Version: v0.6.4 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Dec 16, 2016 License: MPL-2.0 Imports: 27 Imported by: 0




View Source
const (
	Kdf_hmac_sha256_counter = iota // built-in helper
	Kdf_hkdf_sha256                //

Careful with iota; don't put anything before it in this const block because we need the default of zero to be the old-style KDF

View Source
const (
	KeyType_AES256_GCM96 = iota

Or this one...we need the default of zero to be the original AES256-GCM96

View Source
const ErrTooOld = "ciphertext or signature version is disallowed by policy (too old)"


This section is empty.


This section is empty.


type KeyEntry

type KeyEntry struct {
	AESKey             []byte   `json:"key"`
	HMACKey            []byte   `json:"hmac_key"`
	CreationTime       int64    `json:"creation_time"`
	EC_X               *big.Int `json:"ec_x"`
	EC_Y               *big.Int `json:"ec_y"`
	EC_D               *big.Int `json:"ec_d"`
	FormattedPublicKey string   `json:"public_key"`

KeyEntry stores the key and metadata

type KeyType

type KeyType int

func (KeyType) DecryptionSupported

func (kt KeyType) DecryptionSupported() bool

func (KeyType) DerivationSupported

func (kt KeyType) DerivationSupported() bool

func (KeyType) EncryptionSupported

func (kt KeyType) EncryptionSupported() bool

func (KeyType) SigningSupported

func (kt KeyType) SigningSupported() bool

func (KeyType) String

func (kt KeyType) String() string

type LockManager

type LockManager struct {
	// contains filtered or unexported fields

func NewLockManager

func NewLockManager(cacheDisabled bool) *LockManager

func (*LockManager) CacheActive

func (lm *LockManager) CacheActive() bool

func (*LockManager) DeletePolicy

func (lm *LockManager) DeletePolicy(storage logical.Storage, name string) error

func (*LockManager) GetPolicyExclusive

func (lm *LockManager) GetPolicyExclusive(storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)

Get the policy with an exclusive lock

func (*LockManager) GetPolicyShared

func (lm *LockManager) GetPolicyShared(storage logical.Storage, name string) (*Policy, *sync.RWMutex, error)

Get the policy with a read lock. If we get an error saying an exclusive lock is needed (for instance, for an upgrade/migration), give up the read lock, call again with an exclusive lock, then swap back out for a read lock.

func (*LockManager) GetPolicyUpsert

func (lm *LockManager) GetPolicyUpsert(req PolicyRequest) (*Policy, *sync.RWMutex, bool, error)

Get the policy with a read lock; if it returns that an exclusive lock is needed, retry. If successful, call one more time to get a read lock and return the value.

func (*LockManager) UnlockPolicy

func (lm *LockManager) UnlockPolicy(lock *sync.RWMutex, lockType bool)

type Policy

type Policy struct {
	Name string      `json:"name"`
	Key  []byte      `json:"key,omitempty"` //DEPRECATED
	Keys keyEntryMap `json:"keys"`

	// Derived keys MUST provide a context and the master underlying key is
	// never used. If convergent encryption is true, the context will be used
	// as the nonce as well.
	Derived              bool `json:"derived"`
	KDF                  int  `json:"kdf"`
	ConvergentEncryption bool `json:"convergent_encryption"`

	// The minimum version of the key allowed to be used
	// for decryption
	MinDecryptionVersion int `json:"min_decryption_version"`

	// The latest key version in this policy
	LatestVersion int `json:"latest_version"`

	// The latest key version in the archive. We never delete these, so this is
	// a max.
	ArchiveVersion int `json:"archive_version"`

	// Whether the key is allowed to be deleted
	DeletionAllowed bool `json:"deletion_allowed"`

	// The version of the convergent nonce to use
	ConvergentVersion int `json:"convergent_version"`

	// The type of key
	Type KeyType `json:"type"`

Policy is the struct used to store metadata

func (*Policy) Decrypt

func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)

func (*Policy) DeriveKey

func (p *Policy) DeriveKey(context []byte, ver int) ([]byte, error)

DeriveKey is used to derive the encryption key that should be used depending on the policy. If derivation is disabled the raw key is used and no context is required, otherwise the KDF mode is used with the context to derive the proper key.

func (*Policy) Encrypt

func (p *Policy) Encrypt(context, nonce []byte, value string) (string, error)

func (*Policy) HMACKey

func (p *Policy) HMACKey(version int) ([]byte, error)

func (*Policy) LoadArchive

func (p *Policy) LoadArchive(storage logical.Storage) (*archivedKeys, error)

func (*Policy) MigrateKeyToKeysMap

func (p *Policy) MigrateKeyToKeysMap()

func (*Policy) NeedsUpgrade

func (p *Policy) NeedsUpgrade() bool

func (*Policy) Persist

func (p *Policy) Persist(storage logical.Storage) error

func (*Policy) Rotate

func (p *Policy) Rotate(storage logical.Storage) error

func (*Policy) Serialize

func (p *Policy) Serialize() ([]byte, error)

func (*Policy) Sign

func (p *Policy) Sign(hashedInput []byte) (string, error)

func (*Policy) Upgrade

func (p *Policy) Upgrade(storage logical.Storage) error

func (*Policy) VerifySignature

func (p *Policy) VerifySignature(hashedInput []byte, sig string) (bool, error)

type PolicyRequest

type PolicyRequest struct {
	// The storage to use
	Storage logical.Storage

	// The name of the policy
	Name string

	// The key type
	KeyType KeyType

	// Whether it should be derived
	Derived bool

	// Whether to enable convergent encryption
	Convergent bool

	// Whether to upsert
	Upsert bool

PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL