Package gcpkms provides the same repository-style cryptographic API as the local package, backed by Google Cloud KMS when a Cloud KMS key reference is supplied.
The package supports provider-backed symmetric encryption, HMAC, RSA-OAEP, RSA signing, and Ed25519 signing through the Google Cloud KMS SDK, while still routing explicit local keys to the local implementation. Provider-side verification paths that are not exposed by Cloud KMS are completed by fetching the public key and verifying locally.
When a provider key identifier is needed, the package reads it from viper using "encrypt.vault.gcp-kms.key-id", with compatibility fallback to "encrypt.gcp-kms.key-id".
// AsymmetricRepository exposes RSA/ECC key generation and RSA-OAEP / ECC
// encryption. Each method accepts either a GCP KMS key reference or a Base64
// key; how the two forms are told apart is not visible here (presumably by the
// shape of the string — confirm in the implementation). With a KMS reference the
// private-key operation is performed inside Cloud KMS; with a Base64 key it is
// routed to the local implementation.
type AsymmetricRepository interface {
	// GenerateRSAKeys creates an RSA decryption key in GCP KMS and returns its
	// public key plus metadata reference. The KeyData presumably carries the
	// KMS reference rather than exportable private-key material — confirm,
	// since callers may persist what is returned here.
	GenerateRSAKeys(ctx context.Context, size common.SizeAsymetrycKey) (*models.KeyData, error)
	// GenerateECCKeys creates an ECC key pair when provider-backed support is
	// available for the backend. Behaviour when the backend has no such support
	// (error vs. local generation) is not visible here — confirm before relying
	// on it.
	GenerateECCKeys(ctx context.Context, curve common.CurveAsymmetricKey) (*models.KeyData, error)
	// RSA_OAEP_Encode encrypts plaintext with a GCP KMS key reference or a
	// Base64 RSA public key. The returned ciphertext is a string; its encoding
	// is not stated here (presumably Base64, matching the key inputs).
	RSA_OAEP_Encode(ctx context.Context, publicKey, text string) (string, error)
	// RSA_OAEP_Decode decrypts ciphertext produced by RSA_OAEP_Encode using a
	// GCP KMS key reference or a Base64 RSA private key. privateKey must refer
	// to the key pair whose public half was used by RSA_OAEP_Encode.
	RSA_OAEP_Decode(ctx context.Context, privateKey, cipherText string) (string, error)
	// ECC_Encode encrypts plaintext with a supported provider-backed ECC key or
	// falls back to a local Base64 ECC public key.
	ECC_Encode(ctx context.Context, publicKey, text string) (string, error)
	// ECC_Decode decrypts ciphertext produced by ECC_Encode using a supported
	// provider-backed ECC key or a local Base64 ECC private key.
	ECC_Decode(ctx context.Context, privateKey, cipherText string) (string, error)
}
func NewAsymmetricRepository() AsymmetricRepository
// HashRepository exposes a keyed MAC and two unkeyed digests. Note that the
// output encodings differ per method (hex for Sha256Hex, Base64 for Blake3) and
// that none of the methods returns an error.
type HashRepository interface {
	// HMAC generates an HMAC-SHA256 value with GCP KMS when secretKey is
	// a KMS reference, or locally otherwise.
	// There is no error return, so how a KMS failure is surfaced (empty
	// string, panic, or something else) is not visible here — callers that
	// compare the result against a stored MAC should confirm this before
	// treating an empty or unexpected value as a valid tag.
	HMAC(ctx context.Context, secretKey, message string) string
	// Sha256Hex returns the SHA-256 digest encoded as hexadecimal.
	// Computed locally; ctx is accepted for interface symmetry (presumably
	// unused — confirm).
	Sha256Hex(ctx context.Context, message string) string
	// Blake3 returns the BLAKE3 digest encoded as Base64 (not hex, unlike
	// Sha256Hex).
	Blake3(ctx context.Context, message string) string
}
func NewHashRepository() HashRepository
// Repository aggregates the four capability interfaces into one value by
// embedding them. Every embedded field is an interface, so a Repository built
// with a struct literal that leaves one nil will panic on the first call to
// that capability; NewRepository presumably populates all four — confirm
// before constructing a Repository any other way.
type Repository struct {
	SymmetricRepository
	AsymmetricRepository
	SignatureRepository
	HashRepository
}
func NewRepository() *Repository
// SignatureRepository exposes Ed25519, RSA-PSS and RSA PKCS#1 v1.5 signing and
// verification. The Ed25519 and RSA-PSS methods take the KMS reference or
// Base64 key in the key argument; the PKCS#1 v1.5 methods instead select KMS
// when the key argument is empty, reading the key identifier from viper under
// "encrypt.vault.gcp-kms.key-id" (falling back to "encrypt.gcp-kms.key-id").
