Documentation
¶
Index ¶
- Constants
- Variables
- type AuthProvider
- type CACertReq
- type CertKeyInfo
- type CertKeyLevel
- type CertKeyPair
- type CertLevelType
- type CertMeta
- type CertReq
- type CertSerialNumber
- type CertStorage
- type CertTool
- func (c *CertTool) CreateCertificate(req *x509.CertificateRequest, meta *CertMeta) (*x509.Certificate, error)
- func (c *CertTool) CreateCertificateRequest(req *CertReq, curKeyPair *CertKeyPair) (*x509.CertificateRequest, error)
- func (c *CertTool) CreateIntermediateCACertificate(req *CACertReq, ca *x509.Certificate, caKeyPair, curKeyPair *CertKeyPair) (*x509.Certificate, error)
- func (c *CertTool) CreateRootCACertificate(req *CACertReq, keyPair *CertKeyPair) (*x509.Certificate, error)
- func (c *CertTool) SetupDefaultServerCertKeyUsage() *CertTool
- type DefaultKeyStorage
- func (d *DefaultKeyStorage) FetchL2DataKey(name string) (int64, KeyType, []byte, error)
- func (d *DefaultKeyStorage) FetchLevel2KeySet(name string) (int64, *KeySet, error)
- func (d *DefaultKeyStorage) LoadL2DataKeyById(id int64) (KeyType, []byte, error)
- func (d *DefaultKeyStorage) LoadLevel2KeySetById(id int64) (*KeySet, error)
- func (d *DefaultKeyStorage) SetupUnsealProviderAndWait(provider UnsealProvider) error
- func (d *DefaultKeyStorage) StoreL2DataKey(l1KeyName, name string, keyType KeyType, key []byte) error
- func (d *DefaultKeyStorage) StoreLevel1KeySet(name string, key *KeySet) error
- func (d *DefaultKeyStorage) StoreLevel2KeySet(level1KeyName, name string, key *KeySet) error
- type GeneralKeyGen
- func (g GeneralKeyGen) Aes128() ([]byte, error)
- func (g GeneralKeyGen) ECDSA(keyType KeyType) ([]byte, error)
- func (g GeneralKeyGen) General128B() ([]byte, error)
- func (g GeneralKeyGen) General64B() ([]byte, error)
- func (g GeneralKeyGen) GenerateVitalKeySet() (*KeySet, error)
- func (g GeneralKeyGen) RSA(keyType KeyType) ([]byte, error)
- type KeyGen
- type KeySet
- func (k *KeySet) Aes() (cipher.Block, error)
- func (k *KeySet) AesGCMDec(encrypted, nonce []byte) ([]byte, error)
- func (k *KeySet) AesGCMEnc(data []byte) ([]byte, []byte, error)
- func (k *KeySet) CalculateCrc()
- func (k *KeySet) Ecdsa() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)
- func (k *KeySet) Ed25519() (ed25519.PrivateKey, ed25519.PublicKey, error)
- func (k *KeySet) LoadFromBytes(data []byte) error
- func (k *KeySet) Rsa() (*rsa.PrivateKey, error)
- func (k *KeySet) SaveAsBytes() ([]byte, error)
- func (k *KeySet) VerifyCrc() bool
- type KeySetAlg
- type KeyStorage
- type KeyType
- type Level2CipherTool
- func (l *Level2CipherTool) Aes128Decrypt(keyId int64, ciphertext, nonce, additionalData []byte) (rPlaintext []byte, rerr error)
- func (l *Level2CipherTool) Aes128Encrypt(name string, plaintext, additionalData []byte) (keyId int64, rCiphertext, rNonce []byte, rerr error)
- func (l *Level2CipherTool) NewAes128Key(name string) error
- func (l *Level2CipherTool) NewEcdsaKey(name string, keyType KeyType) error
- func (l *Level2CipherTool) NewGeneral128BKey(name string) error
- func (l *Level2CipherTool) NewGeneral64BKey(name string) error
- func (l *Level2CipherTool) NewRsaKey(name string, keyType KeyType) error
- type PemTool
- func (p *PemTool) EncodeCertificate(cert *x509.Certificate) ([]byte, error)
- func (p *PemTool) EncodeCertificateRequest(csr []byte) ([]byte, error)
- func (p *PemTool) EncodeCertificateRevocationList(csr []byte) ([]byte, error)
- func (p *PemTool) EncodeCustom(data []byte, typeName string) ([]byte, error)
- func (p *PemTool) EncodeECDSAPrivateKey(pri *ecdsa.PrivateKey) ([]byte, error)
- func (p *PemTool) EncodeKeySet(ks *KeySet) ([]byte, error)
