apiv1

package

v0.21.0 Latest Latest Go to latest Published: Oct 7, 2022 License: Apache-2.0 Imports: 7 Imported by: 15

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/smallstep/crypto

Links

Open Source Insights

Documentation ¶

Index ¶

func Register(t Type, fn KeyManagerNewFunc)
type AlreadyExistsError
- func (e AlreadyExistsError) Error() string
type Attester
type CertificateManager
type CreateAttestationRequest
type CreateAttestationResponse
type CreateDecrypterRequest
type CreateKeyRequest
type CreateKeyResponse
type CreateSignerRequest
type Decrypter
type GetPublicKeyRequest
type KeyManager
type KeyManagerNewFunc
- func LoadKeyManagerNewFunc(t Type) (KeyManagerNewFunc, bool)
type LoadCertificateRequest
type NameValidator
type NotImplementedError
- func (e NotImplementedError) Error() string
type Options
- func (o *Options) GetType() (Type, error)
- func (o *Options) Validate() error
type PINPolicy
type ProtectionLevel
- func (p ProtectionLevel) String() string
type SignatureAlgorithm
- func (s SignatureAlgorithm) String() string
type StoreCertificateRequest
type TouchPolicy
type Type

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Register ¶

func Register(t Type, fn KeyManagerNewFunc)

Register adds to the registry a method to create a KeyManager of type t.

Types ¶

type AlreadyExistsError ¶ added in v0.20.0

type AlreadyExistsError struct {
	Message string
}

AlreadyExistsError is the type of error returned if a key already exists. This is currently only implmented on pkcs11.

func (AlreadyExistsError) Error ¶ added in v0.20.0

func (e AlreadyExistsError) Error() string

type Attester ¶ added in v0.19.0

type Attester interface {
	CreateAttestation(req *CreateAttestationRequest) (*CreateAttestationResponse, error)
}

Attester is the interface implemented by the KMS that can respond with an attestation certificate or key.

Experimental ¶

Notice: This API is EXPERIMENTAL and may be changed or removed in a later release.

type CertificateManager ¶

type CertificateManager interface {
	LoadCertificate(req *LoadCertificateRequest) (*x509.Certificate, error)
	StoreCertificate(req *StoreCertificateRequest) error
}

CertificateManager is the interface implemented by the KMS that can load and store x509.Certificates.

type CreateAttestationRequest ¶ added in v0.19.0

type CreateAttestationRequest struct {
	Name string
}

CreateAttestationRequest is the parameter used in the kms.CreateAttestation method.

Experimental ¶

Notice: This API is EXPERIMENTAL and may be changed or removed in a later release.

type CreateAttestationResponse ¶ added in v0.19.0

type CreateAttestationResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
	PublicKey        crypto.PublicKey
}

CreateAttestationResponse is the response value of the kms.CreateAttestation method.

Experimental ¶

Notice: This API is EXPERIMENTAL and may be changed or removed in a later release.

type CreateDecrypterRequest ¶

type CreateDecrypterRequest struct {
	Decrypter        crypto.Decrypter
	DecryptionKey    string
	DecryptionKeyPEM []byte
	Password         []byte
}

CreateDecrypterRequest is the parameter used in the kms.Decrypt method.

type CreateKeyRequest ¶

type CreateKeyRequest struct {
	// Name represents the key name or label used to identify a key.
	//
	// Used by: awskms, cloudkms, azurekms, pkcs11, yubikey.
	Name string

	// SignatureAlgorithm represents the type of key to create.
	SignatureAlgorithm SignatureAlgorithm

	// Bits is the number of bits on RSA keys.
	Bits int

	// ProtectionLevel specifies how cryptographic operations are performed.
	// Used by: cloudkms, azurekms.
	ProtectionLevel ProtectionLevel

	// Extractable defines if the new key may be exported from the HSM under a
	// wrap key. On pkcs11 sets the CKA_EXTRACTABLE bit.
	//
	// Used by: pkcs11
	Extractable bool

