Documentation ¶
Index ¶
- Constants
- Variables
- func Parent(name string) (string, string)
- type Attestation
- type AttestationAttribute
- type AttestationCertChain
- type CloudKMS
- func (k *CloudKMS) Close() error
- func (k *CloudKMS) CreateDecrypter(req *apiv1.CreateDecrypterRequest) (crypto.Decrypter, error)
- func (k *CloudKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
- func (k *CloudKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
- func (k *CloudKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
- func (k *CloudKMS) VerifyAttestation(ctx context.Context, name string) (*Attestation, error)
- type Decrypter
- type KeyManagementClient
- type Signer
Constants ¶
const Scheme = string(apiv1.CloudKMS)
Scheme is the scheme used in uris, the string "cloudkms".
Variables ¶
var ErrTooManyRetries = errors.New("too many retries")
ErrTooManyRetries is returned when a method gives up after attempting too many retries.
Functions ¶
Types ¶
type Attestation ¶ added in v0.61.0
type Attestation struct {
	Valid                  bool
	Generated              bool
	Extractable            bool
	KeyType                string
	Algorithm              string
	Format                 string
	Content                []byte
	CertChain              *AttestationCertChain
	PublicKeyAttributes    []AttestationAttribute
	PrivateKeyAttributes   []AttestationAttribute
	SymmetricKeyAttributes []AttestationAttribute
}
type AttestationAttribute ¶ added in v0.61.0
func (AttestationAttribute) String ¶ added in v0.61.0
func (v AttestationAttribute) String() string
type AttestationCertChain ¶ added in v0.61.0
type CloudKMS ¶
type CloudKMS struct {
// contains filtered or unexported fields
}
CloudKMS implements a KMS using Google's Cloud apiv1.
func NewCloudKMS ¶
func NewCloudKMS(client KeyManagementClient) *CloudKMS
NewCloudKMS creates a CloudKMS with a given client.
func (*CloudKMS) CreateDecrypter ¶ added in v0.31.0
func (k *CloudKMS) CreateDecrypter(req *apiv1.CreateDecrypterRequest) (crypto.Decrypter, error)
CreateDecrypter implements the apiv1.Decrypter interface and returns a crypto.Decrypter backed by a decryption key in Google Cloud KMS.
func (*CloudKMS) CreateKey ¶
func (k *CloudKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateKey creates a new asymmetric signing key in Google Cloud KMS.
func (*CloudKMS) CreateSigner ¶
func (k *CloudKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
CreateSigner returns a new cloudkms signer configured with the given signing key name.
func (*CloudKMS) GetPublicKey ¶
func (k *CloudKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
GetPublicKey retrieves a public key from Google Cloud KMS by name. The name must be a full cryptoKeyVersion resource name following the pattern:
projects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})/cryptoKeyVersions/([a-zA-Z0-9_-]{1,63})
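The pattern above is only useful if it is applied strictly. The following is an added example, not code from this package: it anchors the pattern with ^ and $ (the page shows the bare pattern, so the anchoring is an assumption on my part), rejects names that stop at the cryptoKey level or carry characters outside the allowed set before any API call is made, and splits a valid name into its components. The KeyVersion type and ParseKeyVersionName function are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// keyVersionName is the page's cryptoKeyVersion pattern, anchored so that a
// name with extra text before or after the resource path is rejected instead
// of partially matching (the unanchored pattern would accept it).
var keyVersionName = regexp.MustCompile(`^projects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})/cryptoKeyVersions/([a-zA-Z0-9_-]{1,63})$`)

// KeyVersion holds the components of a parsed cryptoKeyVersion name
// (hypothetical type for this example).
type KeyVersion struct {
	Project, Location, KeyRing, CryptoKey, Version string
}

// CryptoKeyName returns the resource name of the cryptoKey that owns this
// version, i.e. the name with the trailing cryptoKeyVersions component removed.
func (v KeyVersion) CryptoKeyName() string {
	return fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		v.Project, v.Location, v.KeyRing, v.CryptoKey)
}

// ParseKeyVersionName validates name against the anchored pattern and splits
// it into its components. Names that stop at the cryptoKey level, or that
// contain characters outside the allowed set, are rejected client-side.
func ParseKeyVersionName(name string) (KeyVersion, error) {
	m := keyVersionName.FindStringSubmatch(name)
	if m == nil {
		return KeyVersion{}, errors.New("cloudkms: invalid cryptoKeyVersion name: " + name)
	}
	return KeyVersion{
		Project:   m[1],
		Location:  m[2],
		KeyRing:   m[3],
		CryptoKey: m[4],
		Version:   m[5],
	}, nil
}

func main() {
	// Constructed sample names: the first is a complete cryptoKeyVersion, the
	// second stops at the cryptoKey and must be rejected.
	for _, n := range []string{
		"projects/my-project/locations/global/keyRings/ca-ring/cryptoKeys/root/cryptoKeyVersions/1",
		"projects/my-project/locations/global/keyRings/ca-ring/cryptoKeys/root",
	} {
		v, err := ParseKeyVersionName(n)
		fmt.Printf("%q -> %+v err=%v\n", n, v, err)
	}
}
```

Validating the name locally gives a clear error for a key name that was truncated in configuration, rather than an opaque NotFound or InvalidArgument from the service.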
func (*CloudKMS) VerifyAttestation ¶ added in v0.61.0
func (k *CloudKMS) VerifyAttestation(ctx context.Context, name string) (*Attestation, error)
VerifyAttestation obtains and validates the attestation from an object in Cloud HSM.
Experimental ¶
Notice: This API is EXPERIMENTAL and may be changed or removed in a later release.
type Decrypter ¶ added in v0.31.0
type Decrypter struct {
// contains filtered or unexported fields
}
Decrypter implements a crypto.Decrypter using Google Cloud KMS.
func NewDecrypter ¶ added in v0.31.0
func NewDecrypter(client KeyManagementClient, decryptionKey string) (*Decrypter, error)
NewDecrypter creates a new crypto.Decrypter backed by the given Google Cloud KMS decryption key.
func (*Decrypter) Decrypt ¶ added in v0.31.0
func (d *Decrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error)
Decrypt decrypts ciphertext using the decryption key backed by Google Cloud KMS and returns the plaintext bytes. An error is returned when decryption fails. Google Cloud KMS only supports RSA keys with 2048, 3072 or 4096 bits and will always use OAEP. It supports SHA1, SHA256 and SHA512. Labels are not supported. Before calling out to GCP, some validation is performed so that known bad parameters are detected client-side and a more meaningful error is returned for those cases.
Also see https://cloud.google.com/kms/docs/algorithms#asymmetric_encryption_algorithms.
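To make the client-side validation concrete, here is an added example that is not code from this package. It implements crypto.Decrypter over a stand-in for the KMS call: validateOAEPOpts applies the constraints listed above (RSA key of 2048, 3072 or 4096 bits, OAEP only, SHA-1/SHA-256/SHA-512 only, no label) before anything is sent, and newFakeKeyVersion plays the role of a key version whose OAEP hash was fixed at creation, in place of a real KeyManagementClient. The names validateOAEPOpts, oaepDecrypter, remoteDecrypter and newFakeKeyVersion are hypothetical and the key is generated in-process.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // link the hash implementations so crypto.Hash.New works
	_ "crypto/sha256" // for the constructed key version below
	_ "crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// validateOAEPOpts applies the Cloud KMS constraints client-side so that a bad
// request fails with a meaningful error instead of a remote InvalidArgument:
// RSA keys of 2048/3072/4096 bits, OAEP padding only, SHA-1/SHA-256/SHA-512
// only, and no OAEP label. It returns the requested hash.
func validateOAEPOpts(pub *rsa.PublicKey, opts crypto.DecrypterOpts) (crypto.Hash, error) {
	switch bits := pub.N.BitLen(); bits {
	case 2048, 3072, 4096:
	default:
		return 0, fmt.Errorf("cloudkms: unsupported RSA key size %d", bits)
	}
	oaep, ok := opts.(*rsa.OAEPOptions)
	if !ok { // nil opts or PKCS1v15DecryptOptions would mean PKCS#1 v1.5
		return 0, errors.New("cloudkms: only RSA-OAEP is supported; pass *rsa.OAEPOptions")
	}
	if len(oaep.Label) != 0 {
		return 0, errors.New("cloudkms: OAEP labels are not supported")
	}
	switch oaep.Hash {
	case crypto.SHA1, crypto.SHA256, crypto.SHA512:
		return oaep.Hash, nil
	default:
		return 0, fmt.Errorf("cloudkms: unsupported OAEP hash %v", oaep.Hash)
	}
}

// remoteDecrypter stands in for KeyManagementClient.AsymmetricDecrypt: the
// service holds the private key and the key version's algorithm fixes the OAEP
// hash, so the call receives nothing but the ciphertext.
type remoteDecrypter func(ciphertext []byte) ([]byte, error)

// newFakeKeyVersion builds an in-process stand-in for an RSA-OAEP key version
// of the given size and hash (hypothetical helper; constructed key material).
func newFakeKeyVersion(bits int, h crypto.Hash) (*rsa.PublicKey, remoteDecrypter, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	decrypt := func(ct []byte) ([]byte, error) {
		return rsa.DecryptOAEP(h.New(), rand.Reader, priv, ct, nil)
	}
	return &priv.PublicKey, decrypt, nil
}

// oaepDecrypter implements crypto.Decrypter over the stand-in, validating the
// options locally before the (simulated) remote call.
type oaepDecrypter struct {
	pub    *rsa.PublicKey
	remote remoteDecrypter
}

func (d *oaepDecrypter) Public() crypto.PublicKey { return d.pub }

// Decrypt ignores rand, as the service does the private-key operation.
func (d *oaepDecrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	if _, err := validateOAEPOpts(d.pub, opts); err != nil {
		return nil, err // rejected before any network call
	}
	return d.remote(ciphertext)
}

func main() {
	pub, remote, err := newFakeKeyVersion(2048, crypto.SHA256)
	if err != nil {
		panic(err)
	}
	d := &oaepDecrypter{pub: pub, remote: remote}
	ct, err := rsa.EncryptOAEP(crypto.SHA256.New(), rand.Reader, pub, []byte("hello"), nil)
	if err != nil {
		panic(err)
	}
	pt, err := d.Decrypt(nil, ct, &rsa.OAEPOptions{Hash: crypto.SHA256})
	fmt.Printf("plaintext=%q err=%v\n", pt, err)
	_, err = d.Decrypt(nil, ct, &rsa.OAEPOptions{Hash: crypto.SHA256, Label: []byte("ctx")})
	fmt.Println("with label:", err)
}
```

Note that the validation cannot tell whether the requested hash matches the key version's algorithm; a mismatch there still surfaces as a decryption error from the service, so callers should look the algorithm up (for example with GetCryptoKeyVersion) rather than guess.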
type KeyManagementClient ¶
type KeyManagementClient interface {
	Close() error
	GetPublicKey(context.Context, *kmspb.GetPublicKeyRequest, ...gax.CallOption) (*kmspb.PublicKey, error)
	AsymmetricSign(context.Context, *kmspb.AsymmetricSignRequest, ...gax.CallOption) (*kmspb.AsymmetricSignResponse, error)
	AsymmetricDecrypt(context.Context, *kmspb.AsymmetricDecryptRequest, ...gax.CallOption) (*kmspb.AsymmetricDecryptResponse, error)
	CreateCryptoKey(context.Context, *kmspb.CreateCryptoKeyRequest, ...gax.CallOption) (*kmspb.CryptoKey, error)
	GetKeyRing(context.Context, *kmspb.GetKeyRingRequest, ...gax.CallOption) (*kmspb.KeyRing, error)
	CreateKeyRing(context.Context, *kmspb.CreateKeyRingRequest, ...gax.CallOption) (*kmspb.KeyRing, error)
	CreateCryptoKeyVersion(context.Context, *kmspb.CreateCryptoKeyVersionRequest, ...gax.CallOption) (*kmspb.CryptoKeyVersion, error)
	GetCryptoKeyVersion(context.Context, *kmspb.GetCryptoKeyVersionRequest, ...gax.CallOption) (*kmspb.CryptoKeyVersion, error)
}
KeyManagementClient defines the methods on KeyManagementClient that this package will use. This interface will be used for unit testing.
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer implements a crypto.Signer using Google's Cloud KMS.
func NewSigner ¶
func NewSigner(c KeyManagementClient, signingKey string) (*Signer, error)
NewSigner creates a new crypto.Signer backed by the given CloudKMS signing key.
func (*Signer) SignatureAlgorithm ¶
func (s *Signer) SignatureAlgorithm() x509.SignatureAlgorithm
SignatureAlgorithm returns the algorithm that must be specified in a certificate template for this signer to sign it. This is especially important for distinguishing the RSA PKCS#1 v1.5 and RSA-PSS schemes, which share the same key type.
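Why the template must name the scheme is easiest to see by running it. The following is an added example, not code from this package: kmsSigner implements crypto.Signer over an in-process stand-in for an RSA key version whose scheme (PKCS#1 v1.5 or PSS, SHA-256) is fixed at creation, the way a Cloud KMS key version's algorithm is. When crypto/x509 is given a template with a zero SignatureAlgorithm it falls back to PKCS#1 v1.5 for any RSA key, so a PSS-only key version rejects the request; setting the template's SignatureAlgorithm from the signer makes x509 pass *rsa.PSSOptions and the signature goes through. The names fakeKeyVersion, newFakeKeyVersion, kmsSigner and selfSign are hypothetical, and the key material is generated locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// fakeKeyVersion stands in for a Cloud KMS RSA signing key version: its scheme
// is fixed when it is created, and a request for the other scheme is refused,
// which is what a signer gets back when the template names the wrong one.
type fakeKeyVersion struct {
	priv *rsa.PrivateKey
	pss  bool
}

// newFakeKeyVersion generates constructed key material for the example.
func newFakeKeyVersion(pss bool) (*fakeKeyVersion, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &fakeKeyVersion{priv: priv, pss: pss}, nil
}

// asymmetricSign plays the role of KeyManagementClient.AsymmetricSign.
func (k *fakeKeyVersion) asymmetricSign(digest []byte, pss bool) ([]byte, error) {
	if pss != k.pss {
		return nil, errors.New("kms: requested scheme does not match the key version algorithm")
	}
	if pss {
		return rsa.SignPSS(rand.Reader, k.priv, crypto.SHA256, digest,
			&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	}
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest)
}

// kmsSigner implements crypto.Signer over the stand-in and reports the
// x509.SignatureAlgorithm a certificate template must carry.
type kmsSigner struct{ key *fakeKeyVersion }

func (s *kmsSigner) Public() crypto.PublicKey { return &s.key.priv.PublicKey }

// Sign ignores rand because the private-key operation happens remotely.
func (s *kmsSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("kms: key version signs SHA-256 digests, got %v", opts.HashFunc())
	}
	_, isPSS := opts.(*rsa.PSSOptions) // crypto/x509 passes *rsa.PSSOptions only for PSS algorithms
	return s.key.asymmetricSign(digest, isPSS)
}

func (s *kmsSigner) SignatureAlgorithm() x509.SignatureAlgorithm {
	if s.key.pss {
		return x509.SHA256WithRSAPSS
	}
	return x509.SHA256WithRSA
}

// selfSign issues a self-signed CA certificate. With setAlgorithm false the
// template's SignatureAlgorithm stays zero and crypto/x509 picks PKCS#1 v1.5.
func selfSign(s *kmsSigner, setAlgorithm bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example KMS Root CA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if setAlgorithm {
		tmpl.SignatureAlgorithm = s.SignatureAlgorithm()
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.Public(), s)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, err := newFakeKeyVersion(true) // a PSS-only key version
	if err != nil {
		panic(err)
	}
	s := &kmsSigner{key: key}
	if _, err := selfSign(s, false); err != nil {
		fmt.Println("template without SignatureAlgorithm:", err)
	}
	cert, err := selfSign(s, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("template with SignatureAlgorithm:", cert.SignatureAlgorithm)
}
```

The same applies to any code that builds templates for a KMS-backed CA: copy the signer's SignatureAlgorithm into the template rather than relying on the library default.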