- func (p *PemTool) EncodeRsaPrivateKey(pri *rsa.PrivateKey) ([]byte, error)
- func (p *PemTool) ParseCertificate(data []byte) (*x509.Certificate, error)
- func (p *PemTool) ParseCertificateRequest(pemData []byte) (*x509.CertificateRequest, error)
- func (p *PemTool) ParseCertificateRevocationList(pemData []byte) (*x509.RevocationList, error)
- func (p *PemTool) ParseCustom(data []byte) ([]byte, error)
- func (p *PemTool) ParseECDSAPrivateKey(data []byte) (*ecdsa.PrivateKey, error)
- func (p *PemTool) ParseKeySet(data []byte) (*KeySet, error)
- func (p *PemTool) ParseRsaPrivateKey(data []byte) (*rsa.PrivateKey, error)
- type UnsealProvider
- type UnsealResponse
Constants ¶
View Source
const ( DefaultTokenString = "secret/default_token" TokenName = "secret_token" )
Variables ¶
View Source
var ( ErrUnsealFailedOnMismatchToken = errors.New("unseal failed on mismatch token") ErrNoSuchKey = errors.New("no such key") )
View Source
var ( ErrLevel1KeySetIsNotLoaded = errors.New("secretapi: secret store does not have the level 1 key loaded") ErrNoStoredUnsealTokenExists = errors.New("secretapi: secret store does not have the unsealed token") )
Functions ¶
This section is empty.
Types ¶
type AuthProvider ¶
type CACertReq ¶
type CertKeyInfo ¶
type CertKeyInfo struct {
CertKeyLevel CertKeyLevel
CertKeyId string
}
type CertKeyLevel ¶
type CertKeyLevel int
const ( CertKeyLevelLevel1Rsa CertKeyLevel = iota + 1001 CertKeyLevelLevel1Ecdsa )
const ( CertKeyLevelLevel2Rsa CertKeyLevel = iota + 2001 CertKeyLevelLevel2Ecdsa CertKeyLevelLevel2Custom CertKeyLevel = 2999 )
const (
CertKeyLevelUnseal CertKeyLevel = iota + 1
)
type CertKeyPair ¶
CertKeyPair is used for issuing new certificates If the key pair is from an external provider, crypto.PrivateKey and crypto.PublicKey interfaces can be implemented.
func (*CertKeyPair) FromPrivateKey ¶
func (k *CertKeyPair) FromPrivateKey(pri crypto.Signer) *CertKeyPair
type CertLevelType ¶
type CertLevelType int
const ( CertLevelTypeRootCA CertLevelType = iota + 1 CertLevelTypeIntermediateCA CertLevelTypeCert )
type CertMeta ¶
type CertMeta struct {
SerialNumber *big.Int
StartTime time.Time
ExpireTime time.Time
Version int
SignerCert *x509.Certificate
Signer *CertKeyPair
}
type CertSerialNumber ¶
type CertSerialNumber string
func (*CertSerialNumber) FromBigInt ¶
func (s *CertSerialNumber) FromBigInt(i *big.Int)
func (*CertSerialNumber) FromBytes ¶
func (s *CertSerialNumber) FromBytes(data []byte)
func (*CertSerialNumber) FromInt64 ¶
func (s *CertSerialNumber) FromInt64(n int64)
type CertStorage ¶
type CertStorage interface {
SaveRootCA(certName string, cert *x509.Certificate, keyInfo CertKeyInfo) (CertSerialNumber, error)
SaveIntermediateCA(certName string, caCertSerialNumber CertSerialNumber, cert *x509.Certificate, keyInfo CertKeyInfo) (CertSerialNumber, error)
SaveCert(certName string, caCertSerialNumber CertSerialNumber, cert *x509.Certificate, keyInfo CertKeyInfo) (CertSerialNumber, error)
LoadCertByName(certName string, certLevelType CertLevelType) (*x509.Certificate, CertKeyInfo, error)
LoadCertById(certSerialNumber CertSerialNumber) (*x509.Certificate, CertLevelType, CertKeyInfo, error)
NextCertSerialNumber() (CertSerialNumber, error)
}
type CertTool ¶
type CertTool struct {
EndUserCertKeyUsage x509.KeyUsage
EndUserCertExtKeyUsage []x509.ExtKeyUsage
}
func (*CertTool) CreateCertificate ¶
func (c *CertTool) CreateCertificate(req *x509.CertificateRequest, meta *CertMeta) (*x509.Certificate, error)
func (*CertTool) CreateCertificateRequest ¶
func (c *CertTool) CreateCertificateRequest(req *CertReq, curKeyPair *CertKeyPair) (*x509.CertificateRequest, error)
func (*CertTool) CreateIntermediateCACertificate ¶
