keyset

package v1.7.0
Published: Aug 10, 2022 License: Apache-2.0 Imports: 13 Imported by: 122

Documentation

Overview

Package keyset provides methods to generate, read, write or validate keysets.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Validate

func Validate(keyset *tinkpb.Keyset) error

Validate validates the given key set. Returns nil if it is valid; an error otherwise.

func ValidateKeyVersion

func ValidateKeyVersion(version, maxExpected uint32) error

ValidateKeyVersion checks whether the given version is valid. The version is valid only if it is in the range [0..maxExpected].

Types

type BinaryReader

type BinaryReader struct {
	// contains filtered or unexported fields
}

BinaryReader deserializes a keyset from binary proto format.

func NewBinaryReader

func NewBinaryReader(r io.Reader) *BinaryReader

NewBinaryReader returns a new BinaryReader that will read from r.

func (*BinaryReader) Read

func (bkr *BinaryReader) Read() (*tinkpb.Keyset, error)

Read parses a (cleartext) keyset from the underlying io.Reader.

func (*BinaryReader) ReadEncrypted

func (bkr *BinaryReader) ReadEncrypted() (*tinkpb.EncryptedKeyset, error)

ReadEncrypted parses an EncryptedKeyset from the underlying io.Reader.

type BinaryWriter

type BinaryWriter struct {
	// contains filtered or unexported fields
}

BinaryWriter serializes a keyset into binary proto format.

func NewBinaryWriter

func NewBinaryWriter(w io.Writer) *BinaryWriter

NewBinaryWriter returns a new BinaryWriter that will write to w.

func (*BinaryWriter) Write

func (bkw *BinaryWriter) Write(keyset *tinkpb.Keyset) error

Write writes the keyset to the underlying io.Writer.

func (*BinaryWriter) WriteEncrypted

func (bkw *BinaryWriter) WriteEncrypted(keyset *tinkpb.EncryptedKeyset) error

WriteEncrypted writes the encrypted keyset to the underlying io.Writer.

type Handle

type Handle struct {
	// contains filtered or unexported fields
}

Handle provides access to a Keyset protobuf, to limit the exposure of actual protocol buffers that hold sensitive key material.

func NewHandle

func NewHandle(kt *tinkpb.KeyTemplate) (*Handle, error)

NewHandle creates a keyset handle that contains a single fresh key generated according to the given KeyTemplate.

func NewHandleWithNoSecrets

func NewHandleWithNoSecrets(ks *tinkpb.Keyset) (*Handle, error)

NewHandleWithNoSecrets creates a new instance of KeysetHandle using the given keyset which does not contain any secret key material.

func Read

func Read(reader Reader, masterKey tink.AEAD) (*Handle, error)

Read tries to create a Handle from an encrypted keyset obtained via reader.

func ReadWithAssociatedData added in v1.7.0

func ReadWithAssociatedData(reader Reader, masterKey tink.AEAD, associatedData []byte) (*Handle, error)

ReadWithAssociatedData tries to create a Handle from an encrypted keyset obtained via reader using the provided associated data.

func ReadWithNoSecrets

func ReadWithNoSecrets(reader Reader) (*Handle, error)

ReadWithNoSecrets tries to create a keyset.Handle from a keyset obtained via reader.

func (*Handle) KeysetInfo added in v1.5.0

func (h *Handle) KeysetInfo() *tinkpb.KeysetInfo

KeysetInfo returns KeysetInfo representation of the managed keyset. The result does not contain any sensitive key material.

func (*Handle) Primitives

func (h *Handle) Primitives() (*primitiveset.PrimitiveSet, error)

Primitives creates a set of primitives corresponding to the keys with status=ENABLED in the keyset of the given keyset handle, assuming all the corresponding key managers are present (keys with status!=ENABLED are skipped).

The returned set is usually later "wrapped" into a class that implements the corresponding Primitive-interface.

func (*Handle) PrimitivesWithKeyManager

func (h *Handle) PrimitivesWithKeyManager(km registry.KeyManager) (*primitiveset.PrimitiveSet, error)

PrimitivesWithKeyManager creates a set of primitives corresponding to the keys with status=ENABLED in the keyset of the given keysetHandle, using the given key manager (instead of registered key managers) for keys supported by it. Keys not supported by the key manager are handled by matching registered key managers (if present), and keys with status!=ENABLED are skipped.

This enables custom treatment of keys, for example providing extra context (e.g. credentials for accessing keys managed by a KMS), or gathering custom monitoring/profiling information.

The returned set is usually later "wrapped" into a class that implements the corresponding Primitive-interface.

func (*Handle) Public

func (h *Handle) Public() (*Handle, error)

Public returns a Handle of the public keys if the managed keyset contains private keys.

func (*Handle) String

func (h *Handle) String() string

String returns a string representation of the managed keyset. The result does not contain any sensitive key material.

func (*Handle) Write

func (h *Handle) Write(writer Writer, masterKey tink.AEAD) error

Write encrypts and writes the enclosing keyset.

func (*Handle) WriteWithAssociatedData added in v1.7.0

func (h *Handle) WriteWithAssociatedData(writer Writer, masterKey tink.AEAD, associatedData []byte) error

WriteWithAssociatedData encrypts and writes the enclosing keyset using the provided associated data.

func (*Handle) WriteWithNoSecrets

func (h *Handle) WriteWithNoSecrets(w Writer) error

WriteWithNoSecrets exports the keyset in h to the given Writer w returning an error if the keyset contains secret key material.

