Documentation ¶
Overview ¶
Package keys defines the interface to and implementation of key management operations.
Although exported, this package is not intended for general consumption. It is a shared dependency between multiple exposure notifications projects. We cannot guarantee that there won't be breaking changes in the future.
Index ¶
- type AWSKMS
- type AZKeyID
- type AzureKeyVault
- func (v *AzureKeyVault) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (v *AzureKeyVault) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (v *AzureKeyVault) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- type AzureKeyVaultSigner
- type CloudKMSSigningKeyVersion
- type Config
- type EncryptionKeyAdder
- type GoogleCloudKMS
- func (kms *GoogleCloudKMS) CreateKeyVersion(ctx context.Context, parent string) (string, error)
- func (kms *GoogleCloudKMS) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
- func (kms *GoogleCloudKMS) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (kms *GoogleCloudKMS) DestroyKeyVersion(ctx context.Context, id string) error
- func (kms *GoogleCloudKMS) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (kms *GoogleCloudKMS) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (kms *GoogleCloudKMS) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type HCValueKeyID
- type HashiCorpVault
- func (v *HashiCorpVault) CreateKeyVersion(ctx context.Context, parent string) (string, error)
- func (v *HashiCorpVault) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
- func (v *HashiCorpVault) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (v *HashiCorpVault) DestroyKeyVersion(ctx context.Context, id string) error
- func (v *HashiCorpVault) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (v *HashiCorpVault) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- func (v *HashiCorpVault) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
- type HashiCorpVaultSigner
- type InMemory
- func (k *InMemory) AddEncryptionKey(keyID string, key []byte) error
- func (k *InMemory) AddSigningKey(keyID string, pk *ecdsa.PrivateKey) error
- func (k *InMemory) CreateEncryptionKey(keyID string) ([]byte, error)
- func (k *InMemory) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
- func (k *InMemory) Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
- func (k *InMemory) Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
- func (k *InMemory) NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
- type KeyManager
- func KeyManagerFor(ctx context.Context, config *Config) (KeyManager, error)
- func NewAWSKMS(ctx context.Context) (KeyManager, error)
- func NewAzureKeyVault(ctx context.Context) (KeyManager, error)
- func NewGoogleCloudKMS(ctx context.Context, config *Config) (KeyManager, error)
- func NewHashiCorpVault(ctx context.Context) (KeyManager, error)
- type KeyManagerType
- type KeyVersionCreator
- type KeyVersionDestroyer
- type SigningKeyAdder
- type SigningKeyManager
- type SigningKeyVersion
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AWSKMS ¶
type AWSKMS struct {
// contains filtered or unexported fields
}
AWSKMS implements the keys.KeyManager interface and can be used to sign export files using AWS KMS.
type AZKeyID ¶
func ParseAZKeyID ¶
type AzureKeyVault ¶
type AzureKeyVault struct {
// contains filtered or unexported fields
}
AzureKeyVault implements the keys.KeyManager interface and can be used to sign export files.
type AzureKeyVaultSigner ¶
type AzureKeyVaultSigner struct {
// contains filtered or unexported fields
}
func NewAzureKeyVaultSigner ¶
func NewAzureKeyVaultSigner(ctx context.Context, client *keyvault.BaseClient, vault, key, version string) (*AzureKeyVaultSigner, error)
NewAzureKeyVaultSigner creates a new signing interface backed by a key in Azure Key Vault. The key name and key version are required.
func (*AzureKeyVaultSigner) Public ¶
func (s *AzureKeyVaultSigner) Public() crypto.PublicKey
Public returns the public key. The public key is fetched when the signer is created.
func (*AzureKeyVaultSigner) Sign ¶
func (s *AzureKeyVaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error)
Sign signs the given digest using the private key held in Azure Key Vault.
type CloudKMSSigningKeyVersion ¶ added in v0.5.0
type CloudKMSSigningKeyVersion struct {
// contains filtered or unexported fields
}
func (*CloudKMSSigningKeyVersion) CreatedAt ¶ added in v0.5.0
func (k *CloudKMSSigningKeyVersion) CreatedAt() time.Time
func (*CloudKMSSigningKeyVersion) DestroyedAt ¶ added in v0.5.0
func (k *CloudKMSSigningKeyVersion) DestroyedAt() time.Time
func (*CloudKMSSigningKeyVersion) KeyID ¶ added in v0.5.0
func (k *CloudKMSSigningKeyVersion) KeyID() string
type Config ¶
type Config struct {
	// KeyManagerType selects which KeyManager implementation KeyManagerFor
	// returns. Read from the KEY_MANAGER environment variable; defaults to
	// GOOGLE_CLOUD_KMS.
	KeyManagerType KeyManagerType `env:"KEY_MANAGER, default=GOOGLE_CLOUD_KMS"`
	// CreateHSMKeys indicates that when keys are created, HSM level
	// protection should or should not be used if available.
	// Adherence to this config setting is optional and based
	// upon the key manager implementation and underlying capabilities.
