Constants ¶
// Fully qualified gRPC method names for HardwareKeyAgentService, in the
// "/<package>.<Service>/<Method>" form gRPC uses for routing. These are the
// values typically matched in interceptors or per-method policies; they are
// generated from the .proto and must stay in sync with it.
const (
	HardwareKeyAgentService_Ping_FullMethodName = "/teleport.hardwarekeyagent.v1.HardwareKeyAgentService/Ping"
	HardwareKeyAgentService_Sign_FullMethodName = "/teleport.hardwarekeyagent.v1.HardwareKeyAgentService/Sign"
)
Variables ¶
// Enum value maps for PIVSlotKey: wire number -> symbolic name and the
// reverse. Generated from the .proto enum; edit the .proto, not these maps.
var (
	PIVSlotKey_name = map[int32]string{
		0: "PIV_SLOT_KEY_UNSPECIFIED",
		1: "PIV_SLOT_KEY_9A",
		2: "PIV_SLOT_KEY_9C",
		3: "PIV_SLOT_KEY_9D",
		4: "PIV_SLOT_KEY_9E",
	}
	PIVSlotKey_value = map[string]int32{
		"PIV_SLOT_KEY_UNSPECIFIED": 0,
		"PIV_SLOT_KEY_9A":          1,
		"PIV_SLOT_KEY_9C":          2,
		"PIV_SLOT_KEY_9D":          3,
		"PIV_SLOT_KEY_9E":          4,
	}
)
Enum value maps for PIVSlotKey.
// Enum value maps for Hash: wire number -> symbolic name and the reverse.
// Note that HASH_NONE (1) is a distinct, valid value from HASH_UNSPECIFIED (0).
// Generated from the .proto enum; edit the .proto, not these maps.
var (
	Hash_name = map[int32]string{
		0: "HASH_UNSPECIFIED",
		1: "HASH_NONE",
		2: "HASH_SHA256",
		3: "HASH_SHA512",
	}
	Hash_value = map[string]int32{
		"HASH_UNSPECIFIED": 0,
		"HASH_NONE":        1,
		"HASH_SHA256":      2,
		"HASH_SHA512":      3,
	}
)
Enum value maps for Hash.
// File_teleport_hardwarekeyagent_v1_hardwarekeyagent_service_proto is the
// protobuf file descriptor for hardwarekeyagent_service.proto. It is
// generated code; the rest of the package is expected to populate it.
var File_teleport_hardwarekeyagent_v1_hardwarekeyagent_service_proto protoreflect.FileDescriptor
// HardwareKeyAgentService_ServiceDesc is the grpc.ServiceDesc for the
// HardwareKeyAgentService service. It is only intended for direct use with
// grpc.RegisterService and must not be introspected or modified (even as a
// copy). The service is unary-only: two methods and no streams.
var HardwareKeyAgentService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "teleport.hardwarekeyagent.v1.HardwareKeyAgentService",
	HandlerType: (*HardwareKeyAgentServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Ping",
			Handler:    _HardwareKeyAgentService_Ping_Handler,
		},
		{
			MethodName: "Sign",
			Handler:    _HardwareKeyAgentService_Sign_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "teleport/hardwarekeyagent/v1/hardwarekeyagent_service.proto",
}
HardwareKeyAgentService_ServiceDesc is the grpc.ServiceDesc for HardwareKeyAgentService service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)
Functions ¶
func RegisterHardwareKeyAgentServiceServer ¶
func RegisterHardwareKeyAgentServiceServer(s grpc.ServiceRegistrar, srv HardwareKeyAgentServiceServer)
Types ¶
type HardwareKeyAgentServiceClient ¶
// HardwareKeyAgentServiceClient is the client API for HardwareKeyAgentService service.
//
// HardwareKeyAgentService provides an agent service for hardware key (PIV)
// signatures. This allows multiple Teleport clients to share a PIV connection
// rather than blocking each other, due to the exclusive nature of PIV
// connections. It also enables shared hardware key state, such as a custom
// PIN cache shared across Teleport clients.
//
// NOTE(review): neither PingRequest nor SignRequest carries any caller
// credential, so this service definition does not itself authenticate who is
// asking for a signature. Whatever restricts access to the Sign RPC (a
// local-only listener, peer-process checks, transport authentication) lives
// outside this file — confirm in the agent implementation before exposing
// the endpoint beyond the local user.
type HardwareKeyAgentServiceClient interface {
	// Ping the agent service to check if it is active.
