Documentation
¶
Index ¶
- Constants
- Variables
- func ParsePKCS8Ed25519PrivateKey(der []byte) (key interface{}, err error)
- func ParsePKCS8RSAPSSPrivateKey(der []byte) (key interface{}, err error)
- type AEADFactory
- type AssociatedDataFactory
- type BackupInfo
- type Cache
- type EncryptedKeyStorageConfig
- type EncryptedKeyStorageWrapper
- type EncryptionOptions
- type HashType
- type HybridKeyConfig
- type KeyData
- type KeyEntry
- type KeyType
- func (kt KeyType) AssociatedDataSupported() bool
- func (kt KeyType) CMACSupported() bool
- func (kt KeyType) DecryptionSupported() bool
- func (kt KeyType) DerivationSupported() bool
- func (kt KeyType) EncryptionSupported() bool
- func (kt KeyType) HMACSupported() bool
- func (kt KeyType) HashSignatureInput() bool
- func (kt KeyType) ImportPublicKeySupported() bool
- func (kt KeyType) IsEnterpriseOnly() bool
- func (kt KeyType) PaddingSchemesSupported() bool
- func (kt KeyType) SigningSupported() bool
- func (kt KeyType) String() string
- type LockManager
- func (lm *LockManager) BackupPolicy(ctx context.Context, storage logical.Storage, name string) (string, error)
- func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage, name string) error
- func (lm *LockManager) GetCacheSize() int
- func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io.Reader) (retP *Policy, retUpserted bool, retErr error)
- func (lm *LockManager) GetUseCache() bool
- func (lm *LockManager) ImportPolicy(ctx context.Context, req PolicyRequest, key []byte, rand io.Reader) error
- func (lm *LockManager) InitCache(cacheSize int) error
- func (lm *LockManager) InvalidatePolicy(name string)
- func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string, force bool) error
- type ManagedKeyFactory
- type ManagedKeyParameters
- type MarshalingType
- type PaddingScheme
- type Policy
- func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out string, retErr error)
- func (p *Policy) CMACKey(version int) ([]byte, error)
- func (p *Policy) CreateCsr(keyVersion int, csrTemplate *x509.CertificateRequest) ([]byte, error)
- func (p *Policy) Decrypt(context, nonce []byte, value string) (string, error)
- func (p *Policy) DecryptWithFactory(context, nonce []byte, value string, factories ...any) (string, error)
- func (p *Policy) DecryptWithOptions(opts EncryptionOptions, value string, factories ...any) (string, error)
- func (p *Policy) DeriveKey(context, salt []byte, ver int, numBytes int) ([]byte, error)
- func (p *Policy) Encrypt(ver int, context, nonce []byte, value string) (string, error)
- func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value string, factories ...any) (string, error)
- func (p *Policy) EncryptWithOptions(opts EncryptionOptions, value string, factories ...any) (string, error)
- func (p *Policy) GetKey(context []byte, ver, numBytes int) ([]byte, error)
- func (p *Policy) HMACKey(version int) ([]byte, error)
- func (p *Policy) HMACWithManagedKey(ctx context.Context, ver int, ...) (hmacBytes []byte, err error)
- func (p *Policy) Import(ctx context.Context, storage logical.Storage, key []byte, randReader io.Reader) error
- func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical.Storage, keyVersion int, key []byte) error
- func (p *Policy) ImportPublicOrPrivate(ctx context.Context, storage logical.Storage, key []byte, isPrivateKey bool, ...) error
- func (p *Policy) KeyVersionCanBeUpdated(keyVersion int, isPrivateKey bool) error
- func (p *Policy) LoadArchive(ctx context.Context, storage logical.Storage) (*archivedKeys, error)
- func (p *Policy) Lock(exclusive bool)
- func (p *Policy) MigrateKeyToKeysMap()
- func (p *Policy) NeedsUpgrade() bool
- func (p *Policy) Persist(ctx context.Context, storage logical.Storage) (retErr error)
