Documentation ¶
Index ¶
- Constants
- Variables
- type CertificateProfile
- type Client
- type Crypto
- func (client *Crypto) CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)
- func (client *Crypto) Configure() error
- func (client *Crypto) DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)
- func (client *Crypto) EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
- func (client *Crypto) GenerateKeyPair(key types.KeyIdentifier) (crypto.PublicKey, error)
- func (client *Crypto) GetPrivateKey(key types.KeyIdentifier) (crypto.Signer, error)
- func (client *Crypto) GetPublicKeyAsJWK(key types.KeyIdentifier) (jwk.Key, error)
- func (client *Crypto) GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)
- func (client *Crypto) GetTLSCertificate(caKey types.KeyIdentifier) (*x509.Certificate, crypto.PrivateKey, error)
- func (client *Crypto) PrivateKeyExists(key types.KeyIdentifier) bool
- func (client *Crypto) Sign(data []byte, key types.KeyIdentifier) ([]byte, error)
- func (client *Crypto) SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, ...) ([]byte, error)
- func (client Crypto) SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, ...) ([]byte, error)
- func (client *Crypto) SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (string, error)
- func (client Crypto) TrustStore() cert.TrustStore
- func (client *Crypto) VerifyJWS(signature []byte, signingTime time.Time, certVerifier cert.Verifier) ([]byte, error)
- func (client *Crypto) VerifyWith(data []byte, sig []byte, key jwk.Key) (bool, error)
- type CryptoConfig
Constants ¶
const MinKeySize = 2048
MinKeySize defines the minimum (RSA) key size
const TLSCertificateValidityInDays = 60
TLSCertificateValidityInDays holds the number of days issued TLS certificates are valid
Variables ¶
var ErrCSRSignatureInvalid = core.NewError("CSR signature is invalid", false)
ErrCSRSignatureInvalid indicates the signature on the CSR (Proof of Possesion) is invalid
var ErrCertificateNotTrusted = errors.New("X.509 certificate not trusted")
ErrCertificateNotTrusted indicates that the X.509 certificate is not trusted noinspection GoErrorStringFormat
var ErrIllegalNonce = core.NewError("illegal nonce given", false)
ErrIllegalNonce indicates an incorrect nonce
var ErrInvalidAlgorithm = core.NewError("invalid algorithm for public key", false)
ErrInvalidAlgorithm indicates an invalid public key was used
var ErrInvalidCertChain = errors.New("X.509 certificate chain is invalid")
ErrInvalidCertChain indicates that the provided X.509 certificate chain is invalid noinspection GoErrorStringFormat
var ErrInvalidKeyIdentifier = core.NewError("invalid key identifier", false)
ErrInvalidKeyIdentifier is returned when the provided key identifier isn't valid
var ErrInvalidKeySize = core.NewError(fmt.Sprintf("invalid keySize, needs to be at least %d bits", MinKeySize), false)
ErrInvalidKeySize is returned when the keySize for new keys is too short
var ErrMissingActor = core.NewError("missing actor", false)
ErrMissingActor indicates the actor is missing
var ErrMissingSubject = core.NewError("missing subject", false)
ErrMissingSubject indicates the Subject is missing
var ErrUnableToParseCSR = core.NewError("unable to parse CSR", false)
ErrUnableToParseCSR indicates the CSR is invalid
var ErrUnknownCA = core.NewError("unknown CA", false)
ErrUnknownCA indicates that the signing CA is unknown (e.g. its keys are unavailable for signing)
Functions ¶
This section is empty.
Types ¶
type CertificateProfile ¶
type CertificateProfile struct { KeyUsage x509.KeyUsage ExtKeyUsage []x509.ExtKeyUsage IsCA bool // MaxPathLen is ignored when IsCa = false MaxPathLen int // NumDaysValid is the number of days the certificate is valid, starting today NumDaysValid int // contains filtered or unexported fields }
CertificateProfile is used to specify input parameters for certificate issuance.
type Client ¶
type Client interface { // DecryptKeyAndCipherText decrypts a cipherText using the given key (private key must be present). DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error) // EncryptKeyAndPlainText encrypts a piece of data for the given public keys EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error) // CalculateExternalId calculates an externalId for a (custodian, subject, actor) triple using the given key (private key must be present). CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error) // GenerateKeyPair generates a key pair. If the key already exists, it is overwritten and associated certificates are removed. GenerateKeyPair(key types.KeyIdentifier) (crypto.PublicKey, error) // SignFor signs a piece of data using the given key (private key must be present). Sign(data []byte, key types.KeyIdentifier) ([]byte, error) // SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store. SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, profile CertificateProfile) ([]byte, error) // GetPrivateKey returns the specified private key (for e.g. signing) in non-exportable form. GetPrivateKey(key types.KeyIdentifier) (crypto.Signer, error) // VerifyWith verifies a signature for a given jwk VerifyWith(data []byte, sig []byte, jwk jwk.Key) (bool, error) // GetTLSCertificate retrieves a TLS certificate which is issued under the given key. If there's no TLS certificate for the // given entity or it has expired, a new certificate will be issued. As such, the key MUST be a Certificate Authority // or otherwise an error will be returned. // // If all goes well, the TLS certificate is returned alongside the corresponding private key. GetTLSCertificate(caKey types.KeyIdentifier) (*x509.Certificate, crypto.PrivateKey, error) // GetPublicKeyAsPEM returns the PEM encoded PublicKey GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error) // GetPublicKeyAsJWK returns the JWK encoded PublicKey for a given legal entity GetPublicKeyAsJWK(key types.KeyIdentifier) (jwk.Key, error) // SignJWT creates a signed JWT using the given key and map of claims (private key must be present). SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (string, error) // SignJWSEphemeral signs payload according to the JWS spec with a temporary key and certificate which are generated just for this operation. // In other words, the key and certificate are not stored and cannot be used for any other cryptographic operation. // The certificate's validity is as short as possible, just spanning the instant of signing. // payload: data to be signed // caKey: key of the Certificate Authority which should issue the certificate (private key and certificate must be present). // csr: Certificate Signing Request which is used for issuing the X.509 certificate which is included in the JWS. // The CSR indicates which entity (e.g. vendor, organization, etc) is signing the payload. // signingTime: instant which is checked later when verifying the signature. The certificate will just span this instant. SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error) // VerifyJWS verifies a JWS ("signature"): it parses the JWS, checks if it's been signed with the expected algorithm, // if it's signed with a certificate supplied in the "x5c" field of the JWS, if the certificate is trusted according // to the certificate verifier and whether the certificate was valid at the time of signing ("signingTime"). // If the verification succeeds the payload that the JWS protects is returned. // If any of the verifications fail an error is returned (and no payload). VerifyJWS(signature []byte, signingTime time.Time, certVerifier cert.Verifier) ([]byte, error) // PrivateKeyExists returns if the specified private key eixsts. PrivateKeyExists(key types.KeyIdentifier) bool // TrustStore returns the trust store backing the crypto module. TrustStore() cert.TrustStore }
CryptoClient defines the functions than can be called by a Cmd, Direct or via rest call.