	Ping(ctx context.Context, in *PingRequest, opts ...grpc.CallOption) (*PingResponse, error)
	// Sign produces a signature with the provided options for the specified hardware private key.
	// The digest is pre-hashed by the caller (see SignRequest); KeyInfo only tunes prompt UX.
	//
	// This rpc implements Go's crypto.Signer interface.
	Sign(ctx context.Context, in *SignRequest, opts ...grpc.CallOption) (*Signature, error)
}
HardwareKeyAgentServiceClient is the client API for HardwareKeyAgentService service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
HardwareKeyAgentService provides an agent service for hardware key (PIV) signatures. This allows multiple Teleport clients to share a single PIV connection rather than blocking each other, since PIV connections are exclusive. It also enables shared hardware key state, such as a custom PIN cache shared across Teleport clients.
func NewHardwareKeyAgentServiceClient ¶
func NewHardwareKeyAgentServiceClient(cc grpc.ClientConnInterface) HardwareKeyAgentServiceClient
type HardwareKeyAgentServiceServer ¶
// HardwareKeyAgentServiceServer is the server API for HardwareKeyAgentService service.
// All implementations must embed UnimplementedHardwareKeyAgentServiceServer
// for forward compatibility.
//
// HardwareKeyAgentService provides an agent service for hardware key (PIV)
// signatures. This allows multiple Teleport clients to share a PIV connection
// rather than blocking each other, due to the exclusive nature of PIV
// connections. It also enables shared hardware key state, such as a custom
// PIN cache shared across Teleport clients.
//
// NOTE(review): Sign is the trust boundary of this service. Its request names
// the key (KeyRef) and carries only advisory UX text (KeyInfo, Command); it
// contains no credential identifying the caller. Authorization of who may
// obtain signatures must therefore come from how the server is exposed
// (listener, transport, peer checks), not from the messages themselves.
type HardwareKeyAgentServiceServer interface {
	// Ping the agent service to check if it is active.
	Ping(context.Context, *PingRequest) (*PingResponse, error)
	// Sign produces a signature with the provided options for the specified hardware private key.
	// Per KeyRef's docs, the signature fails early if the supplied public key does not match
	// the key currently in the referenced slot.
	//
	// This rpc implements Go's crypto.Signer interface.
	Sign(context.Context, *SignRequest) (*Signature, error)
	// contains filtered or unexported methods
}
HardwareKeyAgentServiceServer is the server API for HardwareKeyAgentService service. All implementations must embed UnimplementedHardwareKeyAgentServiceServer for forward compatibility.
HardwareKeyAgentService provides an agent service for hardware key (PIV) signatures. This allows multiple Teleport clients to share a single PIV connection rather than blocking each other, since PIV connections are exclusive. It also enables shared hardware key state, such as a custom PIN cache shared across Teleport clients.
type Hash ¶
// Hash refers to a specific hash function used during signing. It names the
// function the client has already applied to produce SignRequest.Digest;
// see Hash_name for the wire values (UNSPECIFIED, NONE, SHA256, SHA512).
type Hash int32
Hash refers to a specific hash function used during signing.
func (Hash) Descriptor ¶
func (Hash) Descriptor() protoreflect.EnumDescriptor
func (Hash) EnumDescriptor
deprecated
func (Hash) Number ¶
func (x Hash) Number() protoreflect.EnumNumber
func (Hash) Type ¶
func (Hash) Type() protoreflect.EnumType
type KeyInfo ¶
// KeyInfo contains additional information about a hardware private key.
//
// Every field is supplied by the requesting client and, per the field docs
// below, is advisory: the touch/PIN flags only shape prompt UX and the name
// fields only add context to prompts. None of it is used to locate the key
// (that is KeyRef's job) and none of it should be read as a security
// decision made by the agent.
type KeyInfo struct {
	// TouchRequired is a client hint as to whether the hardware private key requires touch.
	// The agent will use this to provide the ideal UX for the touch prompt. If this client
	// hint is incorrect, touch will still be prompted.
	TouchRequired bool `protobuf:"varint,1,opt,name=touch_required,json=touchRequired,proto3" json:"touch_required,omitempty"`
	// PinRequired is a client hint as to whether the hardware private key requires PIN.
	// The agent will use this to provide the ideal UX for the PIN prompt. If this client
	// hint is incorrect, PIN will still be prompted for YubiKey versions >= 4.3.0; on older
	// versions the request fails with an auth error instead.