- func (p *Policy) Rotate(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)
- func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error)
- func (p *Policy) RotateManagedKey(ctx context.Context, storage logical.Storage, managedKeyUUID string) error
- func (p *Policy) Serialize() ([]byte, error)
- func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, sigAlgorithm string, ...) (*SigningResult, error)
- func (p *Policy) SignWithOptions(ver int, context, input []byte, options *SigningOptions) (*SigningResult, error)
- func (p *Policy) SymmetricDecryptRaw(encKey, ciphertext []byte, opts SymmetricOpts) ([]byte, error)
- func (p *Policy) SymmetricEncryptRaw(ver int, encKey, plaintext []byte, opts SymmetricOpts) ([]byte, error)
- func (p *Policy) Unlock()
- func (p *Policy) Upgrade(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)
- func (p *Policy) ValidateAndPersistCertificateChain(ctx context.Context, keyVersion int, certChain []*x509.Certificate, ...) error
- func (p *Policy) ValidateLeafCertKeyMatch(keyVersion int, certPublicKeyAlgorithm x509.PublicKeyAlgorithm, ...) (bool, error)
- func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, sigAlgorithm string, ...) (bool, error)
- func (p *Policy) VerifySignatureWithOptions(context, input []byte, sig string, options *SigningOptions) (bool, error)
- func (p *Policy) WrapKey(ver int, targetKey any, targetKeyType KeyType, hash hash.Hash) (string, error)
- type PolicyConfig
- type PolicyRequest
- type RestoreInfo
- type SigningOptions
- type SigningResult
- type SymmetricOpts
- type TransitLRU
- type TransitSyncMap
Constants ¶
View Source
const ( // DefaultCacheSize is used if no cache size is specified for // NewEncryptedKeyStorage. This value is the number of cache entries to // store, not the size in bytes of the cache. DefaultCacheSize = 16 * 1024 // DefaultPrefix is used if no prefix is specified for // NewEncryptedKeyStorage. Prefix must be defined so we can provide context // for the base folder. DefaultPrefix = "encryptedkeys/" // EncryptedKeyPolicyVersionTpl is a template that can be used to minimize // the amount of data that's stored with the ciphertext. EncryptedKeyPolicyVersionTpl = "{{version}}:" )
View Source
const ( Kdf_hmac_sha256_counter = iota // built-in helper Kdf_hkdf_sha256 // golang.org/x/crypto/hkdf HmacMinKeySize = 256 / 8 HmacMaxKeySize = 4096 / 8 )
Careful with iota; don't put anything before it in this const block because we need the default of zero to be the old-style KDF
View Source
const ( KeyType_AES256_GCM96 = iota KeyType_ECDSA_P256 KeyType_ED25519 KeyType_RSA2048 KeyType_RSA4096 KeyType_ChaCha20_Poly1305 KeyType_ECDSA_P384 KeyType_ECDSA_P521 KeyType_AES128_GCM96 KeyType_RSA3072 KeyType_MANAGED_KEY KeyType_HMAC KeyType_AES128_CMAC KeyType_AES256_CMAC KeyType_ML_DSA KeyType_HYBRID KeyType_AES192_CMAC KeyType_SLH_DSA KeyType_AES128_CBC KeyType_AES256_CBC )
Or this one...we need the default of zero to be the original AES256-GCM96
View Source
const ( ParameterSet_ML_DSA_44 = "44" ParameterSet_ML_DSA_65 = "65" ParameterSet_ML_DSA_87 = "87" ParameterSet_SLH_DSA_SHA2_128S = "slh-dsa-sha2-128s" ParameterSet_SLH_DSA_SHAKE_128S = "slh-dsa-shake-128s" ParameterSet_SLH_DSA_SHA2_128F = "slh-dsa-sha2-128f" ParameterSet_SLH_DSA_SHAKE_128F = "slh-dsa-shake-128f" ParameterSet_SLH_DSA_SHA2_192S = "slh-dsa-sha2-192s" ParameterSet_SLH_DSA_SHAKE_192S = "slh-dsa-shake-192s" ParameterSet_SLH_DSA_SHA2_192F = "slh-dsa-sha2-192f" ParameterSet_SLH_DSA_SHAKE_192F = "slh-dsa-shake-192f" ParameterSet_SLH_DSA_SHA2_256S = "slh-dsa-sha2-256s" ParameterSet_SLH_DSA_SHAKE_256S = "slh-dsa-shake-256s" ParameterSet_SLH_DSA_SHA2_256F = "slh-dsa-sha2-256f" ParameterSet_SLH_DSA_SHAKE_256F = "slh-dsa-shake-256f" )
