Documentation
Overview
Package cryptoutil implements cryptography utilities.
Index
- Variables
- func NewCacheKeyService(inner crypto.KeyService, ttl time.Duration, size int) crypto.KeyService
- func NewCacheKeyVault(inner crypto.KeyVault, opts ...CacheKeyVaultOption) crypto.KeyVault
- func NewMemKeyVault(m map[string][]byte) crypto.KeyVault
- func UnwrapAES128Key(ctx context.Context, wrapped *ttnpb.KeyEnvelope, ks crypto.KeyService) (key types.AES128Key, err error)
- func UnwrapKeyEnvelope(ctx context.Context, ke *ttnpb.KeyEnvelope, ks crypto.KeyService) (*ttnpb.KeyEnvelope, error)
- func UnwrapSelectedSessionKeys(ctx context.Context, ks crypto.KeyService, sk *ttnpb.SessionKeys, ...) (*ttnpb.SessionKeys, error)
- func WrapAES128Key(ctx context.Context, key types.AES128Key, kekLabel string, ...) (*ttnpb.KeyEnvelope, error)
- func WrapAES128KeyWithKEK(ctx context.Context, key types.AES128Key, kekLabel string, kek types.AES128Key) (*ttnpb.KeyEnvelope, error)
- type CacheKeyVaultClock
- type CacheKeyVaultClockFunc
- type CacheKeyVaultOption
- type ComponentPrefixKEKLabeler
Constants
This section is empty.
Variables
var EmptyKeyVault crypto.KeyVault = emptyKeyVault{}
EmptyKeyVault is an empty key vault.
Functions
func NewCacheKeyService added in v3.24.0
func NewCacheKeyService(inner crypto.KeyService, ttl time.Duration, size int) crypto.KeyService
NewCacheKeyService returns a new crypto.KeyService that caches the results of Unwrap.
func NewCacheKeyVault added in v3.9.0
func NewCacheKeyVault(inner crypto.KeyVault, opts ...CacheKeyVaultOption) crypto.KeyVault
NewCacheKeyVault returns a new crypto.KeyVault that caches the keys in memory. Certificates are cached for the duration of their validity minus one hour, capped by the given time-to-live.
func NewMemKeyVault
func NewMemKeyVault(m map[string][]byte) crypto.KeyVault
NewMemKeyVault returns a crypto.KeyVault that stores keys in memory. Certificates must be PEM encoded. The given map must not be modified after calling this function.
func UnwrapAES128Key
func UnwrapAES128Key(
	ctx context.Context,
	wrapped *ttnpb.KeyEnvelope,
	ks crypto.KeyService,
) (key types.AES128Key, err error)
UnwrapAES128Key performs the RFC 3394 Unwrap algorithm on the given key envelope using the given key service. If the KEK label is empty, the key is assumed to be stored in the clear.
func UnwrapKeyEnvelope added in v3.10.0
func UnwrapKeyEnvelope(ctx context.Context, ke *ttnpb.KeyEnvelope, ks crypto.KeyService) (*ttnpb.KeyEnvelope, error)
UnwrapKeyEnvelope calls UnwrapAES128Key on the given key envelope using the given key service if necessary and returns the result as a key envelope. NOTE: UnwrapKeyEnvelope returns ke if unwrapping is not necessary.
func UnwrapSelectedSessionKeys
func UnwrapSelectedSessionKeys(
	ctx context.Context,
	ks crypto.KeyService,
	sk *ttnpb.SessionKeys,
	prefix string,
	paths ...string,
) (*ttnpb.SessionKeys, error)
UnwrapSelectedSessionKeys unwraps the session keys selected by prefix and paths in the given session keys, using the given key service.
func WrapAES128Key
func WrapAES128Key(
	ctx context.Context,
	key types.AES128Key,
	kekLabel string,
	ks crypto.KeyService,
) (*ttnpb.KeyEnvelope, error)
WrapAES128Key performs the RFC 3394 Wrap algorithm on the given key using the given key service and KEK label. If the KEK label is empty, the key will be returned in the clear.
func WrapAES128KeyWithKEK added in v3.10.0
func WrapAES128KeyWithKEK(
	ctx context.Context,
	key types.AES128Key,
	kekLabel string,
	kek types.AES128Key,
) (*ttnpb.KeyEnvelope, error)
WrapAES128KeyWithKEK wraps the key with the given KEK. If the KEK label is empty, the key will be returned in the clear.
Types
type CacheKeyVaultClock added in v3.24.0
CacheKeyVaultClock provides a time source.
type CacheKeyVaultClockFunc added in v3.24.0
CacheKeyVaultClockFunc implements CacheKeyVaultClock.
func (CacheKeyVaultClockFunc) Now added in v3.24.0
func (f CacheKeyVaultClockFunc) Now() time.Time
Now implements CacheKeyVaultClock.
type CacheKeyVaultOption added in v3.24.0
type CacheKeyVaultOption interface {
// contains filtered or unexported methods
}
CacheKeyVaultOption configures CacheKeyVault.
func WithCacheKeyVaultClock added in v3.24.0
func WithCacheKeyVaultClock(clock CacheKeyVaultClock) CacheKeyVaultOption
WithCacheKeyVaultClock configures a time source. This is useful for testing.
func WithCacheKeyVaultSize added in v3.24.0
func WithCacheKeyVaultSize(size int) CacheKeyVaultOption
WithCacheKeyVaultSize configures the size of the cache.
func WithCacheKeyVaultTTL added in v3.24.0
func WithCacheKeyVaultTTL(ttl, errTTL time.Duration) CacheKeyVaultOption
WithCacheKeyVaultTTL configures the time-to-live of the cache (ttl) and of cached errors (errTTL). If 0, no expiry is used.
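The caching layer that NewCacheKeyVault, WithCacheKeyVaultClock and WithCacheKeyVaultTTL describe, as an added example rather than the package's implementation. It shows why an injectable clock is "useful for testing": expiry of both successful lookups (ttl) and failed ones (errTTL) can be exercised deterministically without sleeping. Assumptions: KeyVault is a constructed single-method stand-in for crypto.KeyVault, the constructor takes flat parameters instead of CacheKeyVaultOption values, a zero errTTL means failures are not cached at all (this example's choice; the page only states that a zero ttl disables expiry), and the size bound evicts an arbitrary entry rather than an LRU one.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// KeyVault is a constructed stand-in for the part of crypto.KeyVault this example needs:
// resolve a label to key material, typically by calling out to a KMS.
type KeyVault interface {
	Key(label string) ([]byte, error)
}

// Clock and ClockFunc mirror CacheKeyVaultClock and CacheKeyVaultClockFunc.
type Clock interface{ Now() time.Time }

type ClockFunc func() time.Time

func (f ClockFunc) Now() time.Time { return f() }

type cacheEntry struct {
	key     []byte
	err     error
	expires time.Time // zero value: never expires
}

// CacheKeyVault caches lookups: successes for ttl, errors for errTTL (so a failing KMS
// is not hammered on every request). A zero ttl means entries never expire.
type CacheKeyVault struct {
	inner       KeyVault
	clock       Clock
	ttl, errTTL time.Duration
	size        int
	mu          sync.Mutex
	entries     map[string]cacheEntry
}

// NewCacheKeyVault takes flat parameters here; the package uses CacheKeyVaultOption values.
func NewCacheKeyVault(inner KeyVault, clock Clock, ttl, errTTL time.Duration, size int) *CacheKeyVault {
	if clock == nil {
		clock = ClockFunc(time.Now) // production default; tests inject a fake clock
	}
	return &CacheKeyVault{
		inner: inner, clock: clock, ttl: ttl, errTTL: errTTL, size: size,
		entries: map[string]cacheEntry{},
	}
}

// Key serves from the cache while the entry is fresh and otherwise consults the inner vault.
func (c *CacheKeyVault) Key(label string) ([]byte, error) {
	now := c.clock.Now()
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[label]; ok && (e.expires.IsZero() || now.Before(e.expires)) {
		return e.key, e.err
	}
	key, err := c.inner.Key(label)
	d := c.ttl
	if err != nil {
		if c.errTTL == 0 {
			return nil, err // this example's choice: a zero errTTL means failures are not cached
		}
		d = c.errTTL
	}
	e := cacheEntry{key: key, err: err}
	if d > 0 {
		e.expires = now.Add(d)
	}
	if _, present := c.entries[label]; !present && len(c.entries) >= c.size {
		for k := range c.entries { // crude bound: evict an arbitrary entry; a real cache would use LRU
			delete(c.entries, k)
			break
		}
	}
	c.entries[label] = e
	return key, err
}

// countingVault is a constructed in-memory vault that records how often it was consulted.
type countingVault struct {
	keys  map[string][]byte
	Calls int
}

func (v *countingVault) Key(label string) ([]byte, error) {
	v.Calls++
	if k, ok := v.keys[label]; ok {
		return k, nil
	}
	return nil, errors.New("no such key: " + label)
}
```

Caching a failed lookup is deliberate: without errTTL, a KMS outage turns every device join or uplink into a fresh KMS call and the outage gets worse. The flip side is that a cached error hides a KMS recovery (or a newly created key) until errTTL elapses, so it should stay short, and a ttl of 0 means a rotated or revoked KEK is never re-read until the process restarts.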
type ComponentPrefixKEKLabeler
type ComponentPrefixKEKLabeler struct {
	// Separator is the string to join parts.
	Separator string
	// ReplaceOldNew is a set of old and new string pairs to replace in parts.
	ReplaceOldNew []string
}
ComponentPrefixKEKLabeler is a ComponentKEKLabeler that joins the component prefix, separators and host.
func (ComponentPrefixKEKLabeler) AsKEKLabel
func (c ComponentPrefixKEKLabeler) AsKEKLabel(ctx context.Context, addr string) string
AsKEKLabel returns a KEK label in the form `as:host` from the given address, where `:` is the default separator. Empty parts are omitted.
func (ComponentPrefixKEKLabeler) NsKEKLabel
func (c ComponentPrefixKEKLabeler) NsKEKLabel(ctx context.Context, netID *types.NetID, addr string) string
NsKEKLabel returns a KEK label in the form `ns:netID:host` from the given NetID and address, where `:` is the default separator. Empty parts are omitted.
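How the AsKEKLabel and NsKEKLabel forms above can be derived, as an added example that is not the package's own implementation. It applies the documented rules: the default separator is ":", empty parts are omitted, and ReplaceOldNew pairs are applied to the parts before joining. Two assumptions are this example's: NetID is a constructed 3-byte stand-in for types.NetID printed as upper-case hex, and the hostOf helper is one reading of "from the given address" (scheme, port and path are stripped, leaving the host name). The ctx parameter of the original methods is dropped since nothing here uses it.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// NetID is a constructed stand-in for types.NetID (a 24-bit LoRaWAN network identifier);
// rendering it as upper-case hex is an assumption about the original type.
type NetID [3]byte

func (n NetID) String() string { return fmt.Sprintf("%02X%02X%02X", n[0], n[1], n[2]) }

// ComponentPrefixKEKLabeler mirrors the documented struct: Separator joins the parts
// (":" when empty) and ReplaceOldNew is applied to every part before joining.
type ComponentPrefixKEKLabeler struct {
	Separator     string
	ReplaceOldNew []string // old/new pairs; strings.NewReplacer panics on an odd count
}

// label joins the non-empty parts, applying the replacements first.
func (c ComponentPrefixKEKLabeler) label(parts ...string) string {
	sep := c.Separator
	if sep == "" {
		sep = ":"
	}
	var replacer *strings.Replacer
	if len(c.ReplaceOldNew) > 0 {
		replacer = strings.NewReplacer(c.ReplaceOldNew...)
	}
	kept := make([]string, 0, len(parts))
	for _, p := range parts {
		if p == "" {
			continue // empty parts are omitted, as documented
		}
		if replacer != nil {
			p = replacer.Replace(p)
		}
		kept = append(kept, p)
	}
	return strings.Join(kept, sep)
}

// AsKEKLabel returns "as:host" for the Application Server.
func (c ComponentPrefixKEKLabeler) AsKEKLabel(addr string) string {
	return c.label("as", hostOf(addr))
}

// NsKEKLabel returns "ns:netID:host" for the Network Server; a nil NetID is omitted.
func (c ComponentPrefixKEKLabeler) NsKEKLabel(netID *NetID, addr string) string {
	id := ""
	if netID != nil {
		id = netID.String()
	}
	return c.label("ns", id, hostOf(addr))
}

// hostOf reduces an address to its host name: scheme, port and path are dropped
// (this example's interpretation of "from the given address").
func hostOf(addr string) string {
	if u, err := url.Parse(addr); err == nil && u.Host != "" {
		return u.Hostname()
	}
	if h, _, err := net.SplitHostPort(addr); err == nil {
		return h
	}
	return addr
}
```

The label is the lookup key for the KEK, so it needs to be stable for one peer and distinct between peers: omitting empty parts means a missing NetID collapses "ns::host" to "ns:host" rather than producing a label with a dangling separator, and ReplaceOldNew is the place to map characters a key-management backend rejects in key names (the test below uses "." to "_" as a constructed example) while keeping the mapping injective enough that two hosts do not share a KEK.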