- Constants
- type BCRYPT_PKCS1_PADDING_INFO
- type CAPIKMS
- func (k *CAPIKMS) Close() error
- func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
- func (k *CAPIKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
- func (k *CAPIKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
- func (k *CAPIKMS) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
- func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error
- type CAPISigner
- type CERT_ID_KEYIDORHASH
- type CERT_ID_SERIAL
- type CERT_ISSUER_SERIAL_NUMBER
- type CRYPTOAPI_BLOB
Constants ¶
const (
	// Query keys recognised in a "capi:" URI; the URI grammar is described
	// on the CAPIKMS type.
	ProviderNameArg  = "provider"
	ContainerNameArg = "key"
	// Hex-encoded SHA-1 certificate thumbprint. This is the lookup key the
	// Windows certificate store indexes by; it is an identifier, not an
	// integrity check on the certificate.
	HashArg          = "sha1"
	StoreLocationArg = "store-location" // 'machine', 'user', etc
	StoreNameArg     = "store"          // 'MY', 'CA', 'ROOT', etc
	KeyIDArg         = "key-id"         // X509v3 Subject Key Identifier, hex
	SerialNumberArg  = "serial"         // certificate serial number, hex
	IssuerNameArg    = "issuer"         // issuer Common Name
)
const (
	// NCrypt key-storage property names (NCryptGetProperty / NCryptSetProperty).
	NCRYPT_ALGORITHM_GROUP_PROPERTY = "Algorithm Group"
	NCRYPT_LENGTH_PROPERTY          = "Length"
	NCRYPT_KEY_TYPE_PROPERTY        = "Key Type"
	NCRYPT_UNIQUE_NAME_PROPERTY     = "Unique Name"
	NCRYPT_ECC_CURVE_NAME_PROPERTY  = "ECCCurveName"
	NCRYPT_IMPL_TYPE_PROPERTY       = "Impl Type"
	NCRYPT_PROV_HANDLE              = "Provider Handle"
	// Smart card PIN properties. Anything written through these is a
	// secret: keep it out of logs, error messages and URIs that get recorded.
	NCRYPT_PIN_PROPERTY        = "SmartCardPin"
	NCRYPT_SECURE_PIN_PROPERTY = "SmartCardSecurePin"
	NCRYPT_READER_PROPERTY     = "SmartCardReader"
	NCRYPT_ALGORITHM_PROPERTY  = "Algorithm Name"
	// Platform Crypto Provider (TPM) usage-authorization property; treat the
	// value as a secret in the same way as a PIN.
	NCRYPT_PCP_USAGE_AUTH_PROPERTY = "PCP_USAGEAUTH"
	// Key storage flags. NCRYPT_MACHINE_KEY_FLAG creates/opens the key in the
	// machine-wide store instead of the calling user's profile; access is
	// then governed by the key's ACL rather than by the user boundary.
	NCRYPT_MACHINE_KEY_FLAG = 0x00000001
	// HRESULT values (NTE_* from CNG, SCARD_W_* from winscard) that callers
	// may need to recognise.
	NTE_NOT_SUPPORTED         = uint32(0x80090029)
	NTE_INVALID_PARAMETER     = uint32(0x80090027)
	NTE_BAD_FLAGS             = uint32(0x80090009)
	NTE_NO_MORE_ITEMS         = uint32(0x8009002A)
	NTE_BAD_KEYSET            = uint32(0x80090016)
	SCARD_W_CANCELLED_BY_USER = uint32(0x8010006E)
	// BCrypt public-key BLOB type names (only public halves are exported).
	BCRYPT_RSAPUBLIC_BLOB = "RSAPUBLICBLOB"
	BCRYPT_ECCPUBLIC_BLOB = "ECCPUBLICBLOB"
	// winerror.h / wincrypt.h constants.
	CRYPT_E_NOT_FOUND = uint32(0x80092004)
	// Flags for CryptAcquireCertificatePrivateKey selecting whether a CNG
	// (NCrypt) key handle may, should or must be returned.
	CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG  = uint32(0x00010000)
	CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG = uint32(0x00020000)
	CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG   = uint32(0x00040000)
	// CERT_ID.dwIdChoice selectors; see CERT_ID_SERIAL and CERT_ID_KEYIDORHASH.
	CERT_ID_ISSUER_SERIAL_NUMBER = uint32(1)
	CERT_ID_KEY_IDENTIFIER       = uint32(2)
	CERT_ID_SHA1_HASH            = uint32(3)
	// Name-string formatting flags for CertNameToStr / CertStrToName.
	CERT_NAME_STR_COMMA_FLAG = uint32(0x04000000)
	CERT_SIMPLE_NAME_STR     = uint32(1)
	CERT_X500_NAME_STR       = uint32(3)
	// Legacy CAPI key-spec values.
	AT_KEYEXCHANGE = uint32(1)
	AT_SIGNATURE   = uint32(2)
	// CNG algorithm identifiers used for key creation.
	ALG_RSA        = "RSA"
	ALG_ECDSA_P256 = "ECDSA_P256"
	ALG_ECDSA_P384 = "ECDSA_P384"
	ALG_ECDSA_P521 = "ECDSA_P521"
	// Well-known key storage provider names accepted by the "provider" URI
	// argument. Only the smart card and Platform Crypto (TPM) providers keep
	// private keys in dedicated hardware; the software provider stores them
	// on disk.