View Source
const ( // ErrTooOld is returned whtn the ciphertext or signatures's key version is // too old. ErrTooOld = "ciphertext or signature version is disallowed by policy (too old)" // DefaultVersionTemplate is used when no version template is provided. DefaultVersionTemplate = "vault:v{{version}}:" )
View Source
const ( PaddingScheme_OAEP = PaddingScheme("oaep") PaddingScheme_PKCS1v15 = PaddingScheme("pkcs1v15") )
Variables ¶
View Source
var ( HashTypeMap = map[string]HashType{ "none": HashTypeNone, "sha1": HashTypeSHA1, "sha2-224": HashTypeSHA2224, "sha2-256": HashTypeSHA2256, "sha2-384": HashTypeSHA2384, "sha2-512": HashTypeSHA2512, "sha3-224": HashTypeSHA3224, "sha3-256": HashTypeSHA3256, "sha3-384": HashTypeSHA3384, "sha3-512": HashTypeSHA3512, } HashFuncMap = map[HashType]func() hash.Hash{ HashTypeNone: nil, HashTypeSHA1: sha1.New, HashTypeSHA2224: sha256.New224, HashTypeSHA2256: sha256.New, HashTypeSHA2384: sha512.New384, HashTypeSHA2512: sha512.New, HashTypeSHA3224: sha3.New224, HashTypeSHA3256: sha3.New256, HashTypeSHA3384: sha3.New384, HashTypeSHA3512: sha3.New512, } CryptoHashMap = map[HashType]crypto.Hash{ HashTypeNone: 0, HashTypeSHA1: crypto.SHA1, HashTypeSHA2224: crypto.SHA224, HashTypeSHA2256: crypto.SHA256, HashTypeSHA2384: crypto.SHA384, HashTypeSHA2512: crypto.SHA512, HashTypeSHA3224: crypto.SHA3_224, HashTypeSHA3256: crypto.SHA3_256, HashTypeSHA3384: crypto.SHA3_384, HashTypeSHA3512: crypto.SHA3_512, } MarshalingTypeMap = _MarshalingTypeNameToValueMap )
View Source
var ( // ErrPolicyDerivedKeys is returned if the provided policy does not use // derived keys. This is a requirement for this storage implementation. ErrPolicyDerivedKeys = errors.New("key policy must use derived keys") // ErrPolicyConvergentEncryption is returned if the provided policy does not use // convergent encryption. This is a requirement for this storage implementation. ErrPolicyConvergentEncryption = errors.New("key policy must use convergent encryption") // ErrPolicyConvergentVersion is returned if the provided policy does not use // a new enough convergent version. This is a requirement for this storage // implementation. ErrPolicyConvergentVersion = errors.New("key policy must use convergent version > 2") // ErrNilStorage is returned if the provided storage is nil. ErrNilStorage = errors.New("nil storage provided") // ErrNilPolicy is returned if the provided policy is nil. ErrNilPolicy = errors.New("nil policy provided") )
Functions ¶
func ParsePKCS8Ed25519PrivateKey ¶ added in v0.5.1
ParsePKCS8Ed25519PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.
It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. More types might be supported in the future.
This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
func ParsePKCS8RSAPSSPrivateKey ¶ added in v0.9.0
ParsePKCS8RSAPSSPrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.
This helper only supports RSA/PSS keys (with OID 1.2.840.113549.1.1.10).
It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. More types might be supported in the future.
This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
Types ¶
type AEADFactory ¶ added in v0.6.0
type AssociatedDataFactory ¶ added in v0.6.1
type BackupInfo ¶
type EncryptedKeyStorageConfig ¶
type EncryptedKeyStorageConfig struct {
// Policy is the key policy to use to encrypt the key paths.
Policy *Policy
// Prefix is the storage prefix for this instance of the EncryptedKeyStorage
// object. This is stored in plaintext. If not set the DefaultPrefix will be
// used.
Prefix string
// CacheSize is the number of elements to cache. If not set the
// DetaultCacheSize will be used.
