ehsm

package module
v0.4.0
Published: Sep 4, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

README

Start the EHSM service from source

./run_with_single.sh

Let cosign load the EHSM provider

After configuring the Go environment, add the provider package to the imports of cosign's main.go file:

_ "github.com/syan10/sigstore/pkg/signature/kms/ehsm"

Update the module dependencies and rebuild cosign:

go mod tidy
go install ./cmd/cosign

Use EHSM from cosign

Set the environment variables EHSM_APPID, EHSM_APIKEY and EHSM_ADDR, for example:

export EHSM_APPID=49b84175-1a82-419d-be35-fba6bc85ee69
export EHSM_APIKEY=B8FM3GVex6FAP45yeDuwSvuShjtn3gEJ
export EHSM_ADDR=https://10.112.241.110:9002

Generate keys

To generate keys with the KMS provider, run the command below. It writes cosign.pub with the public key and key files that record the key id.

cosign generate-key-pair --kms ehsm://<some key>

Sign and Verify

For example

IMAGE DIGEST = lisiteng123/ubuntu@sha256:dfa84ec91daba0fecef93302a6f5754566a0249e90626dc7d289746ae412af75

Use the key to sign and to verify:

cosign sign --key ehsm://<some key> IMAGE DIGEST
cosign verify --key ehsm://<some key> IMAGE DIGEST

Reference: https://docs.sigstore.dev/cosign/kms_support/

Documentation


Constants

const (
	EH_RSA_4096 = "EH_RSA_4096"
	EH_RSA_3072 = "EH_RSA_3072"
	EH_RSA_2048 = "EH_RSA_2048"
	EH_EC_P256  = "EH_EC_P256"
	EH_EC_P256K = "EH_EC_P256K"
	EH_EC_P224  = "EH_EC_P224"
	EH_EC_P384  = "EH_EC_P384"
	EH_EC_P521  = "EH_EC_P521"
)

const (

	// ReferenceScheme schemes for various KMS services are copied from https://github.com/google/go-cloud/tree/master/secrets
	ReferenceScheme = "ehsm://"
)

Variables

This section is empty.

Functions

func ValidReference

func ValidReference(ref string) error

ValidReference returns a non-nil error if the reference string is invalid
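The README's environment configuration and the ValidReference function above are the two places where a caller's input meets the provider. The following program is an added example, not the project's own code: a local stand-in for ValidReference (its exact rules are an assumption, the provider only documents that an invalid reference yields a non-nil error), a loader for the three EHSM_* variables that refuses a plaintext EHSM_ADDR because the API key is a bearer credential, and a check against the algorithm names the package declares as constants. The sample environment values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ReferenceScheme and the algorithm names are the ones the package documents.
const ReferenceScheme = "ehsm://"

var supportedAlgorithms = []string{
	"EH_RSA_4096", "EH_RSA_3072", "EH_RSA_2048",
	"EH_EC_P256", "EH_EC_P256K", "EH_EC_P224", "EH_EC_P384", "EH_EC_P521",
}

// ValidReference is a local stand-in (assumption, not the provider's code):
// accept only "ehsm://<keyid>" with a non-empty key id and none of the
// path, query or fragment characters that could alter a request URL.
func ValidReference(ref string) error {
	if !strings.HasPrefix(ref, ReferenceScheme) {
		return fmt.Errorf("reference %q must start with %q", ref, ReferenceScheme)
	}
	keyID := strings.TrimPrefix(ref, ReferenceScheme)
	if keyID == "" {
		return errors.New("reference has an empty key id")
	}
	if strings.ContainsAny(keyID, "/?#") {
		return fmt.Errorf("key id %q must not contain '/', '?' or '#'", keyID)
	}
	return nil
}

// Config holds the three settings the README takes from the environment.
type Config struct {
	AppID  string
	APIKey string
	Addr   string
}

// ConfigFromEnv reads EHSM_APPID, EHSM_APIKEY and EHSM_ADDR through a lookup
// function (pass os.LookupEnv in real use) so it can be tested offline.
func ConfigFromEnv(lookup func(string) (string, bool)) (Config, error) {
	var c Config
	var missing []string
	for _, v := range []struct {
		name string
		dst  *string
	}{{"EHSM_APPID", &c.AppID}, {"EHSM_APIKEY", &c.APIKey}, {"EHSM_ADDR", &c.Addr}} {
		val, ok := lookup(v.name)
		if !ok || val == "" {
			missing = append(missing, v.name)
		}
		*v.dst = val
	}
	if len(missing) > 0 {
		return Config{}, fmt.Errorf("missing environment variables: %s", strings.Join(missing, ", "))
	}
	u, err := url.Parse(c.Addr)
	if err != nil || u.Host == "" {
		return Config{}, fmt.Errorf("EHSM_ADDR %q is not an absolute URL", c.Addr)
	}
	// EHSM_APIKEY is a bearer credential: refuse to send it over plaintext HTTP.
	if u.Scheme != "https" {
		return Config{}, fmt.Errorf("EHSM_ADDR must use https, got scheme %q", u.Scheme)
	}
	return c, nil
}

// SupportedAlgorithm reports whether alg is one of the documented EHSM names.
func SupportedAlgorithm(alg string) bool {
	for _, a := range supportedAlgorithms {
		if a == alg {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample environment; real callers pass os.LookupEnv.
	env := map[string]string{
		"EHSM_APPID":  "00000000-0000-0000-0000-000000000000",
		"EHSM_APIKEY": "constructed-api-key",
		"EHSM_ADDR":   "https://ehsm.example:9002",
	}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	cfg, err := ConfigFromEnv(lookup)
	// The API key is deliberately not printed: keep credentials out of logs.
	fmt.Printf("addr=%s appid=%s err=%v\n", cfg.Addr, cfg.AppID, err)
	for _, ref := range []string{"ehsm://cosign-key", "ehsm://", "gcpkms://x", "ehsm://k?x=1"} {
		fmt.Printf("%-18s -> %v\n", ref, ValidReference(ref))
	}
	fmt.Println("EH_EC_P256 supported:", SupportedAlgorithm("EH_EC_P256"))
}
```

In a real integration the lookup argument is simply os.LookupEnv; the indirection exists only so the validation can be exercised without touching the process environment.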

Types

type SignerVerifier

type SignerVerifier struct {
	// contains filtered or unexported fields
}

SignerVerifier creates and verifies digital signatures over a message using EHSM KMS service

func LoadSignerVerifier

func LoadSignerVerifier(referenceStr string, hashFunc crypto.Hash, opts ...signature.RPCOption) (*SignerVerifier, error)

LoadSignerVerifier generates signatures using the specified key object in Ehsm and hash algorithm.

It also can verify signatures (via a remote call to the Ehsm instance). hashFunc should be set to crypto.Hash(0) if the key referred to by referenceStr is an ED25519 signing key.

func (SignerVerifier) CreateKey

func (e SignerVerifier) CreateKey(_ context.Context, algorithm string) (crypto.PublicKey, error)

CreateKey attempts to create a new key in ehsm with the specified algorithm.

func (*SignerVerifier) CryptoSigner

func (e *SignerVerifier) CryptoSigner(ctx context.Context, errFunc func(error)) (crypto.Signer, crypto.SignerOpts, error)

CryptoSigner returns a crypto.Signer object that uses the underlying SignerVerifier, along with a crypto.SignerOpts object that allows the KMS to be used in APIs that only accept the standard golang objects

func (*SignerVerifier) DefaultAlgorithm

func (*SignerVerifier) DefaultAlgorithm() string

DefaultAlgorithm returns the default algorithm for the EHSM service

func (SignerVerifier) PublicKey

PublicKey returns the public key that can be used to verify signatures created by this signer. All options provided in arguments to this method are ignored.

func (SignerVerifier) SignMessage

func (e SignerVerifier) SignMessage(message io.Reader, opts ...signature.SignOption) ([]byte, error)

SignMessage signs the provided message using Ehsm KMS. If the message is provided, this method will compute the digest according to the hash function specified when the SignerVerifier was created.

SignMessage recognizes the following Options listed in order of preference:

- WithDigest()

All other options are ignored if specified.

func (*SignerVerifier) SupportedAlgorithms

func (*SignerVerifier) SupportedAlgorithms() []string

SupportedAlgorithms returns the list of algorithms supported by the EHSM service

func (SignerVerifier) VerifySignature

func (e SignerVerifier) VerifySignature(sig, message io.Reader, opts ...signature.VerifyOption) error

VerifySignature verifies the signature for the given message. Unless provided in an option, the digest of the message will be computed using the hash function specified when the SignerVerifier was created.

This function returns nil if the verification succeeded, and an error message otherwise.

This function recognizes the following Options listed in order of preference:

- WithDigest()

- WithCryptoSignerOpts()

All other options are ignored if specified.
