keys

package

v11.3.4 Latest Latest Go to latest Published: Dec 14, 2022 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/zmb3/teleport

Documentation ¶

Overview ¶

Package keys defines common interfaces for Teleport client keys.

Index ¶

Constants
func IsPrivateKeyPolicyError(err error) bool
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)
func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)
type AttestationData
type AttestationStatement
- func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement
- func GetAttestationStatement(priv *PrivateKey) (*AttestationStatement, error)
type HardwareSigner
type PrivateKey
type PrivateKeyPolicy
- func GetPrivateKeyPolicy(priv *PrivateKey) PrivateKeyPolicy
- func ParsePrivateKeyPolicyError(err error) (PrivateKeyPolicy, error)
- func (p PrivateKeyPolicy) VerifyPolicy(policy PrivateKeyPolicy) error

Constants ¶

View Source

const (
	PKCS1PrivateKeyType = "RSA PRIVATE KEY"
	PKCS8PrivateKeyType = "PRIVATE KEY"
	ECPrivateKeyType    = "EC PRIVATE KEY"
)

Variables ¶

This section is empty.

Functions ¶

func IsPrivateKeyPolicyError ¶

func IsPrivateKeyPolicyError(err error) bool

IsPrivateKeyPolicyError returns true if the given error is a private key policy error.

func LoadX509KeyPair ¶

func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPair parse a tls.Certificate from a private key file and certificate file. This should be used instead of tls.LoadX509KeyPair to support non-raw private keys, like PIV keys.

func NewPrivateKeyPolicyError ¶

func NewPrivateKeyPolicyError(p PrivateKeyPolicy) error

func X509KeyPair ¶

func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error)

X509KeyPair parse a tls.Certificate from a private key PEM and certificate PEM. This should be used instead of tls.X509KeyPair to support non-raw private keys, like PIV keys.

Types ¶

type AttestationData ¶

type AttestationData struct {
	// PublicKeyDER is the public key in PKIX, ASN.1 DER form.
	PublicKeyDER []byte `json:"public_key"`
	// PrivateKeyPolicy specifies the private key policy supported by the associated private key.
	PrivateKeyPolicy PrivateKeyPolicy `json:"private_key_policy"`
}

AttestationData is verified attestation data for a public key.

type AttestationStatement ¶

type AttestationStatement attestation.AttestationStatement

AttestationStatement is an attestation statement for a hardware private key that supports json marshaling through the standard json/encoding package.

func AttestationStatementFromProto ¶

func AttestationStatementFromProto(att *attestation.AttestationStatement) *AttestationStatement

AttestationStatementFromProto converts an AttestationStatement from its protobuf form.

func GetAttestationStatement ¶

func GetAttestationStatement(priv *PrivateKey) (*AttestationStatement, error)

GetAttestationStatement returns an AttestationStatement for the given private key. If the given private key does not have a HardwareSigner, then a nil statement and error will be returned.

func (*AttestationStatement) MarshalJSON ¶

func (ar *AttestationStatement) MarshalJSON() ([]byte, error)

MarshalJSON implements custom protobuf json marshaling.

func (*AttestationStatement) ToProto ¶

func (ar *AttestationStatement) ToProto() *attestation.AttestationStatement

ToProto converts this AttestationStatement to its protobuf form.

func (*AttestationStatement) UnmarshalJSON ¶

func (ar *AttestationStatement) UnmarshalJSON(buf []byte) error

UnmarshalJSON implements custom protobuf json unmarshaling.

type HardwareSigner ¶

type HardwareSigner interface {
	crypto.Signer

	// GetAttestationStatement returns an AttestationStatement for this private key.
	GetAttestationStatement() (*AttestationStatement, error)

	// GetPrivateKeyPolicy returns the PrivateKeyPolicy supported by this private key.
	GetPrivateKeyPolicy() PrivateKeyPolicy
}

HardwareSigner is a crypto.Signer which can be attested as being backed by a hardware key. This enables the ability to enforce hardware key private key policies.

type PrivateKey ¶

type PrivateKey struct {
	crypto.Signer
	// contains filtered or unexported fields
}

PrivateKey implements crypto.Signer with additional helper methods. The underlying private key may be a standard crypto.Signer implemented in the standard library (aka *rsa.PrivateKey, *ecdsa.PrivateKey, or ed25519.PrivateKey), or it may be a custom implementation for a non-standard private key, such as a hardware key.

func GetOrGenerateYubiKeyPrivateKey ¶

func GetOrGenerateYubiKeyPrivateKey(touchRequired bool) (*PrivateKey, error)

func LoadKeyPair ¶

func LoadKeyPair(privFile, sshPubFile string) (*PrivateKey, error)

