Documentation ¶
Constants ¶
// Token credentials used when talking to the YubiKey's PIV application.
//
// NOTE(review): these look like the YubiKey PIV factory defaults. A token whose
// PIN or management key has been changed will not authenticate with them —
// confirm how callers handle a non-default device before relying on these.
const (
	// UserPin is the PIV PIN of the YubiKey (what PIV calls "the PIN").
	UserPin = "123456"

	// SOUserPin is the "Security Officer" credential. For PIV this is the
	// management (MGM) key, not the admin PIN of the YubiKey PGP interface
	// (in PIV terms that admin PIN is the PUK, whose default is 12345678).
	SOUserPin = "010203040506070801020304050607080102030405060708"
)

// Key modes control what the user must do before the YubiKey will sign.
// Only KeymodeNone bypasses both touch and PIN, so it is suitable for tests only.
const (
	// KeymodeNone: signing requires neither a touch nor a PIN.
	KeymodeNone = 0

	// KeymodeTouch: signing requires a touch but no PIN.
	KeymodeTouch = 1

	// KeymodePinOnce: the PIN must be entered the first time a signature is made.
	KeymodePinOnce = 2

	// KeymodePinAlways: the PIN must be entered for every signature.
	KeymodePinAlways = 4
)
Functions ¶
func SetTouchToSignUI ¶
func SetTouchToSignUI(notifier func(), callback func())
SetTouchToSignUI allows the caller to configure the UX for telling a user that they must touch the YubiKey to sign: notifier is invoked when a touch is required, and callback may be used to update a GUI (for example, dismissing a modal) once the touch has been made.
func SetYubikeyKeyMode ¶
SetYubikeyKeyMode sets the key mode used when generating YubiKey keys. It exists for testing only: lowering the mode (for example to KeymodeNone) removes the touch and PIN requirement for signing, so it must not be called from production code. It does nothing if not building with tag pkcs11.
Types ¶
type ErrBackupFailed ¶
// ErrBackupFailed is returned by YubiStore.AddKey when the key could not be
// written to the backup store. NOTE(review): it is not visible here whether the
// key is still present on the YubiKey when this error is returned — confirm
// against AddKey before treating the add as fully rolled back.
type ErrBackupFailed struct {
	// contains filtered or unexported fields
}
ErrBackupFailed is returned when a YubiStore fails to back up a key that is added
func (ErrBackupFailed) Error ¶
func (err ErrBackupFailed) Error() string
type IPKCS11Ctx ¶
// IPKCS11Ctx is the subset of github.com/miekg/pkcs11.Ctx that yubikeystore
// calls, kept as an interface (presumably so tests can substitute a fake token
// for a real PKCS#11 module).
type IPKCS11Ctx interface {
	// Module lifecycle.
	Initialize() error
	Finalize() error
	Destroy()

	// Slot and session management.
	GetSlotList(tokenPresent bool) ([]uint, error)
	OpenSession(slotID uint, flags uint) (pkcs11.SessionHandle, error)
	CloseSession(sh pkcs11.SessionHandle) error

	// Authentication. pin is the raw PIN string; keep it out of logs and
	// error messages.
	Login(sh pkcs11.SessionHandle, userType uint, pin string) error
	Logout(sh pkcs11.SessionHandle) error

	// Object management.
	CreateObject(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) (pkcs11.ObjectHandle, error)
	DestroyObject(sh pkcs11.SessionHandle, oh pkcs11.ObjectHandle) error
	GetAttributeValue(sh pkcs11.SessionHandle, o pkcs11.ObjectHandle, a []*pkcs11.Attribute) ([]*pkcs11.Attribute, error)

	// Object search; per PKCS#11 these are Init / Objects / Final on one session.
	FindObjectsInit(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) error
	FindObjects(sh pkcs11.SessionHandle, max int) ([]pkcs11.ObjectHandle, bool, error)
	FindObjectsFinal(sh pkcs11.SessionHandle) error

