Package database contains the management of interactions with the database for createion and storage of the wrapped keys that encrypet revision certificates.

    RevisionKey data is stored in the revisionkeys table. * The most recently created 'allowed' key is considered to be the effective key.

    The effective key is used to encrypt outgoing revision tokens.

    * Any still 'allowed' key can be used to decrypt incoming revision tokens.

    This package also supports the creation of new keys with a locally generated AES key that is encrypted using the provided KMS and stored in the database in it's encrypted form.



    This section is empty.


    This section is empty.


    This section is empty.


    type KMSConfig

    type KMSConfig struct {
    	WrapperKeyID string
    	KeyManager   keys.KeyManager

      KMSConfig represents the configuration of the RevisionDB in terms how how it should utilize the given KeyManager for wrapping/unwrapping keys.

      type RevisionDB

      type RevisionDB struct {
      	// contains filtered or unexported fields

        RevisionDB wraps a database connection and provides functions for interacting with revision keys.

        func New

        func New(db *database.DB, c *KMSConfig) (*RevisionDB, error)

          New creates a new `RevisionDB`

          func (*RevisionDB) CreateRevisionKey

          func (rdb *RevisionDB) CreateRevisionKey(ctx context.Context) (*RevisionKey, error)

            CreateRevisionKey generates a new AES key and wraps it

            func (*RevisionDB) DestroyKey

            func (rdb *RevisionDB) DestroyKey(ctx context.Context, keyID int64) error

              DestroyKey zeros out the wrapped key and marks the key as allowed=false.

              func (*RevisionDB) GetAllowedRevisionKeyIDs

              func (rdb *RevisionDB) GetAllowedRevisionKeyIDs(ctx context.Context) (int64, map[int64]struct{}, error)

                GetAllowedRevisionKeyIDs returns just the IDs of still allowed keys. Once the keys have been unwrapped, there is no reason to continue to unwrap them.

                The first return value is the ID of the currently effective key (most recently created, still active) The second return value is a map of the currently allowed keys for decryption

                func (*RevisionDB) GetAllowedRevisionKeys

                func (rdb *RevisionDB) GetAllowedRevisionKeys(ctx context.Context) (int64, []*RevisionKey, error)

                  GetAllowedRevisionKeys returns all of the currently allowed revision keys. This method will unwrap all of the keys so that they can be used to create and verify revision tokens.

                  The first return value is the ID of the effective RevisionKey. The second is a slice of all currently allowed RevisionKeys for decryption purposes. The returned revision keys will be sorted in reverse time order by creation time.

                  func (*RevisionDB) GetEffectiveRevisionKey

                  func (rdb *RevisionDB) GetEffectiveRevisionKey(ctx context.Context) (*RevisionKey, error)

                    GetEffectiveRevisionKey returns the revision key to use when encrypting revision tokens. This is consided the most recently created key that is still "allowed"

                    type RevisionKey

                    type RevisionKey struct {
                    	KeyID         int64
                    	AAD           []byte // AAD for the wrapping/unwrapping of the cipher block.
                    	WrappedCipher []byte
                    	CreatedAt     time.Time
                    	Allowed       bool
                    	// The unwrapped cipher.
                    	DEK []byte

                      RevisionKey represents an individual revision key.

                      func (*RevisionKey) KeyIDString

                      func (r *RevisionKey) KeyIDString() string

                        KeyIDString returns the keyID as a string that can be used in the encoded revision tokens.

                        Source Files