Documentation
Index
- Constants
- type Decrypter
- type KMS
- func (k *KMS) Close() error
- func (k *KMS) CreateDecrypter(req *apiv1.CreateDecrypterRequest) (crypto.Decrypter, error)
- func (k *KMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
- func (k *KMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
- func (k *KMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
- type KeyManagementClient
- type Signer
Constants
const Scheme = string(apiv1.AmazonKMS)
Scheme is the scheme used in URIs, the string "awskms".
Variables
This section is empty.
Functions
This section is empty.
Types
type Decrypter (added in v0.58.0)
type Decrypter struct {
// contains filtered or unexported fields
}
Decrypter implements a crypto.Decrypter using AWS KMS.
func NewDecrypter (added in v0.58.0)
func NewDecrypter(client KeyManagementClient, decryptionKey string) (*Decrypter, error)
NewDecrypter creates a new crypto.Decrypter backed by the given AWS KMS decryption key.
func (*Decrypter) Decrypt (added in v0.58.0)
func (d *Decrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)
Decrypt decrypts ciphertext using the AWS KMS-backed decryption key and returns the plaintext bytes; an error is returned when decryption fails. AWS KMS only supports RSA keys of 2048, 3072 or 4096 bits and always uses OAEP padding, with SHA1 or SHA256 as the hash. OAEP labels are not supported. Before calling out to AWS, some validation is performed client-side so that known bad parameters are detected early and a more meaningful error is returned for those cases.
Also see https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html#key-spec-rsa.
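The client-side validation described above, written out as an added example (this is not the package's own code): it maps the RSA key size and the caller's crypto.DecrypterOpts onto the KMS encryption algorithm name that would be requested, and rejects the combinations the page lists as unsupported before any network call. The rejection of nil options is this example's own choice, since Go's convention of treating nil as PKCS#1 v1.5 cannot be honoured by KMS.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"errors"
	"fmt"
)

// Constructed constants holding the AWS KMS EncryptionAlgorithm identifiers
// for the two OAEP variants the page says are supported.
const (
	algOAEPSHA1   = "RSAES_OAEP_SHA_1"
	algOAEPSHA256 = "RSAES_OAEP_SHA_256"
)

// ValidateDecryptOpts (hypothetical helper) returns the KMS algorithm name to
// request, or an error when the key size, padding, hash or label would be
// rejected by AWS KMS anyway. keyBits is the modulus size of the KMS key.
func ValidateDecryptOpts(keyBits int, opts crypto.DecrypterOpts) (string, error) {
	switch keyBits {
	case 2048, 3072, 4096:
	default:
		return "", fmt.Errorf("awskms: unsupported RSA key size %d bits", keyBits)
	}
	var oaep *rsa.OAEPOptions
	switch o := opts.(type) {
	case *rsa.OAEPOptions:
		oaep = o
	case *rsa.PKCS1v15DecryptOptions:
		return "", errors.New("awskms: PKCS#1 v1.5 padding is not supported; use OAEP")
	case nil:
		return "", errors.New("awskms: decrypter options are required (OAEP only)")
	default:
		return "", fmt.Errorf("awskms: unsupported decrypter options %T", opts)
	}
	if len(oaep.Label) > 0 {
		return "", errors.New("awskms: OAEP labels are not supported")
	}
	switch oaep.Hash {
	case crypto.SHA1:
		return algOAEPSHA1, nil
	case crypto.SHA256:
		return algOAEPSHA256, nil
	default:
		return "", fmt.Errorf("awskms: unsupported OAEP hash %v; use SHA1 or SHA256", oaep.Hash)
	}
}

func main() {
	fmt.Println(ValidateDecryptOpts(2048, &rsa.OAEPOptions{Hash: crypto.SHA256}))
	fmt.Println(ValidateDecryptOpts(2048, &rsa.OAEPOptions{Hash: crypto.SHA512}))
}
```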
type KMS
type KMS struct {
// contains filtered or unexported fields
}
KMS implements a KMS using AWS Key Management Service.
func New
New creates a new AWSKMS. By default, clients are created using the credentials in `~/.aws/credentials`, but this can be overridden with the CredentialsFile option; the Region and Profile can also be configured as options.
AWS clients can also be configured with environment variables; see the docs at https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/ for all the options.
func (*KMS) CreateDecrypter (added in v0.58.0)
CreateDecrypter implements the apiv1.Decrypter interface and returns a crypto.Decrypter backed by a decryption key in AWS KMS.
func (*KMS) CreateKey
func (k *KMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateKey generates a new key in KMS and returns the public key version of it.
func (*KMS) CreateSigner
CreateSigner creates a new crypto.Signer with a previously configured key.
func (*KMS) GetPublicKey
GetPublicKey returns a public key from KMS.
type KeyManagementClient
type KeyManagementClient interface {
	GetPublicKey(ctx context.Context, input *kms.GetPublicKeyInput, opts ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
	CreateKey(ctx context.Context, input *kms.CreateKeyInput, opts ...func(*kms.Options)) (*kms.CreateKeyOutput, error)
	CreateAlias(ctx context.Context, input *kms.CreateAliasInput, opts ...func(*kms.Options)) (*kms.CreateAliasOutput, error)
	Sign(ctx context.Context, input *kms.SignInput, opts ...func(*kms.Options)) (*kms.SignOutput, error)
	Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error)
}
KeyManagementClient defines the methods of the AWS KMS client that this package uses. The interface exists so that the package can be unit tested against a mock client.
type Signer
type Signer struct {
// contains filtered or unexported fields
}
Signer implements a crypto.Signer using the AWS KMS.
func NewSigner
func NewSigner(client KeyManagementClient, signingKey string) (*Signer, error)
NewSigner creates a new signer using a key in the AWS KMS.