Documentation ¶
Overview ¶
Package signing manages keys the auth service uses for signing and verification
- Copyright (c) 2026, NVIDIA CORPORATION. All rights reserved.
Index ¶
- Constants
- Variables
- func NewHMACSigner(secret cmn.Censored) tok.Signer
- type AsymmetricKeySigner
- type JWKSProvider
- type RSAKeyManager
- func (r *RSAKeyManager) GetJWKS() (jwk.Set, error)
- func (r *RSAKeyManager) GetPubKey() string
- func (r *RSAKeyManager) Init() error
- func (r *RSAKeyManager) ResolveKey(_ context.Context, t *jwt.Token) (any, error)
- func (r *RSAKeyManager) RotateKey() error
- func (r *RSAKeyManager) SignToken(c jwt.Claims) (string, error)
- func (r *RSAKeyManager) ValidationConf() *authn.ServerConf
Constants ¶
const (
	MinPassphraseLength  = 8
	MinPassphraseEntropy = 3
)
Constants for creating RSA keys and key set
Variables ¶
var (
	// ErrExternallyProvisioned is returned by RotateKey when the RSA key is externally
	// managed. Callers should map this to a 400 Bad Request rather than 500.
	ErrExternallyProvisioned = errors.New("key rotation is not supported when the RSA key is externally provisioned")
)
Functions ¶
Types ¶
type AsymmetricKeySigner ¶
type JWKSProvider ¶
type RSAKeyManager ¶
type RSAKeyManager struct {
// contains filtered or unexported fields
}
RSAKeyManager is responsible for the lifecycle of RSA key pairs
func NewRSAKeyManager ¶
func NewRSAKeyManager(conf *config.RSAKeyConfig, passphrase cmn.Censored, db kvdb.AuthStorageDriver) *RSAKeyManager
func (*RSAKeyManager) GetPubKey ¶
func (r *RSAKeyManager) GetPubKey() string
func (*RSAKeyManager) Init ¶
func (r *RSAKeyManager) Init() error
Init loads or generates the RSA key pair used for token signing. Must be called once at startup. When ExternallyProvisioned, a missing key file is a fatal error and API rotation is rejected. To pick up an externally rotated key, replace the file on disk and restart the process; live reload without a restart is not supported.
func (*RSAKeyManager) ResolveKey ¶
func (*RSAKeyManager) RotateKey ¶
func (r *RSAKeyManager) RotateKey() error
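An added example, not part of this package, showing one way a caller can map RotateKey results to HTTP status codes as the ErrExternallyProvisioned comment recommends. The names keyRotator, rotateHandler, stubRotator, statusFor and the /rotate path are hypothetical, and ErrExternallyProvisioned is redeclared locally as a stand-in so the block compiles on its own.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Local stand-in for signing.ErrExternallyProvisioned (assumption: real callers import the package).
var ErrExternallyProvisioned = errors.New("key rotation is not supported when the RSA key is externally provisioned")

// keyRotator is a hypothetical interface; *RSAKeyManager satisfies it through RotateKey.
type keyRotator interface{ RotateKey() error }

// rotateHandler (hypothetical) maps the outcome of RotateKey to an HTTP status.
func rotateHandler(kr keyRotator) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		err := kr.RotateKey()
		switch {
		case err == nil:
			w.WriteHeader(http.StatusNoContent)
		case errors.Is(err, ErrExternallyProvisioned): // also matches wrapped errors
			http.Error(w, ErrExternallyProvisioned.Error(), http.StatusBadRequest)
		default:
			// Keep failure detail in the server log; the client gets a generic body.
			log.Printf("key rotation failed: %v", err)
			http.Error(w, "internal error", http.StatusInternalServerError)
		}
	}
}

// stubRotator is a constructed test double that returns a fixed error.
type stubRotator struct{ err error }

func (s stubRotator) RotateKey() error { return s.err }

// statusFor sends one request through the handler and returns the status code.
func statusFor(method string, err error) int {
	rec := httptest.NewRecorder()
	rotateHandler(stubRotator{err})(rec, httptest.NewRequest(method, "/rotate", nil))
	return rec.Code
}

func main() { fmt.Println(statusFor(http.MethodPost, fmt.Errorf("rotate: %w", ErrExternallyProvisioned))) }
```

Matching with errors.Is rather than == keeps the 400 mapping intact when an intermediate layer wraps the sentinel with %w.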
func (*RSAKeyManager) SignToken ¶
func (r *RSAKeyManager) SignToken(c jwt.Claims) (string, error)
SignToken signs JWT claims with the current RSA private key and includes the key ID header
func (*RSAKeyManager) ValidationConf ¶
func (r *RSAKeyManager) ValidationConf() *authn.ServerConf