pkg

package
v0.13.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2020 License: GPL-3.0 Imports: 28 Imported by: 12

Documentation

Index

Constants

View Source 
const MinKeySize = 2048

MinKeySize defines the minimum (RSA) key size

View Source 
const ModuleName = "Crypto"

ModuleName == Registry

Variables

View Source 
var ErrCSRSignatureInvalid = core.NewError("CSR signature is invalid", false)

ErrCSRSignatureInvalid indicates the signature on the CSR (Proof of Possesion) is invalid

View Source 
var ErrCertificateNotTrusted = errors.New("X.509 certificate not trusted")

ErrCertificateNotTrusted indicates that the X.509 certificate is not trusted noinspection GoErrorStringFormat

View Source 
var ErrCertificateNotValidAtSigningTime = errors.New("X.509 certificate was not valid at the time of signing")

ErrCertificateNotValidAtSigningTime indicates the X.509 certificate was not valid (NotBefore/NotAfter) at the time at which the signing took place. noinspection GoErrorStringFormat

View Source 
var ErrIllegalNonce = core.NewError("illegal nonce given", false)

ErrIllegalNonce indicates an incorrect nonce

View Source 
var ErrInvalidAlgorithm = core.NewError("invalid algorithm for public key", false)

ErrInvalidAlgorithm indicates an invalid public key was used

View Source 
var ErrInvalidCertChain = errors.New("X.509 certificate chain is invalid")

ErrInvalidCertChain indicates that the provided X.509 certificate chain is invalid noinspection GoErrorStringFormat

View Source 
var ErrInvalidKeySize = core.NewError(fmt.Sprintf("invalid keySize, needs to be at least %d bits", MinKeySize), false)

ErrInvalidKeySize is returned when the keySize for new keys is too short

View Source 
var ErrMissingActor = core.NewError("missing actor", false)

ErrMissingActor indicates the actor is missing

View Source 
var ErrMissingLegalEntityURI = core.NewError("missing legalEntity URI", false)

ErrMissingLegalEntityURI is returned when a required legal entity is missing

View Source 
var ErrMissingSubject = core.NewError("missing subject", false)

ErrMissingSubject indicates the Subject is missing

View Source 
var ErrRsaPubKeyConversion = core.NewError("Unable to convert public key to RSA public key", false)

ErrRsaPubKeyConversion indicates a public key could not be converted to an RSA public key

View Source 
var ErrUnableToParseCSR = core.NewError("unable to parse CSR", false)

ErrUnableToParseCSR indicates the CSR is invalid

View Source 
var ErrUnknownCA = core.NewError("unknown CA", false)

ErrUnknownCA indicates that the signing CA is unknown (e.g. its keys are unavailable for signing)

View Source 
var ErrWrongPublicKey = core.NewError("failed to decode PEM block containing public key, key is of the wrong type", false)

ErrWrongPublicKey indicates a wrong public key format

Functions

func CertificateToJWK 

func CertificateToJWK(cert *x509.Certificate) (jwk.Key, error)

CertificateToJWK constructs a new JWK based on the given X.509 certificate.

func GetX509ChainFromHeaders 

func GetX509ChainFromHeaders(headers jwkHeaderReader) ([]*x509.Certificate, error)

GetX509ChainFromHeaders tries to retrieve the X.509 certificate chain ("x5c") from the JWK/JWS and parse it. If it doesn't contain the "x5c" header, nil is returned. If the header is present but it couldn't be parsed, an error is returned.

func JwkToMap 

func JwkToMap(key jwk.Key) (map[string]interface{}, error)

JwkToMap transforms a Jwk key to a map. Can be used for json serialization

func MapToJwk 

func MapToJwk(jwkAsMap map[string]interface{}) (jwk.Key, error)

MapToJwk transforms a Jwk in map structure to a Jwk Key. The map structure is a typical result from json deserialization.

func MapToX509CertChain 

func MapToX509CertChain(jwkAsMap map[string]interface{}) ([]*x509.Certificate, error)

func MapsToJwkSet 

func MapsToJwkSet(maps []map[string]interface{}) (*jwk.Set, error)

MapsToJwkSet transforms JWKs in map structures to a JWK set, just like MapToJwk.

func PemToJwk 

func PemToJwk(pub []byte) (jwk.Key, error)

PemToJwk transforms pem to jwk for PublicKey

func PemToPublicKey 

func PemToPublicKey(pub []byte) (*rsa.PublicKey, error)

PemToPublicKey converts a PEM encoded public key to an rsa.PublicKeyInPEM

func PublicKeyToPem 

func PublicKeyToPem(pub *rsa.PublicKey) (string, error)

PublicKeyToPem converts an rsa.PublicKeyInPEM to PEM encoding

func ValidateJWK 

func ValidateJWK(maps ...interface{}) error

ValidateJWK tests whether the given map (all) can is a parsable representation of a JWK. If not, an error is returned. If nil is returned, all supplied maps are parsable as JWK.

