Documentation
Overview
Package sec provides security primitives for the SporeDB mycelium.
Index
- Variables
- func Fingerprint(data []byte) string
- type ByIdentity
- type ErrInsufficientTrust
- type ErrUnknownIdentity
- type Exporter
- type Importer
- type KeyEd25519
- type KeyRing
- type KeyRingEd25519
- func (k *KeyRingEd25519) AddPublic(identity string, trust TrustLevel, data []byte) (err error)
- func (k *KeyRingEd25519) AddSignature(identity, from string, signature *Signature) error
- func (k *KeyRingEd25519) CreatePrivate(password *memguard.LockedBuffer) (err error)
- func (k *KeyRingEd25519) Export(identity string) ([]byte, error)
- func (k *KeyRingEd25519) GetPublic(identity string) (data []byte, trust TrustLevel, err error)
- func (k *KeyRingEd25519) GetSignatures(identity string) map[string]*Signature
- func (k *KeyRingEd25519) Import(data []byte, identity string, trust TrustLevel) error
- func (k *KeyRingEd25519) ListPublic() []ListedKey
- func (k *KeyRingEd25519) LockPrivate() (err error)
- func (k *KeyRingEd25519) Locked() bool
- func (k *KeyRingEd25519) MarshalBinary() ([]byte, error)
- func (k *KeyRingEd25519) RemovePublic(identity string)
- func (k *KeyRingEd25519) Sign(cleartext []byte) (signature []byte, err error)
- func (k *KeyRingEd25519) Trusted(identity string) error
- func (k *KeyRingEd25519) UnlockPrivate(password *memguard.LockedBuffer) (err error)
- func (k *KeyRingEd25519) UnmarshalBinary(data []byte) error
- func (k *KeyRingEd25519) Verify(from string, cleartext, signature []byte) error
- type ListedKey
- type PrivateKeyHolder
- type PublicKeysHolder
- type Signature
- type TrustLevel
Constants
This section is empty.
Variables
var (
	ErrKeyRingLocked    = errors.New("keyring is locked")
	ErrInvalidIdentity  = errors.New("invalid identity")
	ErrInvalidPublicKey = errors.New("invalid public key")
	ErrInvalidSignature = errors.New("invalid signature")
)
Error messages.
var TrustThreshold = TrustHIGH
TrustThreshold is the default required TrustLevel for a verification operation.
Functions
func Fingerprint
func Fingerprint(data []byte) string
Fingerprint is a helper function to get a human-friendly representation of a key.
Types
type ByIdentity
type ByIdentity []ListedKey
ByIdentity is a helper to sort ListedKey values by their identity.
func (ByIdentity) Len
func (a ByIdentity) Len() int
func (ByIdentity) Less
func (a ByIdentity) Less(i, j int) bool
func (ByIdentity) Swap
func (a ByIdentity) Swap(i, j int)
type ErrInsufficientTrust
ErrInsufficientTrust is returned when a verification cannot be performed because of insufficient trust in the signer's public key.
func (ErrInsufficientTrust) Error
func (e ErrInsufficientTrust) Error() string
Error returns the error's string value.
type ErrUnknownIdentity
type ErrUnknownIdentity struct {
	I string
}
ErrUnknownIdentity is returned when an operation is requested for an unknown identity.
func (ErrUnknownIdentity) Error
func (e ErrUnknownIdentity) Error() string
Error returns the error's string value.
type Exporter
type Exporter interface {
	encoding.BinaryMarshaler
	Export(identity string) ([]byte, error)
}
Exporter shall export a particular credential or a whole set.
type Importer
type Importer interface {
	encoding.BinaryUnmarshaler
	Import(data []byte, identity string, trust TrustLevel) error
}
Importer shall import a particular credential or a whole set.
type KeyEd25519
type KeyEd25519 struct {
	Public     ed25519.PublicKey
	Signatures map[string]*Signature
	// contains filtered or unexported fields
}
KeyEd25519 is the representation of a Key for the KeyRingEd25519.
func (*KeyEd25519) Info
func (k *KeyEd25519) Info() (identity string, data []byte, trust TrustLevel)
Info shall be used to get basic information about this key.
type KeyRing
type KeyRing interface {
	PrivateKeyHolder
	PublicKeysHolder
	Exporter
	Importer
}
KeyRing shall store private and public keys while providing cryptographic functions.
type KeyRingEd25519
type KeyRingEd25519 struct {
	// contains filtered or unexported fields
}
KeyRingEd25519 is a KeyRing that saves its data as PEM and uses the Ed25519 high-speed, high-security signature algorithm.
This KeyRing also provides a lazy web-of-trust computation feature, similar to PGP's web of trust.
func NewKeyRingEd25519
func NewKeyRingEd25519() *KeyRingEd25519
NewKeyRingEd25519 instantiates a new KeyRingEd25519. It MUST be called to create a new KeyRing.
func (*KeyRingEd25519) AddPublic
func (k *KeyRingEd25519) AddPublic(identity string, trust TrustLevel, data []byte) (err error)
AddPublic adds a public key to the keyring, or overwrites an existing one. It resets the related signatures if the key is modified.
This function is thread-safe.
func (*KeyRingEd25519) AddSignature
func (k *KeyRingEd25519) AddSignature(identity, from string, signature *Signature) error
AddSignature adds a signature to the identity, from signer "from". If "from" is the empty string, the KeyRing adds a new signature to the identity using its own private key.
It may return ErrKeyRingLocked or ErrUnknownIdentity.
This function is thread-safe.
func (*KeyRingEd25519) CreatePrivate
func (k *KeyRingEd25519) CreatePrivate(password *memguard.LockedBuffer) (err error)
CreatePrivate generates a new Ed25519 private key and its associated PEM-armored block.
func (*KeyRingEd25519) Export
func (k *KeyRingEd25519) Export(identity string) ([]byte, error)
Export exports a public key to a PEM block.
func (*KeyRingEd25519) GetPublic
func (k *KeyRingEd25519) GetPublic(identity string) (data []byte, trust TrustLevel, err error)
GetPublic returns the stored public key for the provided identity. Providing the empty identity returns the keyring's own public key.
It may return ErrKeyRingLocked or ErrUnknownIdentity.
This function is thread-safe.
func (*KeyRingEd25519) GetSignatures
func (k *KeyRingEd25519) GetSignatures(identity string) map[string]*Signature
GetSignatures returns a map of (signer, signature) pairs where the provided identity is the signee. This function is thread-safe.
func (*KeyRingEd25519) Import
func (k *KeyRingEd25519) Import(data []byte, identity string, trust TrustLevel) error
Import imports a public PEM block into the keyring. The identity must be defined, and third-party signatures are verified afterwards.
This function accepts the following results of function Export:
- Local exports (without any headers)
- Third-party exports (with the "identity" header set)
- If the provided identity differs from the "identity" header, an error is returned
This function is thread-safe.
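The Export/Import rules above (headerless local exports, third-party exports carrying an "identity" header, and rejection when the caller's identity does not match that header), as an added example that is not the sec package's own code. It uses only the standard library's encoding/pem and crypto/ed25519; the PEM block type "ED25519 PUBLIC KEY", the function names exportPublic/importPublic and the sample identities are assumptions, since the page does not state the real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/pem"
	"errors"
	"fmt"
)

// Mirrors of the package's documented error values.
var (
	ErrInvalidIdentity  = errors.New("invalid identity")
	ErrInvalidPublicKey = errors.New("invalid public key")
)

// blockType is an assumed PEM type label; the page does not state the real one.
const blockType = "ED25519 PUBLIC KEY"

// exportPublic armors a raw Ed25519 public key. With identity == "" it yields a
// local export (no headers); otherwise a third-party export carrying the
// "identity" header that Import looks for.
func exportPublic(pub ed25519.PublicKey, identity string) []byte {
	block := &pem.Block{Type: blockType, Bytes: pub}
	if identity != "" {
		block.Headers = map[string]string{"identity": identity}
	}
	return pem.EncodeToMemory(block)
}

// importPublic applies the rules listed for Import: the caller must name an
// identity, an "identity" header (if present) must match it, and the payload
// must be a well-formed Ed25519 public key.
func importPublic(data []byte, identity string) (ed25519.PublicKey, error) {
	if identity == "" {
		return nil, ErrInvalidIdentity
	}
	block, _ := pem.Decode(data)
	if block == nil || block.Type != blockType {
		return nil, ErrInvalidPublicKey
	}
	if h, ok := block.Headers["identity"]; ok && h != identity {
		return nil, fmt.Errorf("%w: header %q does not match %q", ErrInvalidIdentity, h, identity)
	}
	if len(block.Bytes) != ed25519.PublicKeySize {
		return nil, ErrInvalidPublicKey
	}
	return ed25519.PublicKey(block.Bytes), nil
}

func main() {
	pub, _, err := ed25519.GenerateKey(rand.Reader) // constructed throwaway key
	if err != nil {
		panic(err)
	}
	third := exportPublic(pub, "alice")
	fmt.Print(string(third))
	_, err = importPublic(third, "alice")
	fmt.Println("same identity:", err)
	_, err = importPublic(third, "mallory")
	fmt.Println("mismatched identity:", err)
	_, err = importPublic(exportPublic(pub, ""), "bob")
	fmt.Println("local export under any identity:", err)
}
```

The header check is the part worth keeping in mind as a defender: a local export carries no identity, so the caller's identity is binding, whereas a third-party export is bound to the identity its exporter wrote, and importing it under a different name is refused rather than silently re-labelled.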
func (*KeyRingEd25519) ListPublic
func (k *KeyRingEd25519) ListPublic() []ListedKey
ListPublic returns every stored public key. The self public key is also included.
func (*KeyRingEd25519) LockPrivate
func (k *KeyRingEd25519) LockPrivate() (err error)
LockPrivate locks the KeyRing by removing any remaining clear private key data in memory.
func (*KeyRingEd25519) Locked
func (k *KeyRingEd25519) Locked() bool
Locked returns whether the KeyRing is currently locked (no private key in cleartext in memory) or not.
func (*KeyRingEd25519) MarshalBinary
func (k *KeyRingEd25519) MarshalBinary() ([]byte, error)
MarshalBinary returns a PEM-armored version of this KeyRing.
func (*KeyRingEd25519) RemovePublic
func (k *KeyRingEd25519) RemovePublic(identity string)
RemovePublic removes a key from the KeyRing. This function is thread-safe.
func (*KeyRingEd25519) Sign
func (k *KeyRingEd25519) Sign(cleartext []byte) (signature []byte, err error)
Sign signs the message with the unlocked private key. This function is thread-safe.
func (*KeyRingEd25519) Trusted
func (k *KeyRingEd25519) Trusted(identity string) error
Trusted shall return nil if an identity is currently trusted by the keyring.
It may return ErrUnknownIdentity or ErrInsufficientTrust.
This function is thread-safe.
func (*KeyRingEd25519) UnlockPrivate
func (k *KeyRingEd25519) UnlockPrivate(password *memguard.LockedBuffer) (err error)
UnlockPrivate tries to decipher the private key block in memory.
func (*KeyRingEd25519) UnmarshalBinary
func (k *KeyRingEd25519) UnmarshalBinary(data []byte) error
UnmarshalBinary rebuilds a KeyRing from its PEM-armored version.
- It may not return an error when a parse error is encountered;
- NewKeyRingEd25519 must be called beforehand to instantiate the KeyRing.
func (*KeyRingEd25519) Verify
func (k *KeyRingEd25519) Verify(from string, cleartext, signature []byte) error
Verify checks the message signed by "from". The sum of the local trust and the third-party trust levels must be greater than or equal to TrustThreshold.
It may return ErrUnknownIdentity, ErrInsufficientTrust or ErrInvalidSignature.
This function is thread-safe.
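The trust rule Verify states (local trust plus third-party signature trust must reach TrustThreshold) together with the TrustLevel arithmetic documented further down, as an added worked example that is not the sec package's own code. TrustLevel and its values, TrustThreshold, the Signature struct and the error names are taken from this page; the saturating behaviour of Add, the payload a third-party signature covers (the signee's raw public key), the field of ErrInsufficientTrust, the check order, and the stand-in ring/key types and their method names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type TrustLevel byte // values as documented for the sec package
const (
	TrustNONE     TrustLevel = 0x00
	TrustLOW      TrustLevel = 0x01
	TrustHIGH     TrustLevel = 0x03
	TrustULTIMATE TrustLevel = 0xff
)

var TrustThreshold = TrustHIGH // the package default

// Add is read here as a saturating addition (assumption): no wrap-around.
func (t TrustLevel) Add(t2 TrustLevel) TrustLevel {
	if uint16(t)+uint16(t2) > uint16(TrustULTIMATE) {
		return TrustULTIMATE
	}
	return t + t2
}

var ErrInvalidSignature = errors.New("invalid signature")

type ErrUnknownIdentity struct{ I string }
func (e ErrUnknownIdentity) Error() string { return "unknown identity " + e.I }

type ErrInsufficientTrust struct{ I string } // field assumed; the page documents only its purpose
func (e ErrInsufficientTrust) Error() string { return "insufficient trust in " + e.I }

// Signature mirrors the documented struct; key and ring are stand-ins for the
// package's unexported state (not thread-safe, unlike KeyRingEd25519).
type Signature struct {
	Data  []byte
	Trust TrustLevel
}

type key struct {
	pub        ed25519.PublicKey
	trust      TrustLevel            // local trust
	signatures map[string]*Signature // signer identity -> signature over pub
}

type ring struct{ keys map[string]*key }

func (r *ring) addPublic(identity string, trust TrustLevel, pub ed25519.PublicKey) {
	r.keys[identity] = &key{pub: pub, trust: trust, signatures: map[string]*Signature{}}
}

// effectiveTrust is the local trust plus the Trust of every third-party signature
// that verifies under the signer's stored key (payload assumed: signee's raw public key).
func (r *ring) effectiveTrust(identity string) (TrustLevel, error) {
	k, ok := r.keys[identity]
	if !ok {
		return TrustNONE, ErrUnknownIdentity{identity}
	}
	total := k.trust
	for signer, sig := range k.signatures {
		sk, known := r.keys[signer]
		if !known || !ed25519.Verify(sk.pub, k.pub, sig.Data) {
			continue // unknown signer or forged endorsement adds nothing
		}
		total = total.Add(sig.Trust)
	}
	return total, nil
}

// verify applies the documented rule: effective trust must reach TrustThreshold
// before the Ed25519 signature itself is checked.
func (r *ring) verify(from string, cleartext, signature []byte) error {
	trust, err := r.effectiveTrust(from)
	if err != nil {
		return err
	}
	if trust < TrustThreshold {
		return ErrInsufficientTrust{from}
	}
	if !ed25519.Verify(r.keys[from].pub, cleartext, signature) {
		return ErrInvalidSignature
	}
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	r := &ring{keys: map[string]*key{}}
	r.addPublic("alice", TrustULTIMATE, alicePub)
	r.addPublic("bob", TrustLOW, bobPub)
	msg := []byte("constructed message")
	sig := ed25519.Sign(bobPriv, msg)
	fmt.Println(r.verify("bob", msg, sig)) // insufficient trust: LOW < HIGH
	r.keys["bob"].signatures["alice"] = &Signature{Data: ed25519.Sign(alicePriv, bobPub), Trust: TrustHIGH}
	fmt.Println(r.verify("bob", msg, sig), r.verify("bob", []byte("tampered"), sig)) // LOW + HIGH >= HIGH
}
```

Two properties of this model matter for detection and review: an endorsement that does not verify under the stored key of its claimed signer contributes nothing, so a forged or stale signature cannot lift an identity over the threshold, and Add saturates at TrustULTIMATE, so stacking endorsements can never overflow the byte back to a low level.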
type ListedKey
type ListedKey interface {
	Info() (identity string, data []byte, trust TrustLevel)
}
ListedKey shall contain one function returning basic information about a key.
type PrivateKeyHolder
type PrivateKeyHolder interface {
	Locked() bool
	LockPrivate() error
	UnlockPrivate(password *memguard.LockedBuffer) error
	CreatePrivate(password *memguard.LockedBuffer) error
	Sign(cleartext []byte) (signature []byte, err error)
}
PrivateKeyHolder shall be designed to safely keep one private key.
type PublicKeysHolder
type PublicKeysHolder interface {
	AddPublic(identity string, trust TrustLevel, data []byte) error
	ListPublic() []ListedKey
	GetPublic(identity string) (data []byte, trust TrustLevel, err error)
	RemovePublic(identity string)
	GetSignatures(identity string) map[string]*Signature
	AddSignature(identity, from string, signature *Signature) error
	Verify(from string, cleartext, signature []byte) (err error)
	Trusted(identity string) error
}
PublicKeysHolder shall be designed to keep several public keys and associated signatures.
type Signature
type Signature struct {
	Data  []byte
	Trust TrustLevel
}
Signature represents a local or third-party public key's signature.
type TrustLevel
type TrustLevel byte
TrustLevel is a representation of a public key's trust.
const (
	TrustNONE     TrustLevel = 0x00
	TrustLOW      TrustLevel = 0x01
	TrustHIGH     TrustLevel = 0x03
	TrustULTIMATE TrustLevel = 0xff
)
TrustLevel available values.
func ParseTrust
func ParseTrust(trust string) (TrustLevel, error)
ParseTrust returns a TrustLevel from its string representation.
func (TrustLevel) Add
func (t TrustLevel) Add(t2 TrustLevel) TrustLevel
Add returns a safe addition between two TrustLevels.
func (TrustLevel) Min
func (t TrustLevel) Min(t2 TrustLevel) TrustLevel
Min returns the minimum value between two TrustLevels.
func (TrustLevel) String
func (t TrustLevel) String() string