CacheSize int
}
EncryptedKeyStorageConfig is used to configure an EncryptedKeyStorage object.
type EncryptedKeyStorageWrapper ¶
type EncryptedKeyStorageWrapper struct {
// contains filtered or unexported fields
}
func NewEncryptedKeyStorageWrapper ¶
func NewEncryptedKeyStorageWrapper(config EncryptedKeyStorageConfig) (*EncryptedKeyStorageWrapper, error)
NewEncryptedKeyStorageWrapper takes an EncryptedKeyStorageConfig and returns a new EncryptedKeyStorage object.
type EncryptionOptions ¶ added in v0.19.0
type HybridKeyConfig ¶ added in v0.14.1
type KeyData ¶
type KeyData struct {
Policy *Policy `json:"policy"`
ArchivedKeys *archivedKeys `json:"archived_keys"`
}
type KeyEntry ¶
type KeyEntry struct {
// AES or some other kind that is a pure byte slice like ED25519
Key []byte `json:"key"`
// Key used for HMAC functions
HMACKey []byte `json:"hmac_key"`
// Time of creation
CreationTime time.Time `json:"time"`
EC_X *big.Int `json:"ec_x,omitempty"`
EC_Y *big.Int `json:"ec_y,omitempty"`
EC_D *big.Int `json:"ec_d,omitempty"`
RSAKey *rsa.PrivateKey `json:"rsa_key,omitempty"`
RSAPublicKey *rsa.PublicKey `json:"rsa_public_key,omitempty"`
// The public key in an appropriate format for the type of key
FormattedPublicKey string `json:"public_key,omitempty"`
// If convergent is enabled, the version (falling back to what's in the
// policy)
ConvergentVersion int `json:"convergent_version,omitempty"`
// This is deprecated (but still filled) in favor of the value above which
// is more precise
DeprecatedCreationTime int64 `json:"creation_time"`
ManagedKeyUUID string `json:"managed_key_id,omitempty"`
// Key entry certificate chain. If set, leaf certificate key matches the
// KeyEntry key
CertificateChain [][]byte `json:"certificate_chain,omitempty"`
// contains filtered or unexported fields
}
KeyEntry stores the key and metadata
func (KeyEntry) IsEntPrivateKeyMissing ¶ added in v0.14.1
func (e KeyEntry) IsEntPrivateKeyMissing() bool
func (*KeyEntry) IsPrivateKeyMissing ¶ added in v0.9.1
type KeyType ¶
type KeyType int
func (KeyType) AssociatedDataSupported ¶ added in v0.6.1
func (KeyType) CMACSupported ¶ added in v0.13.0
func (KeyType) DecryptionSupported ¶
func (KeyType) DerivationSupported ¶
func (KeyType) EncryptionSupported ¶
func (KeyType) HMACSupported ¶ added in v0.13.0
func (KeyType) HashSignatureInput ¶
func (KeyType) ImportPublicKeySupported ¶ added in v0.9.1
func (KeyType) IsEnterpriseOnly ¶ added in v0.19.0
func (KeyType) PaddingSchemesSupported ¶ added in v0.14.1
func (KeyType) SigningSupported ¶
type LockManager ¶
type LockManager struct {
// contains filtered or unexported fields
}
func NewLockManager ¶
func NewLockManager(useCache bool, cacheSize int) (*LockManager, error)
func (*LockManager) BackupPolicy ¶
func (*LockManager) DeletePolicy ¶
func (*LockManager) GetCacheSize ¶ added in v0.1.12
func (lm *LockManager) GetCacheSize() int
func (*LockManager) GetPolicy ¶
func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io.Reader) (retP *Policy, retUpserted bool, retErr error)
When the function returns, if caching was disabled, the Policy's lock must be unlocked when the caller is done (and it should not be re-locked).
func (*LockManager) GetUseCache ¶ added in v0.1.12
func (lm *LockManager) GetUseCache() bool
func (*LockManager) ImportPolicy ¶ added in v0.5.0
func (lm *LockManager) ImportPolicy(ctx context.Context, req PolicyRequest, key []byte, rand io.Reader) error
func (*LockManager) InitCache ¶ added in v0.3.0
func (lm *LockManager) InitCache(cacheSize int) error
func (*LockManager) InvalidatePolicy ¶
func (lm *LockManager) InvalidatePolicy(name string)
func (*LockManager) RestorePolicy ¶
func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storage, name, backup string, force bool) error
RestorePolicy acquires an exclusive lock on the policy name and restores the given policy along with the archive.
