Overview ¶
Package azurekeyvault provides the same repository-style cryptographic API as the local package, backed by Azure Key Vault when a Key Vault key reference is supplied.
The package supports provider-backed symmetric encryption, RSA-OAEP, RSA-PSS, RSA SHA-256, and HMAC through the Azure SDK, while still routing explicit local keys to the local implementation. Ed25519 remains local-only because this package does not expose provider-backed Ed25519 operations through Azure Key Vault.
When a provider key identifier is needed, the package reads it from viper using "encrypt.vault.azure-key-vault.key-id", with compatibility fallback to "encrypt.azure-key-vault.key-id".
Types ¶
type AsymmetricRepository ¶
// AsymmetricRepository groups the RSA and ECC key-generation and encryption
// operations. For every Encode/Decode method the backend (Azure Key Vault or
// the local implementation) is selected from the form of the key string that
// is passed in, so the key argument should come from configuration, not from
// untrusted input.
type AsymmetricRepository interface {
	// GenerateRSAKeys creates an RSA key in Azure Key Vault and returns its
	// public key plus metadata reference.
	// NOTE(review): the private key is expected to stay inside Key Vault and
	// only the reference to be returned — confirm against the implementation.
	GenerateRSAKeys(ctx context.Context, size common.SizeAsymetrycKey) (*models.KeyData, error)
	// GenerateECCKeys creates an ECC key pair when provider-backed support is
	// available for the backend.
	// NOTE(review): the package overview does not list ECC among the
	// provider-backed operations of this package — confirm whether this call
	// is vault-backed here or local-only.
	GenerateECCKeys(ctx context.Context, curve common.CurveAsymmetricKey) (*models.KeyData, error)
	// RSA_OAEP_Encode encrypts plaintext with an Azure Key Vault key reference
	// or a Base64 RSA public key; which path is used is decided by the form
	// of publicKey.
	RSA_OAEP_Encode(ctx context.Context, publicKey, text string) (string, error)
	// RSA_OAEP_Decode decrypts ciphertext produced by RSA_OAEP_Encode using an
	// Azure Key Vault key reference or a Base64 RSA private key. The key must
	// correspond to the one used by RSA_OAEP_Encode.
	RSA_OAEP_Decode(ctx context.Context, privateKey, cipherText string) (string, error)
	// ECC_Encode encrypts plaintext with a supported provider-backed ECC key or
	// falls back to a local Base64 ECC public key.
	// NOTE(review): see GenerateECCKeys — provider-backed ECC is not listed in
	// the package overview; confirm which backend this reaches.
	ECC_Encode(ctx context.Context, publicKey, text string) (string, error)
	// ECC_Decode decrypts ciphertext produced by ECC_Encode using a supported
	// provider-backed ECC key or a local Base64 ECC private key.
	ECC_Decode(ctx context.Context, privateKey, cipherText string) (string, error)
}
func NewAsymmetricRepository ¶
func NewAsymmetricRepository() AsymmetricRepository
type HashRepository ¶
// HashRepository groups the keyed and unkeyed digest operations. Only HMAC
// can be provider-backed; the two plain digests take ctx for interface
// symmetry with the rest of the package.
type HashRepository interface {
	// HMAC generates an HMAC-SHA256 value with Azure Key Vault when
	// secretKey is a vault reference, or locally otherwise. The encoding of
	// the returned string is not documented here.
	// NOTE(review): there is no error return, so a Key Vault failure (network,
	// auth, missing key) cannot be reported through this signature — confirm
	// what the implementation returns on failure and check for that value
	// before using the result.
	HMAC(ctx context.Context, secretKey, message string) string
	// Sha256Hex returns the SHA-256 digest encoded as hexadecimal.
	Sha256Hex(ctx context.Context, message string) string
	// Blake3 returns the BLAKE3 digest encoded as Base64 (note the different
	// encoding from Sha256Hex).
	Blake3(ctx context.Context, message string) string
}
func NewHashRepository ¶
func NewHashRepository() HashRepository
type Repository ¶
// Repository bundles the four capability interfaces into a single value.