	PinRequired bool `protobuf:"varint,2,opt,name=pin_required,json=pinRequired,proto3" json:"pin_required,omitempty"`
	// ProxyHost is a Teleport proxy hostname that the key is associated with.
	// May be used to add context to PIN/touch prompts.
	ProxyHost string `protobuf:"bytes,3,opt,name=proxy_host,json=proxyHost,proto3" json:"proxy_host,omitempty"`
	// Username is a Teleport username that the key is associated with.
	// May be used to add context to PIN/touch prompts.
	Username string `protobuf:"bytes,4,opt,name=username,proto3" json:"username,omitempty"`
	// ClusterName is a Teleport cluster name that the key is associated with.
	// May be used to add context to PIN/touch prompts.
	ClusterName string `protobuf:"bytes,5,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"`
	// PinCacheTtl is the amount of time that the PIN should be cached for
	// PIN prompts associated with this key. A TTL of 0 means no PIN caching.
	//
	// NOTE(review): the TTL is chosen by the client on each request. Whether
	// the agent clamps it to an upper bound, or how it reconciles different
	// TTLs from several clients sharing one cache, is not visible in this
	// file — confirm in the agent implementation.
	PinCacheTtl *durationpb.Duration `protobuf:"bytes,6,opt,name=pin_cache_ttl,json=pinCacheTtl,proto3" json:"pin_cache_ttl,omitempty"`
	// contains filtered or unexported fields
}
KeyInfo contains additional information about a hardware private key.
func (*KeyInfo) Descriptor
deprecated
func (*KeyInfo) GetClusterName ¶
func (*KeyInfo) GetPinCacheTtl ¶
func (x *KeyInfo) GetPinCacheTtl() *durationpb.Duration
func (*KeyInfo) GetPinRequired ¶
func (*KeyInfo) GetProxyHost ¶
func (*KeyInfo) GetTouchRequired ¶
func (*KeyInfo) GetUsername ¶
func (*KeyInfo) ProtoMessage ¶
func (*KeyInfo) ProtoMessage()
func (*KeyInfo) ProtoReflect ¶
func (x *KeyInfo) ProtoReflect() protoreflect.Message
type KeyRef ¶
// KeyRef references a specific hardware private key: which physical device
// (SerialNumber), which PIV slot on it (SlotKey), and which public key the
// caller believes that slot currently holds (PublicKeyDer).
type KeyRef struct {
	// SerialNumber is the serial number of the hardware key.
	SerialNumber uint32 `protobuf:"varint,1,opt,name=serial_number,json=serialNumber,proto3" json:"serial_number,omitempty"`
	// SlotKey is a PIV slot key reference.
	SlotKey PIVSlotKey `` /* 128-byte string literal not displayed */
	// PublicKey is the public key encoded in PKIX, ASN.1 DER form. If the public key does
	// not match the private key currently in the hardware key's PIV slot, the signature
	// will fail early.
	//
	// This binds the request to a particular key pair rather than just a
	// (serial, slot) location, so a slot that has been re-keyed since the
	// client cached its reference does not silently sign with a different key.
	// NOTE(review): whether the agent requires this field or treats an empty
	// value as "skip the check" is not stated here — confirm before relying
	// on the early failure.
	PublicKeyDer []byte `protobuf:"bytes,3,opt,name=public_key_der,json=publicKeyDer,proto3" json:"public_key_der,omitempty"`
	// contains filtered or unexported fields
}
KeyRef references a specific hardware private key.
func (*KeyRef) Descriptor
deprecated
func (*KeyRef) GetPublicKeyDer ¶
func (*KeyRef) GetSerialNumber ¶
func (*KeyRef) GetSlotKey ¶
func (x *KeyRef) GetSlotKey() PIVSlotKey
func (*KeyRef) ProtoMessage ¶
func (*KeyRef) ProtoMessage()
func (*KeyRef) ProtoReflect ¶
func (x *KeyRef) ProtoReflect() protoreflect.Message
type PIVSlotKey ¶
// PIVSlotKey is the key reference for a specific PIV slot (9a, 9c, 9d or 9e).
// Used in KeyRef.SlotKey to select which key on the device performs the
// signature; see PIVSlotKey_name for the wire values.
type PIVSlotKey int32
PIVSlotKey is the key reference for a specific PIV slot.
// PIVSlotKey values. The pin_policy/touch_policy noted on each slot is the
// default policy Teleport expects that slot to carry; per KeyInfo's docs,
// the agent still prompts based on what the device actually requires.
const (
	// PIV slot key not specified.