func NewCryptoClient ¶
func NewCryptoClient() Client
NewCryptoClient returns a CryptoClient which either resolves call directly to the engine or uses a REST client.
type Crypto ¶
type Crypto struct { Storage storage.Storage Config CryptoConfig // contains filtered or unexported fields }
default implementation for CryptoInstance
func CryptoInstance ¶
func CryptoInstance() *Crypto
func (*Crypto) CalculateExternalId ¶ added in v0.14.0
func (client *Crypto) CalculateExternalId(subject string, actor string, key types.KeyIdentifier) ([]byte, error)
CalculateExternalId creates an unique identifier which is repeatable. It uses the legalEntity private key as key. This is not for security but does generate the same unique identifier every time. It should only be used as unique identifier for consent records. Using the private key also ensure the BSN can not be deduced from the externalID. todo: check by others if this makes sense
func (*Crypto) Configure ¶
Configure loads the given configurations in the engine. Any wrong combination will return an error
func (*Crypto) DecryptKeyAndCipherText ¶ added in v0.14.0
func (client *Crypto) DecryptKeyAndCipherText(cipherText types.DoubleEncryptedCipherText, key types.KeyIdentifier) ([]byte, error)
Main decryption function, first the symmetric key will be decrypted using the private key of the legal entity. The resulting symmetric key will then be used to decrypt the given cipherText.
func (*Crypto) EncryptKeyAndPlainText ¶ added in v0.14.0
func (client *Crypto) EncryptKeyAndPlainText(plainText []byte, keys []jwk.Key) (types.DoubleEncryptedCipherText, error)
EncryptKeyAndPlainTextFor encrypts a piece of data for the given public key
func (*Crypto) GenerateKeyPair ¶ added in v0.14.0
GenerateKeyPair generates a new key pair. If a key pair with the same identifier already exists, it is overwritten.
func (*Crypto) GetPrivateKey ¶ added in v0.14.0
GetPrivateKey returns the specified private key. It can be used for signing, but cannot be exported.
func (*Crypto) GetPublicKeyAsJWK ¶ added in v0.14.0
PublicKeyInJWK loads the key from storage and wraps it in a Key format. Supports RSA, ECDSA and Symmetric style keys
func (*Crypto) GetPublicKeyAsPEM ¶ added in v0.14.0
func (client *Crypto) GetPublicKeyAsPEM(key types.KeyIdentifier) (string, error)
PublicKeyInPEM loads the key from storage and returns it as PEM encoded. Only supports RSA style keys
func (*Crypto) GetTLSCertificate ¶ added in v0.14.0
func (client *Crypto) GetTLSCertificate(caKey types.KeyIdentifier) (*x509.Certificate, crypto.PrivateKey, error)
func (*Crypto) PrivateKeyExists ¶ added in v0.14.0
func (client *Crypto) PrivateKeyExists(key types.KeyIdentifier) bool
PrivateKeyExists checks storage for an entry for the given legal entity and returns true if it exists
func (*Crypto) Sign ¶ added in v0.14.0
SignFor signs a piece of data using the given key. It is expected that the plain data is given, and it uses the SHA256 hashing function. todo: SHA_256?
func (*Crypto) SignCertificate ¶
func (client *Crypto) SignCertificate(subjectKey types.KeyIdentifier, caKey types.KeyIdentifier, pkcs10 []byte, profile CertificateProfile) ([]byte, error)
SignCertificate issues a certificate by signing a PKCS10 certificate request. The private key of the specified CA should be available in the key store.
func (Crypto) SignJWSEphemeral ¶ added in v0.14.0
func (client Crypto) SignJWSEphemeral(payload []byte, caKey types.KeyIdentifier, csr x509.CertificateRequest, signingTime time.Time) ([]byte, error)
func (*Crypto) SignJWT ¶ added in v0.14.0
func (client *Crypto) SignJWT(claims map[string]interface{}, key types.KeyIdentifier) (string, error)
SignJwtFor creates a signed JWT given a legalEntity and map of claims
func (Crypto) TrustStore ¶ added in v0.14.0
func (client Crypto) TrustStore() cert.TrustStore
type CryptoConfig ¶
Directories ¶
Path | Synopsis |
---|---|
The backend package contains the various options for storing the actual private keys.
|
The backend package contains the various options for storing the actual private keys. |
types and interfaces used by all other packages
|
types and interfaces used by all other packages |