Overview ¶
Package kms implements a Key Management System according to the best practices from "sections 3.5 and 3.6 of the PCI DSS standard" and "ANSI X9.17 - Financial Institution Key Management". We store an Elliptic Curve Master Key as the "Key Encrypting Key" (KEK). The KEK is used to encrypt/decrypt and sign the PrivateKey, which will be used with ECDH to generate the Data Encrypting Key.
Index ¶
- Variables
- func ClosePublicKeyStore()
- func DecodePrivateKey(keyBytes []byte, masterKey []byte) (key *asymmetric.PrivateKey, err error)
- func DelNode(id proto.NodeID) (err error)
- func EncodePrivateKey(key *asymmetric.PrivateKey, masterKey []byte) (keyBytes []byte, err error)
- func GetAllNodeID() (nodeIDs []proto.NodeID, err error)
- func GetLocalNodeID() (rawNodeID proto.NodeID, err error)
- func GetLocalNodeIDBytes() (rawNodeID []byte, err error)
- func GetLocalNonce() (nonce *mine.Uint256, err error)
- func GetLocalPrivateKey() (private *asymmetric.PrivateKey, err error)
- func GetLocalPublicKey() (public *asymmetric.PublicKey, err error)
- func GetNodeInfo(id proto.NodeID) (nodeInfo *proto.Node, err error)
- func GetPublicKey(id proto.NodeID) (publicKey *asymmetric.PublicKey, err error)
- func InitBP()
- func InitLocalKeyPair(privateKeyPath string, masterKey []byte) (err error)
- func InitPublicKeyStore(dbPath string, initNodes []proto.Node) (err error)
- func IsIDPubNonceValid(id *proto.RawNodeID, nonce *mine.Uint256, key *asymmetric.PublicKey) bool
- func LoadPrivateKey(keyFilePath string, masterKey []byte) (key *asymmetric.PrivateKey, err error)
- func ResetBucket() error
- func ResetLocalKeyStore()
- func SavePrivateKey(keyFilePath string, key *asymmetric.PrivateKey, masterKey []byte) (err error)
- func SetLocalKeyPair(private *asymmetric.PrivateKey, public *asymmetric.PublicKey)
- func SetLocalNodeIDNonce(rawNodeID []byte, nonce *mine.Uint256)
- func SetNode(nodeInfo *proto.Node) (err error)
- func SetPublicKey(id proto.NodeID, nonce mine.Uint256, publicKey *asymmetric.PublicKey) (err error)
- type LocalKeyStore
- type PublicKeyStore
Constants ¶
This section is empty.
Variables ¶
var (
	// AnonymousNodeID is the anonymous node id: 64 hex 'f' characters.
	AnonymousNodeID = proto.NodeID("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")

	// AnonymousRawNodeID is the raw-node-id form of AnonymousNodeID.
	AnonymousRawNodeID = AnonymousNodeID.ToRawNodeID()
)
// ErrNotKeyFile indicates the specified key file is empty.
var ErrNotKeyFile = errors.New("private key file empty")

// ErrHashNotMatch indicates the specified key hash is wrong.
var ErrHashNotMatch = errors.New("private key hash not match")

// ErrInvalidBase58Version indicates the specified key is not of the base58 version.
var ErrInvalidBase58Version = errors.New("invalid base58 version")

// PrivateKeyStoreVersion defines the private key version byte.
// NOTE(review): this is a package-level var, not a const, so it is mutable at runtime.
var PrivateKeyStoreVersion byte = 0x23
// ErrPKSNotInitialized indicates the public keystore has not been initialized.
var ErrPKSNotInitialized = errors.New("public keystore not initialized")

// ErrNilNode indicates the input node is nil.
var ErrNilNode = errors.New("nil node")

// ErrKeyNotFound indicates the requested key was not found.
var ErrKeyNotFound = errors.New("key not found")