	ProviderMSKSP = "Microsoft Software Key Storage Provider"
	ProviderMSSC  = "Microsoft Smart Card Key Storage Provider"
	ProviderMSPCP = "Microsoft Platform Crypto Provider"
)
// Scheme is the URI scheme ("capi") that selects this KMS in key and
// certificate URIs.
const Scheme = "capi"
Scheme is the URI scheme ("capi") used to select this KMS in key and certificate URIs.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BCRYPT_PKCS1_PADDING_INFO ¶
// BCRYPT_PKCS1_PADDING_INFO is the Go counterpart of the Win32
// BCRYPT_PKCS1_PADDING_INFO structure (PKCS#1 v1.5 signature padding
// parameters). Its fields are not exported from this package.
type BCRYPT_PKCS1_PADDING_INFO struct {
	// contains filtered or unexported fields
}
type CAPIKMS ¶
// CAPIKMS implements a KMS using Windows CryptoAPI (CAPI) and Next-Gen
// CryptoAPI (CNG). Its fields are not exported from this package.
type CAPIKMS struct {
	// contains filtered or unexported fields
}
CAPIKMS implements a KMS using Windows CryptoAPI (CAPI) and Next-Gen CryptoAPI (CNG).
The URI format used in CAPIKMS is the following:
- capi:provider=STORAGE-PROVIDER;key=KEY-NAME
For certificates:
- capi:store-location=[machine|user];store=My;sha1=<THUMBPRINT>
- capi:store-location=[machine|user];store=My;key-id=<X509v3 Subject Key Identifier>
- capi:store-location=[machine|user];store=My;issuer=<Issuer CN>;serial=<Certificate SN>
The scheme is "capi";
"provider" is the provider name and can be one of: - "Microsoft Software Key Storage Provider" - "Microsoft Smart Card Key Storage Provider" - "Microsoft Platform Crypto Provider" if not set it defaults to "Microsoft Software Key Storage Provider"
"key" key container name. If not set one is generated. "store-location" specifies the certificate store location - "user" or "machine" "store" certificate store name - "My", "Root", and "CA" are some examples "sha1" sha1 thumbprint of the certificate to load in hex format "key-id" X509v3 Subject Key Identifier of the certificate to load in hex format "serial" serial number of the certificate to load in hex format "issuer" Common Name of the certificate issuer
func (*CAPIKMS) CreateKey ¶
func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateKey generates a new persisted key in the configured storage provider via nCryptCreatePersistedKey (the CNG NCryptCreatePersistedKey call).
func (*CAPIKMS) CreateSigner ¶
CreateSigner returns a new crypto.Signer that signs using the key identified by the URI passed in the request.
func (*CAPIKMS) GetPublicKey ¶
GetPublicKey returns the public key for the key identified by the URI (Microsoft calls this key identifier the 'Key Container Name').
func (*CAPIKMS) LoadCertificate ¶
func (k *CAPIKMS) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
LoadCertificate returns an x509.Certificate when passed a URI that identifies a certificate by subject key identifier (key-id), by SHA-1 thumbprint (sha1), or by issuer name plus serial number (issuer and serial).
func (*CAPIKMS) StoreCertificate ¶
func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error
type CAPISigner ¶
func (*CAPISigner) Public ¶
func (s *CAPISigner) Public() crypto.PublicKey
func (*CAPISigner) Sign ¶
func (s *CAPISigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
type CERT_ID_KEYIDORHASH ¶
// CERT_ID_KEYIDORHASH is the CERT_ID layout used when the identifier choice
// is a key identifier or a SHA-1 hash (CERT_ID_KEY_IDENTIFIER /
// CERT_ID_SHA1_HASH):
// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id
type CERT_ID_KEYIDORHASH struct {
	KeyIDOrHash CRYPTOAPI_BLOB
	// contains filtered or unexported fields
}
CERT_ID_KEYIDORHASH and CERT_ID_SERIAL together model the Win32 CERT_ID union (https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id), each covering one arm of the union. TODO: these two types could perhaps be merged into one that uses any (interface{}) instead.
type CERT_ID_SERIAL ¶
// CERT_ID_SERIAL is the CERT_ID layout used when the identifier choice is an
// issuer name plus serial number (CERT_ID_ISSUER_SERIAL_NUMBER).
type CERT_ID_SERIAL struct {
	Serial CERT_ISSUER_SERIAL_NUMBER
	// contains filtered or unexported fields
}
type CERT_ISSUER_SERIAL_NUMBER ¶
// CERT_ISSUER_SERIAL_NUMBER mirrors the Win32 structure of the same name:
// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number
type CERT_ISSUER_SERIAL_NUMBER struct {
	Issuer       CRYPTOAPI_BLOB // encoded issuer name
	SerialNumber CRYPTOAPI_BLOB // certificate serial number
}
CERT_ISSUER_SERIAL_NUMBER mirrors the Win32 structure of the same name: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number
type CRYPTOAPI_BLOB ¶
// CRYPTOAPI_BLOB mirrors the Win32 CRYPTOAPI_BLOB structure, the generic
// length-prefixed byte buffer used throughout wincrypt. Its fields are not
// exported from this package.
type CRYPTOAPI_BLOB struct {
	// contains filtered or unexported fields
}
CRYPTOAPI_BLOB mirrors the Win32 CRYPTOAPI_BLOB structure (the generic length-prefixed byte buffer used throughout wincrypt): https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)