	CreateHSMKeys bool `env:"CREATE_HSM_KEYS, default=true"`
}
Config defines configuration.
type EncryptionKeyAdder ¶ added in v0.3.0
EncryptionKeyAdder supports creating encryption keys.
type GoogleCloudKMS ¶
type GoogleCloudKMS struct {
// contains filtered or unexported fields
}
GoogleCloudKMS implements the keys.KeyManager interface and can be used to sign export files.
func (*GoogleCloudKMS) CreateKeyVersion ¶ added in v0.5.1
CreateKeyVersion creates a new version for the given key. The parent key must already exist.
func (*GoogleCloudKMS) CreateSigningKey ¶ added in v0.5.1
func (kms *GoogleCloudKMS) CreateSigningKey(ctx context.Context, parent, name string) (string, error)
CreateSigningKey creates a new signing key in Cloud KMS. If a key already exists, it returns the existing key.
func (*GoogleCloudKMS) DestroyKeyVersion ¶ added in v0.5.1
func (kms *GoogleCloudKMS) DestroyKeyVersion(ctx context.Context, id string) error
DestroyKeyVersion marks the given key version for destruction. If the version does not exist, it does nothing. The id is the full resource name like projects/locations/keyRings/...
func (*GoogleCloudKMS) SigningKeyVersions ¶ added in v0.5.0
func (kms *GoogleCloudKMS) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions returns the list of key versions for the parent parsed as signing keys.
type HCValueKeyID ¶
func NewHCValueKeyID ¶
func NewHCValueKeyID(keyID string) (*HCValueKeyID, error)
type HashiCorpVault ¶
type HashiCorpVault struct {
// contains filtered or unexported fields
}
HashiCorpVault implements the keys.KeyManager interface and can be used to sign export files and encrypt/decrypt data.
For encryption keys, when using Vault, the keys must be created with
`derived=true`
func (*HashiCorpVault) CreateKeyVersion ¶ added in v0.6.0
CreateKeyVersion rotates the given key.
func (*HashiCorpVault) CreateSigningKey ¶ added in v0.6.0
CreateSigningKey creates a new signing key with the given name.
func (*HashiCorpVault) DestroyKeyVersion ¶ added in v0.6.0
func (v *HashiCorpVault) DestroyKeyVersion(ctx context.Context, id string) error
DestroyKeyVersion is unimplemented on Vault. Vault can only trim keys up to a point (which might be unsafe).
func (*HashiCorpVault) NewSigner ¶
NewSigner creates a new signer that uses a key in HashiCorp Vault's transit backend. The keyID is in the format:
name@version
Both name and version are required.
func (*HashiCorpVault) SigningKeyVersions ¶ added in v0.6.0
func (v *HashiCorpVault) SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
SigningKeyVersions returns the signing keys for the given key name.
type HashiCorpVaultSigner ¶
type HashiCorpVaultSigner struct {
// contains filtered or unexported fields
}
func NewHashiCorpVaultSigner ¶
func NewHashiCorpVaultSigner(ctx context.Context, client *vaultapi.Client, name, version string) (*HashiCorpVaultSigner, error)
NewHashiCorpVaultSigner creates a new signing interface compatible with HashiCorp Vault's transit backend. The key name and key version are required.
func (*HashiCorpVaultSigner) Public ¶
func (s *HashiCorpVaultSigner) Public() crypto.PublicKey
Public returns the public key. The public key is fetched when the signer is created.
func (*HashiCorpVaultSigner) Sign ¶
func (s *HashiCorpVaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error)
Sign signs the given digest using the private key held in Vault's transit backend.
type InMemory ¶
type InMemory struct {
// contains filtered or unexported fields
}
InMemory is useful for testing. Do NOT use in a running system as all keys are only kept in memory and will be lost across server reboots.
func NewInMemory ¶
NewInMemory creates a new, local, in memory KeyManager.
func (*InMemory) AddEncryptionKey ¶
AddEncryptionKey stores the key on the system.
func (*InMemory) AddSigningKey ¶
func (k *InMemory) AddSigningKey(keyID string, pk *ecdsa.PrivateKey) error
AddSigningKey adds a new ECDSA P256 Signing Key identified by the provided keyID.
func (*InMemory) CreateEncryptionKey ¶ added in v0.3.0
CreateEncryptionKey generates and stores a new encryption key identified by the provided keyID.
func (*InMemory) CreateSigningKey ¶ added in v0.3.0
CreateSigningKey generates a new ECDSA P256 signing key identified by the provided keyID.
type KeyManager ¶
type KeyManager interface {
	// NewSigner returns a crypto.Signer backed by the key identified by keyID.
	NewSigner(ctx context.Context, keyID string) (crypto.Signer, error)
	// Encrypt will encrypt a byte array along with accompanying Additional Authenticated Data (AAD).
	// The ability for AAD to be empty depends on the implementation being used.
	//
	// Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD.
	// The Azure Key Vault implementation does not.
	// NOTE(review): callers that rely on AAD binding the ciphertext to its context should
	// confirm how the Azure implementation treats a non-empty aad before depending on it.