// ErrNodeIDKeyNonceNotMatch indicates the node id, key and nonce do not match.
var ErrNodeIDKeyNonceNotMatch = errors.New("nodeID, key, nonce not match")
// BP holds the initial BP info.
var BP *conf.BPInfo
// ErrNilField indicates a local field is nil.
var ErrNilField = errors.New("local field is nil")
// Unittest is a test flag; it is false unless set explicitly.
var Unittest bool
Functions ¶
func ClosePublicKeyStore ¶
func ClosePublicKeyStore()
ClosePublicKeyStore closes the public key store.
func DecodePrivateKey ¶
func DecodePrivateKey(keyBytes []byte, masterKey []byte) (key *asymmetric.PrivateKey, err error)
DecodePrivateKey loads a private key from its encoded byte form.
func EncodePrivateKey ¶
func EncodePrivateKey(key *asymmetric.PrivateKey, masterKey []byte) (keyBytes []byte, err error)
EncodePrivateKey encodes a private key into its serialized byte form.
func GetAllNodeID ¶
GetAllNodeID gets all node IDs that exist in the store.
func GetLocalNodeID ¶
GetLocalNodeID gets current node ID in hash string format.
func GetLocalNodeIDBytes ¶
GetLocalNodeIDBytes gets a copy of the current node ID as []byte.
func GetLocalNonce ¶
GetLocalNonce gets current node nonce copy.
func GetLocalPrivateKey ¶
func GetLocalPrivateKey() (private *asymmetric.PrivateKey, err error)
GetLocalPrivateKey gets the local private key; if it is not set yet, it returns nil.
All calls to this func are logged.
func GetLocalPublicKey ¶
func GetLocalPublicKey() (public *asymmetric.PublicKey, err error)
GetLocalPublicKey gets the local public key; if it is not set yet, it returns nil.
func GetNodeInfo ¶
GetNodeInfo gets the node info of the given id. Returns an error if the id was not found.
func GetPublicKey ¶
func GetPublicKey(id proto.NodeID) (publicKey *asymmetric.PublicKey, err error)
GetPublicKey gets the PublicKey of the given id. Returns an error if the id was not found.
func InitLocalKeyPair ¶
InitLocalKeyPair initializes local private key.
func InitPublicKeyStore ¶
InitPublicKeyStore opens a db file, creating it if it does not exist, and creates a bucket if it does not exist.
func IsIDPubNonceValid ¶
IsIDPubNonceValid returns if `id == HashBlock(key, nonce)`.
func LoadPrivateKey ¶
func LoadPrivateKey(keyFilePath string, masterKey []byte) (key *asymmetric.PrivateKey, err error)
LoadPrivateKey loads the private key from keyFilePath and verifies the hash at the head of the file.
func ResetLocalKeyStore ¶
func ResetLocalKeyStore()
ResetLocalKeyStore is FOR UNIT TEST ONLY; DO NOT USE IT.
func SavePrivateKey ¶
func SavePrivateKey(keyFilePath string, key *asymmetric.PrivateKey, masterKey []byte) (err error)
SavePrivateKey saves the private key, with its hash at the head, to keyFilePath; the default file permission is 0600.
func SetLocalKeyPair ¶
func SetLocalKeyPair(private *asymmetric.PrivateKey, public *asymmetric.PublicKey)
SetLocalKeyPair sets the private and public key; this is a one-time operation.
func SetLocalNodeIDNonce ¶
SetLocalNodeIDNonce sets the local raw node ID and nonce; this is a one-time operation.
func SetPublicKey ¶
SetPublicKey verifies the nonce and sets the public key.
Types ¶
type LocalKeyStore ¶
LocalKeyStore is the type that holds the local private and public key.
type PublicKeyStore ¶
// PublicKeyStore holds the db and bucket name.
type PublicKeyStore struct {
// contains filtered or unexported fields
}
PublicKeyStore holds the db and bucket name.