func (c *CertTool) CreateIntermediateCACertificate(req *CACertReq, ca *x509.Certificate, caKeyPair, curKeyPair *CertKeyPair) (*x509.Certificate, error)
func (*CertTool) CreateRootCACertificate ¶
func (c *CertTool) CreateRootCACertificate(req *CACertReq, keyPair *CertKeyPair) (*x509.Certificate, error)
func (*CertTool) SetupDefaultServerCertKeyUsage ¶
type DefaultKeyStorage ¶
type DefaultKeyStorage struct {
}
func (*DefaultKeyStorage) FetchL2DataKey ¶
func (*DefaultKeyStorage) FetchLevel2KeySet ¶
func (d *DefaultKeyStorage) FetchLevel2KeySet(name string) (int64, *KeySet, error)
func (*DefaultKeyStorage) LoadL2DataKeyById ¶
func (d *DefaultKeyStorage) LoadL2DataKeyById(id int64) (KeyType, []byte, error)
func (*DefaultKeyStorage) LoadLevel2KeySetById ¶
func (d *DefaultKeyStorage) LoadLevel2KeySetById(id int64) (*KeySet, error)
func (*DefaultKeyStorage) SetupUnsealProviderAndWait ¶
func (d *DefaultKeyStorage) SetupUnsealProviderAndWait(provider UnsealProvider) error
func (*DefaultKeyStorage) StoreL2DataKey ¶
func (d *DefaultKeyStorage) StoreL2DataKey(l1KeyName, name string, keyType KeyType, key []byte) error
func (*DefaultKeyStorage) StoreLevel1KeySet ¶
func (d *DefaultKeyStorage) StoreLevel1KeySet(name string, key *KeySet) error
func (*DefaultKeyStorage) StoreLevel2KeySet ¶
func (d *DefaultKeyStorage) StoreLevel2KeySet(level1KeyName, name string, key *KeySet) error
type GeneralKeyGen ¶
type GeneralKeyGen struct {
}
func (GeneralKeyGen) Aes128 ¶
func (g GeneralKeyGen) Aes128() ([]byte, error)
func (GeneralKeyGen) General128B ¶
func (g GeneralKeyGen) General128B() ([]byte, error)
func (GeneralKeyGen) General64B ¶
func (g GeneralKeyGen) General64B() ([]byte, error)
func (GeneralKeyGen) GenerateVitalKeySet ¶
func (g GeneralKeyGen) GenerateVitalKeySet() (*KeySet, error)
type KeyGen ¶
type KeyGen interface {
GenerateVitalKeySet() (*KeySet, error)
Aes128() ([]byte, error)
General64B() ([]byte, error)
General128B() ([]byte, error)
RSA(keyType KeyType) ([]byte, error)
ECDSA(keyType KeyType) ([]byte, error)
}
var DefaultKeyGen KeyGen = GeneralKeyGen{}
type KeySet ¶
type KeySet struct {
AES256 []byte `json:"aes256"`
CRC_AES256 string `json:"crc_aes256"`
RSA4096 []byte `json:"rsa_4096"`
CRC_RSA4096 string `json:"crc_rsa_4096"`
ECDSA_P521 []byte `json:"ecdsa_p521"`
CRC_ECDSA_P521 string `json:"crc_ecdsa_p521"`
ED25519_PRI []byte `json:"ed25519_pri"`
CRC_ED25519_PRI string `json:"crc_ed25519_pri"`
ED25519_PUB []byte `json:"ed25519_pub"`
CRC_ED25519_PUB string `json:"crc_ed25519_pub"`
}
func (*KeySet) CalculateCrc ¶
func (k *KeySet) CalculateCrc()
func (*KeySet) LoadFromBytes ¶
func (*KeySet) SaveAsBytes ¶
type KeyStorage ¶
type KeyStorage interface {
// SetupUnsealProviderAndWait sets up UnsealProvider for other operations which depend on it
SetupUnsealProviderAndWait(provider UnsealProvider) error
// StoreLevel1KeySet will create or rotate the level1 KeySet for the corresponding name with the given key
StoreLevel1KeySet(name string, key *KeySet) error
// StoreLevel2KeySet will create or rotate the level2 KeySet for the corresponding level1 and level2 names with the given key
StoreLevel2KeySet(level1KeyName, name string, key *KeySet) error
// FetchLevel2KeySet fetches the raw key data for external use
FetchLevel2KeySet(name string) (int64, *KeySet, error)
// StoreL2DataKey will create or rotate the level2 specific type of key
StoreL2DataKey(l1KeyName, name string, keyType KeyType, key []byte) error
// FetchL2DataKey fetches the raw data for external use
FetchL2DataKey(name string) (int64, KeyType, []byte, error)
// LoadLevel2KeySetById loads KeySet by id
//
// This method should be only used for decryption since it will retrieve the key regardless of key status.