LoadKeyPair returns the PrivateKey for the given private and public key files.

func LoadPrivateKey ¶

func LoadPrivateKey(keyFile string) (*PrivateKey, error)

LoadPrivateKey returns the PrivateKey for the given key file.

func NewPrivateKey ¶

func NewPrivateKey(signer crypto.Signer, keyPEM []byte) (*PrivateKey, error)

NewPrivateKey returns a new PrivateKey for the given crypto.Signer.

func ParseKeyPair ¶

func ParseKeyPair(privPEM, marshalledSSHPub []byte) (*PrivateKey, error)

ParseKeyPair returns the PrivateKey for the given private and public key PEM blocks.

func ParsePrivateKey ¶

func ParsePrivateKey(keyPEM []byte) (*PrivateKey, error)

ParsePrivateKey returns the PrivateKey for the given key PEM block.

func (*PrivateKey) AsAgentKey ¶

func (k *PrivateKey) AsAgentKey(sshCert *ssh.Certificate) (agent.AddedKey, error)

AsAgentKey converts PrivateKey to a agent.AddedKey. If the given PrivateKey is not supported as an agent key, a trace.NotImplemented error is returned.

func (*PrivateKey) MarshalSSHPublicKey ¶

func (k *PrivateKey) MarshalSSHPublicKey() []byte

SSHPublicKey returns the ssh.PublicKey representiation of the public key.

func (*PrivateKey) PPKFile ¶

func (k *PrivateKey) PPKFile() ([]byte, error)

PPKFile returns a PuTTY PPK-formatted keypair

func (*PrivateKey) PrivateKeyPEM ¶

func (k *PrivateKey) PrivateKeyPEM() []byte

PrivateKeyPEM returns PEM encoded private key data. This may be data necessary to retrieve the key, such as a YubiKey serial number and slot, or it can be a PKCS marshaled private key.

The resulting PEM encoded data should only be decoded with ParsePrivateKey to prevent errors from parsing non PKCS marshaled keys, such as a PIV key.

func (*PrivateKey) RSAPrivateKeyPEM ¶

func (k *PrivateKey) RSAPrivateKeyPEM() ([]byte, error)

RSAPrivateKeyPEM returns a PEM encoded RSA private key for the given key. If the given key is not an RSA key, then an error will be returned.

This is used by some integrations which currently only support raw RSA private keys, like Kubernetes, MongoDB, and PPK files for windows.

func (*PrivateKey) SSHPublicKey ¶

func (k *PrivateKey) SSHPublicKey() ssh.PublicKey

SSHPublicKey returns the ssh.PublicKey representiation of the public key.

func (*PrivateKey) TLSCertificate ¶

func (k *PrivateKey) TLSCertificate(certPEMBlock []byte) (tls.Certificate, error)

TLSCertificate parses the given TLS certificate(s) paired with the private key to rerturn a tls.Certificate, ready to be used in a TLS handshake.

type PrivateKeyPolicy ¶

type PrivateKeyPolicy string

PrivateKeyPolicy is a requirement for client private key storage.

const (
	// PrivateKeyPolicyNone means that the client can store their private keys
	// anywhere (usually on disk).
	PrivateKeyPolicyNone PrivateKeyPolicy = "none"
	// PrivateKeyPolicyHardwareKey means that the client must use a valid
	// hardware key to generate and store their private keys securely.
	PrivateKeyPolicyHardwareKey PrivateKeyPolicy = "hardware_key"
	// PrivateKeyPolicyHardwareKeyTouch means that the client must use a valid
	// hardware key to generate and store their private keys securely, and
	// this key must require touch to be accessed and used.
	PrivateKeyPolicyHardwareKeyTouch PrivateKeyPolicy = "hardware_key_touch"
)

func GetPrivateKeyPolicy ¶

func GetPrivateKeyPolicy(priv *PrivateKey) PrivateKeyPolicy

GetPrivateKeyPolicy returns the PrivateKeyPolicy that applies to the given private key.

func ParsePrivateKeyPolicyError ¶

func ParsePrivateKeyPolicyError(err error) (PrivateKeyPolicy, error)

ParsePrivateKeyPolicyError checks if the given error is a private key policy error and returns the contained unmet PrivateKeyPolicy.

func (PrivateKeyPolicy) VerifyPolicy ¶

func (p PrivateKeyPolicy) VerifyPolicy(policy PrivateKeyPolicy) error

VerifyPolicy verifies that the given policy meets the requirements of this policy. If not, it will return a private key policy error, which can be parsed to retrieve the unmet policy.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL