cloudkms

package
v0.45.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 21, 2024 License: Apache-2.0 Imports: 23 Imported by: 4

Documentation

Index

Constants

View Source 
const Scheme = string(apiv1.CloudKMS)

Scheme is the scheme used in uris, the string "cloudkms".

Variables

View Source 
var ErrTooManyRetries = errors.New("too many retries")

ErrTooManyRetries is the type of error when a method attempts too many retries.

Functions

func Parent 

func Parent(name string) (string, string)

Parent splits a string in the format `key/value/key2/value2` in a parent and child, for the previous string it will return `key/value` and `value2`.

Types

type CloudKMS 

type CloudKMS struct {
	// contains filtered or unexported fields
}

CloudKMS implements a KMS using Google's Cloud apiv1.

func New 

func New(ctx context.Context, opts apiv1.Options) (*CloudKMS, error)

New creates a new CloudKMS configured with a new client.

func NewCloudKMS 

func NewCloudKMS(client KeyManagementClient) *CloudKMS

NewCloudKMS creates a CloudKMS with a given client.

func (*CloudKMS) Close 

func (k *CloudKMS) Close() error

Close closes the connection of the Cloud KMS client.

func (*CloudKMS) CreateDecrypter added in v0.31.0 

func (k *CloudKMS) CreateDecrypter(req *apiv1.CreateDecrypterRequest) (crypto.Decrypter, error)

CreateDecrypter implements the apiv1.Decrypter interface and returns a crypto.Decrypter backed by a decryption key in Google Cloud KMS.

func (*CloudKMS) CreateKey 

func (k *CloudKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)

CreateKey creates in Google's Cloud KMS a new asymmetric key for signing.

func (*CloudKMS) CreateSigner 

func (k *CloudKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)

CreateSigner returns a new cloudkms signer configured with the given signing key name.

func (*CloudKMS) GetPublicKey 

func (k *CloudKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)

GetPublicKey gets from Google's Cloud KMS a public key by name. Key names follow the pattern: 

projects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})/cryptoKeyVersions/([a-zA-Z0-9_-]{1,63})

type Decrypter added in v0.31.0 

type Decrypter struct {
	// contains filtered or unexported fields
}

Decrypter implements a crypto.Decrypter using Google Cloud KMS.

func NewDecrypter added in v0.31.0 

func NewDecrypter(client KeyManagementClient, decryptionKey string) (*Decrypter, error)

NewDecrypter creates a new crypto.Decrypter backed by the given Google Cloud KMS decryption key.

func (*Decrypter) Decrypt added in v0.31.0 

func (d *Decrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)

Decrypt decrypts ciphertext using the decryption key backed by Google Cloud KMS and returns the plaintext bytes. An error is returned when decryption fails. Google Cloud KMS only supports RSA keys with 2048, 3072 or 4096 bits and will always use OAEP. It supports SHA1, SHA256 and SHA512. Labels are not supported. Before calling out to GCP, some validation is performed so that known bad parameters are detected client-side and a more meaningful error is returned for those cases.

Also see https://cloud.google.com/kms/docs/algorithms#asymmetric_encryption_algorithms.

func (*Decrypter) Public added in v0.31.0 

func (d *Decrypter) Public() crypto.PublicKey

Public returns the public key of this decrypter

type KeyManagementClient 

type KeyManagementClient interface {
	Close() error
	GetPublicKey(context.Context, *kmspb.GetPublicKeyRequest, ...gax.CallOption) (*kmspb.PublicKey, error)
	AsymmetricSign(context.Context, *kmspb.AsymmetricSignRequest, ...gax.CallOption) (*kmspb.AsymmetricSignResponse, error)
	AsymmetricDecrypt(context.Context, *kmspb.AsymmetricDecryptRequest, ...gax.CallOption) (*kmspb.AsymmetricDecryptResponse, error)
	CreateCryptoKey(context.Context, *kmspb.CreateCryptoKeyRequest, ...gax.CallOption) (*kmspb.CryptoKey, error)
	GetKeyRing(context.Context, *kmspb.GetKeyRingRequest, ...gax.CallOption) (*kmspb.KeyRing, error)
	CreateKeyRing(context.Context, *kmspb.CreateKeyRingRequest, ...gax.CallOption) (*kmspb.KeyRing, error)
	CreateCryptoKeyVersion(ctx context.Context, req *kmspb.CreateCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error)
}

KeyManagementClient defines the methods on KeyManagementClient that this package will use. This interface will be used for unit testing.

type Signer 

type Signer struct {
	// contains filtered or unexported fields
}

Signer implements a crypto.Signer using Google's Cloud KMS.

func NewSigner 

func NewSigner(c KeyManagementClient, signingKey string) (*Signer, error)

NewSigner creates a new crypto.Signer the given CloudKMS signing key.

func (*Signer) Public 

func (s *Signer) Public() crypto.PublicKey

Public returns the public key of this signer or an error.

func (*Signer) Sign 

func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Sign signs digest with the private key stored in Google's Cloud KMS.

func (*Signer) SignatureAlgorithm 

func (s *Signer) SignatureAlgorithm() x509.SignatureAlgorithm

SignatureAlgorithm returns the algorithm that must be specified in a certificate to sign. This is specially important to distinguish RSA and RSAPSS schemas.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.