	Encrypt(ctx context.Context, keyID string, plaintext []byte, aad []byte) ([]byte, error)
	// Decrypt will decrypt a previously encrypted byte array along with accompanying Additional
	// Authenticated Data (AAD).
	// If AAD was passed in on the encryption, the same AAD must be passed in to decrypt.
	//
	// Currently Google Cloud KMS, Hashicorp Vault and AWS KMS support AAD.
	// The Azure Key Vault implementation does not.
	Decrypt(ctx context.Context, keyID string, ciphertext []byte, aad []byte) ([]byte, error)
}
KeyManager defines the interface for working with a KMS system that is able to sign bytes using PKI. KeyManager implementations must be able to return a crypto.Signer.
func KeyManagerFor ¶
func KeyManagerFor(ctx context.Context, config *Config) (KeyManager, error)
KeyManagerFor returns the appropriate key manager for the given type.
func NewAzureKeyVault ¶
func NewAzureKeyVault(ctx context.Context) (KeyManager, error)
NewAzureKeyVault creates a new KeyVault key manager instance.
func NewGoogleCloudKMS ¶
func NewGoogleCloudKMS(ctx context.Context, config *Config) (KeyManager, error)
func NewHashiCorpVault ¶
func NewHashiCorpVault(ctx context.Context) (KeyManager, error)
NewHashiCorpVault creates a new Vault key manager instance.
type KeyManagerType ¶
// KeyManagerType names a key manager backend; its values are the KeyManagerType constants below.
type KeyManagerType string
KeyManagerType defines a specific key manager.
const (
	// KeyManagerTypeAWSKMS identifies the AWS KMS backend.
	KeyManagerTypeAWSKMS KeyManagerType = "AWS_KMS"
	// KeyManagerTypeAzureKeyVault identifies the Azure Key Vault backend.
	KeyManagerTypeAzureKeyVault KeyManagerType = "AZURE_KEY_VAULT"
	// KeyManagerTypeGoogleCloudKMS identifies the Google Cloud KMS backend.
	// This is the default value of Config.KeyManagerType.
	KeyManagerTypeGoogleCloudKMS KeyManagerType = "GOOGLE_CLOUD_KMS"
	// KeyManagerTypeHashiCorpVault identifies the HashiCorp Vault backend.
	KeyManagerTypeHashiCorpVault KeyManagerType = "HASHICORP_VAULT"
	// KeyManagerTypeInMemory identifies the in-memory backend. It is intended
	// for testing only: keys are held in process memory and are lost on restart.
	KeyManagerTypeInMemory KeyManagerType = "IN_MEMORY"
)
type KeyVersionCreator ¶ added in v0.5.1
type KeyVersionCreator interface {
	// CreateKeyVersion creates a new key version for the given parent, returning
	// the ID of the new version. The parent key must already exist.
	CreateKeyVersion(ctx context.Context, parent string) (string, error)
}
KeyVersionCreator supports creating a new version of an existing key.
type KeyVersionDestroyer ¶ added in v0.5.1
type KeyVersionDestroyer interface {
	// DestroyKeyVersion destroys the given key version, if it exists. If the
	// version does not exist, it should not return an error.
	// Implementations may differ: the HashiCorp Vault backend documents this
	// method as unimplemented.
	DestroyKeyVersion(ctx context.Context, id string) error
}
KeyVersionDestroyer supports destroying a key version.
type SigningKeyAdder ¶ added in v0.3.0
type SigningKeyAdder interface {
	// AddSigningKey registers the given ECDSA private key under the given key ID.
	AddSigningKey(string, *ecdsa.PrivateKey) error
}
SigningKeyAdder supports creating signing keys.
type SigningKeyManager ¶ added in v0.5.1
type SigningKeyManager interface {
	// SigningKeyVersions returns the list of signing keys for the provided
	// parent. If the parent does not exist, it returns an error.
	SigningKeyVersions(ctx context.Context, parent string) ([]SigningKeyVersion, error)
	// CreateSigningKey creates a new signing key in the given parent, returning
	// the id. If the key already exists, it returns the key's id.
	CreateSigningKey(ctx context.Context, parent, name string) (string, error)
	// KeyVersionCreator provides CreateKeyVersion for rotating to a new version.
	KeyVersionCreator
	// KeyVersionDestroyer provides DestroyKeyVersion for retiring a version.
	KeyVersionDestroyer
}
SigningKeyManager supports extended management of signing keys, versions, and rotation.
type SigningKeyVersion ¶ added in v0.5.0
type SigningKeyVersion interface {
	// KeyID returns the identifier of this key version.
	KeyID() string
	// CreatedAt returns the time this key version was created.
	CreatedAt() time.Time
	// DestroyedAt returns the time this key version was destroyed.
	// NOTE(review): presumably the zero time.Time for a version that is still
	// live — confirm against the implementations before relying on it.
	DestroyedAt() time.Time
	// Signer returns a crypto.Signer backed by this key version.
	Signer(ctx context.Context) (crypto.Signer, error)
}
SigningKeyVersion represents the necessary details that this application needs to manage signing keys in an external KMS.