type JSONReader

type JSONReader struct {
	// contains filtered or unexported fields
}

JSONReader deserializes a keyset from json format.

func NewJSONReader

func NewJSONReader(r io.Reader) *JSONReader

NewJSONReader returns a new JSONReader that will read from r.

func (*JSONReader) Read

func (bkr *JSONReader) Read() (*tinkpb.Keyset, error)

Read parses a (cleartext) keyset from the underlying io.Reader.

func (*JSONReader) ReadEncrypted

func (bkr *JSONReader) ReadEncrypted() (*tinkpb.EncryptedKeyset, error)

ReadEncrypted parses an EncryptedKeyset from the underlying io.Reader.

type JSONWriter

type JSONWriter struct {
	// contains filtered or unexported fields
}

JSONWriter serializes a keyset into json format.

func NewJSONWriter

func NewJSONWriter(w io.Writer) *JSONWriter

NewJSONWriter returns a new JSONWriter that will write to w.

func (*JSONWriter) Write

func (bkw *JSONWriter) Write(keyset *tinkpb.Keyset) error

Write writes the keyset to the underlying io.Writer.

func (*JSONWriter) WriteEncrypted

func (bkw *JSONWriter) WriteEncrypted(keyset *tinkpb.EncryptedKeyset) error

WriteEncrypted writes the encrypted keyset to the underlying io.Writer.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages a Keyset-proto, with convenience methods that rotate, disable, enable or destroy keys. Note: It is not thread-safe.

func NewManager

func NewManager() *Manager

NewManager creates a new instance with an empty Keyset.

func NewManagerFromHandle

func NewManagerFromHandle(kh *Handle) *Manager

NewManagerFromHandle creates a new instance from the given Handle.

func (*Manager) Add added in v1.7.0

func (km *Manager) Add(kt *tinkpb.KeyTemplate) (uint32, error)

Add generates and adds a fresh key using the given key template. The key is enabled on creation, but not set to primary. It returns the ID of the new key.

func (*Manager) Delete added in v1.7.0

func (km *Manager) Delete(keyID uint32) error

Delete will delete the key with given keyID, removing the key from the keyset entirely. Returns an error if the key is not found or it is the primary key.

func (*Manager) Disable added in v1.7.0

func (km *Manager) Disable(keyID uint32) error

Disable will disable the key with given keyID. Returns an error if the key is not found or it is the primary key.

func (*Manager) Enable added in v1.7.0

func (km *Manager) Enable(keyID uint32) error

Enable will enable the key with given keyID. Returns an error if the key is not found, or if its current status is neither ENABLED nor DISABLED.

func (*Manager) Handle

func (km *Manager) Handle() (*Handle, error)

Handle creates a new Handle for the managed keyset.

func (*Manager) Rotate deprecated

func (km *Manager) Rotate(kt *tinkpb.KeyTemplate) error

Rotate generates a fresh key using the given key template and sets the new key as the primary key.

Deprecated: please use Add instead. Rotate adds a new key and immediately promotes it to primary. However, when performing keyset rotation, you almost never want a newly added key to immediately be set as the primary key. Instead, you want to allow sufficient time for key propagation to occur.

func (*Manager) SetPrimary added in v1.7.0

func (km *Manager) SetPrimary(keyID uint32) error

SetPrimary sets the key with given keyID as primary. Returns an error if the key is not found or not enabled.

type MemReaderWriter

type MemReaderWriter struct {
	Keyset          *tinkpb.Keyset
	EncryptedKeyset *tinkpb.EncryptedKeyset
}

MemReaderWriter implements keyset.Reader and keyset.Writer for *tinkpb.Keyset and *tinkpb.EncryptedKeyset.

func (*MemReaderWriter) Read

func (m *MemReaderWriter) Read() (*tinkpb.Keyset, error)

Read returns *tinkpb.Keyset from memory.

func (*MemReaderWriter) ReadEncrypted

func (m *MemReaderWriter) ReadEncrypted() (*tinkpb.EncryptedKeyset, error)

ReadEncrypted returns *tinkpb.EncryptedKeyset from memory.

func (*MemReaderWriter) Write

func (m *MemReaderWriter) Write(keyset *tinkpb.Keyset) error

Write writes the keyset to memory.

func (*MemReaderWriter) WriteEncrypted

func (m *MemReaderWriter) WriteEncrypted(keyset *tinkpb.EncryptedKeyset) error

WriteEncrypted writes the encrypted keyset to memory.

type Reader

type Reader interface {
	// Read returns a (cleartext) Keyset object from the underlying source.
	Read() (*tinkpb.Keyset, error)

	// ReadEncrypted returns an EncryptedKeyset object from the underlying source.
	ReadEncrypted() (*tinkpb.EncryptedKeyset, error)
}

Reader knows how to read a Keyset or an EncryptedKeyset from some source. In order to turn a Reader into a KeysetHandle for use, callers must use insecure.KeysetHandle (for a cleartext keyset) or keyset.Read (for an encrypted one).

type Writer

type Writer interface {
	// Write keyset to some storage system.
	Write(Keyset *tinkpb.Keyset) error

	// Write EncryptedKeyset to some storage system.
	WriteEncrypted(keyset *tinkpb.EncryptedKeyset) error
}

Writer knows how to write a Keyset or an EncryptedKeyset to some destination.
