keys

package
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 22, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DeriveKeyFromPassword 

func DeriveKeyFromPassword(password []byte, salt []byte) []byte

DeriveKeyFromPassword derives a 32-byte key from a password using Argon2id

func GenerateEd25519KeyPair 

func GenerateEd25519KeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error)

GenerateEd25519KeyPair generates a new Ed25519 key pair

func GenerateEd25519KeyPairFromSeed 

func GenerateEd25519KeyPairFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey)

GenerateEd25519KeyPairFromSeed generates a deterministic Ed25519 key pair from a seed The seed should be 32 bytes. If using user input, stretch it with DeriveKeyFromPassword first.

func HashPublicKey 

func HashPublicKey(publicKey crypto.PublicKey) ([]byte, error)

HashPublicKey creates a hash of a public key for use as ConfirmationID. Supports any algorithm registered in the algorithm registry.

func NewSigner 

func NewSigner(opts ...SignerOption) (crypto.Signer, error)

NewSigner is the factory function for creating signers. This is the default implementation, used when the `pkcs11` build tag is NOT active.

func ZeroizeBytes 

func ZeroizeBytes(b []byte)

ZeroizeBytes securely zeros a byte slice from memory. It uses runtime.KeepAlive to prevent the compiler from optimizing out the zeroization operation.

Usage: 

secret := []byte{...}
defer ZeroizeBytes(secret)

func ZeroizePrivateKey 

func ZeroizePrivateKey(key ed25519.PrivateKey)

ZeroizePrivateKey securely zeros an Ed25519 private key from memory. It uses runtime.KeepAlive to prevent the compiler from optimizing out the zeroization operation.

Usage: 

privateKey := ed25519.PrivateKey{...}
defer ZeroizePrivateKey(privateKey)

Types

type Ed25519Signer 

type Ed25519Signer struct {
	// contains filtered or unexported fields
}

Ed25519Signer implements Signer for Ed25519 keys It is safe for concurrent use.

func NewEd25519Signer 

func NewEd25519Signer(privateKey ed25519.PrivateKey) *Ed25519Signer

NewEd25519Signer creates a new Ed25519 signer with the given private key

func (*Ed25519Signer) Destroy 

func (s *Ed25519Signer) Destroy()

Destroy securely zeros the private key material This method is safe for concurrent use and idempotent. Once called, all future Sign() calls will fail.

func (*Ed25519Signer) Public 

func (s *Ed25519Signer) Public() crypto.PublicKey

Public returns the public key associated with this signer

func (*Ed25519Signer) Sign 

func (s *Ed25519Signer) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) ([]byte, error)

Sign creates a signature for the given message. Concurrency guarantee: If Destroy() is called concurrently with Sign(), either Sign() will complete successfully before destruction, or it will fail with "signer has been destroyed". Partial destruction during signing is prevented by the read lock, which is held during the entire signing operation.

type SecurePrivateKey 

type SecurePrivateKey struct {
	// contains filtered or unexported fields
}

SecurePrivateKey wraps a private key with automatic cleanup. Supports Ed25519 and any algorithm registered in the algorithm registry. The key is automatically zeroed when the wrapper is destroyed.

func GenerateSecureKeyPair 

func GenerateSecureKeyPair() (ed25519.PublicKey, *SecurePrivateKey, error)

GenerateSecureKeyPair generates a new Ed25519 key pair with automatic cleanup. The returned SecurePrivateKey will automatically zero the private key when destroyed.

Usage: 

pub, secPriv, err := GenerateSecureKeyPair()
if err != nil {
    return err
}
defer secPriv.Destroy()

func GenerateSecureKeyPairForAlgorithm 

func GenerateSecureKeyPairForAlgorithm(alg algorithm.Algorithm) (crypto.PublicKey, *SecurePrivateKey, error)

GenerateSecureKeyPairForAlgorithm generates a key pair for the specified algorithm. The returned SecurePrivateKey will automatically zero the private key when destroyed.

func NewSecurePrivateKey 

func NewSecurePrivateKey(key ed25519.PrivateKey) *SecurePrivateKey

NewSecurePrivateKey creates a new SecurePrivateKey wrapper for an Ed25519 key. The key will be automatically zeroed when Destroy() is called.

func NewSecurePrivateKeyGeneric 

func NewSecurePrivateKeyGeneric(key crypto.PrivateKey) *SecurePrivateKey

NewSecurePrivateKeyGeneric creates a new SecurePrivateKey wrapper for any key type. Use this for non-Ed25519 keys (e.g., ML-DSA). The key will be zeroed via the algorithm registry when Destroy() is called.

func (*SecurePrivateKey) Destroy 

func (s *SecurePrivateKey) Destroy()

Destroy securely zeros the private key from memory. After calling Destroy, the key cannot be used. This is idempotent - calling multiple times is safe. Safe to call on nil receiver.

IMPORTANT: Ed25519 keys are fully zeroized. ML-DSA-44 keys have limited zeroization due to cloudflare/circl API limitations - the serialized representation is zeroed, but internal struct fields may persist. For production use of ML-DSA master keys, implement key rotation policies and coordinate with security team.

func (*SecurePrivateKey) Key 

func (s *SecurePrivateKey) Key() ed25519.PrivateKey

Key returns the wrapped Ed25519 private key if it hasn't been destroyed. Returns nil if the key has been destroyed, if the receiver is nil, or if the underlying key is not Ed25519.

func (*SecurePrivateKey) Public 

func (s *SecurePrivateKey) Public() ed25519.PublicKey

Public returns the public key associated with this private key. Returns nil if the key has been destroyed or if the receiver is nil.

func (*SecurePrivateKey) PublicKey 

func (s *SecurePrivateKey) PublicKey() crypto.PublicKey

PublicKey returns the public key for any algorithm type. Returns nil if the key has been destroyed or if the receiver is nil.

func (*SecurePrivateKey) RawKey 

func (s *SecurePrivateKey) RawKey() crypto.PrivateKey

RawKey returns the wrapped private key regardless of algorithm type. Returns nil if the key has been destroyed or if the receiver is nil.

func (*SecurePrivateKey) Sign 

func (s *SecurePrivateKey) Sign(message []byte) []byte

Sign signs the given message with the private key. Returns nil if the key has been destroyed or if the receiver is nil.

type Signer 

type Signer interface {
	crypto.Signer
}

Signer provides a simple interface for signing operations that aligns with Go's standard crypto.Signer for the MVP

type SignerOption 

type SignerOption func(*signerConfig) error

A SignerOption configures a Signer.

func WithAlgorithm 

func WithAlgorithm(alg algorithm.Algorithm) SignerOption

WithAlgorithm sets the signing algorithm for the software signer. Default is Ed25519. Only affects the "software" module.

func WithModule 

func WithModule(module string) SignerOption

WithModule specifies which signer implementation to use. Valid values: "software" (default), "pkcs11".

func WithOptions 

func WithOptions(opts string) SignerOption

WithOptions provides module-specific configuration as an opaque string.

func WithPIN 

func WithPIN(pin string) SignerOption

WithPIN provides the PIN for hardware-backed signers.

func WithValidity 

func WithValidity(d time.Duration) SignerOption

WithValidity sets the desired certificate validity duration.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.