LoadLevel2KeySetById(id int64) (*KeySet, error)
// LoadL2DataKeyById loads data key by id
//
// This method should be only used for decryption since it will retrieve the key regardless of key status.
LoadL2DataKeyById(id int64) (KeyType, []byte, error)
}
type Level2CipherTool ¶
type Level2CipherTool struct {
// contains filtered or unexported fields
}
func NewLevel2CipherTool ¶
func NewLevel2CipherTool(storage KeyStorage, keyGen KeyGen, l1key string) *Level2CipherTool
func (*Level2CipherTool) Aes128Decrypt ¶
func (l *Level2CipherTool) Aes128Decrypt(keyId int64, ciphertext, nonce, additionalData []byte) (rPlaintext []byte, rerr error)
func (*Level2CipherTool) Aes128Encrypt ¶
func (*Level2CipherTool) NewAes128Key ¶
func (l *Level2CipherTool) NewAes128Key(name string) error
func (*Level2CipherTool) NewEcdsaKey ¶
func (l *Level2CipherTool) NewEcdsaKey(name string, keyType KeyType) error
func (*Level2CipherTool) NewGeneral128BKey ¶
func (l *Level2CipherTool) NewGeneral128BKey(name string) error
func (*Level2CipherTool) NewGeneral64BKey ¶
func (l *Level2CipherTool) NewGeneral64BKey(name string) error
type PemTool ¶
type PemTool struct {
}
PemTool supports encoding and decoding pem cert and private keys Pending items: password private key, bundled cert file
func NewPemTool ¶
func NewPemTool() *PemTool
func (*PemTool) EncodeCertificate ¶
func (p *PemTool) EncodeCertificate(cert *x509.Certificate) ([]byte, error)
func (*PemTool) EncodeCertificateRequest ¶
func (*PemTool) EncodeCertificateRevocationList ¶
func (*PemTool) EncodeCustom ¶
func (*PemTool) EncodeECDSAPrivateKey ¶
func (p *PemTool) EncodeECDSAPrivateKey(pri *ecdsa.PrivateKey) ([]byte, error)
func (*PemTool) EncodeRsaPrivateKey ¶
func (p *PemTool) EncodeRsaPrivateKey(pri *rsa.PrivateKey) ([]byte, error)
func (*PemTool) ParseCertificate ¶
func (p *PemTool) ParseCertificate(data []byte) (*x509.Certificate, error)
func (*PemTool) ParseCertificateRequest ¶
func (p *PemTool) ParseCertificateRequest(pemData []byte) (*x509.CertificateRequest, error)
func (*PemTool) ParseCertificateRevocationList ¶
func (p *PemTool) ParseCertificateRevocationList(pemData []byte) (*x509.RevocationList, error)
func (*PemTool) ParseECDSAPrivateKey ¶
func (p *PemTool) ParseECDSAPrivateKey(data []byte) (*ecdsa.PrivateKey, error)
func (*PemTool) ParseRsaPrivateKey ¶
func (p *PemTool) ParseRsaPrivateKey(data []byte) (*rsa.PrivateKey, error)
type UnsealProvider ¶
type UnsealProvider interface {
// WaitUnsealOperation waits for provider to finish unseal operation.
// The provider may trigger external flows to allow users to provide unseal information.
// The caller may cancel the operation once it reaches the deadline via the context.
// The provider should kick off the previous operation if a new one triggered in order to ensure the security.
WaitUnsealOperation(ctx context.Context, encToken string) (*UnsealResponse, error)
UseKeyId() string
Encrypt(ctx context.Context, plaintext []byte) ([]byte, string, error)
Decrypt(ctx context.Context, ciphertext []byte) ([]byte, error)
}
type UnsealResponse ¶
Source Files
Click to show internal directories.
Click to hide internal directories.