	PIVSlotKey_PIV_SLOT_KEY_UNSPECIFIED PIVSlotKey = 0
	// PIV slot key 9a. This is the default slot for pin_policy=never, touch_policy=never.
	PIVSlotKey_PIV_SLOT_KEY_9A PIVSlotKey = 1
	// PIV slot key 9c. This is the default slot for pin_policy=never, touch_policy=cached.
	PIVSlotKey_PIV_SLOT_KEY_9C PIVSlotKey = 2
	// PIV slot key 9d. This is the default slot for pin_policy=once, touch_policy=cached.
	PIVSlotKey_PIV_SLOT_KEY_9D PIVSlotKey = 3
	// PIV slot key 9e. This is the default slot for pin_policy=once, touch_policy=never.
	PIVSlotKey_PIV_SLOT_KEY_9E PIVSlotKey = 4
)
func (PIVSlotKey) Descriptor ¶
func (PIVSlotKey) Descriptor() protoreflect.EnumDescriptor
func (PIVSlotKey) Enum ¶
func (x PIVSlotKey) Enum() *PIVSlotKey
func (PIVSlotKey) EnumDescriptor
deprecated
func (PIVSlotKey) EnumDescriptor() ([]byte, []int)
Deprecated: Use PIVSlotKey.Descriptor instead.
func (PIVSlotKey) Number ¶
func (x PIVSlotKey) Number() protoreflect.EnumNumber
func (PIVSlotKey) String ¶
func (x PIVSlotKey) String() string
func (PIVSlotKey) Type ¶
func (PIVSlotKey) Type() protoreflect.EnumType
type PingRequest ¶
// PingRequest is a request to Ping. It carries no fields: a Ping only asks
// whether the agent is up, and the reply (PingResponse) reports its PID.
type PingRequest struct {
	// contains filtered or unexported fields
}
PingRequest is a request to Ping.
func (*PingRequest) Descriptor
deprecated
func (*PingRequest) Descriptor() ([]byte, []int)
Deprecated: Use PingRequest.ProtoReflect.Descriptor instead.
func (*PingRequest) ProtoMessage ¶
func (*PingRequest) ProtoMessage()
func (*PingRequest) ProtoReflect ¶
func (x *PingRequest) ProtoReflect() protoreflect.Message
func (*PingRequest) Reset ¶
func (x *PingRequest) Reset()
func (*PingRequest) String ¶
func (x *PingRequest) String() string
type PingResponse ¶
// PingResponse is a response to Ping.
type PingResponse struct {
	// PID is the PID of the client process running the agent.
	// Presumably lets a caller identify which local process is hosting the
	// shared agent; how callers use it is not shown in this file.
	Pid uint32 `protobuf:"varint,1,opt,name=pid,proto3" json:"pid,omitempty"`
	// contains filtered or unexported fields
}
PingResponse is a response to Ping.
func (*PingResponse) Descriptor
deprecated
func (*PingResponse) Descriptor() ([]byte, []int)
Deprecated: Use PingResponse.ProtoReflect.Descriptor instead.
func (*PingResponse) GetPid ¶
func (x *PingResponse) GetPid() uint32
func (*PingResponse) ProtoMessage ¶
func (*PingResponse) ProtoMessage()
func (*PingResponse) ProtoReflect ¶
func (x *PingResponse) ProtoReflect() protoreflect.Message
func (*PingResponse) Reset ¶
func (x *PingResponse) Reset()
func (*PingResponse) String ¶
func (x *PingResponse) String() string
type SignRequest ¶
// SignRequest is a request to perform a signature with a specific hardware private key.
//
// The client hashes the message itself and sends only the digest plus the
// hash function it used, mirroring the crypto.Signer contract that the Sign
// RPC implements; the agent never receives the original message.
type SignRequest struct {
	// Digest is a hashed message to sign.
	Digest []byte `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"`
	// Hash is the hash function used to prepare the digest.
	// HASH_NONE is a valid value; how the agent handles an unhashed digest
	// is not specified in this file — see the agent implementation.
	Hash Hash `protobuf:"varint,2,opt,name=hash,proto3,enum=teleport.hardwarekeyagent.v1.Hash" json:"hash,omitempty"`
	// SaltLength specifies the length of the salt added to the digest before a signature.
	// This salt length is precomputed by the client, following the crypto/rsa implementation.
	// Only used, and required, for PSS RSA signatures.