	// Signing; per PKCS#11 SignInit precedes Sign on the same session.
	SignInit(sh pkcs11.SessionHandle, m []*pkcs11.Mechanism, o pkcs11.ObjectHandle) error
	Sign(sh pkcs11.SessionHandle, message []byte) ([]byte, error)
}
IPKCS11Ctx is an interface for wrapping the parts of github.com/miekg/pkcs11.Ctx that yubikeystore requires
func SetupHSMEnv ¶
func SetupHSMEnv(libraryPath string, libLoader pkcs11LibLoader) ( IPKCS11Ctx, pkcs11.SessionHandle, error)
SetupHSMEnv depends on a PKCS#11 library existing at libraryPath. It loads that library through libLoader and returns the resulting IPKCS11Ctx together with an open session handle; any failure along the way is returned as the error.
type YubiPrivateKey ¶
// YubiPrivateKey represents a private key that lives inside a YubiKey. The
// embedded ECDSAPublicKey is the only key material held in software; the
// private half is inaccessible (Private() cannot return it), so signatures
// are presumably produced by the token itself via Sign.
type YubiPrivateKey struct {
	data.ECDSAPublicKey
	// contains filtered or unexported fields
}
YubiPrivateKey represents a private key inside of a yubikey
func NewYubiPrivateKey ¶
func NewYubiPrivateKey(slot []byte, pubKey data.ECDSAPublicKey, passRetriever notary.PassRetriever) *YubiPrivateKey
NewYubiPrivateKey returns a YubiPrivateKey, which implements the data.PrivateKey interface except that the private material is inaccessible
func (*YubiPrivateKey) CryptoSigner ¶
func (y *YubiPrivateKey) CryptoSigner() crypto.Signer
CryptoSigner returns a crypto.Signer that wraps the YubiPrivateKey. Needed for certificate generation only.
func (*YubiPrivateKey) Private ¶
func (y *YubiPrivateKey) Private() []byte
Private is not implemented for hardware keys: the private material never leaves the YubiKey, so no exportable bytes are available to callers.
func (*YubiPrivateKey) Sign ¶
func (y *YubiPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error)
Sign is a required method of the crypto.Signer interface and the data.PrivateKey interface
func (YubiPrivateKey) SignatureAlgorithm ¶
func (y YubiPrivateKey) SignatureAlgorithm() data.SigAlgorithm
SignatureAlgorithm returns which algorithm this key uses to sign - currently hardcoded to ECDSA
type YubiStore ¶
// YubiStore is a trustmanager.KeyStore whose private keys live inside a
// YubiKey. Keys added through AddKey are also written to the backup store
// supplied to NewYubiStore, so that store holds a software copy of every
// added key and must be protected accordingly; GetKey reads only from the
// YubiKey and never consults the backup store.
type YubiStore struct {
	// contains filtered or unexported fields
}
YubiStore is a KeyStore for private keys inside a Yubikey
func NewYubiStore ¶
func NewYubiStore(backupStore trustmanager.KeyStore, passphraseRetriever notary.PassRetriever) ( *YubiStore, error)
NewYubiStore returns a YubiStore, given a backup key store to write any generated keys to (usually a KeyFileStore)
func (*YubiStore) AddKey ¶
func (s *YubiStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error
AddKey puts a key inside the YubiKey and also writes it to the backup store. Because the backup store (usually a KeyFileStore) then holds a software copy of the private key, it must be protected with the same care as the token itself; a failure to write the backup is reported as ErrBackupFailed.
func (*YubiStore) GetKey ¶
GetKey retrieves a key from the Yubikey only (it does not look inside the backup store)
func (*YubiStore) GetKeyInfo ¶
func (s *YubiStore) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error)
GetKeyInfo is not yet implemented
func (*YubiStore) ListKeys ¶
func (s *YubiStore) ListKeys() map[string]trustmanager.KeyInfo
ListKeys returns a list of keys in the yubikey store