	// PINPolicy defines PIN requirements when signing or decrypting with an
	// asymmetric key.
	//
	// Used by: yubikey
	PINPolicy PINPolicy

	// TouchPolicy represents proof-of-presence requirements when signing or
	// decrypting with asymmetric key in a given slot.
	//
	// Used by: yubikey
	TouchPolicy TouchPolicy
}

CreateKeyRequest is the parameter used in the kms.CreateKey method.

type CreateKeyResponse ¶

type CreateKeyResponse struct {
	Name                string
	PublicKey           crypto.PublicKey
	PrivateKey          crypto.PrivateKey
	CreateSignerRequest CreateSignerRequest
}

CreateKeyResponse is the response value of the kms.CreateKey method.

type CreateSignerRequest ¶

type CreateSignerRequest struct {
	Signer        crypto.Signer
	SigningKey    string
	SigningKeyPEM []byte
	TokenLabel    string
	PublicKey     string
	PublicKeyPEM  []byte
	Password      []byte
}

CreateSignerRequest is the parameter used in the kms.CreateSigner method.

type Decrypter ¶

type Decrypter interface {
	CreateDecrypter(req *CreateDecrypterRequest) (crypto.Decrypter, error)
}

Decrypter is an interface implemented by KMSes that are used in operations that require decryption

type GetPublicKeyRequest ¶

type GetPublicKeyRequest struct {
	Name string
}

GetPublicKeyRequest is the parameter used in the kms.GetPublicKey method.

type KeyManager ¶

type KeyManager interface {
	GetPublicKey(req *GetPublicKeyRequest) (crypto.PublicKey, error)
	CreateKey(req *CreateKeyRequest) (*CreateKeyResponse, error)
	CreateSigner(req *CreateSignerRequest) (crypto.Signer, error)
	Close() error
}

KeyManager is the interface implemented by all the KMS.

type KeyManagerNewFunc ¶

type KeyManagerNewFunc func(ctx context.Context, opts Options) (KeyManager, error)

KeyManagerNewFunc is the type that represents the method to initialize a new KeyManager.

func LoadKeyManagerNewFunc ¶

func LoadKeyManagerNewFunc(t Type) (KeyManagerNewFunc, bool)

LoadKeyManagerNewFunc returns the function initialize a KayManager.

type LoadCertificateRequest ¶

type LoadCertificateRequest struct {
	Name string
}

LoadCertificateRequest is the parameter used in the LoadCertificate method of a CertificateManager.

type NameValidator ¶

type NameValidator interface {
	ValidateName(s string) error
}

NameValidator is an interface that KeyManager can implement to validate a given name or URI.

type NotImplementedError ¶ added in v0.20.0

type NotImplementedError struct {
	Message string
}

NotImplementedError is the type of error returned if an operation is not implemented.

func (NotImplementedError) Error ¶ added in v0.20.0

func (e NotImplementedError) Error() string

type Options ¶

type Options struct {
	// The type of the KMS to use.
	Type Type `json:"type"`

	// Path to the credentials file used in CloudKMS and AmazonKMS.
	CredentialsFile string `json:"credentialsFile,omitempty"`

	// URI is based on the PKCS #11 URI Scheme defined in
	// https://tools.ietf.org/html/rfc7512 and represents the configuration used
	// to connect to the KMS.
	//
	// Used by: pkcs11
	URI string `json:"uri,omitempty"`

	// Pin used to access the PKCS11 module. It can be defined in the URI using
	// the pin-value or pin-source properties.
	Pin string `json:"pin,omitempty"`

	// ManagementKey used in YubiKeys. Default management key is the hexadecimal
	// string 010203040506070801020304050607080102030405060708:
	//   []byte{
	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
	//   }
	ManagementKey string `json:"managementKey,omitempty"`

	// Region to use in AmazonKMS.
	Region string `json:"region,omitempty"`

	// Profile to use in AmazonKMS.
	Profile string `json:"profile,omitempty"`
}

Options are the KMS options. They represent the kms object in the ca.json.

func (*Options) GetType ¶

func (o *Options) GetType() (Type, error)

GetType returns the type in the type property or the one present in the URI.

func (*Options) Validate ¶

func (o *Options) Validate() error

Validate checks the fields in Options.

type PINPolicy ¶ added in v0.21.0

type PINPolicy int

PINPolicy represents PIN requirements when signing or decrypting with an asymmetric key in a given slot. PINPolicy is used by the YubiKey KMS.

const (
	PINPolicyNever PINPolicy = iota + 1
	PINPolicyOnce
	PINPolicyAlways
)

PIN policies supported by this package. The values must match the ones in github.com/go-piv/piv-go/piv.