	SaltLength uint32 `protobuf:"varint,3,opt,name=salt_length,json=saltLength,proto3" json:"salt_length,omitempty"`
	// KeyRef references a specific hardware private key (device serial, PIV
	// slot, and the expected public key; see KeyRef).
	KeyRef *KeyRef `protobuf:"bytes,4,opt,name=key_ref,json=keyRef,proto3" json:"key_ref,omitempty"`
	// KeyInfo contains additional, optional key info which generally will improve UX by
	// giving the agent context about the key, such as whether PIN/touch prompts are
	// expected, or what cluster login is trying to interface with the key.
	KeyInfo *KeyInfo `protobuf:"bytes,5,opt,name=key_info,json=keyInfo,proto3" json:"key_info,omitempty"`
	// Command is the client command or action requiring a signature, e.g. "tsh ssh server01".
	// The agent can include this detail in PIN/touch prompts to show the origin of the
	// signature request to the user.
	//
	// NOTE(review): this is free-form text chosen by the caller, and nothing in
	// this service definition lets the agent verify it. Treat it as untrusted
	// display text when rendering prompts (bound its length, strip control
	// characters) and do not present it as an authenticated identity of the
	// requesting process.
	Command string `protobuf:"bytes,6,opt,name=command,proto3" json:"command,omitempty"`
	// contains filtered or unexported fields
}
SignRequest is a request to perform a signature with a specific hardware private key.
func (*SignRequest) Descriptor
deprecated
func (*SignRequest) Descriptor() ([]byte, []int)
Deprecated: Use SignRequest.ProtoReflect.Descriptor instead.
func (*SignRequest) GetCommand ¶
func (x *SignRequest) GetCommand() string
func (*SignRequest) GetDigest ¶
func (x *SignRequest) GetDigest() []byte
func (*SignRequest) GetHash ¶
func (x *SignRequest) GetHash() Hash
func (*SignRequest) GetKeyInfo ¶
func (x *SignRequest) GetKeyInfo() *KeyInfo
func (*SignRequest) GetKeyRef ¶
func (x *SignRequest) GetKeyRef() *KeyRef
func (*SignRequest) GetSaltLength ¶
func (x *SignRequest) GetSaltLength() uint32
func (*SignRequest) ProtoMessage ¶
func (*SignRequest) ProtoMessage()
func (*SignRequest) ProtoReflect ¶
func (x *SignRequest) ProtoReflect() protoreflect.Message
func (*SignRequest) Reset ¶
func (x *SignRequest) Reset()
func (*SignRequest) String ¶
func (x *SignRequest) String() string
type Signature ¶
// Signature is a private key signature returned by the Sign RPC. The encoding
// follows the crypto.Signer conventions for the key type, so a client-side
// crypto.Signer can hand the bytes back unchanged.
type Signature struct {
	// For an RSA key, signature should be either a PKCS #1 v1.5 or PSS signature,
	// depending on the hash and salt chosen. For an (EC)DSA key, it should be a
	// DER-serialised, ASN.1 signature structure.
	Signature []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}
Signature is a private key signature.
func (*Signature) Descriptor
deprecated
func (*Signature) GetSignature ¶
func (*Signature) ProtoMessage ¶
func (*Signature) ProtoMessage()
func (*Signature) ProtoReflect ¶
func (x *Signature) ProtoReflect() protoreflect.Message
type UnimplementedHardwareKeyAgentServiceServer ¶
// UnimplementedHardwareKeyAgentServiceServer must be embedded to have forward
// compatible implementations: methods added to the service later get a default
// (unimplemented) handler instead of breaking the build.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedHardwareKeyAgentServiceServer struct{}
UnimplementedHardwareKeyAgentServiceServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedHardwareKeyAgentServiceServer) Ping ¶
func (UnimplementedHardwareKeyAgentServiceServer) Ping(context.Context, *PingRequest) (*PingResponse, error)
func (UnimplementedHardwareKeyAgentServiceServer) Sign ¶
func (UnimplementedHardwareKeyAgentServiceServer) Sign(context.Context, *SignRequest) (*Signature, error)
type UnsafeHardwareKeyAgentServiceServer ¶
// UnsafeHardwareKeyAgentServiceServer may be embedded to opt out of forward
// compatibility for this service. Use of this interface is not recommended:
// any method later added to HardwareKeyAgentServiceServer will then cause
// compilation errors in implementations that embed it.
type UnsafeHardwareKeyAgentServiceServer interface {
	// contains filtered or unexported methods
}
UnsafeHardwareKeyAgentServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to HardwareKeyAgentServiceServer will result in compilation errors.