pkg

package
v0.14.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 22, 2020 License: GPL-3.0 Imports: 28 Imported by: 12

Documentation

Index

Constants

View Source
const MinKeySize = 2048

MinKeySize defines the minimum (RSA) key size

View Source
const TLSCertificateValidityInDays = 60

TLSCertificateValidityInDays holds the number of days issued TLS certificates are valid

Variables

View Source
var ErrCSRSignatureInvalid = core.NewError("CSR signature is invalid", false)

ErrCSRSignatureInvalid indicates the signature on the CSR (Proof of Possesion) is invalid

View Source
var ErrCertificateNotTrusted = errors.New("X.509 certificate not trusted")

ErrCertificateNotTrusted indicates that the X.509 certificate is not trusted noinspection GoErrorStringFormat

View Source
var ErrIllegalNonce = core.NewError("illegal nonce given", false)

ErrIllegalNonce indicates an incorrect nonce

View Source
var ErrInvalidAlgorithm = core.NewError("invalid algorithm for public key", false)

ErrInvalidAlgorithm indicates an invalid public key was used

View Source
var ErrInvalidCertChain = errors.New("X.509 certificate chain is invalid")

ErrInvalidCertChain indicates that the provided X.509 certificate chain is invalid noinspection GoErrorStringFormat

View Source
var ErrInvalidKeyIdentifier = core.NewError("invalid key identifier", false)

ErrInvalidKeyIdentifier is returned when the provided key identifier isn't valid

View Source
var ErrInvalidKeySize = core.NewError(fmt.Sprintf("invalid keySize, needs to be at least %d bits", MinKeySize), false)

ErrInvalidKeySize is returned when the keySize for new keys is too short

View Source
var ErrMissingActor = core.NewError("missing actor", false)

ErrMissingActor indicates the actor is missing

View Source
var ErrMissingSubject = core.NewError("missing subject", false)

ErrMissingSubject indicates the Subject is missing

View Source
var ErrUnableToParseCSR = core.NewError("unable to parse CSR", false)

ErrUnableToParseCSR indicates the CSR is invalid

View Source
var ErrUnknownCA = core.NewError("unknown CA", false)

ErrUnknownCA indicates that the signing CA is unknown (e.g. its keys are unavailable for signing)

Functions

This section is empty.

Types

type CertificateProfile

type CertificateProfile struct {
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
	IsCA        bool
	// MaxPathLen is ignored when IsCa = false
	MaxPathLen int
	// NumDaysValid is the number of days the certificate is valid, starting today
	NumDaysValid int
	// contains filtered or unexported fields
}

CertificateProfile is used to specify input parameters for certificate issuance.

type Client

type Client interface {
	// DecryptKeyAndCipherText decrypts a cipherText using the given key (private key must be present).
	DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)
	// EncryptKeyAndPlainText encrypts a piece of data for the given public keys
	EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
	// CalculateExternalId calculates an externalId for a (custodian, subject, actor) triple using the given key (private key must be present).
	CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)
	// GenerateKeyPair generates a key pair. If the key already exists, it is overwritten and associated certificates are removed.
	GenerateKeyPair(key types.KeyIdentifier) (crypto.PublicKey, error)
	// SignFor signs a piece of data using the given key (private key must be present).
	Sign(data []byte, key types.KeyIdentifier) ([]byte, error)
	// SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.
	SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, profile CertificateProfile) ([]byte, error)
	// GetPrivateKey returns the specified private key (for e.g. signing) in non-exportable form.
	GetPrivateKey(key types.KeyIdentifier) (crypto.Signer, error)
	// VerifyWith verifies a signature for a given jwk
	VerifyWith(data []byte, sig []byte, jwk jwk.Key) (bool, error)
	// GetTLSCertificate retrieves a TLS certificate which is issued under the given key. If there's no TLS certificate for the
	// given entity or it has expired, a new certificate will be issued. As such, the key MUST be a Certificate Authority
	// or otherwise an error will be returned.
	//
	// If all goes well, the TLS certificate is returned alongside the corresponding private key.
	GetTLSCertificate(caKey types.KeyIdentifier) (*x509.Certificate, crypto.PrivateKey, error)
	// GetPublicKeyAsPEM returns the PEM encoded PublicKey
	GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)
	// GetPublicKeyAsJWK returns the JWK encoded PublicKey for a given legal entity
	GetPublicKeyAsJWK(key types.KeyIdentifier) (jwk.Key, error)
	// SignJWT creates a signed JWT using the given key and map of claims (private key must be present).
	SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (string, error)
	// SignJWSEphemeral signs payload according to the JWS spec with a temporary key and certificate which are generated just for this operation.
	// In other words, the key and certificate are not stored and cannot be used for any other cryptographic operation.
	// The certificate's validity is as short as possible, just spanning the instant of signing.
	//  payload:     data to be signed
	//  caKey:       key of the Certificate Authority which should issue the certificate (private key and certificate must be present).
	//  csr:         Certificate Signing Request which is used for issuing the X.509 certificate which is included in the JWS.
	//               The CSR indicates which entity (e.g. vendor, organization, etc) is signing the payload.
	//  signingTime: instant which is checked later when verifying the signature. The certificate will just span this instant.
	SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)
	// VerifyJWS verifies a JWS ("signature"): it parses the JWS, checks if it's been signed with the expected algorithm,
	// if it's signed with a certificate supplied in the "x5c" field of the JWS, if the certificate is trusted according
	// to the certificate verifier and whether the certificate was valid at the time of signing ("signingTime").
	// If the verification succeeds the payload that the JWS protects is returned.
	// If any of the verifications fail an error is returned (and no payload).
	VerifyJWS(signature []byte, signingTime time.Time, certVerifier cert.Verifier) ([]byte, error)
	// PrivateKeyExists returns if the specified private key eixsts.
	PrivateKeyExists(key types.KeyIdentifier) bool
	// TrustStore returns the trust store backing the crypto module.
	TrustStore() cert.TrustStore
}