type ManagedKeyFactory ¶ added in v0.8.0
type ManagedKeyFactory interface {
GetManagedKeyParameters() ManagedKeyParameters
}
type ManagedKeyParameters ¶ added in v0.8.0
type ManagedKeyParameters struct {
ManagedKeySystemView logical.ManagedKeySystemView
BackendUUID string
Context context.Context
}
type MarshalingType ¶
type MarshalingType uint32
const ( MarshalingTypeASN1 MarshalingType MarshalingTypeJWS )
func MarshalingTypeString ¶ added in v0.13.0
func MarshalingTypeString(s string) (MarshalingType, error)
MarshalingTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.
func MarshalingTypeValues ¶ added in v0.13.0
func MarshalingTypeValues() []MarshalingType
MarshalingTypeValues returns all values of the enum
func (MarshalingType) IsAMarshalingType ¶ added in v0.13.0
func (i MarshalingType) IsAMarshalingType() bool
IsAMarshalingType returns "true" if the value is listed in the enum definition. "false" otherwise
func (MarshalingType) String ¶ added in v0.13.0
func (i MarshalingType) String() string
type PaddingScheme ¶ added in v0.14.1
type PaddingScheme string
func ParsePaddingScheme ¶ added in v0.14.1
func ParsePaddingScheme(s string) (PaddingScheme, error)
ParsePaddingScheme expects a lower case string that can be directly compared to a defined padding scheme or returns an error.
func (PaddingScheme) String ¶ added in v0.14.1
func (p PaddingScheme) String() string
type Policy ¶
type Policy struct {
Name string `json:"name"`
Key []byte `json:"key,omitempty"` // DEPRECATED
KeySize int `json:"key_size,omitempty"` // For algorithms with variable key sizes
Keys keyEntryMap `json:"keys"`
// Derived keys MUST provide a context and the master underlying key is
// never used. If convergent encryption is true, the context will be used
// as the nonce as well.
Derived bool `json:"derived"`
KDF int `json:"kdf"`
ConvergentEncryption bool `json:"convergent_encryption"`
// Whether the key is exportable
Exportable bool `json:"exportable"`
// The minimum version of the key allowed to be used for decryption
MinDecryptionVersion int `json:"min_decryption_version"`
// The minimum version of the key allowed to be used for encryption
MinEncryptionVersion int `json:"min_encryption_version"`
// The latest key version in this policy
LatestVersion int `json:"latest_version"`
// The latest key version in the archive. We never delete these, so this is
// a max.
ArchiveVersion int `json:"archive_version"`
// ArchiveMinVersion is the minimum version of the key in the archive.
ArchiveMinVersion int `json:"archive_min_version"`
// MinAvailableVersion is the minimum version of the key present. All key
// versions before this would have been deleted.
MinAvailableVersion int `json:"min_available_version"`
// Whether the key is allowed to be deleted
DeletionAllowed bool `json:"deletion_allowed"`
// The version of the convergent nonce to use
ConvergentVersion int `json:"convergent_version"`
// The type of key
Type KeyType `json:"type"`
// BackupInfo indicates the information about the backup action taken on
// this policy
BackupInfo *BackupInfo `json:"backup_info"`
// RestoreInfo indicates the information about the restore action taken on
// this policy
RestoreInfo *RestoreInfo `json:"restore_info"`
// AllowPlaintextBackup allows taking backup of the policy in plaintext
AllowPlaintextBackup bool `json:"allow_plaintext_backup"`
// VersionTemplate is used to prefix the ciphertext with information about
// the key version. It must inclide {{version}} and a delimiter between the
// version prefix and the ciphertext.
VersionTemplate string `json:"version_template"`
// StoragePrefix is used to add a prefix when storing and retrieving the
// policy object.
StoragePrefix string `json:"storage_prefix"`
// AutoRotatePeriod defines how frequently the key should automatically
// rotate. Setting this to zero disables automatic rotation for the key.
