cryptoutil

package
v3.22.1
Warning

This package is not in the latest version of its module.

Published: Oct 19, 2022 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var EmptyKeyVault crypto.KeyVault = emptyKeyVault{}

EmptyKeyVault is an empty key vault.

Functions

func NewCacheKeyVault added in v3.9.0

func NewCacheKeyVault(main crypto.KeyVault, ttl time.Duration, size int) crypto.KeyVault

func UnwrapAES128Key

func UnwrapAES128Key(ctx context.Context, wrapped *ttnpb.KeyEnvelope, v crypto.KeyVault) (key types.AES128Key, err error)

UnwrapAES128Key performs the RFC 3394 Unwrap algorithm on the given key envelope using the given key vault. If the KEK label is empty, the key is assumed to be stored in the clear.

func UnwrapKeyEnvelope added in v3.10.0

func UnwrapKeyEnvelope(ctx context.Context, ke *ttnpb.KeyEnvelope, v crypto.KeyVault) (*ttnpb.KeyEnvelope, error)

UnwrapKeyEnvelope calls UnwrapAES128Key on the given key envelope using the given key vault if necessary and returns the result as a key envelope. NOTE: UnwrapKeyEnvelope returns ke if unwrapping is not necessary.

func UnwrapSelectedSessionKeys

func UnwrapSelectedSessionKeys(ctx context.Context, keyVault crypto.KeyVault, sk *ttnpb.SessionKeys, prefix string, paths ...string) (*ttnpb.SessionKeys, error)

func WrapAES128Key

func WrapAES128Key(ctx context.Context, key types.AES128Key, kekLabel string, v crypto.KeyVault) (*ttnpb.KeyEnvelope, error)

WrapAES128Key performs the RFC 3394 Wrap algorithm on the given key using the given key vault and KEK label. If the KEK label is empty, the key will be returned in the clear.

func WrapAES128KeyWithKEK added in v3.10.0

func WrapAES128KeyWithKEK(ctx context.Context, key types.AES128Key, kekLabel string, kek types.AES128Key) (*ttnpb.KeyEnvelope, error)

WrapAES128KeyWithKEK is like WrapAES128Key, but takes a KEK instead of key vault.
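The RFC 3394 wrap and unwrap steps that WrapAES128Key and UnwrapAES128Key are documented as performing, narrowed to a 128-bit key under a 128-bit KEK. This is an added example built on the Go standard library, not the package's own code; the function names `wrap` and `unwrap` and the all-zero inputs in `main` are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
)

var iv = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // RFC 3394 section 2.2.3.1

// wrap applies RFC 3394 key wrap to a 128-bit key (n = 2 blocks, 6*n = 12 steps).
func wrap(kek, key [16]byte) []byte {
	c, _ := aes.NewCipher(kek[:]) // cannot fail: a 16-byte AES key is always valid
	b := make([]byte, 16)         // b = A || R[i], with A kept in b[:8]
	copy(b, iv)
	for t := 1; t <= 12; t++ {
		ri := key[8*((t-1)%2):][:8] // R[i], i = ((t-1) mod n) + 1
		copy(b[8:], ri)
		c.Encrypt(b, b)
		b[7] ^= byte(t) // A = MSB64(B) xor t; t <= 12 only touches the last byte
		copy(ri, b[8:])
	}
	return append(b[:8], key[:]...) // C = A || R[1] || R[2], 24 bytes
}

// unwrap reverses wrap and fails closed if the recovered IV does not match.
func unwrap(kek [16]byte, wrapped []byte) (key [16]byte, err error) {
	if len(wrapped) != 24 {
		return key, errors.New("wrapped AES-128 key must be 24 bytes")
	}
	c, _ := aes.NewCipher(kek[:])
	b := make([]byte, 16)
	copy(b, wrapped[:8])
	copy(key[:], wrapped[8:])
	for t := 12; t >= 1; t-- {
		ri := key[8*((t-1)%2):][:8]
		b[7] ^= byte(t) // undo the step counter before decrypting
		copy(b[8:], ri)
		c.Decrypt(b, b)
		copy(ri, b[8:])
	}
	if subtle.ConstantTimeCompare(b[:8], iv) != 1 {
		return [16]byte{}, errors.New("integrity check failed: wrong KEK or modified envelope")
	}
	return key, nil
}

func main() { fmt.Printf("%x\n", wrap([16]byte{}, [16]byte{})) } // constructed all-zero KEK and key
```

The IV comparison in `unwrap` is the only integrity protection RFC 3394 provides, so a caller must treat its error as "no key" rather than fall back to the raw bytes.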

Types

type ComponentPrefixKEKLabeler

type ComponentPrefixKEKLabeler struct {
	// Separator is the string to join parts.
	Separator string
	// ReplaceOldNew is a set of old and new string pairs to replace in parts.
	ReplaceOldNew []string
}

ComponentPrefixKEKLabeler is a ComponentKEKLabeler that joins the component prefix, separators and host.

func (ComponentPrefixKEKLabeler) AsKEKLabel

func (c ComponentPrefixKEKLabeler) AsKEKLabel(ctx context.Context, addr string) string

AsKEKLabel returns a KEK label in the form `as:host` from the given address, where `:` is the default separator. Empty parts are omitted.

func (ComponentPrefixKEKLabeler) NsKEKLabel

func (c ComponentPrefixKEKLabeler) NsKEKLabel(ctx context.Context, netID *types.NetID, addr string) string

NsKEKLabel returns a KEK label in the form `ns:netID:host` from the given NetID and address, where `:` is the default separator. Empty parts are omitted.

type MemKeyVault

type MemKeyVault struct {
	ComponentPrefixKEKLabeler
	// contains filtered or unexported fields
}

MemKeyVault is a KeyVault that uses secrets from memory. This implementation does not provide any security as secrets are stored in the clear.

func NewMemKeyVault

func NewMemKeyVault(m map[string][]byte) *MemKeyVault

NewMemKeyVault returns a MemKeyVault. Certificate keys can be appended as a PEM block.

func (MemKeyVault) Decrypt added in v3.9.0

func (v MemKeyVault) Decrypt(ctx context.Context, ciphertext []byte, id string) ([]byte, error)

Decrypt implements KeyVault.

func (MemKeyVault) Encrypt added in v3.9.0

func (v MemKeyVault) Encrypt(ctx context.Context, plaintext []byte, id string) ([]byte, error)

Encrypt implements KeyVault.

func (MemKeyVault) ExportCertificate

func (v MemKeyVault) ExportCertificate(ctx context.Context, id string) (*tls.Certificate, error)

ExportCertificate implements KeyVault.

func (MemKeyVault) GetCertificate

func (v MemKeyVault) GetCertificate(ctx context.Context, id string) (*x509.Certificate, error)

GetCertificate implements KeyVault.

func (MemKeyVault) HMACHash added in v3.22.0

func (v MemKeyVault) HMACHash(_ context.Context, payload []byte, id string) ([]byte, error)

HMACHash implements KeyVault.

func (MemKeyVault) Unwrap

func (v MemKeyVault) Unwrap(ctx context.Context, ciphertext []byte, kekLabel string) ([]byte, error)

Unwrap implements KeyVault.

func (MemKeyVault) Wrap

func (v MemKeyVault) Wrap(ctx context.Context, plaintext []byte, kekLabel string) ([]byte, error)

Wrap implements KeyVault.