Types

type CertificateProfile 

type CertificateProfile struct {
	KeyUsage x509.KeyUsage
	IsCA     bool
	// MaxPathLen is ignored when IsCa = false
	MaxPathLen int
	// NumDaysValid is the number of days the certificate is valid, starting today
	NumDaysValid int
	// contains filtered or unexported fields
}

CertificateProfile is used to specify input parameters for certificate issuance.

type CertificateVerifier 

type CertificateVerifier interface {
	Verify(*x509.Certificate) error
}

type Client 

type Client interface {
	// decrypt a cipherText for the given legalEntity
	DecryptKeyAndCipherTextFor(cipherText types.DoubleEncryptedCipherText, legalEntity types.LegalEntity) ([]byte, error)
	// EncryptKeyAndPlainTextFor encrypts a piece of data for the given public keys
	EncryptKeyAndPlainTextWith(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
	// ExternalIdFor calculates an externalId for a (custodian, subject, actor) triple. Where the custodian is needed for private key selection
	ExternalIdFor(subject string, actor string, entity types.LegalEntity) ([]byte, error)
	// GenerateKeyPairFor creates a KeyPair on the storage for given legalEntity
	GenerateKeyPairFor(legalEntity types.LegalEntity) error
	// SignFor signs a piece of data for a legal entity
	SignFor(data []byte, legalEntity types.LegalEntity) ([]byte, error)
	// SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.
	SignCertificate(entity types.LegalEntity, ca types.LegalEntity, pkcs10 []byte, profile CertificateProfile) ([]byte, error)
	// GetOpaquePrivateKey returns the current private key for a given legal entity. It can be used for signing, but cannot be exported.
	GetOpaquePrivateKey(entity types.LegalEntity) (crypto.Signer, error)
	// VerifyWith verifies a signature for a given jwk
	VerifyWith(data []byte, sig []byte, jwk jwk.Key) (bool, error)
	// PublicKeyInPEM returns the PEM encoded PublicKey for a given legal entity
	PublicKeyInPEM(legalEntity types.LegalEntity) (string, error)
	// PublicKeyInJWK returns the JWK encoded PublicKey for a given legal entity
	PublicKeyInJWK(legalEntity types.LegalEntity) (jwk.Key, error)
	// SignJwtFor creates a signed JWT given a legalEntity and map of claims
	SignJwtFor(claims map[string]interface{}, legalEntity types.LegalEntity) (string, error)
	// JWSSignEphemeral signs payload according to the JWS spec with a temporary key and certificate which are generated just for this operation.
	// In other words, the key and certificate are not stored and cannot be used for any other cryptographic operation.
	// The certificate's validity is as short as possible, just spanning the instant of signing.
	//  payload:     data to be signed
	//  ca:          Certificate Authority which should issue the certificate.
	//  csr:         Certificate Signing Request which is used for issuing the X.509 certificate which is included in the JWS.
	//               The CSR indicates which entity (e.g. vendor, organization, etc) is signing the payload.
	//  signingTime: instant which is checked later when verifying the signature. The certificate will just span this instant.
	JWSSignEphemeral(payload []byte, ca types.LegalEntity, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)
	// VerifyJWS verifies a JWS ("signature"): it parses the JWS, checks if it's been signed with the expected algorithm,
	// if it's signed with a certificate supplied in the "x5c" field of the JWS, if the certificate is trusted according
	// to the certificate verifier and whether the certificate was valid at the time of signing ("signingTime").
	// If the verification succeeds the payload that the JWS protects is returned.
	// If any of the verifications fail an error is returned (and no payload).
	VerifyJWS(signature []byte, signingTime time.Time, certVerifier CertificateVerifier) ([]byte, error)
	// KeyExistsFor returns a simple true if a key has been generated for the given legal entity
	KeyExistsFor(legalEntity types.LegalEntity) bool
}

CryptoClient defines the functions than can be called by a Cmd, Direct or via rest call.