AutoRotatePeriod time.Duration `json:"auto_rotate_period"`
// Imported indicates whether the key was generated by Vault or imported
// from an external source
Imported bool
// AllowImportedKeyRotation indicates whether an imported key may be rotated by Vault
AllowImportedKeyRotation bool
// ParameterSet indicates the parameter set to use with ML-DSA and SLH-DSA keys
ParameterSet string
// HybridConfig contains the key types and parameters for hybrid keys
HybridConfig HybridKeyConfig
// contains filtered or unexported fields
}
Policy is the struct used to store metadata
func LoadPolicy ¶
LoadPolicy will load a policy from the provided storage path and set the necessary un-exported variables. It is particularly useful when accessing a policy without the lock manager.
func NewPolicy ¶
func NewPolicy(config PolicyConfig) *Policy
NewPolicy takes a policy config and returns a Policy with those settings.
func (*Policy) DecryptWithFactory ¶ added in v0.6.1
func (*Policy) DecryptWithOptions ¶ added in v0.19.0
func (*Policy) DeriveKey ¶
DeriveKey is used to derive a symmetric key given a context and salt. This does not check the policies Derived flag, but just implements the derivation logic. GetKey is responsible for switching on the policy config.
func (*Policy) EncryptWithFactory ¶ added in v0.6.0
func (*Policy) EncryptWithOptions ¶ added in v0.19.0
func (*Policy) GetKey ¶ added in v0.2.0
GetKey is used to derive the encryption key that should be used depending on the policy. If derivation is disabled the raw key is used and no context is required, otherwise the KDF mode is used with the context to derive the proper key.
func (*Policy) HMACWithManagedKey ¶ added in v0.8.0
func (*Policy) ImportPrivateKeyForVersion ¶ added in v0.9.1
func (*Policy) ImportPublicOrPrivate ¶ added in v0.9.1
func (*Policy) KeyVersionCanBeUpdated ¶ added in v0.9.1
func (*Policy) LoadArchive ¶
func (*Policy) MigrateKeyToKeysMap ¶
func (p *Policy) MigrateKeyToKeysMap()
func (*Policy) NeedsUpgrade ¶
func (*Policy) Rotate ¶
func (p *Policy) Rotate(ctx context.Context, storage logical.Storage, randReader io.Reader) (retErr error)
Rotate rotates the policy and persists it to storage. If the rotation partially fails, the policy state will be restored.
func (*Policy) RotateInMemory ¶ added in v0.2.0
RotateInMemory rotates the policy but does not persist it to storage.
func (*Policy) RotateManagedKey ¶ added in v0.8.0
func (*Policy) Sign ¶
func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, sigAlgorithm string, marshaling MarshalingType) (*SigningResult, error)
func (*Policy) SignWithOptions ¶ added in v0.6.0
func (p *Policy) SignWithOptions(ver int, context, input []byte, options *SigningOptions) (*SigningResult, error)
func (*Policy) SymmetricDecryptRaw ¶ added in v0.2.0
func (p *Policy) SymmetricDecryptRaw(encKey, ciphertext []byte, opts SymmetricOpts) ([]byte, error)
Symmetrically decrypt a ciphertext given the convergence configuration and appropriate keys
func (*Policy) SymmetricEncryptRaw ¶ added in v0.2.0
func (p *Policy) SymmetricEncryptRaw(ver int, encKey, plaintext []byte, opts SymmetricOpts) ([]byte, error)
Symmetrically encrypt a plaintext given the convergence configuration and appropriate keys
func (*Policy) ValidateAndPersistCertificateChain ¶ added in v0.10.0
func (*Policy) ValidateLeafCertKeyMatch ¶ added in v0.10.0
func (*Policy) VerifySignature ¶
func (*Policy) VerifySignatureWithOptions ¶ added in v0.6.0
type PolicyConfig ¶
type PolicyConfig struct {
// The name of the policy
Name string `json:"name"`
// The type of key
Type KeyType
// Derived keys MUST provide a context and the master underlying key is
// never used.