// Signatures are exchanged as Base64 strings throughout.
type SignatureRepository interface {
	// GenerateEd255Keys creates an Ed25519 signing key in GCP KMS when possible.
	// What "when possible" falls back to is not visible here — confirm.
	GenerateEd255Keys(ctx context.Context) (*models.KeyData, error)
	// SignEd25519 signs text with a GCP KMS key reference or a Base64 Ed25519
	// private key. Returns the signature as a Base64 string.
	SignEd25519(ctx context.Context, privateKey, text string) (string, error)
	// VerifyEd25519 verifies a Base64 Ed25519 signature with a GCP KMS key
	// reference or a Base64 Ed25519 public key. Per the package overview,
	// verification that Cloud KMS does not expose is completed by fetching the
	// public key and verifying locally. A nil error means the signature is
	// valid; any non-nil error must be treated as verification failure.
	VerifyEd25519(ctx context.Context, publicKey, text, signature string) error
	// SignRSAPSS signs text with a GCP KMS RSA signing key reference or a
	// Base64 RSA private key. Returns the signature as a Base64 string.
	SignRSAPSS(ctx context.Context, privateKey, text string) (string, error)
	// VerifyRSAPSS verifies a Base64 RSA-PSS signature with a GCP KMS key
	// reference or a Base64 RSA public key. A nil error means the signature is
	// valid; any non-nil error must be treated as verification failure.
	VerifyRSAPSS(ctx context.Context, publicKey, text, signature string) error
	// Sign_RSA_PKCS1v15_SHA256 signs data with RSA PKCS#1 v1.5 using GCP KMS when
	// privateKey is empty, or a local Base64 RSA private key otherwise.
	// Unlike SignRSAPSS, an empty key here selects the KMS key configured in
	// viper rather than being an error.
	Sign_RSA_PKCS1v15_SHA256(ctx context.Context, privateKey, data string) (string, error)
	// Verify_RSA_PKCS1v15_SHA256 verifies an RSA PKCS#1 v1.5 SHA-256 signature with GCP KMS
	// when publicKey is empty, or a local Base64 RSA public key otherwise.
	// NOTE: the parameter order is (data, publicKey, signature), which differs
	// from VerifyRSAPSS/VerifyEd25519 where the key comes first; because all
	// three are strings the compiler will not catch a swapped call, so pass
	// positionally with care.
	Verify_RSA_PKCS1v15_SHA256(ctx context.Context, data, publicKey string, signature string) error
}
func NewSignatureRepository() SignatureRepository
// SymmetricRepository exposes symmetric key generation and AES encryption.
// secretKey is either a GCP KMS symmetric key reference (encryption happens
// inside Cloud KMS) or a Base64 AES key (encryption happens locally with
// AES-GCM).
type SymmetricRepository interface {
	// GenerateSymetrycKeys creates a GCP KMS symmetric key and returns its
	// metadata reference. No key material is described as being returned —
	// the reference is what later calls pass as secretKey (presumably; confirm
	// against KeyData).
	GenerateSymetrycKeys(ctx context.Context, size common.SizeSymetrycKey) (*models.KeyData, error)
	// EncryptAES encrypts plaintext with a GCP KMS symmetric key reference or
	// falls back to local AES-GCM when secretKey is a Base64 AES key.
	// additional is presumably additional authenticated data (AAD) for the
	// GCM path; whether the KMS path also binds it is not visible here —
	// confirm, since a value silently ignored on one path weakens the contract.
	EncryptAES(ctx context.Context, secretKey, value string, additional *string) (string, error)
	// DecryptAES decrypts ciphertext produced by EncryptAES using GCP KMS or a
	// local Base64 AES key. If additional is AAD, the same value (or nil) used
	// at encryption time must be supplied here or authentication is expected to
	// fail — confirm against the implementation.
	DecryptAES(ctx context.Context, secretKey, cipherValue string, additional *string) (string, error)
}
func NewSymmetricRepository() SymmetricRepository