Documentation
¶
Index ¶
- func MatchAnyRegex(str []byte, regex []string) bool
- type Config
- type Option
- type Pkcs11Security
- func (p *Pkcs11Security) CachePublicData(data []byte, identity string) error
- func (p *Pkcs11Security) CachedPublicData(identity string) ([]byte, error)
- func (p *Pkcs11Security) CallerIdentity(caller string) (string, error)
- func (p *Pkcs11Security) CallerName() string
- func (p *Pkcs11Security) ChecksumBytes(data []byte) []byte
- func (p *Pkcs11Security) ChecksumString(data string) []byte
- func (p *Pkcs11Security) Enroll(ctx context.Context, wait time.Duration, cb func(int)) error
- func (p *Pkcs11Security) HTTPClient(secure bool) (*http.Client, error)
- func (p *Pkcs11Security) Identity() string
- func (p *Pkcs11Security) Logout() error
- func (p *Pkcs11Security) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool
- func (p *Pkcs11Security) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool
- func (p *Pkcs11Security) Provider() string
- func (p *Pkcs11Security) PublicCertPem() (*pem.Block, error)
- func (p *Pkcs11Security) PublicCertTXT() ([]byte, error)
- func (s *Pkcs11Security) RemoteSignRequest(str []byte) (signed []byte, err error)
- func (p *Pkcs11Security) SSLContext() (*http.Transport, error)
- func (p *Pkcs11Security) SignBytes(str []byte) ([]byte, error)
- func (p *Pkcs11Security) SignString(str string) ([]byte, error)
- func (p *Pkcs11Security) TLSConfig() (*tls.Config, error)
- func (p *Pkcs11Security) Validate() ([]string, bool)
- func (p *Pkcs11Security) VerifyByteSignature(dat []byte, sig []byte, identity string) bool
- func (p *Pkcs11Security) VerifyCertificate(certpem []byte, name string) error
- func (p *Pkcs11Security) VerifyStringSignature(str string, sig []byte, identity string) bool
- type PrivateKey
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MatchAnyRegex ¶
Types ¶
type Config ¶
type Config struct {
// CAFile is the file where the trusted CA cert resides
CAFile string
// CertCacheDir is the dir where cached certs reside
CertCacheDir string
// PrivilegedUsers is a list of regular expressions that identity privileged users
PrivilegedUsers []string
// AllowList is a list of regular expressions that identity valid users to allow in
AllowList []string
// DisableTLSVerify disables TLS verify in HTTP clients etc
DisableTLSVerify bool
// AlwaysOverwriteCache supports always overwriting the local filesystem cache
AlwaysOverwriteCache bool
// PKCS11DriverFile points to the dynamic library file to use (usually a .so file)
PKCS11DriverFile string
// PKCS11Slot specifies which slot of the pkcs11 device to use
PKCS11Slot uint
}
type Option ¶
type Option func(*Pkcs11Security) error
func WithChoriaConfig ¶
func WithChoriaConfig(c *config.Config) Option
type Pkcs11Security ¶
type Pkcs11Security struct {
// contains filtered or unexported fields
}
func New ¶
func New(opts ...Option) (*Pkcs11Security, error)
func (*Pkcs11Security) CachePublicData ¶
func (p *Pkcs11Security) CachePublicData(data []byte, identity string) error
CachePublicData caches the public key for a identity
func (*Pkcs11Security) CachedPublicData ¶
func (p *Pkcs11Security) CachedPublicData(identity string) ([]byte, error)
CachedPublicData retrieves the previously cached public data for a given identity
func (*Pkcs11Security) CallerIdentity ¶
func (p *Pkcs11Security) CallerIdentity(caller string) (string, error)
CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity
func (*Pkcs11Security) CallerName ¶
func (p *Pkcs11Security) CallerName() string
CallerName creates a choria like caller name in the form of choria=identity
func (*Pkcs11Security) ChecksumBytes ¶
