Documentation ¶
Overview ¶
Package keys defines common interfaces for Teleport client keys.
Index ¶
- Constants
- func IsPrivateKeyPolicyError(err error) bool
- func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
- func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error
- func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)
- type AttestationData
- type AttestationStatement
- type HardwareSigner
- type PrivateKey
- func GetOrGenerateYubiKeyPrivateKey(touchRequired bool) (*PrivateKey, error)
- func LoadKeyPair(privFile, sshPubFile string) (*PrivateKey, error)
- func LoadPrivateKey(keyFile string) (*PrivateKey, error)
- func NewPrivateKey(signer crypto.Signer, keyPEM []byte) (*PrivateKey, error)
- func ParseKeyPair(privPEM, marshalledSSHPub []byte) (*PrivateKey, error)
- func ParsePrivateKey(keyPEM []byte) (*PrivateKey, error)
- func (k *PrivateKey) AsAgentKey(sshCert *ssh.Certificate) (agent.AddedKey, error)
- func (k *PrivateKey) MarshalSSHPublicKey() []byte
- func (k *PrivateKey) PPKFile() ([]byte, error)
- func (k *PrivateKey) PrivateKeyPEM() []byte
- func (k *PrivateKey) RSAPrivateKeyPEM() ([]byte, error)
- func (k *PrivateKey) SSHPublicKey() ssh.PublicKey
- func (k *PrivateKey) TLSCertificate(certPEMBlock []byte) (tls.Certificate, error)
- type PrivateKeyPolicy
Constants ¶
const (
	PKCS1PrivateKeyType = "RSA PRIVATE KEY"
	PKCS8PrivateKeyType = "PRIVATE KEY"
	ECPrivateKeyType    = "EC PRIVATE KEY"
)
Variables ¶
This section is empty.
Functions ¶
func IsPrivateKeyPolicyError ¶
func IsPrivateKeyPolicyError(err error) bool
IsPrivateKeyPolicyError returns true if the given error is a private key policy error.
func LoadX509KeyPair ¶
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
LoadX509KeyPair parses a tls.Certificate from a private key file and a certificate file. Use it instead of tls.LoadX509KeyPair so that non-raw private keys, such as PIV keys, are supported.
func NewPrivateKeyPolicyError ¶
func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error
func X509KeyPair ¶
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)
X509KeyPair parses a tls.Certificate from a private key PEM and a certificate PEM. Use it instead of tls.X509KeyPair so that non-raw private keys, such as PIV keys, are supported.
Types ¶
type AttestationData ¶
type AttestationData struct {
	// PublicKeyDER is the public key in PKIX, ASN.1 DER form.
	PublicKeyDER []byte `json:"public_key"`
	// PrivateKeyPolicy specifies the private key policy supported by the associated private key.
	PrivateKeyPolicy PrivateKeyPolicy `json:"private_key_policy"`
}
AttestationData is verified attestation data for a public key.
type AttestationStatement ¶
type AttestationStatement attestation.AttestationStatement
AttestationStatement is an attestation statement for a hardware private key that supports JSON marshaling through the standard encoding/json package.
func AttestationStatementFromProto ¶
func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement
AttestationStatementFromProto converts an AttestationStatement from its protobuf form.
func GetAttestationStatement ¶
func GetAttestationStatement(priv *PrivateKey) (*AttestationStatement, error)
GetAttestationStatement returns an AttestationStatement for the given private key. If the given private key does not have a HardwareSigner, both the returned statement and the returned error are nil.
func (*AttestationStatement) MarshalJSON ¶
func (ar *AttestationStatement) MarshalJSON() ([]byte, error)
MarshalJSON implements custom protobuf json marshaling.
func (*AttestationStatement) ToProto ¶
func (ar *AttestationStatement) ToProto() *attestation.AttestationStatement
ToProto converts this AttestationStatement to its protobuf form.
func (*AttestationStatement) UnmarshalJSON ¶
func (ar *AttestationStatement) UnmarshalJSON(buf []byte) error
UnmarshalJSON implements custom protobuf json unmarshaling.
type HardwareSigner ¶
type HardwareSigner interface {
	crypto.Signer
	// GetAttestationStatement returns an AttestationStatement for this private key.
	GetAttestationStatement() (*AttestationStatement, error)
	// GetPrivateKeyPolicy returns the PrivateKeyPolicy supported by this private key.
	GetPrivateKeyPolicy() PrivateKeyPolicy
}
HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key. This makes it possible to enforce hardware key private key policies.
type PrivateKey ¶
PrivateKey implements crypto.Signer with additional helper methods. The underlying private key may be a standard crypto.Signer implemented in the standard library (i.e. *rsa.PrivateKey, *ecdsa.PrivateKey, or ed25519.PrivateKey), or it may be a custom implementation for a non-standard private key, such as a hardware key.
func GetOrGenerateYubiKeyPrivateKey ¶
func GetOrGenerateYubiKeyPrivateKey(touchRequired bool) (*PrivateKey, error)
func LoadKeyPair ¶
func LoadKeyPair(privFile, sshPubFile string) (*PrivateKey, error)
LoadKeyPair returns the PrivateKey for the given private and public key files.
func LoadPrivateKey ¶
func LoadPrivateKey(keyFile string) (*PrivateKey, error)
LoadPrivateKey returns the PrivateKey for the given key file.
func NewPrivateKey ¶
func NewPrivateKey(signer crypto.Signer, keyPEM []byte) (*PrivateKey, error)
NewPrivateKey returns a new PrivateKey for the given crypto.Signer.
func ParseKeyPair ¶
func ParseKeyPair(privPEM, marshalledSSHPub []byte) (*PrivateKey, error)
ParseKeyPair returns the PrivateKey for the given private and public key PEM blocks.
func ParsePrivateKey ¶
func ParsePrivateKey(keyPEM []byte) (*PrivateKey, error)
ParsePrivateKey returns the PrivateKey for the given key PEM block.
func (*PrivateKey) AsAgentKey ¶
func (k *PrivateKey) AsAgentKey(sshCert *ssh.Certificate) (agent.AddedKey, error)
AsAgentKey converts PrivateKey to an agent.AddedKey. If the given PrivateKey is not supported as an agent key, a trace.NotImplemented error is returned.
func (*PrivateKey) MarshalSSHPublicKey ¶
func (k *PrivateKey) MarshalSSHPublicKey() []byte
MarshalSSHPublicKey returns the public key marshaled in SSH authorized_keys format.
func (*PrivateKey) PPKFile ¶
func (k *PrivateKey) PPKFile() ([]byte, error)
PPKFile returns a PuTTY PPK-formatted keypair.
func (*PrivateKey) PrivateKeyPEM ¶
func (k *PrivateKey) PrivateKeyPEM() []byte
PrivateKeyPEM returns PEM encoded private key data. This may be data necessary to retrieve the key, such as a YubiKey serial number and slot, or it can be a PKCS marshaled private key.
The resulting PEM encoded data should only be decoded with ParsePrivateKey to prevent errors from parsing non PKCS marshaled keys, such as a PIV key.
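To make the block-type dispatch concrete, here is an added example built on the Go standard library only; it is not the keys package's own code, which this page does not show. It parses the three PKCS/SEC 1 block types named in the Constants section and refuses anything else by block type, which is exactly the failure mode the PrivateKeyPEM note warns about: a stored hardware key reference is not a PKCS-marshaled key and must not reach the x509 parsers. The helper names, the invented EXAMPLE HARDWARE KEY HANDLE block type and the sample keys are all constructed here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// PEM block types the parser accepts; they mirror the constants on the page.
const (
	pkcs1PrivateKeyType = "RSA PRIVATE KEY"
	pkcs8PrivateKeyType = "PRIVATE KEY"
	ecPrivateKeyType    = "EC PRIVATE KEY"
)

var errUnsupportedPEM = errors.New("unsupported private key PEM block type")

// parsePrivateKeyPEM decodes the first PEM block and dispatches on its type.
// A block that is not PKCS#1, PKCS#8 or SEC 1 (for example a stored hardware
// key reference under its own block type) is refused by name; handing it to
// the wrong x509 parser would instead fail with an unhelpful ASN.1 error.
func parsePrivateKeyPEM(keyPEM []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case pkcs1PrivateKeyType:
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return key, nil
	case ecPrivateKeyType:
		key, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return key, nil
	case pkcs8PrivateKeyType:
		// PKCS#8 wraps RSA, ECDSA or Ed25519; each of those is a crypto.Signer.
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		signer, ok := key.(crypto.Signer)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key of type %T is not a crypto.Signer", key)
		}
		return signer, nil
	default:
		return nil, fmt.Errorf("%w: %q", errUnsupportedPEM, block.Type)
	}
}

// must panics on error; acceptable here because it only guards sample key generation.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// encodeSampleKeys generates one fresh key per supported block type and returns
// each PEM-encoded, keyed by block type. Sample data constructed for this example.
func encodeSampleKeys() map[string][]byte {
	rsaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return map[string][]byte{
		pkcs1PrivateKeyType: pem.EncodeToMemory(&pem.Block{Type: pkcs1PrivateKeyType, Bytes: x509.MarshalPKCS1PrivateKey(rsaKey)}),
		ecPrivateKeyType:    pem.EncodeToMemory(&pem.Block{Type: ecPrivateKeyType, Bytes: must(x509.MarshalECPrivateKey(ecKey))}),
		pkcs8PrivateKeyType: pem.EncodeToMemory(&pem.Block{Type: pkcs8PrivateKeyType, Bytes: must(x509.MarshalPKCS8PrivateKey(edKey))}),
	}
}

// hardwareHandlePEM is a constructed stand-in for a non-PKCS block such as a
// stored hardware key reference; the block type and body are invented here.
var hardwareHandlePEM = pem.EncodeToMemory(&pem.Block{
	Type:  "EXAMPLE HARDWARE KEY HANDLE",
	Bytes: []byte("serial=00000000 slot=9a"),
})

func main() {
	for typ, keyPEM := range encodeSampleKeys() {
		signer, err := parsePrivateKeyPEM(keyPEM)
		fmt.Printf("%-18q -> %T (err=%v)\n", typ, signer, err)
	}
	_, err := parsePrivateKeyPEM(hardwareHandlePEM)
	fmt.Println("hardware handle ->", err)
}
```

The point of the explicit default branch is that the caller learns which block type was refused; a real client would route such blocks to its hardware key loader rather than to x509, which is what the page's advice to decode PrivateKeyPEM output only through ParsePrivateKey amounts to.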
func (*PrivateKey) RSAPrivateKeyPEM ¶
func (k *PrivateKey) RSAPrivateKeyPEM() ([]byte, error)
RSAPrivateKeyPEM returns a PEM encoded RSA private key for the given key. If the given key is not an RSA key, then an error will be returned.
This is used by some integrations which currently only support raw RSA private keys, like Kubernetes, MongoDB, and PPK files for Windows.
func (*PrivateKey) SSHPublicKey ¶
func (k *PrivateKey) SSHPublicKey() ssh.PublicKey
SSHPublicKey returns the ssh.PublicKey representation of the public key.
func (*PrivateKey) TLSCertificate ¶
func (k *PrivateKey) TLSCertificate(certPEMBlock []byte) (tls.Certificate, error)
TLSCertificate parses the given TLS certificate(s) paired with the private key to return a tls.Certificate, ready to be used in a TLS handshake.
type PrivateKeyPolicy ¶
type PrivateKeyPolicy string
PrivateKeyPolicy is a requirement for client private key storage.
const (
	// PrivateKeyPolicyNone means that the client can store their private keys
	// anywhere (usually on disk).
	PrivateKeyPolicyNone PrivateKeyPolicy = "none"
	// PrivateKeyPolicyHardwareKey means that the client must use a valid
	// hardware key to generate and store their private keys securely.
	PrivateKeyPolicyHardwareKey PrivateKeyPolicy = "hardware_key"
	// PrivateKeyPolicyHardwareKeyTouch means that the client must use a valid
	// hardware key to generate and store their private keys securely, and
	// this key must require touch to be accessed and used.
	PrivateKeyPolicyHardwareKeyTouch PrivateKeyPolicy = "hardware_key_touch"
)
func GetPrivateKeyPolicy ¶
func GetPrivateKeyPolicy(priv *PrivateKey) PrivateKeyPolicy
GetPrivateKeyPolicy returns the PrivateKeyPolicy that applies to the given private key.
func ParsePrivateKeyPolicyError ¶
func ParsePrivateKeyPolicyError(err error) (PrivateKeyPolicy, error)
ParsePrivateKeyPolicyError checks if the given error is a private key policy error and returns the contained unmet PrivateKeyPolicy.
func (PrivateKeyPolicy) VerifyPolicy ¶
func (p PrivateKeyPolicy) VerifyPolicy(policy PrivateKeyPolicy) error
VerifyPolicy verifies that the given policy meets the requirements of this policy. If not, it will return a private key policy error, which can be parsed to retrieve the unmet policy.
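As an added illustration of how VerifyPolicy, NewPrivateKeyPolicyError, IsPrivateKeyPolicyError and ParsePrivateKeyPolicyError fit together, here is a standard-library-only model of policy verification. It is not the keys package's code: the ordering none < hardware_key < hardware_key_touch is this example's reading of the constant descriptions above (a touch-required key is still a hardware key, so it satisfies the weaker requirement, not the reverse), and the policyError type and the lower-case helper names are chosen here. The part worth noting is the error wrapping, which lets a caller recover the unmet policy with errors.As even after the error has passed through several layers.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy names mirror the constants documented on the page.
type PrivateKeyPolicy string

const (
	PrivateKeyPolicyNone             PrivateKeyPolicy = "none"
	PrivateKeyPolicyHardwareKey      PrivateKeyPolicy = "hardware_key"
	PrivateKeyPolicyHardwareKeyTouch PrivateKeyPolicy = "hardware_key_touch"
)

// rank orders policies from weakest to strongest. This ordering is the
// example's assumption, derived from the constant descriptions above.
func (p PrivateKeyPolicy) rank() (int, bool) {
	switch p {
	case PrivateKeyPolicyNone:
		return 0, true
	case PrivateKeyPolicyHardwareKey:
		return 1, true
	case PrivateKeyPolicyHardwareKeyTouch:
		return 2, true
	}
	return 0, false
}

// policyError carries the unmet requirement so callers can recover it and,
// for example, re-login with a hardware key instead of failing opaquely.
type policyError struct{ required PrivateKeyPolicy }

func (e *policyError) Error() string {
	return fmt.Sprintf("private key policy not met: key must satisfy %q", e.required)
}

func newPrivateKeyPolicyError(p PrivateKeyPolicy) error { return &policyError{required: p} }

func isPrivateKeyPolicyError(err error) bool {
	var pe *policyError
	return errors.As(err, &pe)
}

func parsePrivateKeyPolicyError(err error) (PrivateKeyPolicy, error) {
	var pe *policyError
	if !errors.As(err, &pe) {
		return "", errors.New("not a private key policy error")
	}
	return pe.required, nil
}

// VerifyPolicy checks that keyPolicy (what the client's key actually provides)
// meets the requirement p. Unknown policy strings never satisfy anything, and
// an unknown requirement is a configuration error rather than a policy error.
func (p PrivateKeyPolicy) VerifyPolicy(keyPolicy PrivateKeyPolicy) error {
	need, ok := p.rank()
	if !ok {
		return fmt.Errorf("unknown required policy %q", p)
	}
	have, ok := keyPolicy.rank()
	if !ok || have < need {
		return newPrivateKeyPolicyError(p)
	}
	return nil
}

func main() {
	cases := []struct{ required, key PrivateKeyPolicy }{
		{PrivateKeyPolicyNone, PrivateKeyPolicyNone},
		{PrivateKeyPolicyHardwareKey, PrivateKeyPolicyHardwareKeyTouch},
		{PrivateKeyPolicyHardwareKeyTouch, PrivateKeyPolicyHardwareKey},
	}
	for _, c := range cases {
		err := c.required.VerifyPolicy(c.key)
		if err == nil {
			fmt.Printf("required=%s key=%s -> ok\n", c.required, c.key)
			continue
		}
		// Wrapping does not hide the policy: callers can still pull it back out.
		unmet, _ := parsePrivateKeyPolicyError(fmt.Errorf("login: %w", err))
		fmt.Printf("required=%s key=%s -> unmet policy %s\n", c.required, c.key, unmet)
	}
}
```

Treating an unrecognised key policy as "satisfies nothing" is the conservative choice: a client that reports a policy string the server does not know should be pushed to re-enroll, not waved through.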