func NewVaultTransitKey(ctx context.Context, l *zap.Logger, client *vault.Client, mount string, name string) (*VaultTransitKey, error)

func (*VaultTransitKey) GetPublicKeyFromTransitResponse 

func (k *VaultTransitKey) GetPublicKeyFromTransitResponse(keyInfo *vault.Secret, version int) (crypto.PublicKey, error)

GetPublicKeyFromTransitResponse return parsed public key from the keyInfo transit read API response

func (*VaultTransitKey) JWTSign 

func (k *VaultTransitKey) JWTSign(signingString, alg string) (string, error)

JWTSign signs JWT signingString with the alg

func (*VaultTransitKey) JWTVerify 

func (k *VaultTransitKey) JWTVerify(signingString, signature, alg string) error

JWTVerify verifies the 'signature' matches the 'signingString' for the 'alg'

func (*VaultTransitKey) LatestKeyID 

func (k *VaultTransitKey) LatestKeyID() string

LatestKeyID return latest kid for adding in jwt header

func (*VaultTransitKey) SetSigKeyVersion 

func (k *VaultTransitKey) SetSigKeyVersion(v int)

func (*VaultTransitKey) SetSignVersionFromKeyID 

func (k *VaultTransitKey) SetSignVersionFromKeyID(kid string) error

func (*VaultTransitKey) Sign 

func (k *VaultTransitKey) Sign(inputBytes []byte, apiSigAlg string, apiHashAlg string, marshallingAlg string, prehashed bool) (string, error)

Sign byte payload, and returns "signature" output of transit sign api

func (*VaultTransitKey) SyncKeyInfo 

func (k *VaultTransitKey) SyncKeyInfo() error

SyncKeyInfo read transit key info

func (*VaultTransitKey) Validate 

func (k *VaultTransitKey) Validate(alg string) (*JWTKeyTransit, error)

Validate this transit key supports the jwt alg

func (*VaultTransitKey) Verify 

func (k *VaultTransitKey) Verify(inputBytes []byte, signature string, apiSigAlg string, apiHashAlg string, marshallingAlg string, prehashed bool) (bool, error)

verify byte payload, and signature (without the "vault:v1") 

returns true if signature is valid for byte payload

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.