// Their method sets do not overlap, so every method is promoted without
// ambiguity. The zero value holds nil interfaces and any method call on it
// panics; obtain an initialised instance from NewRepository.
type Repository struct {
	SymmetricRepository
	AsymmetricRepository
	SignatureRepository
	HashRepository
}
func NewRepository ¶
func NewRepository() *Repository
type SignatureRepository ¶
// SignatureRepository groups the signing and verification operations. As in
// the other interfaces, the backend is chosen from the form (or emptiness)
// of the key argument, so key strings should come from configuration rather
// than untrusted input.
type SignatureRepository interface {
	// GenerateEd255Keys creates an Ed25519 signing key when provider-backed
	// support is available for the backend. In this package Ed25519 is
	// local-only (see the package overview); the provider-backed wording
	// presumably applies to other backends that share this interface.
	GenerateEd255Keys(ctx context.Context) (*models.KeyData, error)
	// SignEd25519 signs text with a supported provider-backed key or a Base64
	// Ed25519 private key. In this package only the local path is available.
	SignEd25519(ctx context.Context, privateKey, text string) (string, error)
	// VerifyEd25519 verifies a Base64 Ed25519 signature with a supported
	// provider-backed key or a Base64 Ed25519 public key. A non-nil error
	// means the signature did not verify or the key could not be used.
	VerifyEd25519(ctx context.Context, publicKey, text, signature string) error
	// SignRSAPSS signs text with an Azure Key Vault RSA signing key reference or
	// a Base64 RSA private key.
	SignRSAPSS(ctx context.Context, privateKey, text string) (string, error)
	// VerifyRSAPSS verifies a Base64 RSA-PSS signature with an Azure Key Vault
	// key reference or a Base64 RSA public key.
	VerifyRSAPSS(ctx context.Context, publicKey, text, signature string) error
	// Sign_RSA_PKCS1v15_SHA256 signs data with RSA PKCS#1 v1.5 using Azure Key Vault
	// when privateKey is empty, or a local Base64 RSA private key otherwise.
	// With an empty privateKey the vault key is the one configured under
	// "encrypt.vault.azure-key-vault.key-id" (see the package overview), so an
	// accidentally empty key silently selects the configured vault key rather
	// than failing.
	Sign_RSA_PKCS1v15_SHA256(ctx context.Context, privateKey, data string) (string, error)
	// Verify_RSA_PKCS1v15_SHA256 verifies an RSA PKCS#1 v1.5 SHA-256 signature with Azure Key
	// Vault when publicKey is empty, or a local Base64 RSA public key otherwise.
	// Parameter order differs from VerifyRSAPSS/VerifyEd25519: data comes
	// before publicKey. Both are strings, so swapping them compiles; callers
	// should pass arguments by position with care.
	Verify_RSA_PKCS1v15_SHA256(ctx context.Context, data, publicKey string, signature string) error
}
func NewSignatureRepository ¶
func NewSignatureRepository() SignatureRepository
type SymmetricRepository ¶
// SymmetricRepository groups symmetric key generation and AES encryption.
// The backend is selected from the form of secretKey: a vault reference goes
// to Azure Key Vault, a Base64 AES key to the local AES-GCM implementation.
type SymmetricRepository interface {
	// GenerateSymetrycKeys creates an Azure Key Vault symmetric key and returns
	// its metadata reference.
	GenerateSymetrycKeys(ctx context.Context, size common.SizeSymetrycKey) (*models.KeyData, error)
	// EncryptAES encrypts plaintext with an Azure Key Vault symmetric key
	// reference or falls back to local AES-GCM when secretKey is a Base64 AES
	// key.
	// NOTE(review): additional is presumably the AES-GCM additional
	// authenticated data (nil for none); whether nil and an empty string are
	// treated alike is not documented — confirm against the implementation.
	EncryptAES(ctx context.Context, secretKey, value string, additional *string) (string, error)
	// DecryptAES decrypts ciphertext produced by EncryptAES using Azure Key
	// Vault or a local Base64 AES key. If additional carries authenticated
	// data, the same value used at encryption time must be supplied here.
	DecryptAES(ctx context.Context, secretKey, cipherValue string, additional *string) (string, error)
}
func NewSymmetricRepository ¶
func NewSymmetricRepository() SymmetricRepository