CryptoClient defines the functions than can be called by a Cmd, Direct or via rest call.

func NewCryptoClient

func NewCryptoClient() Client

NewCryptoClient returns a CryptoClient which either resolves call directly to the engine or uses a REST client.

type Crypto

type Crypto struct {
	Storage storage.Storage
	Config  CryptoConfig
	// contains filtered or unexported fields
}

default implementation for CryptoInstance

func CryptoInstance

func CryptoInstance() *Crypto

func (*Crypto) CalculateExternalId added in v0.14.0

func (client *Crypto) CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)

CalculateExternalId creates an unique identifier which is repeatable. It uses the legalEntity private key as key. This is not for security but does generate the same unique identifier every time. It should only be used as unique identifier for consent records. Using the private key also ensure the BSN can not be deduced from the externalID. todo: check by others if this makes sense

func (*Crypto) Configure

func (client *Crypto) Configure() error

Configure loads the given configurations in the engine. Any wrong combination will return an error

func (*Crypto) DecryptKeyAndCipherText added in v0.14.0

func (client *Crypto) DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)

Main decryption function, first the symmetric key will be decrypted using the private key of the legal entity. The resulting symmetric key will then be used to decrypt the given cipherText.

func (*Crypto) EncryptKeyAndPlainText added in v0.14.0

func (client *Crypto) EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)

EncryptKeyAndPlainTextFor encrypts a piece of data for the given public key

func (*Crypto) GenerateKeyPair added in v0.14.0

func (client *Crypto) GenerateKeyPair(key types.KeyIdentifier) (crypto.PublicKey, error)

GenerateKeyPair generates a new key pair. If a key pair with the same identifier already exists, it is overwritten.

func (*Crypto) GetPrivateKey added in v0.14.0

func (client *Crypto) GetPrivateKey(key types.KeyIdentifier) (crypto.Signer, error)

GetPrivateKey returns the specified private key. It can be used for signing, but cannot be exported.

func (*Crypto) GetPublicKeyAsJWK added in v0.14.0

func (client *Crypto) GetPublicKeyAsJWK(key types.KeyIdentifier) (jwk.Key, error)

PublicKeyInJWK loads the key from storage and wraps it in a Key format. Supports RSA, ECDSA and Symmetric style keys

func (*Crypto) GetPublicKeyAsPEM added in v0.14.0

func (client *Crypto) GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)

PublicKeyInPEM loads the key from storage and returns it as PEM encoded. Only supports RSA style keys

func (*Crypto) GetTLSCertificate added in v0.14.0

func (client *Crypto) GetTLSCertificate(caKey types.KeyIdentifier) (*x509.Certificate, crypto.PrivateKey, error)

func (*Crypto) PrivateKeyExists added in v0.14.0

func (client *Crypto) PrivateKeyExists(key types.KeyIdentifier) bool

PrivateKeyExists checks storage for an entry for the given legal entity and returns true if it exists

func (*Crypto) Sign added in v0.14.0

func (client *Crypto) Sign(data []byte, key types.KeyIdentifier) ([]byte, error)

SignFor signs a piece of data using the given key. It is expected that the plain data is given, and it uses the SHA256 hashing function. todo: SHA_256?

func (*Crypto) SignCertificate

func (client *Crypto) SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, profile CertificateProfile) ([]byte, error)

SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.

func (Crypto) SignJWSEphemeral added in v0.14.0

func (client Crypto) SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)

func (*Crypto) SignJWT added in v0.14.0

func (client *Crypto) SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (string, error)

SignJwtFor creates a signed JWT given a legalEntity and map of claims

func (Crypto) TrustStore added in v0.14.0

func (client Crypto) TrustStore() cert.TrustStore

func (*Crypto) VerifyJWS

func (client *Crypto) VerifyJWS(signature []byte, signingTime time.Time, certVerifier cert.Verifier) ([]byte, error)

func (*Crypto) VerifyWith

func (client *Crypto) VerifyWith(data []byte, sig []byte, key jwk.Key) (bool, error)

VerifyWith verfifies a signature of some data with a given PublicKeyInPEM. It uses the SHA256 hashing function.

type CryptoConfig

type CryptoConfig struct {
	Keysize int
	Storage string
	Fspath  string
}

Directories

Path Synopsis
The backend package contains the various options for storing the actual private keys.
The backend package contains the various options for storing the actual private keys.
types and interfaces used by all other packages
types and interfaces used by all other packages

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL