Documentation
Index
- type ActivateRequestPayload
- type ActivateResponsePayload
- type AddAttributeRequestPayload
- type AddAttributeResponsePayload
- type ArchiveRequestPayload
- type ArchiveResponsePayload
- type CreateKeyPairRequestPayload
- type CreateKeyPairResponsePayload
- type CreateRequestPayload
- type CreateResponsePayload
- type DecryptRequestPayload
- type DecryptResponsePayload
- type DeleteAttributeRequestPayload
- type DeleteAttributeResponsePayload
- type DestroyRequestPayload
- type DestroyResponsePayload
- type DiscoverVersionsRequestPayload
- type DiscoverVersionsResponsePayload
- type EncryptRequestPayload
- type EncryptResponsePayload
- type GetAttributeListRequestPayload
- type GetAttributeListResponsePayload
- type GetAttributesRequestPayload
- type GetAttributesResponsePayload
- type GetRequestPayload
- type GetResponsePayload
- func (pl *GetResponsePayload) EcdsaPrivateKey() (*ecdsa.PrivateKey, error)
- func (pl *GetResponsePayload) EcdsaPublicKey() (*ecdsa.PublicKey, error)
- func (pl *GetResponsePayload) Operation() kmip.Operation
- func (pl *GetResponsePayload) PemCertificate() (string, error)
- func (pl *GetResponsePayload) PemPrivateKey() (string, error)
- func (pl *GetResponsePayload) PemPublicKey() (string, error)
- func (pl *GetResponsePayload) PrivateKey() (crypto.PrivateKey, error)
- func (pl *GetResponsePayload) PublicKey() (crypto.PublicKey, error)
- func (pl *GetResponsePayload) RsaPrivateKey() (*rsa.PrivateKey, error)
- func (pl *GetResponsePayload) RsaPublicKey() (*rsa.PublicKey, error)
- func (pl *GetResponsePayload) Secret() ([]byte, error)
- func (pl *GetResponsePayload) SecretString() (string, error)
- func (pl *GetResponsePayload) SymmetricKey() ([]byte, error)
- func (pl *GetResponsePayload) TagDecodeTTLV(d *ttlv.Decoder, tag int) error
- func (pl *GetResponsePayload) X509Certificate() (*x509.Certificate, error)
- type GetUsageAllocationRequestPayload
- type GetUsageAllocationResponsePayload
- type LocateRequestPayload
- type LocateResponsePayload
- type ModifyAttributeRequestPayload
- type ModifyAttributeResponsePayload
- type ObtainLeaseRequestPayload
- type ObtainLeaseResponsePayload
- type QueryRequestPayload
- type QueryResponsePayload
- type RecoverRequestPayload
- type RecoverResponsePayload
- type RegisterRequestPayload
- type RegisterResponsePayload
- type RekeyRequestPayload
- type RekeyResponsePayload
- type RevokeRequestPayload
- type RevokeResponsePayload
- type SignRequestPayload
- type SignResponsePayload
- type SignatureVerifyRequestPayload
- type SignatureVerifyResponsePayload
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ActivateRequestPayload
type ActivateRequestPayload struct {
	// Determines the object being activated.
	// If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
}
This operation requests the server to activate a Managed Cryptographic Object. The request SHALL NOT specify a Template object. The operation SHALL only be performed on an object in the Pre-Active state and has the effect of changing its state to Active, and setting its Activation Date to the current date and time.
func (*ActivateRequestPayload) Operation
func (a *ActivateRequestPayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type ActivateResponsePayload
type ActivateResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
}
Response for the activate operation.
func (*ActivateResponsePayload) Operation
func (a *ActivateResponsePayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type AddAttributeRequestPayload
type AddAttributeRequestPayload struct {
	// The Unique Identifier of the object.
	// If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// Specifies the attribute to be added as an attribute for the object.
	Attribute kmip.Attribute
}
This operation requests the server to add a new attribute instance to be associated with a Managed Object and set its value. The request contains the Unique Identifier of the Managed Object to which the attribute pertains, along with the attribute name and value. For single-instance attributes, this is how the attribute value is created. For multi-instance attributes, this is how the first and subsequent values are created. Existing attribute values SHALL only be changed by the Modify Attribute operation. Read-Only attributes SHALL NOT be added using the Add Attribute operation. The Attribute Index SHALL NOT be specified in the request. The response returns a new Attribute Index and the Attribute Index MAY be omitted if the index of the added attribute instance is 0. Multiple Add Attribute requests MAY be included in a single batched request to add multiple attributes.
func (*AddAttributeRequestPayload) Operation
func (pl *AddAttributeRequestPayload) Operation() kmip.Operation
type AddAttributeResponsePayload
type AddAttributeResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// The added attribute associated with the object.
	Attribute kmip.Attribute
}
Response for the add-attribute operation.
func (*AddAttributeResponsePayload) Operation
func (pl *AddAttributeResponsePayload) Operation() kmip.Operation
type ArchiveRequestPayload
type ArchiveRequestPayload struct {
	// Determines the object being archived.
	// If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
}
This operation is used to specify that a Managed Object MAY be archived. The actual time when the object is archived, the location of the archive, or level of archive hierarchy is determined by the policies within the key management system and is not specified by the client. The request contains the Unique Identifier of the Managed Object. Special authentication and authorization SHOULD be enforced to perform this request. Only the object owner or an authorized security officer SHOULD be allowed to issue this request. This request is only an indication from a client that, from its point of view, the key management system MAY archive the object.
func (*ArchiveRequestPayload) Operation
func (pl *ArchiveRequestPayload) Operation() kmip.Operation
type ArchiveResponsePayload
type ArchiveResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
}
Response for the archive operation.
func (*ArchiveResponsePayload) Operation
func (pl *ArchiveResponsePayload) Operation() kmip.Operation
type CreateKeyPairRequestPayload
type CreateKeyPairRequestPayload struct {
	// Specifies desired attributes in templates and/or as individual attributes to be associated with the new object that apply to both the Private and Public Key Objects.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	CommonTemplateAttribute *kmip.TemplateAttribute
	// Specifies templates and/or attributes to be associated with the new object that apply to the Private Key Object. Order of precedence applies.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	PrivateKeyTemplateAttribute *kmip.TemplateAttribute
	// Specifies templates and/or attributes to be associated with the new object that apply to the Public Key Object. Order of precedence applies.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	PublicKeyTemplateAttribute *kmip.TemplateAttribute
}
This operation requests the server to generate a new public/private key pair and register the two corresponding new Managed Cryptographic Objects.
The request contains attributes to be assigned to the objects (e.g., Cryptographic Algorithm, Cryptographic Length, etc.). Attributes and Template Names MAY be specified for both keys at the same time by specifying a Common Template-Attribute object in the request. Attributes not common to both keys (e.g., Name, Cryptographic Usage Mask) MAY be specified using the Private Key Template-Attribute and Public Key Template-Attribute objects in the request, which take precedence over the Common Template-Attribute object.
The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification. Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
For the Private Key, the server SHALL create a Link attribute of Link Type Public Key pointing to the Public Key. For the Public Key, the server SHALL create a Link attribute of Link Type Private Key pointing to the Private Key. The response contains the Unique Identifiers of both created objects. The ID Placeholder value SHALL be set to the Unique Identifier of the Private Key.
For multi-instance attributes, the union of the values found in the templates and attributes of the Common, Private, and Public Key Template-Attribute SHALL be used. For single-instance attributes, the order of precedence is as follows:
- attributes specified explicitly in the Private and Public Key Template-Attribute, then
- attributes specified via templates in the Private and Public Key Template-Attribute, then
- attributes specified explicitly in the Common Template-Attribute, then
- attributes specified via templates in the Common Template-Attribute.
If there are multiple templates in the Common, Private, or Public Key Template-Attribute, then the last value of the single-instance attribute that conflicts takes precedence.
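The precedence rules above, implemented as an added example rather than code from this package: Attribute and TemplateAttribute are simplified stand-ins for the kmip types, templates are assumed to be already resolved by name, and the set of multi-instance attribute names is an illustrative subset.

```go
package main

import "fmt"

// Attribute is a simplified name/value pair standing in for kmip.Attribute;
// the real type carries typed values and an index, which this example omits.
type Attribute struct{ Name, Value string }

// Template is a named, pre-registered attribute list (a Template Managed Object).
type Template struct {
	Name       string
	Attributes []Attribute
}

// TemplateAttribute mirrors the KMIP Template-Attribute: referenced templates
// plus explicitly supplied attributes. Templates are assumed to be already
// resolved by name, so no server-side lookup is modelled.
type TemplateAttribute struct {
	Templates  []Template
	Attributes []Attribute
}

// multiInstance names the attributes treated as multi-instance in this example,
// an illustrative subset rather than the full KMIP attribute table.
var multiInstance = map[string]bool{"Name": true, "Link": true}

// fromTemplates flattens a Template-Attribute's templates in order, so that for
// a single-instance attribute a later template's value overrides an earlier
// conflicting one ("the last value ... takes precedence").
func fromTemplates(ta *TemplateAttribute) []Attribute {
	var out []Attribute
	for _, t := range ta.Templates {
		out = append(out, t.Attributes...)
	}
	return out
}

// ResolveKeyAttributes computes the effective attributes for one key of the
// pair: pass the Common Template-Attribute and either the Private Key or the
// Public Key Template-Attribute (either may be nil). Sources are applied from
// lowest to highest precedence so the highest-precedence value survives for a
// single-instance attribute; multi-instance attributes collect the union.
func ResolveKeyAttributes(common, specific *TemplateAttribute) []Attribute {
	var sources [][]Attribute
	for _, ta := range []*TemplateAttribute{common, specific} { // common first: lowest precedence
		if ta != nil {
			sources = append(sources, fromTemplates(ta), ta.Attributes) // templates rank below explicit attributes
		}
	}
	single := map[string]string{}
	var order []string // first-seen order keeps the output deterministic
	var multi []Attribute
	seen := map[Attribute]bool{}
	for _, src := range sources {
		for _, a := range src {
			if multiInstance[a.Name] {
				if !seen[a] {
					seen[a] = true
					multi = append(multi, a)
				}
				continue
			}
			if _, ok := single[a.Name]; !ok {
				order = append(order, a.Name)
			}
			single[a.Name] = a.Value // a later (higher-precedence) source overwrites
		}
	}
	out := make([]Attribute, 0, len(order)+len(multi))
	for _, n := range order {
		out = append(out, Attribute{n, single[n]})
	}
	return append(out, multi...)
}

// Values returns every value of an attribute in a resolved set: one entry for a
// single-instance attribute, possibly several for a multi-instance one.
func Values(attrs []Attribute, name string) []string {
	var vals []string
	for _, a := range attrs {
		if a.Name == name {
			vals = append(vals, a.Value)
		}
	}
	return vals
}

func main() {
	// Constructed request: two common templates that disagree on the length
	// (the later one wins) and an explicit usage mask on the private key only.
	common := &TemplateAttribute{Templates: []Template{
		{"rsa-2048", []Attribute{{"Cryptographic Algorithm", "RSA"}, {"Cryptographic Length", "2048"}}},
		{"rsa-4096", []Attribute{{"Cryptographic Length", "4096"}}},
	}}
	private := &TemplateAttribute{Attributes: []Attribute{{"Cryptographic Usage Mask", "Sign"}}}
	fmt.Println(ResolveKeyAttributes(common, private))
}
```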
func (*CreateKeyPairRequestPayload) Operation
func (a *CreateKeyPairRequestPayload) Operation() kmip.Operation
type CreateKeyPairResponsePayload
type CreateKeyPairResponsePayload struct {
	// The Unique Identifier of the newly created Private Key object.
	PrivateKeyUniqueIdentifier string
	// The Unique Identifier of the newly created Public Key object.
	PublicKeyUniqueIdentifier string
	// An OPTIONAL list of attributes, for the Private Key Object, with values that were not specified in the request, but have been implicitly set by the key management server.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	PrivateKeyTemplateAttribute *kmip.TemplateAttribute
	// An OPTIONAL list of attributes, for the Public Key Object, with values that were not specified in the request, but have been implicitly set by the key management server.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	PublicKeyTemplateAttribute *kmip.TemplateAttribute
}
Response for the create key-pair operation.
func (*CreateKeyPairResponsePayload) Operation
func (a *CreateKeyPairResponsePayload) Operation() kmip.Operation
type CreateRequestPayload
type CreateRequestPayload struct {
	// Determines the type of object to be created.
	ObjectType kmip.ObjectType
	// Specifies desired attributes to be associated with the new object, using templates and/or individual attributes.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	TemplateAttribute kmip.TemplateAttribute
}
This operation requests the server to generate a new symmetric key as a Managed Cryptographic Object. This operation is not used to create a Template object (see Register operation, Section 4.3).
The request contains information about the type of object being created, and some of the attributes to be assigned to the object (e.g., Cryptographic Algorithm, Cryptographic Length, etc.). This information MAY be specified by the names of Template objects that already exist.
The response contains the Unique Identifier of the created object. The server SHALL copy the Unique Identifier returned by this operation into the ID Placeholder variable.
func (*CreateRequestPayload) Operation
func (a *CreateRequestPayload) Operation() kmip.Operation
type CreateResponsePayload
type CreateResponsePayload struct {
	// Type of object created.
	ObjectType kmip.ObjectType
	// The Unique Identifier of the newly created object.
	UniqueIdentifier string
	// An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	Attributes *kmip.TemplateAttribute
}
Response for the create operation.
func (*CreateResponsePayload) Operation
func (a *CreateResponsePayload) Operation() kmip.Operation
type DecryptRequestPayload
type DecryptRequestPayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key to use for the decryption operation.
	// If omitted, then the ID Placeholder value SHALL be used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// The Cryptographic Parameters (Block Cipher Mode, Padding Method) corresponding to the particular decryption method requested.
	// If omitted then the Cryptographic Parameters associated with the Managed Cryptographic Object with the lowest Attribute Index SHALL be used.
	//
	// If there are no Cryptographic Parameters associated with the Managed Cryptographic Object and the algorithm requires parameters then
	// the operation SHALL return with a Result Status of Operation Failed.
	CryptographicParameters *kmip.CryptographicParameters
	// The data to be decrypted (as a Byte String).
	Data []byte `ttlv:",omitempty"`
	// The initialization vector, counter or nonce to be used (where appropriate).
	IVCounterNonce []byte `ttlv:",omitempty"`
	// Specifies the existing stream or by-parts cryptographic operation (as returned from a previous call to this operation).
	//
	// The Correlation Value is used in requests and responses in cryptographic operations that support multi-
	// part (streaming) operations. This is generated by the server and returned in the first response to an
	// operation that is being performed across multiple requests. Note: the server decides which operations are
	// supported for multi-part usage. A server-generated correlation value SHALL be specified in any
	// subsequent cryptographic operations that pertain to the original operation.
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
	// Initial operation as Boolean.
	//
	// The Init Indicator is used in requests in cryptographic operations that support multi-part (streaming)
	// operations. This is provided in the first request with a value of True to an operation that is being
	// performed across multiple requests.
	InitIndicator *bool `ttlv:",version=v1.3.."`
	// Final operation as Boolean.
	//
	// The Final Indicator is used in requests in cryptographic operations that support multi-part (streaming)
	// operations. This is provided in the final (last) request with a value of True to an operation that is being
	// performed across multiple requests.
	FinalIndicator *bool `ttlv:",version=v1.3.."`
	// Additional data to be authenticated via the Authenticated Encryption Tag.
	// If supplied in multi-part decryption, this data MUST be supplied on the initial Decrypt request.
	//
	// The Authenticated Encryption Additional Data object is used in authenticated encryption and decryption
	// operations that require the optional additional data to be provided by the client.
	AuthenticatedEncryptionAdditionalData []byte `ttlv:",omitempty,version=v1.4.."`
	// Specifies the tag that will be needed to authenticate the decrypted data.
	// If supplied in multi-part decryption, this data MUST be supplied on the initial Decrypt request.
	//
	// The Authenticated Encryption Tag object is used to validate the integrity of the data encrypted and
	// decrypted in Authenticated Encryption modes. It is an output from the encryption process and an input to
	// the decryption process. See [SP800-38D].
	AuthenticatedEncryptionTag []byte `ttlv:",omitempty,version=v1.4.."`
}
This operation requests the server to perform a decryption operation on the provided data using a Managed Cryptographic Object as the key for the decryption operation.
The request contains information about the cryptographic parameters (mode and padding method), the data to be decrypted, and the IV/Counter/Nonce to use. The cryptographic parameters MAY be omitted from the request as they can be specified as associated attributes of the Managed Cryptographic Object. The initialization vector/counter/nonce MAY also be omitted from the request if the algorithm does not use an IV/Counter/Nonce.
func (*DecryptRequestPayload) Operation
func (pl *DecryptRequestPayload) Operation() kmip.Operation
type DecryptResponsePayload
type DecryptResponsePayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key used for the decryption operation.
	UniqueIdentifier string
	// The decrypted data (as a Byte String).
	Data []byte `ttlv:",omitempty"`
	// Specifies the stream or by-parts value to be provided in subsequent calls to this operation for performing cryptographic operations.
	//
	// The Correlation Value is used in requests and responses in cryptographic operations that support multi-
	// part (streaming) operations. This is generated by the server and returned in the first response to an
	// operation that is being performed across multiple requests. Note: the server decides which operations are
	// supported for multi-part usage. A server-generated correlation value SHALL be specified in any
	// subsequent cryptographic operations that pertain to the original operation.
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
}
The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the decryption operation.
func (*DecryptResponsePayload) Operation
func (pl *DecryptResponsePayload) Operation() kmip.Operation
type DeleteAttributeRequestPayload
type DeleteAttributeRequestPayload struct {
	// Determines the object whose attributes are being deleted. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// Specifies the name of the attribute associated with the object to be deleted.
	AttributeName kmip.AttributeName
	// Specifies the Index of the Attribute.
	AttributeIndex *int32
}
This operation requests the server to delete an attribute associated with a Managed Object. The request contains the Unique Identifier of the Managed Object whose attribute is to be deleted, the attribute name, and the OPTIONAL Attribute Index of the attribute. If no Attribute Index is specified in the request, then the Attribute Index SHALL be assumed to be 0. Attributes that are always REQUIRED to have a value SHALL never be deleted by this operation. Attempting to delete a non-existent attribute or specifying an Attribute Index for which there exists no Attribute Value SHALL result in an error. The response returns the deleted Attribute and the Attribute Index MAY be omitted if the index of the deleted attribute instance is 0. Multiple Delete Attribute requests MAY be included in a single batched request to delete multiple attributes.
func (*DeleteAttributeRequestPayload) Operation
func (pl *DeleteAttributeRequestPayload) Operation() kmip.Operation
type DeleteAttributeResponsePayload
type DeleteAttributeResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// The deleted attribute associated with the object.
	Attribute kmip.Attribute
}
Response for the delete-attribute operation.
func (*DeleteAttributeResponsePayload) Operation
func (pl *DeleteAttributeResponsePayload) Operation() kmip.Operation
type DestroyRequestPayload
type DestroyRequestPayload struct {
	// Determines the object being destroyed. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
}
This operation is used to indicate to the server that the key material for the specified Managed Object SHALL be destroyed. The meta-data for the key material MAY be retained by the server (e.g., used to ensure that an expired or revoked private signing key is no longer available). Special authentication and authorization SHOULD be enforced to perform this request. Only the object owner or an authorized security officer SHOULD be allowed to issue this request. If the Unique Identifier specifies a Template object, then the object itself, including all meta-data, SHALL be destroyed. Cryptographic Objects MAY only be destroyed if they are in either Pre-Active or Deactivated state.
func (*DestroyRequestPayload) Operation
func (a *DestroyRequestPayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type DestroyResponsePayload
type DestroyResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
}
Response for the destroy operation.
func (*DestroyResponsePayload) Operation
func (a *DestroyResponsePayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type DiscoverVersionsRequestPayload
type DiscoverVersionsRequestPayload struct {
	// The list of protocol versions supported by the client ordered in decreasing order of preference.
	ProtocolVersion []kmip.ProtocolVersion
}
This operation is used by the client to determine the list of protocol versions supported by the server. The request payload contains an OPTIONAL list of protocol versions supported by the client. The protocol versions SHALL be ranked in decreasing order of preference.
The response payload contains a list of protocol versions that are supported by the server. The protocol versions are ranked in decreasing order of preference. If the client provides the server with a list of supported protocol versions in the request payload, the server SHALL return only the protocol versions that are supported by both the client and server. The server SHOULD list all the protocol versions supported by both client and server. If the protocol version specified in the request header is not specified in the request payload and the server does not support any protocol version specified in the request payload, the server SHALL return an empty list in the response payload. If no protocol versions are specified in the request payload, the server SHOULD return all the protocol versions that are supported by the server.
func (*DiscoverVersionsRequestPayload) Operation
func (*DiscoverVersionsRequestPayload) Operation() kmip.Operation
type DiscoverVersionsResponsePayload
type DiscoverVersionsResponsePayload struct {
	// The list of protocol versions supported by the server ordered in decreasing order of preference.
	ProtocolVersion []kmip.ProtocolVersion
}
Response for the discover-versions operation.
func (*DiscoverVersionsResponsePayload) Operation
func (*DiscoverVersionsResponsePayload) Operation() kmip.Operation
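The server-side rules above, plus a client-side negotiation built on them, as an added example and not this package's code: ProtocolVersion and the request/response types are simplified stand-ins, and putting the oldest client version in the request header is an assumption of the example rather than a rule from the text.

```go
package main

import (
	"errors"
	"fmt"
)

// ProtocolVersion is a simplified stand-in for kmip.ProtocolVersion.
type ProtocolVersion struct{ Major, Minor int }

func (v ProtocolVersion) String() string { return fmt.Sprintf("%d.%d", v.Major, v.Minor) }

// DiscoverVersionsRequest carries the version from the request header and the
// OPTIONAL payload list, as the operation text describes.
type DiscoverVersionsRequest struct {
	HeaderVersion   ProtocolVersion   // protocol version in the request header
	ProtocolVersion []ProtocolVersion // OPTIONAL, decreasing order of preference
}

type DiscoverVersionsResponse struct {
	ProtocolVersion []ProtocolVersion // decreasing order of server preference
}

// HandleDiscoverVersions is the server side. serverSupported must already be
// ranked in the server's decreasing order of preference; the response keeps
// that order. With no client list every server version is returned; otherwise
// only the versions both sides support, which may be an empty list.
func HandleDiscoverVersions(serverSupported []ProtocolVersion, req DiscoverVersionsRequest) DiscoverVersionsResponse {
	if len(req.ProtocolVersion) == 0 {
		return DiscoverVersionsResponse{ProtocolVersion: append([]ProtocolVersion(nil), serverSupported...)}
	}
	wanted := make(map[ProtocolVersion]bool, len(req.ProtocolVersion))
	for _, v := range req.ProtocolVersion {
		wanted[v] = true
	}
	common := []ProtocolVersion{} // non-nil so an empty result encodes as an empty list
	for _, v := range serverSupported {
		if wanted[v] {
			common = append(common, v)
		}
	}
	return DiscoverVersionsResponse{ProtocolVersion: common}
}

var ErrNoCommonVersion = errors.New("discover versions: no protocol version supported by both client and server")

// NegotiateVersion is the client side: it sends its own ranked list and then
// picks the first entry of that list the server also returned, so the client's
// preference decides among the common versions. Sending the oldest version the
// client supports in the header is a choice made here, not a rule from the
// operation text. transport stands for the request/response round trip.
func NegotiateVersion(clientSupported []ProtocolVersion, transport func(DiscoverVersionsRequest) DiscoverVersionsResponse) (ProtocolVersion, error) {
	if len(clientSupported) == 0 {
		return ProtocolVersion{}, ErrNoCommonVersion
	}
	req := DiscoverVersionsRequest{
		HeaderVersion:   clientSupported[len(clientSupported)-1],
		ProtocolVersion: clientSupported,
	}
	resp := transport(req)
	offered := make(map[ProtocolVersion]bool, len(resp.ProtocolVersion))
	for _, v := range resp.ProtocolVersion {
		offered[v] = true
	}
	for _, v := range clientSupported {
		if offered[v] {
			return v, nil
		}
	}
	return ProtocolVersion{}, ErrNoCommonVersion
}

func main() {
	// Constructed version lists: a server that speaks 2.0 down to 1.2 and a
	// client that speaks 1.4, 1.3 and 1.0.
	server := []ProtocolVersion{{2, 0}, {1, 4}, {1, 3}, {1, 2}}
	client := []ProtocolVersion{{1, 4}, {1, 3}, {1, 0}}
	transport := func(req DiscoverVersionsRequest) DiscoverVersionsResponse {
		return HandleDiscoverVersions(server, req)
	}
	v, err := NegotiateVersion(client, transport)
	fmt.Println("negotiated:", v, "err:", err) // negotiated: 1.4 err: <nil>
	resp := HandleDiscoverVersions(server, DiscoverVersionsRequest{HeaderVersion: ProtocolVersion{1, 0}})
	fmt.Println("server offers without a client list:", resp.ProtocolVersion)
}
```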
type EncryptRequestPayload
type EncryptRequestPayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key to
	// use for the encryption operation. If omitted, then the ID Placeholder value
	// SHALL be used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// The Cryptographic Parameters (Block Cipher Mode, Padding Method, RandomIV) corresponding to the
	// particular encryption method requested. If omitted then the Cryptographic Parameters associated
	// with the Managed Cryptographic Object with the lowest Attribute Index SHALL be used. If there are no Cryptographic
	// Parameters associated with the Managed Cryptographic Object and the algorithm requires parameters then
	// the operation SHALL return with a Result Status of Operation Failed.
	CryptographicParameters *kmip.CryptographicParameters
	// The data to be encrypted (as a Byte String).
	Data []byte `ttlv:",omitempty"`
	// The initialization vector, counter or nonce to be used (where appropriate).
	IVCounterNonce []byte `ttlv:",omitempty"`
	// Specifies the existing stream or by-parts cryptographic operation (as returned from a previous call to this operation).
	//
	// The Correlation Value is used in requests and responses in cryptographic operations that support multi-
	// part (streaming) operations. This is generated by the server and returned in the first response to an
	// operation that is being performed across multiple requests. Note: the server decides which operations are
	// supported for multi-part usage. A server-generated correlation value SHALL be specified in any
	// subsequent cryptographic operations that pertain to the original operation.
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
	// Initial operation as Boolean.
	//
	// The Init Indicator is used in requests in cryptographic operations that support multi-part (streaming)
	// operations. This is provided in the first request with a value of True to an operation that is being
	// performed across multiple requests.
	InitIndicator *bool `ttlv:",version=v1.3.."`
	// Final operation as Boolean.
	//
	// The Final Indicator is used in requests in cryptographic operations that support multi-part (streaming)
	// operations. This is provided in the final (last) request with a value of True to an operation that is being
	// performed across multiple requests.
	FinalIndicator *bool `ttlv:",version=v1.3.."`
	// Any additional data to be authenticated via the Authenticated Encryption Tag.
	// If supplied in multi-part encryption, this data MUST be supplied on the initial Encrypt request.
	//
	// The Authenticated Encryption Additional Data object is used in authenticated encryption and decryption
	// operations that require the optional additional data to be provided by the client.
	AuthenticatedEncryptionAdditionalData []byte `ttlv:",omitempty,version=v1.4.."`
}
This operation requests the server to perform an encryption operation on the provided data using a Managed Cryptographic Object as the key for the encryption operation.
The request contains information about the cryptographic parameters (mode and padding method), the data to be encrypted, and the IV/Counter/Nonce to use. The cryptographic parameters MAY be omitted from the request as they can be specified as associated attributes of the Managed Cryptographic Object. The IV/Counter/Nonce MAY also be omitted from the request if the cryptographic parameters indicate that the server shall generate a Random IV on behalf of the client or the encryption algorithm does not need an IV/Counter/Nonce. The server does not store or otherwise manage the IV/Counter/Nonce.
If the Managed Cryptographic Object referenced has a Usage Limits attribute then the server SHALL obtain an allocation from the current Usage Limits value prior to performing the encryption operation. If the allocation is unable to be obtained the operation SHALL return with a result status of Operation Failed and result reason of Permission Denied.
func (*EncryptRequestPayload) Operation
func (pl *EncryptRequestPayload) Operation() kmip.Operation
type EncryptResponsePayload
type EncryptResponsePayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that was the key used for the encryption operation.
	UniqueIdentifier string
	// The encrypted data (as a Byte String).
	Data []byte `ttlv:",omitempty"`
	// The value used if the Cryptographic Parameters specified Random IV and the IV/Counter/Nonce value was not provided in the request
	// and the algorithm requires the provision of an IV/Counter/Nonce.
	IVCounterNonce []byte `ttlv:",omitempty"`
	// Specifies the stream or by-parts value to be provided in subsequent calls to this operation for performing cryptographic operations.
	//
	// The Correlation Value is used in requests and responses in cryptographic operations that support multi-
	// part (streaming) operations. This is generated by the server and returned in the first response to an
	// operation that is being performed across multiple requests. Note: the server decides which operations are
	// supported for multi-part usage. A server-generated correlation value SHALL be specified in any
	// subsequent cryptographic operations that pertain to the original operation.
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
	// Specifies the tag that will be needed to authenticate the decrypted data.
	// Only returned on completion of the encryption of the last of the plaintext by an authenticated encryption cipher.
	//
	// The Authenticated Encryption Tag object is used to validate the integrity of the data encrypted and
	// decrypted in Authenticated Encryption modes. It is an output from the encryption process and an input to
	// the decryption process. See [SP800-38D].
	AuthenticatedEncryptionTag []byte `ttlv:",omitempty,version=v1.4.."`
}
The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the encryption operation.
func (*EncryptResponsePayload) Operation
func (pl *EncryptResponsePayload) Operation() kmip.Operation
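The server side of the Encrypt and Decrypt operations described above for AES-GCM, single-part only, as an added example and not this package's code: the Usage Limits allocation, the Random IV rule, and the split of GCM output into the separate Data and Authenticated Encryption Tag fields. The payload structs are trimmed stand-ins, the keys are constructed, and counting Usage Limits in plaintext bytes is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Payload shapes trimmed to the fields this single-part example uses (no Correlation Value, no Init/Final Indicator).
type EncryptRequest struct {
	UniqueIdentifier                                            string
	RandomIV                                                    bool // stands in for the Random IV cryptographic parameter
	Data, IVCounterNonce, AuthenticatedEncryptionAdditionalData []byte
}
type EncryptResponse struct {
	UniqueIdentifier                                 string
	Data, IVCounterNonce, AuthenticatedEncryptionTag []byte
}
type DecryptRequest struct {
	UniqueIdentifier                                                                        string
	Data, IVCounterNonce, AuthenticatedEncryptionAdditionalData, AuthenticatedEncryptionTag []byte
}

// managedKey is the server's view of a symmetric key; usageRemaining models the Usage Limits
// attribute (nil: none), and counting it in plaintext bytes is an assumption of this example.
type managedKey struct {
	material       []byte
	usageRemaining *int64
}
type Server struct{ keys map[string]*managedKey }

var ErrItemNotFound = errors.New("Operation Failed: Item Not Found")
var ErrInvalidField = errors.New("Operation Failed: Invalid Field")
var ErrPermissionDenied = errors.New("Operation Failed: Permission Denied")

func (s *Server) gcmFor(uid string) (cipher.AEAD, *managedKey, error) {
	k, ok := s.keys[uid]
	if !ok {
		return nil, nil, ErrItemNotFound
	}
	block, err := aes.NewCipher(k.material)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, k, err
}

// Encrypt generates the IV only when the client asked for Random IV and sent none, takes the Usage Limits
// allocation before doing any cryptography, and splits the GCM output into separate Data and Tag fields.
func (s *Server) Encrypt(req EncryptRequest) (EncryptResponse, error) {
	gcm, k, err := s.gcmFor(req.UniqueIdentifier)
	if err != nil {
		return EncryptResponse{}, err
	}
	iv := req.IVCounterNonce
	if len(iv) == 0 && req.RandomIV {
		iv = make([]byte, gcm.NonceSize())
		if _, err := rand.Read(iv); err != nil {
			return EncryptResponse{}, err
		}
	}
	if len(iv) != gcm.NonceSize() { // also rejects "no IV and no Random IV"; Seal panics on a bad length
		return EncryptResponse{}, ErrInvalidField
	}
	if k.usageRemaining != nil {
		if *k.usageRemaining < int64(len(req.Data)) {
			return EncryptResponse{}, ErrPermissionDenied
		}
		*k.usageRemaining -= int64(len(req.Data))
	}
	sealed := gcm.Seal(nil, iv, req.Data, req.AuthenticatedEncryptionAdditionalData)
	cut := len(sealed) - gcm.Overhead() // GCM appends the tag; KMIP carries it in its own field
	resp := EncryptResponse{UniqueIdentifier: req.UniqueIdentifier, Data: sealed[:cut], AuthenticatedEncryptionTag: sealed[cut:]}
	if len(req.IVCounterNonce) == 0 {
		resp.IVCounterNonce = iv // returned only when the server chose it; the server keeps no copy
	}
	return resp, nil
}

// Decrypt reassembles ciphertext and tag for GCM; Open yields no plaintext at all on a tag or AAD mismatch.
func (s *Server) Decrypt(req DecryptRequest) ([]byte, error) {
	gcm, _, err := s.gcmFor(req.UniqueIdentifier)
	if err != nil {
		return nil, err
	}
	if len(req.IVCounterNonce) != gcm.NonceSize() || len(req.AuthenticatedEncryptionTag) != gcm.Overhead() {
		return nil, ErrInvalidField
	}
	sealed := append(append([]byte{}, req.Data...), req.AuthenticatedEncryptionTag...)
	return gcm.Open(nil, req.IVCounterNonce, sealed, req.AuthenticatedEncryptionAdditionalData)
}

// NewDemoServer registers two constructed AES-256 keys, the second allowed to encrypt only 16 more bytes.
func NewDemoServer() *Server {
	limit := int64(16)
	return &Server{keys: map[string]*managedKey{
		"aes-unlimited": {material: []byte("0123456789abcdef0123456789abcdef")},
		"aes-limited":   {material: []byte("fedcba9876543210fedcba9876543210"), usageRemaining: &limit},
	}}
}
```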
type GetAttributeListRequestPayload
type GetAttributeListRequestPayload struct {
	// Determines the object whose attribute names are being requested. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
}
This operation requests a list of the attribute names associated with a Managed Object. The object is specified by its Unique Identifier.
func (*GetAttributeListRequestPayload) Operation
func (pl *GetAttributeListRequestPayload) Operation() kmip.Operation
type GetAttributeListResponsePayload
type GetAttributeListResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// The names of the available attributes associated with the object.
	AttributeName []kmip.AttributeName
}
Response for the get-attribute-list operation.
func (*GetAttributeListResponsePayload) Operation
func (pl *GetAttributeListResponsePayload) Operation() kmip.Operation
type GetAttributesRequestPayload
type GetAttributesRequestPayload struct {
	// Determines the object whose attributes are being requested. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// Specifies the name of an attribute associated with the object.
	AttributeName []kmip.AttributeName
}
This operation requests one or more attributes associated with a Managed Object. The object is specified by its Unique Identifier, and the attributes are specified by their name in the request. If a specified attribute has multiple instances, then all instances are returned. If a specified attribute does not exist (i.e., has no value), then it SHALL NOT be present in the returned response. If no requested attributes exist, then the response SHALL consist only of the Unique Identifier. If no attribute name is specified in the request, all attributes SHALL be deemed to match the Get Attributes request. The same attribute name SHALL NOT be present more than once in a request.
func (*GetAttributesRequestPayload) Operation ¶
func (a *GetAttributesRequestPayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type GetAttributesResponsePayload ¶
type GetAttributesResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// The requested attribute associated with the object.
	Attribute []kmip.Attribute
}
func (*GetAttributesResponsePayload) Operation ¶
func (a *GetAttributesResponsePayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type GetRequestPayload ¶
type GetRequestPayload struct {
	// Determines the object being requested. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// Determines the key format type to be returned.
	KeyFormatType kmip.KeyFormatType `ttlv:",omitempty"`
	// Determines the Key Wrap Type of the returned key value.
	KeyWrapType kmip.KeyFormatType `ttlv:",omitempty,version=v1.4.."`
	// Determines the compression method for elliptic curve public keys.
	KeyCompressionType kmip.KeyCompressionType `ttlv:",omitempty"`
	// Specifies keys and other information for wrapping the returned object. This field SHALL NOT be specified if the requested object is a Template.
	KeyWrappingSpecification *kmip.KeyWrappingSpecification
}
This operation requests that the server returns the Managed Object specified by its Unique Identifier.
Only a single object is returned. The response contains the Unique Identifier of the object, along with the object itself, which MAY be wrapped using a wrapping key as specified in the request.
The following key format capabilities SHALL be assumed by the client; restrictions apply when the client requests the server to return an object in a particular format:
- If a client registered a key in a given format, the server SHALL be able to return the key during the Get operation in the same format that was used when the key was registered.
- Any other format conversion MAY be supported by the server.
If Key Format Type is specified to be PKCS#12 then the response payload SHALL be a PKCS#12 container as specified by [RFC7292]. The Unique Identifier SHALL be that of a private key to be included in the response. The container SHALL be protected using the Secret Data object specified via the private key’s Secret Data Link. The current certificate chain SHALL also be included as determined by using the private key’s Public Key link to get the corresponding public key, and then using that public key’s Certificate Link to get the base certificate, and then using each certificate’s Certificate Link to build the certificate chain. It is an error if there is more than one valid certificate chain.
func (*GetRequestPayload) Operation ¶
func (pl *GetRequestPayload) Operation() kmip.Operation
type GetResponsePayload ¶
type GetResponsePayload struct {
	// Type of object.
	ObjectType kmip.ObjectType
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// The object being returned.
	Object kmip.Object
}
Response for the Get operation.
func (*GetResponsePayload) EcdsaPrivateKey ¶
func (pl *GetResponsePayload) EcdsaPrivateKey() (*ecdsa.PrivateKey, error)
func (*GetResponsePayload) EcdsaPublicKey ¶
func (pl *GetResponsePayload) EcdsaPublicKey() (*ecdsa.PublicKey, error)
func (*GetResponsePayload) Operation ¶
func (pl *GetResponsePayload) Operation() kmip.Operation
func (*GetResponsePayload) PemCertificate ¶ added in v0.2.0
func (pl *GetResponsePayload) PemCertificate() (string, error)
PemCertificate returns the PEM-encoded value of an X.509 certificate. It returns an error if the KMIP object is not a certificate of type X509, or if the certificate data is invalid.
func (*GetResponsePayload) PemPrivateKey ¶ added in v0.2.0
func (pl *GetResponsePayload) PemPrivateKey() (string, error)
PemPrivateKey formats the private key into the PEM encoding of its PKCS #8, ASN.1 DER form.
func (*GetResponsePayload) PemPublicKey ¶ added in v0.2.0
func (pl *GetResponsePayload) PemPublicKey() (string, error)
PemPublicKey formats the public key value into the PEM encoding of its PKIX, ASN.1 DER form. The encoded public key is a SubjectPublicKeyInfo structure (see RFC 5280, Section 4.1).
func (*GetResponsePayload) PrivateKey ¶ added in v0.2.0
func (pl *GetResponsePayload) PrivateKey() (crypto.PrivateKey, error)
PrivateKey parses the private key object and returns it as a Go crypto.PrivateKey.
func (*GetResponsePayload) PublicKey ¶ added in v0.2.0
func (pl *GetResponsePayload) PublicKey() (crypto.PublicKey, error)
PublicKey parses the public key object and returns it as a Go crypto.PublicKey.
func (*GetResponsePayload) RsaPrivateKey ¶
func (pl *GetResponsePayload) RsaPrivateKey() (*rsa.PrivateKey, error)
func (*GetResponsePayload) RsaPublicKey ¶
func (pl *GetResponsePayload) RsaPublicKey() (*rsa.PublicKey, error)
func (*GetResponsePayload) Secret ¶
func (pl *GetResponsePayload) Secret() ([]byte, error)
func (*GetResponsePayload) SecretString ¶
func (pl *GetResponsePayload) SecretString() (string, error)
func (*GetResponsePayload) SymmetricKey ¶
func (pl *GetResponsePayload) SymmetricKey() ([]byte, error)
func (*GetResponsePayload) TagDecodeTTLV ¶
func (pl *GetResponsePayload) TagDecodeTTLV(d *ttlv.Decoder, tag int) error
func (*GetResponsePayload) X509Certificate ¶
func (pl *GetResponsePayload) X509Certificate() (*x509.Certificate, error)
type GetUsageAllocationRequestPayload ¶
type GetUsageAllocationRequestPayload struct {
	// Determines the object whose usage allocation is being requested. If omitted, then the ID Placeholder is substituted by the server.
	UniqueIdentifier string `ttlv:",omitempty"`
	// The number of Usage Limits Units to be protected.
	UsageLimitsCount int64
}
This operation requests the server to obtain an allocation from the current Usage Limits value to allow the client to use the Managed Cryptographic Object for applying cryptographic protection. The allocation only applies to Managed Cryptographic Objects that are able to be used for applying protection (e.g., symmetric keys for encryption, private keys for signing, etc.) and is only valid if the Managed Cryptographic Object has a Usage Limits attribute. Usage for processing cryptographically protected information (e.g., decryption, verification, etc.) is not limited and is not able to be allocated. A Managed Cryptographic Object that has a Usage Limits attribute SHALL NOT be used by a client for applying cryptographic protection unless an allocation has been obtained using this operation. The operation SHALL only be requested during the time that protection is enabled for these objects (i.e., after the Activation Date and before the Protect Stop Date). If the operation is requested for an object that has no Usage Limits attribute, or is not an object that MAY be used for applying cryptographic protection, then the server SHALL return an error.
The field in the request specifies the number of units that the client needs to protect. If the requested amount is not available or if the Managed Object is not able to be used for applying cryptographic protection at this time, then the server SHALL return an error. The server SHALL assume that the entire allocated amount is going to be consumed. Once the entire allocated amount has been consumed, the client SHALL NOT continue to use the Managed Cryptographic Object for applying cryptographic protection until a new allocation is obtained.
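The allocation rules described above, both the server's checks and the client-side gate that stops protection once the allocation is spent, as an added stand-alone Go example. This is not code from the kmip-go package: the ManagedObject model, the error values and the sample key are constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// UsageLimits mirrors the Usage Limits attribute: Total is the object's lifetime
// budget of protection units and Count is what remains to be allocated.
type UsageLimits struct{ Count, Total int64 }

// ManagedObject is a minimal server-side model, constructed for this example, of a
// Managed Cryptographic Object with the fields the operation depends on.
type ManagedObject struct {
	UniqueIdentifier  string
	AppliesProtection bool         // e.g. a symmetric key used for encryption or a private key used for signing
	UsageLimits       *UsageLimits // nil when the object has no Usage Limits attribute
	ActivationDate    time.Time    // zero means not yet activated
	ProtectStopDate   time.Time    // zero means no Protect Stop Date is set
}

var (
	ErrNotProtecting = errors.New("object cannot be used for applying cryptographic protection")
	ErrNoUsageLimits = errors.New("object has no Usage Limits attribute")
	ErrNotEnabled    = errors.New("protection is not enabled for the object at this time")
	ErrUnavailable   = errors.New("requested amount is not available")
	ErrExhausted     = errors.New("allocation consumed; obtain a new allocation before protecting")
)

// Allocation is the client's record of how many units it may still spend on
// applying protection before it has to request a new allocation.
type Allocation struct {
	UniqueIdentifier string
	Remaining        int64
}

// GetUsageAllocation applies the server-side rules from the description: the object
// must apply protection and carry a Usage Limits attribute, the request must arrive
// after the Activation Date and before the Protect Stop Date, and the whole requested
// amount is treated as consumed, so Count is reduced at allocation time.
func GetUsageAllocation(obj *ManagedObject, usageLimitsCount int64, now time.Time) (*Allocation, error) {
	if !obj.AppliesProtection {
		return nil, ErrNotProtecting
	}
	if obj.UsageLimits == nil {
		return nil, ErrNoUsageLimits
	}
	if obj.ActivationDate.IsZero() || now.Before(obj.ActivationDate) ||
		(!obj.ProtectStopDate.IsZero() && !now.Before(obj.ProtectStopDate)) {
		return nil, ErrNotEnabled
	}
	if usageLimitsCount <= 0 || usageLimitsCount > obj.UsageLimits.Count {
		return nil, ErrUnavailable
	}
	obj.UsageLimits.Count -= usageLimitsCount
	return &Allocation{UniqueIdentifier: obj.UniqueIdentifier, Remaining: usageLimitsCount}, nil
}

// Protect is the client-side gate: one unit is spent per protection operation and
// the object must not be used for protection once the allocation is exhausted.
func (a *Allocation) Protect() error {
	if a == nil || a.Remaining <= 0 {
		return ErrExhausted
	}
	a.Remaining--
	return nil
}

func main() {
	// Sample key constructed for this example.
	key := &ManagedObject{
		UniqueIdentifier:  "example-key-1",
		AppliesProtection: true,
		UsageLimits:       &UsageLimits{Count: 100, Total: 100},
		ActivationDate:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	alloc, err := GetUsageAllocation(key, 30, time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("remaining on server:", key.UsageLimits.Count, "allocated to client:", alloc.Remaining)
}
```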
func (*GetUsageAllocationRequestPayload) Operation ¶
func (pl *GetUsageAllocationRequestPayload) Operation() kmip.Operation
type GetUsageAllocationResponsePayload ¶
type GetUsageAllocationResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
}
Response for the get-usage-allocation operation.
func (*GetUsageAllocationResponsePayload) Operation ¶
func (pl *GetUsageAllocationResponsePayload) Operation() kmip.Operation
type LocateRequestPayload ¶
type LocateRequestPayload struct {
	// An Integer object that indicates the maximum number of object identifiers the server MAY return.
	MaximumItems int32 `ttlv:",omitempty"`
	// An Integer object that indicates the number of object identifiers to skip that satisfy the identification criteria specified in the request.
	OffsetItems int32 `ttlv:",omitempty,version=1.3.."`
	// An Integer object (used as a bit mask) that indicates whether only on-line objects, only archived objects,
	// or both on-line and archived objects are to be searched. If omitted, then on-line only is assumed.
	StorageStatusMask kmip.StorageStatusMask `ttlv:",omitempty"`
	// An Enumeration object that indicates the object group member type.
	ObjectGroupMember kmip.ObjectGroupMember `ttlv:",omitempty,version=1.1.."`
	// Specifies an attribute and its value(s) that are REQUIRED to match those in a candidate object (according to the matching rules defined above).
	Attribute []kmip.Attribute
}
This operation requests that the server search for one or more Managed Objects, depending on the attributes specified in the request. All attributes are allowed to be used. However, Attribute Index values SHOULD NOT be specified in the request. Attribute Index values that are provided SHALL be ignored by the server. The request MAY contain a Maximum Items field, which specifies the maximum number of objects to be returned. If the Maximum Items field is omitted, then the server MAY return all objects matched, or MAY impose an internal maximum limit due to resource limitations.
The request MAY contain an Offset Items field, which specifies the number of objects to skip that satisfy the identification criteria specified in the request. An Offset Items field of 0 is the same as omitting the Offset Items field. If both Offset Items and Maximum Items are specified in the request, the server skips Offset Items objects and returns up to Maximum Items objects.
If more than one object satisfies the identification criteria specified in the request, then the response MAY contain Unique Identifiers for multiple Managed Objects. Returned objects SHALL match all of the attributes in the request. If no objects match, then an empty response payload is returned. If no attribute is specified in the request, any object SHALL be deemed to match the Locate request. The response MAY include Located Items which is the count of all objects that satisfy the identification criteria.
The server returns a list of Unique Identifiers of the found objects, which then MAY be retrieved using the Get operation. If the objects are archived, then the Recover and Get operations are REQUIRED to be used to obtain those objects. If a single Unique Identifier is returned to the client, then the server SHALL copy the Unique Identifier returned by this operation into the ID Placeholder variable.
If the Locate operation matches more than one object, and the Maximum Items value is omitted in the request or is set to a value larger than one, then the server SHALL empty the ID Placeholder, causing any subsequent operations that are batched with the Locate, and which do not specify a Unique Identifier explicitly, to fail. This ensures that these batched operations SHALL proceed only if a single object is returned by Locate.
Wild-cards or regular expressions (defined, e.g., in [ISO/IEC 9945-2]) MAY be supported by specific key management system implementations for matching attribute fields when the field type is a Text String or a Byte String.
The Date attributes in the Locate request (e.g., Initial Date, Activation Date, etc.) are used to specify a time or a time range for the search. If a single instance of a given Date attribute is used in the request (e.g., the Activation Date), then objects with the same Date attribute are considered to be matching candidate objects. If two instances of the same Date attribute are used (i.e., with two different values specifying a range), then objects for which the Date attribute is inside or at a limit of the range are considered to be matching candidate objects. If a Date attribute is set to its largest possible value, then it is equivalent to an undefined attribute. The KMIP Usage Guide [KMIP-UG] provides examples.
When the Cryptographic Usage Mask attribute is specified in the request, candidate objects are compared against this field via an operation that consists of a logical AND of the requested mask with the mask in the candidate object, and then a comparison of the resulting value with the requested mask. For example, if the request contains a mask value of 10001100010000, and a candidate object mask contains 10000100010000, then the logical AND of the two masks is 10000100010000, which is compared against the mask value in the request (10001100010000) and the match fails. This means that a matching candidate object has all of the bits set in its mask that are set in the requested mask, but MAY have additional bits set.
When the Usage Limits attribute is specified in the request, matching candidate objects SHALL have a Usage Limits Count and Usage Limits Total equal to or larger than the values specified in the request.
When an attribute that is defined as a structure is specified, not all of the structure fields are REQUIRED to be specified. For instance, for the Link attribute, if the Linked Object Identifier value is specified without the Link Type value, then matching candidate objects have the Linked Object Identifier as specified, irrespective of their Link Type.
When the Object Group attribute and the Object Group Member flag are specified in the request, and the value specified for Object Group Member is ‘Group Member Fresh’, matching candidate objects SHALL be fresh objects (see 3.34) from the object group. If there are no more fresh objects in the group, the server MAY choose to generate a new object on-the-fly, based on server policy. If the value specified for Object Group Member is ‘Group Member Default’, the server locates the default object as defined by server policy.
The Storage Status Mask field (see Section 9.1.3.3.2) is used to indicate whether only on-line objects, only archived objects, or both on-line and archived objects are to be searched. Note that the server MAY store attributes of archived objects in order to expedite Locate operations that search through archived objects.
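The Locate matching rules described above (Cryptographic Usage Mask, Date attributes, Usage Limits), together with Offset Items / Maximum Items paging and the ID Placeholder rule, written out as an added stand-alone Go example. This is not code from the kmip-go package; the types, the sentinel standing in for the largest Date-Time value and the sample identifiers are constructed here.

```go
package main

import (
	"fmt"
	"time"
)

// UsageMask stands in for the Cryptographic Usage Mask bit field (constructed type).
type UsageMask uint32

// UsageMaskMatches applies the Locate rule for the Cryptographic Usage Mask:
// AND the candidate's mask with the requested mask and compare the result with
// the requested mask. Every requested bit must be set in the candidate; the
// candidate may carry additional bits.
func UsageMaskMatches(requested, candidate UsageMask) bool {
	return candidate&requested == requested
}

// UndefinedDate stands in for "the largest possible value" of a KMIP Date-Time,
// which Locate treats as an undefined attribute (sentinel constructed for this example).
var UndefinedDate = time.Unix(1<<62, 0).UTC()

// DateMatches applies the Locate rule for Date attributes. criteria holds the
// instances of one Date attribute from the request: none means no constraint, one
// means an exact match, two mean an inclusive range (given in either order).
func DateMatches(criteria []time.Time, candidate time.Time) bool {
	switch len(criteria) {
	case 0:
		return true
	case 1:
		return criteria[0].Equal(UndefinedDate) || candidate.Equal(criteria[0])
	default:
		lo, hi := criteria[0], criteria[1]
		if hi.Before(lo) {
			lo, hi = hi, lo
		}
		if lo.Equal(UndefinedDate) {
			return true // both limits undefined
		}
		if hi.Equal(UndefinedDate) {
			return !candidate.Before(lo) // open-ended upper limit
		}
		return !candidate.Before(lo) && !candidate.After(hi)
	}
}

// UsageLimits mirrors the Count and Total fields of the Usage Limits attribute.
type UsageLimits struct{ Count, Total int64 }

// UsageLimitsMatch: a candidate matches when both its Count and its Total are
// equal to or larger than the values in the request.
func UsageLimitsMatch(requested, candidate UsageLimits) bool {
	return candidate.Count >= requested.Count && candidate.Total >= requested.Total
}

// Page applies Offset Items and Maximum Items to the matched identifiers: skip the
// first offset entries, then return at most max of the remainder. A zero (omitted)
// Offset Items skips nothing and a zero (omitted) Maximum Items imposes no cap.
func Page(ids []string, offset, max int32) []string {
	if offset < 0 {
		offset = 0
	}
	if int(offset) >= len(ids) {
		return nil
	}
	rest := ids[offset:]
	if max > 0 && int(max) < len(rest) {
		rest = rest[:max]
	}
	return rest
}

// IDPlaceholder returns what the server leaves in the ID Placeholder after a Locate:
// the identifier when exactly one is returned, otherwise empty, so that batched
// operations without an explicit Unique Identifier fail.
func IDPlaceholder(returned []string) string {
	if len(returned) == 1 {
		return returned[0]
	}
	return ""
}

func main() {
	// The two masks from the description, written in binary.
	fmt.Println(UsageMaskMatches(0b10001100010000, 0b10000100010000)) // false
	fmt.Println(UsageMaskMatches(0b10001100010000, 0b10001100011000)) // true
	ids := []string{"id-1", "id-2", "id-3", "id-4"} // constructed identifiers
	page := Page(ids, 1, 2)
	fmt.Printf("page=%v placeholder=%q\n", page, IDPlaceholder(page))
}
```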
func (*LocateRequestPayload) Operation ¶
func (a *LocateRequestPayload) Operation() kmip.Operation
type LocateResponsePayload ¶
type LocateResponsePayload struct {
	// An Integer object that indicates the number of object identifiers that satisfy the identification criteria specified in the request.
	// A server MAY elect to omit this value from the Response if it is unable or unwilling to determine the total count of matched items.
	//
	// A server MAY elect to return the Located Items value even if Offset Items is not present in the Request.
	LocatedItems *int32 `ttlv:",version=1.3.."`
	// The Unique Identifier of the located objects.
	UniqueIdentifier []string
}
func (*LocateResponsePayload) Operation ¶
func (a *LocateResponsePayload) Operation() kmip.Operation
type ModifyAttributeRequestPayload ¶
type ModifyAttributeRequestPayload struct {
	// The Unique Identifier of the object. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// Specifies the attribute associated with the object to be modified.
	Attribute kmip.Attribute
}
This operation requests the server to modify the value of an existing attribute instance associated with a Managed Object. The request contains the Unique Identifier of the Managed Object whose attribute is to be modified, the attribute name, the OPTIONAL Attribute Index, and the new value. If no Attribute Index is specified in the request, then the Attribute Index SHALL be assumed to be 0. Only existing attributes MAY be changed via this operation. New attributes SHALL only be added by the Add Attribute operation. Only the specified instance of the attribute SHALL be modified. Specifying an Attribute Index for which there exists no Attribute object SHALL result in an error.
The response returns the modified Attribute (new value) and the Attribute Index MAY be omitted if the index of the modified attribute instance is 0.
Multiple Modify Attribute requests MAY be included in a single batched request to modify multiple attributes.
func (*ModifyAttributeRequestPayload) Operation ¶
func (pl *ModifyAttributeRequestPayload) Operation() kmip.Operation
type ModifyAttributeResponsePayload ¶
type ModifyAttributeResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// The modified attribute associated with the object with the new value.
	Attribute kmip.Attribute
}
Response for the Modify-Attribute operation.
func (*ModifyAttributeResponsePayload) Operation ¶
func (pl *ModifyAttributeResponsePayload) Operation() kmip.Operation
type ObtainLeaseRequestPayload ¶
type ObtainLeaseRequestPayload struct {
	// Determines the object for which the lease is being obtained. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
}
This operation requests the server to obtain a new Lease Time for a specified Managed Object. The Lease Time is an interval value that determines when the client's internal cache of information about the object expires and needs to be renewed. If the returned value of the lease time is zero, then the server is indicating that no lease interval is effective, and the client MAY use the object without any lease time limit. If a client's lease expires, then the client SHALL NOT use the associated cryptographic object until a new lease is obtained. If the server determines that a new lease SHALL NOT be issued for the specified cryptographic object, then the server SHALL respond to the Obtain Lease request with an error.
The response payload for the operation contains the current value of the Last Change Date attribute for the object. This MAY be used by the client to determine if any of the attributes cached by the client need to be refreshed, by comparing this time to the time when the attributes were previously obtained.
func (*ObtainLeaseRequestPayload) Operation ¶
func (pl *ObtainLeaseRequestPayload) Operation() kmip.Operation
type ObtainLeaseResponsePayload ¶
type ObtainLeaseResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
	// An interval (in seconds) that specifies the amount of time that the object MAY be used until a new lease needs to be obtained.
	LeaseTime time.Duration
	// The date and time indicating when the latest change was made to the contents or any attribute of the specified object.
	LastChangeDate time.Time
}
Response for the ObtainLease operation.
func (*ObtainLeaseResponsePayload) Operation ¶
func (pl *ObtainLeaseResponsePayload) Operation() kmip.Operation
type QueryRequestPayload ¶
type QueryRequestPayload struct {
// Determines the information being queried.
QueryFunction []kmip.QueryFunction
}
This operation is used by the client to interrogate the server to determine its capabilities and/or protocol mechanisms. The Query operation SHOULD be invocable by unauthenticated clients to interrogate server features and functions. The Query Function field in the request SHALL contain one or more of the following items:
- Query Operations
- Query Objects
- Query Server Information
- Query Application Namespaces
- Query Extension List
- Query Extension Map
- Query Attestation Types
- Query RNGs
- Query Validations
- Query Profiles
- Query Capabilities
- Query Client Registration Methods
The Operation fields in the response contain Operation enumerated values, which SHALL list all the operations that the server supports. If the request contains a Query Operations value in the Query Function field, then these fields SHALL be returned in the response.
The Object Type fields in the response contain Object Type enumerated values, which SHALL list all the object types that the server supports. If the request contains a Query Objects value in the Query Function field, then these fields SHALL be returned in the response.
The Server Information field in the response is a structure containing vendor-specific fields and/or substructures. If the request contains a Query Server Information value in the Query Function field, then this field SHALL be returned in the response.
The Application Namespace fields in the response contain the namespaces that the server SHALL generate values for if requested by the client (see Section 3.36). These fields SHALL only be returned in the response if the request contains a Query Application Namespaces value in the Query Function field.
The Extension Information fields in the response contain the descriptions of Objects with Item Tag values in the Extensions range that are supported by the server (see Section 2.1.9). If the request contains a Query Extension List and/or Query Extension Map value in the Query Function field, then the Extensions Information fields SHALL be returned in the response. If the Query Function field contains the Query Extension Map value, then the Extension Tag and Extension Type fields SHALL be specified in the Extension Information values. If both Query Extension List and Query Extension Map are specified in the request, then only the response to Query Extension Map SHALL be returned and the Query Extension List SHALL be ignored.
The Attestation Type fields in the response contain Attestation Type enumerated values, which SHALL list all the attestation types that the server supports. If the request contains a Query Attestation Types value in the Query Function field, then this field SHALL be returned in the response if the server supports any Attestation Types.
The RNG Parameters fields in the response SHALL list all the Random Number Generators that the server supports. If the request contains a Query RNGs value in the Query Function field, then this field SHALL be returned in the response. If the server is unable to specify details of the RNG then it SHALL return an RNG Parameters with the RNG Algorithm enumeration of Unspecified.
The Validation Information field in the response is a structure containing details of each formal validation which the server asserts. If the request contains a Query Validations value, then zero or more Validation Information fields SHALL be returned in the response. A server MAY elect to return no validation information in the response.
A Profile Information field in the response is a structure containing details of the profiles that a server supports including potentially how it supports that profile. If the request contains a Query Profiles value in the Query Function field, then this field SHALL be returned in the response if the server supports any Profiles.
The Capability Information fields in the response contain details of the capability of the server.
The Client Registration Method fields in the response contain Client Registration Method enumerated values, which SHALL list all the client registration methods that the server supports. If the request contains a Query Client Registration Methods value in the Query Function field, then this field SHALL be returned in the response if the server supports any Client Registration Methods.
Note that the response payload is empty if there are no values to return.
func (*QueryRequestPayload) Operation ¶
func (pl *QueryRequestPayload) Operation() kmip.Operation
type QueryResponsePayload ¶
type QueryResponsePayload struct {
	// Specifies an Operation that is supported by the server.
	Operations []kmip.Operation `ttlv:"Operation"`
	// Specifies a Managed Object Type that is supported by the server.
	ObjectType []kmip.ObjectType
	// SHALL be returned if Query Server Information is requested. The Vendor Identification SHALL be a text string that uniquely identifies the vendor.
	VendorIdentification string `ttlv:",omitempty"`
	// Contains vendor-specific information possibly be of interest to the client.
	ServerInformation *ttlv.Value
	// Specifies an Application Namespace supported by the server.
	ApplicationNamespace []string
	// SHALL be returned if Query Extension List or Query Extension Map is requested and supported by the server.
	ExtensionInformation []kmip.ExtensionInformation `ttlv:",version=v1.1.."`
	// Specifies an Attestation Type that is supported by the server.
	AttestationType []kmip.AttestationType `ttlv:",version=v1.2.."`
	// Specifies the RNG that is supported by the server.
	RNGParameters []kmip.RNGParameters `ttlv:",version=v1.3.."`
	// Specifies the Profiles that are supported by the server.
	ProfileInformation []kmip.ProfileInformation `ttlv:",version=v1.3.."`
	// Specifies the validations that are supported by the server.
	ValidationInformation []kmip.ValidationInformation `ttlv:",version=v1.3.."`
	// Specifies the capabilities that are supported by the server.
	CapabilityInformation []kmip.CapabilityInformation `ttlv:",version=v1.3.."`
	// Specifies a Client Registration Method that is supported by the server.
	ClientRegistrationMethod []kmip.ClientRegistrationMethod `ttlv:",version=v1.3.."`
}
Response for the Query operation.
func (*QueryResponsePayload) Operation ¶
func (pl *QueryResponsePayload) Operation() kmip.Operation
type RecoverRequestPayload ¶
type RecoverRequestPayload struct {
UniqueIdentifier string `ttlv:",omitempty"`
}
This operation is used to obtain access to a Managed Object that has been archived. This request MAY need asynchronous polling to obtain the response due to delays caused by retrieving the object from the archive. Once the response is received, the object is now on-line, and MAY be obtained (e.g., via a Get operation). Special authentication and authorization SHOULD be enforced to perform this request.
func (*RecoverRequestPayload) Operation ¶
func (pl *RecoverRequestPayload) Operation() kmip.Operation
type RecoverResponsePayload ¶
type RecoverResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
}
Response for the recover operation.
func (*RecoverResponsePayload) Operation ¶
func (pl *RecoverResponsePayload) Operation() kmip.Operation
type RegisterRequestPayload ¶
type RegisterRequestPayload struct {
	// Determines the type of object being registered.
	ObjectType kmip.ObjectType
	// Specifies desired object attributes to be associated with the new object using templates and/or individual attributes.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	TemplateAttribute kmip.TemplateAttribute
	// The object being registered. The object and attributes MAY be wrapped.
	Object kmip.Object
}
This operation requests the server to register a Managed Object that was created by the client or obtained by the client through some other means, allowing the server to manage the object. The arguments in the request are similar to those in the Create operation, but contain the object itself for storage by the server.
The request contains information about the type of object being registered and attributes to be assigned to the object (e.g., Cryptographic Algorithm, Cryptographic Length, etc.). This information SHALL be specified by the use of a Template-Attribute object.
The response contains the Unique Identifier assigned by the server to the registered object. The server SHALL copy the Unique Identifier returned by this operation into the ID Placeholder variable. The Initial Date attribute of the object SHALL be set to the current time.
If a Managed Cryptographic Object is registered, then the following attributes SHALL be included in the Register request, either explicitly, or via specification of a template that contains the attribute:
- Cryptographic Algorithm: MAY be omitted only if this information is encapsulated in the Key Block. Does not apply to Secret Data. If present, then Cryptographic Length below SHALL also be present.
- Cryptographic Length: MAY be omitted only if this information is encapsulated in the Key Block. Does not apply to Secret Data. If present, then Cryptographic Algorithm above SHALL also be present.
- Certificate Length: Only applies to Certificates.
- Cryptographic Usage Mask
- Digital Signature Algorithm: MAY be omitted only if this information is encapsulated in the Certificate object. Only applies to Certificates.
func (*RegisterRequestPayload) Operation ¶
func (pl *RegisterRequestPayload) Operation() kmip.Operation
func (*RegisterRequestPayload) TagDecodeTTLV ¶
func (pl *RegisterRequestPayload) TagDecodeTTLV(d *ttlv.Decoder, tag int) error
type RegisterResponsePayload ¶
type RegisterResponsePayload struct {
	// The Unique Identifier of the newly registered object.
	UniqueIdentifier string
	// An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	TemplateAttribute *kmip.TemplateAttribute
}
Response for the Register operation.
func (*RegisterResponsePayload) Operation ¶
func (pl *RegisterResponsePayload) Operation() kmip.Operation
type RekeyRequestPayload ¶
type RekeyRequestPayload struct {
	// Determines the existing Symmetric Key being re-keyed. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// An Interval object indicating the difference between the Initialization Date and the Activation Date of the replacement key to be created.
	Offset *time.Duration
	// Specifies desired object attributes using templates and/or individual attributes.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	TemplateAttribute *kmip.TemplateAttribute
}
This request is used to generate a replacement key for an existing symmetric key. It is analogous to the Create operation, except that attributes of the replacement key are copied from the existing key, with the exception of the attributes listed in Random Number Generator 3.44.
As the replacement key takes over the name attribute of the existing key, Re-key SHOULD only be performed once on a given key.
The server SHALL copy the Unique Identifier of the replacement key returned by this operation into the ID Placeholder variable.
For the existing key, the server SHALL create a Link attribute of Link Type Replacement Object pointing to the replacement key. For the replacement key, the server SHALL create a Link attribute of Link Type Replaced Key pointing to the existing key.
An Offset MAY be used to indicate the difference between the Initialization Date and the Activation Date of the replacement key. If no Offset is specified, the Activation Date, Process Start Date, Protect Stop Date and Deactivation Date values are copied from the existing key.
If Offset is set and dates exist for the existing key, then the dates of the replacement key SHALL be set based on the dates of the existing key as follows:
- Initial Date (IT1) -> Initial Date (IT2) > IT1
- Activation Date (AT1) -> Activation Date (AT2) = IT2 + Offset
- Process Start Date (CT1) -> Process Start Date = CT1 + (AT2 - AT1)
- Protect Stop Date (TT1) -> Protect Stop Date = TT1 + (AT2 - AT1)
- Deactivation Date (DT1) -> Deactivation Date = DT1 + (AT2 - AT1)
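The date derivation above, with and without an Offset, carried through as an added stand-alone Go example. This is not code from the kmip-go package: the KeyDates type, the handling of unset dates and the sample dates are constructed here, and rejecting an Offset when the existing key has no Activation Date is this example's choice.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// KeyDates holds the date attributes Re-key copies or shifts. A zero time means
// the attribute is not set on the key (constructed type for this example).
type KeyDates struct {
	InitialDate      time.Time // IT
	ActivationDate   time.Time // AT
	ProcessStartDate time.Time // CT
	ProtectStopDate  time.Time // TT
	DeactivationDate time.Time // DT
}

// shift moves a date by delta, leaving an unset (zero) date unset.
func shift(t time.Time, delta time.Duration) time.Time {
	if t.IsZero() {
		return t
	}
	return t.Add(delta)
}

// ReplacementDates derives the replacement key's dates from the existing key.
// initial is IT2, the Initial Date the server assigns (the current time), which
// must be later than IT1. With offset nil the four other dates are copied
// unchanged; with an offset, AT2 = IT2 + Offset and the Process Start, Protect
// Stop and Deactivation dates are shifted by AT2 - AT1.
func ReplacementDates(existing KeyDates, initial time.Time, offset *time.Duration) (KeyDates, error) {
	if !initial.After(existing.InitialDate) {
		return KeyDates{}, errors.New("replacement Initial Date (IT2) must be later than IT1")
	}
	out := KeyDates{InitialDate: initial}
	if offset == nil {
		out.ActivationDate = existing.ActivationDate
		out.ProcessStartDate = existing.ProcessStartDate
		out.ProtectStopDate = existing.ProtectStopDate
		out.DeactivationDate = existing.DeactivationDate
		return out, nil
	}
	// AT2 - AT1 is only defined when the existing key has an Activation Date;
	// the description does not say what to do otherwise, so this example rejects it.
	if existing.ActivationDate.IsZero() {
		return KeyDates{}, errors.New("existing key has no Activation Date; cannot apply Offset")
	}
	out.ActivationDate = initial.Add(*offset)
	delta := out.ActivationDate.Sub(existing.ActivationDate)
	out.ProcessStartDate = shift(existing.ProcessStartDate, delta)
	out.ProtectStopDate = shift(existing.ProtectStopDate, delta)
	out.DeactivationDate = shift(existing.DeactivationDate, delta)
	return out, nil
}

func main() {
	// Dates of an existing key, constructed for this example.
	existing := KeyDates{
		InitialDate:      time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		ActivationDate:   time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC),
		ProcessStartDate: time.Date(2024, 1, 12, 0, 0, 0, 0, time.UTC),
		ProtectStopDate:  time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC),
		DeactivationDate: time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC),
	}
	offset := 48 * time.Hour
	replacement, err := ReplacementDates(existing, time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC), &offset)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", replacement)
}
```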
Attributes requiring special handling when creating the replacement key are:
- Initial Date: Set to the current time
- Destroy Date: Not set
- Compromise Occurrence Date: Not set
- Compromise Date: Not set
- Revocation Reason: Not set
- Unique Identifier: New value generated
- Usage Limits: The Total value is copied from the existing key, and the Count value in the existing key is set to the Total value.
- Name: Set to the name(s) of the existing key; all name attributes are removed from the existing key.
- State: Set based on attributes values, such as dates
- Digest: Recomputed from the replacement key value
- Link: Set to point to the existing key as the replaced key
- Last Change Date: Set to current time
- Random Number Generator: Set to the random number generator used for creating the new managed object. Not copied from the original object.
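A worked example of the re-key rules above, added here and not taken from this package: it uses its own local SymmetricKey, Link and UsageLimits types in place of the kmip ones. Rekey derives the replacement key's dates from the existing key's dates and the optional Offset exactly as listed above, moves the Name attributes to the replacement, sets the Link attributes in both directions, copies the Usage Limits Total and starts the replacement with a full Count (one reading of the Usage Limits rule), and recomputes the Digest over freshly generated key material. SHA-256 for the digest and the random identifier scheme are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// LinkType values are local stand-ins, not the KMIP wire enumeration.
type LinkType int

const (
	ReplacementObjectLink LinkType = iota + 1 // on the existing key, points to the replacement
	ReplacedObjectLink                        // on the replacement, points to the existing key
)

type Link struct {
	Type   LinkType
	Target string // Unique Identifier of the linked object
}

type UsageLimits struct{ Total, Count int64 }

// SymmetricKey models only the attributes Re-key touches; nil dates are "not set".
type SymmetricKey struct {
	UniqueIdentifier string
	KeyMaterial      []byte
	Digest           [32]byte
	Names            []string
	Links            []Link
	UsageLimits      *UsageLimits
	InitialDate      time.Time
	ActivationDate   *time.Time
	ProcessStartDate *time.Time
	ProtectStopDate  *time.Time
	DeactivationDate *time.Time
	LastChangeDate   time.Time
}

// Rekey returns the replacement key and mutates existing the way the server
// does: names are removed, a Replacement Object link is added, Last Change Date set.
func Rekey(existing *SymmetricKey, offset *time.Duration, now time.Time) (*SymmetricKey, error) {
	if !now.After(existing.InitialDate) {
		return nil, errors.New("replacement Initial Date (IT2) must be later than IT1")
	}
	if offset != nil && existing.ActivationDate == nil {
		return nil, errors.New("Offset given but the existing key has no Activation Date to shift from")
	}
	// Fresh key value of the same length plus 8 random bytes for the new identifier.
	buf := make([]byte, len(existing.KeyMaterial)+8)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	material := buf[:len(existing.KeyMaterial)]
	repl := &SymmetricKey{
		UniqueIdentifier: fmt.Sprintf("%x", buf[len(material):]), // illustrative identifier scheme
		KeyMaterial:      material,
		Digest:           sha256.Sum256(material), // Digest recomputed; SHA-256 assumed
		Names:            existing.Names,          // names move to the replacement ...
		Links:            []Link{{Type: ReplacedObjectLink, Target: existing.UniqueIdentifier}},
		InitialDate:      now,
		LastChangeDate:   now,
	}
	existing.Names = nil // ... and are removed from the existing key
	existing.Links = append(existing.Links, Link{Type: ReplacementObjectLink, Target: repl.UniqueIdentifier})
	existing.LastChangeDate = now
	if ul := existing.UsageLimits; ul != nil {
		// Total is copied; the replacement starts with its full allocation (Count = Total).
		repl.UsageLimits = &UsageLimits{Total: ul.Total, Count: ul.Total}
	}
	// Dates: copied unchanged without an Offset; with one, AT2 = IT2 + Offset and the
	// other three dates shift by (AT2 - AT1).
	shift := time.Duration(0)
	if offset != nil {
		shift = now.Add(*offset).Sub(*existing.ActivationDate)
	}
	repl.ActivationDate = shiftTime(existing.ActivationDate, shift)
	repl.ProcessStartDate = shiftTime(existing.ProcessStartDate, shift)
	repl.ProtectStopDate = shiftTime(existing.ProtectStopDate, shift)
	repl.DeactivationDate = shiftTime(existing.DeactivationDate, shift)
	return repl, nil
}

// shiftTime copies t moved by d; a zero d is a plain copy.
func shiftTime(t *time.Time, d time.Duration) *time.Time {
	if t == nil {
		return nil
	}
	v := t.Add(d)
	return &v
}

func main() {
	it1 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	at1 := it1.Add(24 * time.Hour)
	existing := &SymmetricKey{UniqueIdentifier: "k-1", KeyMaterial: make([]byte, 32),
		Names: []string{"payroll-kek"}, InitialDate: it1, ActivationDate: &at1}
	offset := 48 * time.Hour
	repl, err := Rekey(existing, &offset, it1.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(repl.UniqueIdentifier, repl.Names, repl.ActivationDate.UTC(), existing.Links)
}
```

Because the shift is AT2 - AT1, the replacement's Activation Date comes out as IT2 + Offset whether or not the existing key had the other three dates, and a key that was never activated cannot be re-keyed with an Offset at all; the function refuses that case rather than guessing.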
func (*RekeyRequestPayload) Operation ¶
func (a *RekeyRequestPayload) Operation() kmip.Operation
type RekeyResponsePayload ¶
type RekeyResponsePayload struct {
	// The Unique Identifier of the newly-created replacement Symmetric Key.
	UniqueIdentifier string
	// An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
	//
	// The Template Managed Object is deprecated as of version 1.3 of this specification and MAY be removed from subsequent versions of the specification.
	// Individual Attributes SHOULD be used in operations which currently support use of a Name within a Template-Attribute to reference a Template.
	TemplateAttribute *kmip.TemplateAttribute
}
Response for the Re-Key operation.
func (*RekeyResponsePayload) Operation ¶
func (a *RekeyResponsePayload) Operation() kmip.Operation
type RevokeRequestPayload ¶
type RevokeRequestPayload struct {
	// Determines the object being revoked. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// Specifies the reason for revocation.
	RevocationReason kmip.RevocationReason
	// SHOULD be specified if the Revocation Reason is "key compromise" or "CA compromise" and SHALL NOT be specified for other Revocation Reason enumerations.
	CompromiseOccurrenceDate *time.Time
}
This operation requests the server to revoke a Managed Cryptographic Object or an Opaque Object. The request SHALL NOT specify a Template object. The request contains a reason for the revocation (e.g., "key compromise", "cessation of operation", etc.).

Special authentication and authorization SHOULD be enforced to perform this request. Only the object owner or an authorized security officer SHOULD be allowed to issue this request.

The operation has one of two effects. If the revocation reason is "key compromise" or "CA compromise", then the object is placed into the "compromised" state; the Compromise Date is set to the current date and time; and the Compromise Occurrence Date is set to the value provided in the Revoke request. If the request carries no Compromise Occurrence Date, it SHOULD be set to the Initial Date of the object. If the revocation reason is neither "key compromise" nor "CA compromise", the object is placed into the "deactivated" state, and the Deactivation Date is set to the current date and time.
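An added example of the server-side effect of Revoke described above. It is not this package's code and uses local RevocationReason and State stand-ins instead of the kmip enumerations. Revoke enforces the owner-or-security-officer rule, rejects a Compromise Occurrence Date when the reason is not a key or CA compromise, defaults that date to the object's Initial Date, and applies the two state transitions. The Principal type and the refusal to revoke an object that is already Compromised are assumptions not stated on this page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RevocationReason and State values are local stand-ins, not the KMIP wire enumerations.
type RevocationReason int

const (
	Unspecified RevocationReason = iota + 1
	KeyCompromise
	CACompromise
	AffiliationChanged
	Superseded
	CessationOfOperation
	PrivilegeWithdrawn
)

type State int

const (
	PreActive State = iota + 1
	Active
	Deactivated
	Compromised
)

var (
	ErrNotAuthorized      = errors.New("Operation Failed, Permission Denied: requester is neither owner nor security officer")
	ErrInvalidField       = errors.New("Operation Failed: Compromise Occurrence Date is only allowed for key or CA compromise")
	ErrAlreadyCompromised = errors.New("Operation Failed: a Compromised object cannot be revoked again")
)

// Principal is the authenticated requester (assumed model); authorization is owner-or-security-officer.
type Principal struct {
	Name            string
	SecurityOfficer bool
}

type ManagedObject struct {
	UniqueIdentifier         string
	Owner                    string
	State                    State
	InitialDate              time.Time
	DeactivationDate         *time.Time
	CompromiseDate           *time.Time
	CompromiseOccurrenceDate *time.Time
	RevocationReason         *RevocationReason
}

type RevokeRequest struct {
	UniqueIdentifier         string
	RevocationReason         RevocationReason
	CompromiseOccurrenceDate *time.Time
}

// Revoke applies req to obj on behalf of by, using now as the server clock.
func Revoke(obj *ManagedObject, req RevokeRequest, by Principal, now time.Time) error {
	if by.Name != obj.Owner && !by.SecurityOfficer {
		return ErrNotAuthorized
	}
	compromise := req.RevocationReason == KeyCompromise || req.RevocationReason == CACompromise
	if !compromise && req.CompromiseOccurrenceDate != nil {
		return ErrInvalidField
	}
	// Assumption beyond this page: a Compromised object is never moved back to
	// Deactivated by a later Revoke, so the transition is refused outright.
	if obj.State == Compromised {
		return ErrAlreadyCompromised
	}
	reason := req.RevocationReason
	obj.RevocationReason = &reason
	t := now
	if compromise {
		obj.State = Compromised
		obj.CompromiseDate = &t
		occ := obj.InitialDate // default when the request carries no occurrence date
		if req.CompromiseOccurrenceDate != nil {
			occ = *req.CompromiseOccurrenceDate
		}
		obj.CompromiseOccurrenceDate = &occ
		return nil
	}
	obj.State = Deactivated
	obj.DeactivationDate = &t
	return nil
}

func main() {
	created := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	key := &ManagedObject{UniqueIdentifier: "k-1", Owner: "alice", State: Active, InitialDate: created}
	req := RevokeRequest{UniqueIdentifier: "k-1", RevocationReason: KeyCompromise}
	if err := Revoke(key, req, Principal{Name: "mallory"}, time.Now()); err != nil {
		fmt.Println("rejected:", err)
	}
	if err := Revoke(key, req, Principal{Name: "bob", SecurityOfficer: true}, time.Now()); err != nil {
		panic(err)
	}
	fmt.Println(key.State == Compromised, key.CompromiseOccurrenceDate.Equal(created))
}
```

The authorization check runs before any field validation so that an unauthorized caller learns nothing about the object's state, and the request's Compromise Occurrence Date is validated against the reason before anything is mutated, so a rejected request leaves the object untouched.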
func (*RevokeRequestPayload) Operation ¶
func (a *RevokeRequestPayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type RevokeResponsePayload ¶
type RevokeResponsePayload struct {
	// The Unique Identifier of the object.
	UniqueIdentifier string
}
Response for the Revoke operation.
func (*RevokeResponsePayload) Operation ¶
func (a *RevokeResponsePayload) Operation() kmip.Operation
Operation implements kmip.OperationPayload.
type SignRequestPayload ¶ added in v0.2.4
type SignRequestPayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key to use for the signature operation. If
	// omitted, then the ID Placeholder value SHALL be used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// The Cryptographic Parameters (Digital Signature Algorithm or Cryptographic Algorithm and Hashing Algorithm) corresponding
	// to the particular signature generation method requested. If omitted then the Cryptographic Parameters associated
	// with the Managed Cryptographic Object with the lowest Attribute Index SHALL be used.
	// If there are no Cryptographic Parameters associated with the Managed Cryptographic Object and the algorithm requires parameters then
	// the operation SHALL return with a Result Status of Operation Failed.
	CryptographicParameters *kmip.CryptographicParameters
	// The data to be signed. Mandatory for kmip 1.2 or single-part operation, unless Digested Data is supplied. Optional for multi-part.
	Data []byte `ttlv:",omitempty"`
	// The digested data to be signed.
	DigestedData []byte `ttlv:",omitempty,version=v1.4.."`
	// Specifies the existing stream or by parts cryptographic operation (as returned from a previous call to this operation).
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
	// Initial operation.
	InitIndicator *bool `ttlv:",version=v1.3.."`
	// Final operation.
	FinalIndicator *bool `ttlv:",version=v1.3.."`
}
This operation requests the server to perform a signature operation on the provided data using a Managed Cryptographic Object as the key for the signature operation. The request contains information about the cryptographic parameters (digital signature algorithm or cryptographic algorithm and hash algorithm) and the data to be signed. The cryptographic parameters MAY be omitted from the request as they can be specified as associated attributes of the Managed Cryptographic Object.
If the Managed Cryptographic Object referenced has a Usage Limits attribute then the server SHALL obtain an allocation from the current Usage Limits value prior to performing the signing operation. If the allocation cannot be obtained, the operation SHALL return with a result status of Operation Failed and result reason of Permission Denied.
func (*SignRequestPayload) Operation ¶ added in v0.2.4
func (pl *SignRequestPayload) Operation() kmip.Operation
type SignResponsePayload ¶ added in v0.2.4
type SignResponsePayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key used for the signature operation.
	UniqueIdentifier string
	// The signed data. Mandatory for kmip 1.2 or single-part operation, not for multi-part.
	SignatureData []byte `ttlv:",omitempty"`
	// Specifies the stream or by-parts value to be provided in subsequent calls to this operation for performing cryptographic operations.
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
}
Response for the sign operation.
The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the result of the signature operation.
The success or failure of the operation is indicated by the Result Status (and if failure the Result Reason) in the response header.
func (*SignResponsePayload) Operation ¶ added in v0.2.4
func (pl *SignResponsePayload) Operation() kmip.Operation
type SignatureVerifyRequestPayload ¶ added in v0.2.4
type SignatureVerifyRequestPayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key to use for the signature verify operation.
	// If omitted, then the ID Placeholder value SHALL be used by the server as the Unique Identifier.
	UniqueIdentifier string `ttlv:",omitempty"`
	// The Cryptographic Parameters (Digital Signature Algorithm or Cryptographic Algorithm and Hashing Algorithm)
	// corresponding to the particular signature verification method requested. If omitted then the Cryptographic
	// Parameters associated with the Managed Cryptographic Object with the lowest Attribute Index SHALL be used.
	//
	// If there are no Cryptographic Parameters associated with the Managed Cryptographic Object and the algorithm requires
	// parameters then the operation SHALL return with a Result Status of Operation Failed.
	CryptographicParameters *kmip.CryptographicParameters
	// The data that was signed.
	Data []byte `ttlv:",omitempty"`
	// The digested data to be verified.
	DigestedData []byte `ttlv:",omitempty,version=v1.4.."`
	// The signature to be verified. Mandatory for kmip 1.2 or for single-part operation. Not for multi-part.
	SignatureData []byte `ttlv:",omitempty"`
	// Specifies the existing stream or by-parts cryptographic operation (as returned from a previous call to this operation).
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
	// Initial operation.
	InitIndicator *bool `ttlv:",version=v1.3.."`
	// Final operation.
	FinalIndicator *bool `ttlv:",version=v1.3.."`
}
This operation requests the server to perform a signature verify operation on the provided data using a Managed Cryptographic Object as the key for the signature verification operation. The request contains information about the cryptographic parameters (digital signature algorithm or cryptographic algorithm and hash algorithm) and the signature to be verified and MAY contain the data that was passed to the signing operation (for those algorithms which need the original data to verify a signature).
The cryptographic parameters MAY be omitted from the request as they can be specified as associated attributes of the Managed Cryptographic Object.
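The Sign flow (Usage Limits allocation, single-part and by-parts requests with Correlation Value, Init Indicator and Final Indicator) and the SignatureVerify flow above, as one added example rather than code from this package: a toy server holding one ECDSA P-256 key takes a Usage Limits allocation before signing, drives a stream through Init, intermediate and Final requests, and answers a verify request with a Validity Indicator. The local request/response structs, the enumeration values, the 8-byte counter used as Correlation Value, SHA-256 as the hash and the choice to charge a stream at its Init step are all assumptions; a real server would take the algorithm and hash from the Cryptographic Parameters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// ValidityIndicator values are local stand-ins for the KMIP enumeration.
type ValidityIndicator int

const (
	Valid ValidityIndicator = iota + 1
	Invalid
)

var ErrPermissionDenied = errors.New("Operation Failed, Permission Denied: Usage Limits allocation refused")
var ErrNoSession = errors.New("Operation Failed: unknown Correlation Value")

// SignRequest and SignResponse carry only the payload fields this example exercises.
type SignRequest struct {
	Data             []byte
	CorrelationValue []byte
	InitIndicator    bool
	FinalIndicator   bool
}

type SignResponse struct {
	UniqueIdentifier string
	SignatureData    []byte
	CorrelationValue []byte
}

// SigningServer: one ECDSA P-256 key, its Usage Limits Count, and the open
// by-parts streams keyed by Correlation Value (not safe for concurrent use).
type SigningServer struct {
	uid        string
	key        *ecdsa.PrivateKey
	usageCount int
	sessions   map[string]hash.Hash
	nextCorr   uint64
}

func NewSigningServer(uid string, usageCount int) (*SigningServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningServer{uid: uid, key: key, usageCount: usageCount, sessions: map[string]hash.Hash{}}, nil
}

// Sign serves a single-part request (no Correlation Value, no indicators) or one step
// of a by-parts stream: Init opens it, later parts add data, Final produces the signature.
func (s *SigningServer) Sign(req SignRequest) (SignResponse, error) {
	resp := SignResponse{UniqueIdentifier: s.uid}
	var h hash.Hash
	if len(req.CorrelationValue) == 0 {
		// Allocation precedes any signing; a stream is charged when it opens (assumption).
		if s.usageCount <= 0 {
			return resp, ErrPermissionDenied
		}
		s.usageCount--
		h = sha256.New()
	} else if h = s.sessions[string(req.CorrelationValue)]; h == nil {
		return resp, ErrNoSession
	}
	h.Write(req.Data)
	if (req.InitIndicator || len(req.CorrelationValue) > 0) && !req.FinalIndicator {
		corr := req.CorrelationValue
		if len(corr) == 0 {
			s.nextCorr++
			corr = make([]byte, 8)
			binary.BigEndian.PutUint64(corr, s.nextCorr)
		}
		s.sessions[string(corr)] = h
		resp.CorrelationValue = corr
		return resp, nil
	}
	delete(s.sessions, string(req.CorrelationValue))
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h.Sum(nil))
	if err != nil {
		return resp, err
	}
	resp.SignatureData = sig
	return resp, nil
}

// Verify is single-part SignatureVerify: a bad signature is reported as Invalid in
// the payload, not as a failed operation.
func (s *SigningServer) Verify(data, sig []byte) ValidityIndicator {
	digest := sha256.Sum256(data)
	if ecdsa.VerifyASN1(&s.key.PublicKey, digest[:], sig) {
		return Valid
	}
	return Invalid
}

func main() {
	srv, err := NewSigningServer("sign-key-1", 1)
	if err != nil {
		panic(err)
	}
	r1, err := srv.Sign(SignRequest{Data: []byte("part one "), InitIndicator: true})
	if err != nil {
		panic(err)
	}
	r2, err := srv.Sign(SignRequest{Data: []byte("part two"), CorrelationValue: r1.CorrelationValue, FinalIndicator: true})
	if err != nil {
		panic(err)
	}
	fmt.Println(srv.Verify([]byte("part one part two"), r2.SignatureData) == Valid)
}
```

Two points worth checking against any real server: an exhausted Usage Limits Count must surface as Operation Failed / Permission Denied before any key use, and a signature over tampered data must come back as a successful SignatureVerify whose Validity Indicator is Invalid, so a client that only checks the Result Status will wrongly treat the signature as good.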
func (*SignatureVerifyRequestPayload) Operation ¶ added in v0.2.4
func (pl *SignatureVerifyRequestPayload) Operation() kmip.Operation
type SignatureVerifyResponsePayload ¶ added in v0.2.4
type SignatureVerifyResponsePayload struct {
	// The Unique Identifier of the Managed Cryptographic Object that is the key used for the verification operation.
	UniqueIdentifier string
	// An Enumeration object indicating whether the signature is valid, invalid, or unknown.
	ValidityIndicator kmip.ValidityIndicator
	// The OPTIONAL recovered data (as a Byte String) for those signature algorithms where data recovery from the signature is supported.
	Data []byte `ttlv:",omitempty"`
	// Specifies the stream or by-parts value to be provided in subsequent calls to this operation for performing cryptographic operations.
	CorrelationValue []byte `ttlv:",omitempty,version=v1.3.."`
}
Response for SignatureVerify operation.
The response contains the Unique Identifier of the Managed Cryptographic Object used as the key and the OPTIONAL data recovered from the signature (for those signature algorithms where data recovery from the signature is supported). The validity of the signature is indicated by the Validity Indicator field.
The success or failure of the operation is indicated by the Result Status (and if failure the Result Reason) in the response header.
func (*SignatureVerifyResponsePayload) Operation ¶ added in v0.2.4
func (pl *SignatureVerifyResponsePayload) Operation() kmip.Operation