func NewCryptoClient 

func NewCryptoClient() Client

NewCryptoClient returns a CryptoClient which either resolves call directly to the engine or uses a REST client.

type Crypto 

type Crypto struct {
	Storage storage.Storage
	Config  CryptoConfig
	// contains filtered or unexported fields
}

default implementation for CryptoInstance

func CryptoInstance 

func CryptoInstance() *Crypto

func (*Crypto) Configure 

func (client *Crypto) Configure() error

Configure loads the given configurations in the engine. Any wrong combination will return an error

func (*Crypto) DecryptKeyAndCipherTextFor 

func (client *Crypto) DecryptKeyAndCipherTextFor(cipherText types.DoubleEncryptedCipherText, legalEntity types.LegalEntity) ([]byte, error)

Main decryption function, first the symmetric key will be decrypted using the private key of the legal entity. The resulting symmetric key will then be used to decrypt the given cipherText.

func (*Crypto) EncryptKeyAndPlainTextWith 

func (client *Crypto) EncryptKeyAndPlainTextWith(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)

EncryptKeyAndPlainTextFor encrypts a piece of data for the given public key

func (*Crypto) ExternalIdFor 

func (client *Crypto) ExternalIdFor(subject string, actor string, entity types.LegalEntity) ([]byte, error)

ExternalIdFor creates an unique identifier which is repeatable. It uses the legalEntity private key as key. This is not for security but does generate the same unique identifier every time. It should only be used as unique identifier for consent records. Using the private key also ensure the BSN can not be deduced from the externalID. todo: check by others if this makes sense

func (*Crypto) GenerateKeyPairFor 

func (client *Crypto) GenerateKeyPairFor(legalEntity types.LegalEntity) error

generate a new rsa keypair for the given legalEntity. The legalEntity uri is base64 encoded and used as filename for the key.

func (*Crypto) GetOpaquePrivateKey 

func (client *Crypto) GetOpaquePrivateKey(entity types.LegalEntity) (crypto.Signer, error)

GetOpaquePrivateKey returns the current private key for a given legal entity. It can be used for signing, but cannot be exported.

func (Crypto) JWSSignEphemeral 

func (client Crypto) JWSSignEphemeral(payload []byte, ca types.LegalEntity, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)

func (*Crypto) KeyExistsFor 

func (client *Crypto) KeyExistsFor(legalEntity types.LegalEntity) bool

KeyExistsFor checks storage for an entry for the given legal entity and returns true if it exists

func (*Crypto) PublicKeyInJWK 

func (client *Crypto) PublicKeyInJWK(legalEntity types.LegalEntity) (jwk.Key, error)

PublicKeyInJWK loads the key from storage and wraps it in a Key format. Supports RSA, ECDSA and Symmetric style keys

func (*Crypto) PublicKeyInPEM 

func (client *Crypto) PublicKeyInPEM(legalEntity types.LegalEntity) (string, error)

PublicKeyInPEM loads the key from storage and returns it as PEM encoded. Only supports RSA style keys

func (*Crypto) SignCertificate 

func (client *Crypto) SignCertificate(entity types.LegalEntity, ca types.LegalEntity, pkcs10 []byte, profile CertificateProfile) ([]byte, error)

SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.

func (*Crypto) SignFor 

func (client *Crypto) SignFor(data []byte, legalEntity types.LegalEntity) ([]byte, error)

SignFor signs a piece of data for a legal entity. This requires the private key for the legal entity to be present. It is expected that the plain data is given. It uses the SHA256 hashing function todo: SHA_256?

func (*Crypto) SignJwtFor 

func (client *Crypto) SignJwtFor(claims map[string]interface{}, legalEntity types.LegalEntity) (string, error)

SignJwtFor creates a signed JWT given a legalEntity and map of claims

func (*Crypto) VerifyJWS 

func (client *Crypto) VerifyJWS(signature []byte, signingTime time.Time, certVerifier CertificateVerifier) ([]byte, error)

func (*Crypto) VerifyWith 

func (client *Crypto) VerifyWith(data []byte, sig []byte, key jwk.Key) (bool, error)

VerifyWith verfifies a signature of some data with a given PublicKeyInPEM. It uses the SHA256 hashing function.

type CryptoConfig 

type CryptoConfig struct {
	Keysize int
	Storage string
	Fspath  string
}

Source Files

View all Source files

Directories

Path Synopsis
The backend package contains the various options for storing the actual private keys.
 The backend package contains the various options for storing the actual private keys.
types and interfaces used by all other packages
 types and interfaces used by all other packages

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.