Caching for PINPolicyOnce isn't supported on YubiKey versions older than 4.3.0 due to issues with verifying if a PIN is needed. If specified, a PIN will be required for every operation.

type ProtectionLevel ¶

type ProtectionLevel int

ProtectionLevel specifies on some KMS how cryptographic operations are performed.

const (
	// Protection level not specified.
	UnspecifiedProtectionLevel ProtectionLevel = iota
	// Crypto operations are performed in software.
	Software
	// Crypto operations are performed in a Hardware Security Module.
	HSM
)

func (ProtectionLevel) String ¶

func (p ProtectionLevel) String() string

String returns a string representation of p.

type SignatureAlgorithm ¶

type SignatureAlgorithm int

SignatureAlgorithm used for cryptographic signing.

const (
	// Not specified.
	UnspecifiedSignAlgorithm SignatureAlgorithm = iota
	// RSASSA-PKCS1-v1_5 key and a SHA256 digest.
	SHA256WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA384 digest.
	SHA384WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA512 digest.
	SHA512WithRSA
	// RSASSA-PSS key with a SHA256 digest.
	SHA256WithRSAPSS
	// RSASSA-PSS key with a SHA384 digest.
	SHA384WithRSAPSS
	// RSASSA-PSS key with a SHA512 digest.
	SHA512WithRSAPSS
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	ECDSAWithSHA256
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	ECDSAWithSHA384
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	ECDSAWithSHA512
	// EdDSA on Curve25519 with a SHA512 digest.
	PureEd25519
)

func (SignatureAlgorithm) String ¶

func (s SignatureAlgorithm) String() string

String returns a string representation of s.

type StoreCertificateRequest ¶

type StoreCertificateRequest struct {
	Name        string
	Certificate *x509.Certificate

	// Extractable defines if the new certificate may be exported from the HSM
	// under a wrap key. On pkcs11 sets the CKA_EXTRACTABLE bit.
	//
	// Used by: pkcs11
	Extractable bool
}

StoreCertificateRequest is the parameter used in the StoreCertificate method of a CertificateManager.

type TouchPolicy ¶ added in v0.21.0

type TouchPolicy int

TouchPolicy represents proof-of-presence requirements when signing or decrypting with asymmetric key in a given slot. TouchPolicy is used by the YubiKey KMS.

const (
	TouchPolicyNever TouchPolicy = iota + 1
	TouchPolicyAlways
	TouchPolicyCached
)

Touch policies supported by this package. The values must match the ones in github.com/go-piv/piv-go/piv.

type Type ¶

type Type string

Type represents the KMS type used.

const (
	// DefaultKMS is a KMS implementation using software.
	DefaultKMS Type = ""
	// SoftKMS is a KMS implementation using software.
	SoftKMS Type = "softkms"
	// CloudKMS is a KMS implementation using Google's Cloud KMS.
	CloudKMS Type = "cloudkms"
	// AmazonKMS is a KMS implementation using Amazon AWS KMS.
	AmazonKMS Type = "awskms"
	// PKCS11 is a KMS implementation using the PKCS11 standard.
	PKCS11 Type = "pkcs11"
	// YubiKey is a KMS implementation using a YubiKey PIV.
	YubiKey Type = "yubikey"
	// SSHAgentKMS is a KMS implementation using ssh-agent to access keys.
	SSHAgentKMS Type = "sshagentkms"
	// AzureKMS is a KMS implementation using Azure Key Vault.
	AzureKMS Type = "azurekms"
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL