Documentation
Overview
Package keymanager handles the creation, storage, and loading of authcore's cryptographic key material.
On first use it creates a ".authcore" directory (or a caller-specified path), writes a .gitignore that prevents secrets from being committed, and generates the following files:
ed25519_private.pem — Ed25519 private key, PKCS#8 PEM, mode 0600
ed25519_public.pem — Ed25519 public key, PKIX PEM, mode 0644
refresh_secret.key — 32-byte HMAC-SHA256 secret, hex-encoded, mode 0600
On subsequent calls the existing files are loaded and validated; no new material is generated unless a file is missing.
Key-file loading is size-capped at 4 KiB. A healthy Ed25519 PEM is ~200 bytes and a hex-encoded HMAC secret is 65 bytes, so the cap leaves comfortable headroom for PEM comment headers while refusing a corrupted or attacker-replaced key file that would otherwise be loaded whole into memory before PEM decoding rejects it.
The KeyManager is read-only after construction and safe for concurrent use.
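The overview describes three properties of the key files worth seeing in code: PKCS#8 PEM written with mode 0600 and never silently overwritten, a 4 KiB size cap enforced before PEM decoding, and a type check that the parsed key really is Ed25519. The following is an added, stand-alone example of that pattern using only the Go standard library; it is not the keymanager package's own code, and the names maxKeyFileSize, writePrivateKeyPEM, readCapped and loadPrivateKeyPEM are illustrative helpers, not part of the package API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// maxKeyFileSize mirrors the 4 KiB load cap described in the package overview.
// (Illustrative constant; the package does not export one.)
const maxKeyFileSize = 4 * 1024

// writePrivateKeyPEM generates a fresh Ed25519 key pair and writes the private
// key to path as a PKCS#8 PEM block with mode 0600. O_EXCL makes the call fail
// if the file already exists, so existing key material is never clobbered.
func writePrivateKeyPEM(path string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return nil, err
	}
	if err := pem.Encode(f, &pem.Block{Type: "PRIVATE KEY", Bytes: der}); err != nil {
		f.Close()
		return nil, err
	}
	return pub, f.Close()
}

// readCapped reads at most maxKeyFileSize bytes from path. Reading one byte
// past the cap is enough to detect an oversized file without buffering all of it.
func readCapped(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	data, err := io.ReadAll(io.LimitReader(f, maxKeyFileSize+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxKeyFileSize {
		return nil, fmt.Errorf("%s: exceeds %d-byte key file cap", filepath.Base(path), maxKeyFileSize)
	}
	return data, nil
}

// loadPrivateKeyPEM applies the size cap, decodes the PEM block and checks that
// the PKCS#8 payload is really an Ed25519 private key before returning it.
func loadPrivateKeyPEM(path string) (ed25519.PrivateKey, error) {
	data, err := readCapped(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("no PKCS#8 PRIVATE KEY block found")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	priv, ok := parsed.(ed25519.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("key is %T, want ed25519.PrivateKey", parsed)
	}
	return priv, nil
}

func main() {
	dir, err := os.MkdirTemp("", "authcore-keys-")
	if err != nil {
		fmt.Println("mkdir:", err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "ed25519_private.pem")
	if _, err := writePrivateKeyPEM(path); err != nil {
		fmt.Println("write:", err)
		return
	}
	priv, err := loadPrivateKeyPEM(path)
	if err != nil {
		fmt.Println("load:", err)
		return
	}
	fmt.Printf("loaded %d-byte Ed25519 private key from %s\n", len(priv), path)
}
```

The cap is checked on the raw bytes before pem.Decode runs, which is the ordering the overview describes: a file that is too large is rejected without ever being parsed, and a file of the right size but the wrong key type is rejected by the type assertion rather than being handed to the signer.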
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type KeyManager
type KeyManager struct {
// contains filtered or unexported fields
}
KeyManager holds cryptographic material loaded at startup. All fields are immutable after New returns; no mutex is required.
func New
func New(dir string, log logger) (*KeyManager, error)
New initialises the KeyManager for the given directory.
It creates the directory if it does not exist, writes a protective .gitignore, then generates or loads each key file.
dir must be a writable path. Use "." to place the ".authcore" folder in the current working directory, or provide an absolute path for containerised / restricted environments.
func (*KeyManager) Dir
func (km *KeyManager) Dir() string
Dir returns the absolute path of the key directory.
func (*KeyManager) KeyID
func (km *KeyManager) KeyID() string
KeyID returns the stable identifier for the current signing key. See computeKeyID for the derivation details.
func (*KeyManager) PrivateKey
func (km *KeyManager) PrivateKey() ed25519.PrivateKey
PrivateKey returns the Ed25519 private key used for signing operations. The returned slice must not be modified by the caller.
func (*KeyManager) PublicKey
func (km *KeyManager) PublicKey() ed25519.PublicKey
PublicKey returns the Ed25519 public key used for signature verification. The returned slice must not be modified by the caller.
func (*KeyManager) RefreshSecret
func (km *KeyManager) RefreshSecret() []byte
RefreshSecret returns the 32-byte secret used as the HMAC-SHA256 key when hashing refresh tokens before database storage. The returned slice must not be modified by the caller.
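RefreshSecret is documented as the HMAC-SHA256 key for hashing refresh tokens before they are stored, and the overview gives the on-disk format (32 random bytes, hex-encoded, 65 bytes including the newline). The following is an added example of that usage, not code from the keymanager package: generating the secret, round-tripping it through the hex file format with a length check, hashing a token, and verifying a presented token against the stored digest in constant time. The helper names (generateRefreshSecret, encodeRefreshSecret, decodeRefreshSecret, hashRefreshToken, verifyRefreshToken) are illustrative and the token value is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// refreshSecretLen is the 32-byte length stated in the package overview.
const refreshSecretLen = 32

// generateRefreshSecret returns 32 bytes from the OS CSPRNG, the raw form of
// what the package stores in refresh_secret.key.
func generateRefreshSecret() ([]byte, error) {
	secret := make([]byte, refreshSecretLen)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return secret, nil
}

// encodeRefreshSecret renders the secret in the documented file format:
// 64 lowercase hex characters followed by a newline, 65 bytes in total.
func encodeRefreshSecret(secret []byte) string {
	return hex.EncodeToString(secret) + "\n"
}

// decodeRefreshSecret parses file content back into raw bytes and rejects any
// secret that is not exactly 32 bytes, so a truncated or edited file fails loudly.
func decodeRefreshSecret(content string) ([]byte, error) {
	secret, err := hex.DecodeString(strings.TrimSpace(content))
	if err != nil {
		return nil, fmt.Errorf("refresh secret is not valid hex: %w", err)
	}
	if len(secret) != refreshSecretLen {
		return nil, fmt.Errorf("refresh secret is %d bytes, want %d", len(secret), refreshSecretLen)
	}
	return secret, nil
}

// hashRefreshToken computes HMAC-SHA256(secret, token). Only this digest goes
// to the database, so a dump of the table does not yield usable refresh tokens
// without the secret. Returns a 32-byte digest.
func hashRefreshToken(secret, token []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(token)
	return mac.Sum(nil)
}

// verifyRefreshToken recomputes the digest for a presented token and compares
// it to the stored digest with hmac.Equal, which runs in constant time and so
// does not leak how many leading bytes matched.
func verifyRefreshToken(secret, token, stored []byte) bool {
	return hmac.Equal(hashRefreshToken(secret, token), stored)
}

func main() {
	secret, err := generateRefreshSecret()
	if err != nil {
		fmt.Println("generate:", err)
		return
	}
	fmt.Printf("refresh_secret.key content (%d bytes): %s", len(encodeRefreshSecret(secret)), encodeRefreshSecret(secret))

	// Constructed sample token; a real one would be an opaque random value.
	token := []byte("constructed-opaque-refresh-token")
	stored := hashRefreshToken(secret, token)
	fmt.Printf("stored digest: %x\n", stored)
	fmt.Println("same token verifies:", verifyRefreshToken(secret, token, stored))
	fmt.Println("altered token verifies:", verifyRefreshToken(secret, []byte("constructed-opaque-refresh-tokeN"), stored))
}
```

Because the stored value is keyed with a secret the database never holds, an attacker who only has the token table cannot forge a matching token by hashing guesses the way they could against a plain SHA-256 column; the secret file's 0600 mode and .gitignore entry described in the overview are what keep that property intact.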