func (p *Pkcs11Security) ChecksumBytes(data []byte) []byte
ChecksumBytes calculates a sha256 checksum for data
func (*Pkcs11Security) ChecksumString ¶
func (p *Pkcs11Security) ChecksumString(data string) []byte
ChecksumString calculates a sha256 checksum for data
func (*Pkcs11Security) HTTPClient ¶
func (p *Pkcs11Security) HTTPClient(secure bool) (*http.Client, error)
func (*Pkcs11Security) Identity ¶
func (p *Pkcs11Security) Identity() string
Identity determines the choria certname
func (*Pkcs11Security) Logout ¶
func (p *Pkcs11Security) Logout() error
func (*Pkcs11Security) PrivilegedVerifyByteSignature ¶
func (p *Pkcs11Security) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool
PrivilegedVerifyByteSignature verifies if the signature received is from any of the privileged certs or the given identity
func (*Pkcs11Security) PrivilegedVerifyStringSignature ¶
func (p *Pkcs11Security) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool
PrivilegedVerifyStringSignature verifies if the signature received is from any of the privilged certs or the given identity
func (*Pkcs11Security) Provider ¶
func (p *Pkcs11Security) Provider() string
func (*Pkcs11Security) PublicCertPem ¶
func (p *Pkcs11Security) PublicCertPem() (*pem.Block, error)
PublicCertPem retrieves the public certificate for this instance
func (*Pkcs11Security) PublicCertTXT ¶
func (p *Pkcs11Security) PublicCertTXT() ([]byte, error)
PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity
func (*Pkcs11Security) RemoteSignRequest ¶ added in v0.6.0
func (s *Pkcs11Security) RemoteSignRequest(str []byte) (signed []byte, err error)
RemoteSignRequest signs a choria request against using a remote signer and returns a secure request
func (*Pkcs11Security) SSLContext ¶
func (p *Pkcs11Security) SSLContext() (*http.Transport, error)
SSLContext creates a SSL context loaded with our certs and ca
func (*Pkcs11Security) SignBytes ¶
func (p *Pkcs11Security) SignBytes(str []byte) ([]byte, error)
SignBytes signs a message using a SHA256 PKCS1v15 protocol
func (*Pkcs11Security) SignString ¶
func (p *Pkcs11Security) SignString(str string) ([]byte, error)
SignString signs a message using a SHA256 PKCS1v15 protocol
func (*Pkcs11Security) TLSConfig ¶
func (p *Pkcs11Security) TLSConfig() (*tls.Config, error)
TLSConfig creates a TLS configuration for use by NATS, HTTPS etc
func (*Pkcs11Security) Validate ¶
func (p *Pkcs11Security) Validate() ([]string, bool)
Validate determines if the node represents a valid SSL configuration
func (*Pkcs11Security) VerifyByteSignature ¶
func (p *Pkcs11Security) VerifyByteSignature(dat []byte, sig []byte, identity string) bool
VerifyByteSignature verify that dat matches signature sig made by the key of identity if identity is "" the active public key will be used
func (*Pkcs11Security) VerifyCertificate ¶
func (p *Pkcs11Security) VerifyCertificate(certpem []byte, name string) error
VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given
func (*Pkcs11Security) VerifyStringSignature ¶
func (p *Pkcs11Security) VerifyStringSignature(str string, sig []byte, identity string) bool
VerifyStringSignature verify that str matches signature sig made by the key of identity
type PrivateKey ¶
type PrivateKey struct {
PublicKey crypto.PublicKey
PrivateKey *p11.PrivateKey
}
func (*PrivateKey) Public ¶
func (k *PrivateKey) Public() crypto.PublicKey
func (*PrivateKey) Sign ¶
func (k *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign signs any compatible hash that is sent to it (see hashPrefixes for supported hashes) need to handle as many hash types as possible, since this is being used by http/tls driver
Source Files