Derived bool
KDF int
ConvergentEncryption bool
// Whether the key is exportable
Exportable bool
// Whether the key is allowed to be deleted
DeletionAllowed bool
// AllowPlaintextBackup allows taking backup of the policy in plaintext
AllowPlaintextBackup bool
// VersionTemplate is used to prefix the ciphertext with information about
// the key version. It must inclide {{version}} and a delimiter between the
// version prefix and the ciphertext.
VersionTemplate string
// StoragePrefix is used to add a prefix when storing and retrieving the
// policy object.
StoragePrefix string
// ParameterSet indicates the parameter set to use with ML-DSA and SLH-DSA keys
ParameterSet string
}
PolicyConfig is used to create a new policy
type PolicyRequest ¶
type PolicyRequest struct {
// The storage to use
Storage logical.Storage
// The name of the policy
Name string
// The key type
KeyType KeyType
// The key size for variable key size algorithms
KeySize int
// Whether it should be derived
Derived bool
// Whether to enable convergent encryption
Convergent bool
// Whether to allow export
Exportable bool
// Whether to upsert
Upsert bool
// Whether to allow plaintext backup
AllowPlaintextBackup bool
// How frequently the key should automatically rotate
AutoRotatePeriod time.Duration
// AllowImportedKeyRotation indicates whether an imported key may be rotated by Vault
AllowImportedKeyRotation bool
// Indicates whether a private or public key is imported/upserted
IsPrivateKey bool
// The UUID of the managed key, if using one
ManagedKeyUUID string
// ParameterSet indicates the parameter set to use with ML-DSA and SLH-DSA keys
ParameterSet string
// HybridConfig contains the key types and parameters for hybrid keys
HybridConfig HybridKeyConfig
}
PolicyRequest holds values used when requesting a policy. Most values are only used during an upsert.
type RestoreInfo ¶
type SigningOptions ¶ added in v0.6.0
type SigningOptions struct {
HashAlgorithm HashType
Marshaling MarshalingType
SaltLength int
SigAlgorithm string
SigContext string // Provide a context for Ed25519ctx signatures
ManagedKeyParams ManagedKeyParameters
}
type SigningResult ¶
type SymmetricOpts ¶ added in v0.2.0
type SymmetricOpts struct {
// Whether to use convergent encryption
Convergent bool
// The version of the convergent encryption scheme
ConvergentVersion int
// The nonce, if not randomly generated
Nonce []byte
// Additional data to include in AEAD authentication
AdditionalData []byte
// The HMAC key, for generating IVs in convergent encryption
HMACKey []byte
// Allows an external provider of the AEAD, for e.g. managed keys
AEADFactory AEADFactory
}
SymmetricOpts are the arguments to symmetric operations that are "optional", e.g. not always used. This improves the aesthetics of calls to those functions.
type TransitLRU ¶ added in v0.1.12
type TransitLRU struct {
// contains filtered or unexported fields
}
func NewTransitLRU ¶ added in v0.1.12
func NewTransitLRU(size int) (*TransitLRU, error)
func (*TransitLRU) Delete ¶ added in v0.1.12
func (c *TransitLRU) Delete(key interface{})
func (*TransitLRU) Load ¶ added in v0.1.12
func (c *TransitLRU) Load(key interface{}) (value interface{}, ok bool)
func (*TransitLRU) Size ¶ added in v0.1.12
func (c *TransitLRU) Size() int
func (*TransitLRU) Store ¶ added in v0.1.12
func (c *TransitLRU) Store(key, value interface{})
type TransitSyncMap ¶ added in v0.1.12
type TransitSyncMap struct {
// contains filtered or unexported fields
}
func NewTransitSyncMap ¶ added in v0.1.12
func NewTransitSyncMap() *TransitSyncMap
func (*TransitSyncMap) Delete ¶ added in v0.1.12
func (c *TransitSyncMap) Delete(key interface{})
func (*TransitSyncMap) Load ¶ added in v0.1.12
func (c *TransitSyncMap) Load(key interface{}) (value interface{}, ok bool)
func (*TransitSyncMap) Size ¶ added in v0.1.12
func (c *TransitSyncMap) Size() int
func (*TransitSyncMap) Store ¶ added in v0.1.12
func (c *TransitSyncMap) Store(key, value interface{})
Source Files
Click to show internal directories.
Click to hide internal directories.