capi

package

Documentation


Index

Constants

// Query-parameter names recognized in capi: URIs.
const (
	// Key selection (capi:provider=...;key=...).
	ProviderNameArg  = "provider" // key storage provider name
	ContainerNameArg = "key"      // key container name

	// Certificate selection (capi:store-location=...;store=...;...).
	StoreLocationArg = "store-location" // 'machine', 'user', etc
	StoreNameArg     = "store"          // 'MY', 'CA', 'ROOT', etc
	HashArg          = "sha1"           // certificate thumbprint, hex
	KeyIDArg         = "key-id"         // X509v3 Subject Key Identifier, hex
	SerialNumberArg  = "serial"         // certificate serial number, hex
	IssuerNameArg    = "issuer"         // issuer Common Name
)
// Property names read from / written to NCrypt key storage objects.
const (
	NCRYPT_ALGORITHM_GROUP_PROPERTY = "Algorithm Group"
	NCRYPT_LENGTH_PROPERTY          = "Length"
	NCRYPT_KEY_TYPE_PROPERTY        = "Key Type"
	NCRYPT_UNIQUE_NAME_PROPERTY     = "Unique Name"
	NCRYPT_ECC_CURVE_NAME_PROPERTY  = "ECCCurveName"
	NCRYPT_IMPL_TYPE_PROPERTY       = "Impl Type"
	NCRYPT_PROV_HANDLE              = "Provider Handle"
	NCRYPT_PIN_PROPERTY             = "SmartCardPin"       // PIN value: a secret, keep it out of logs and error strings
	NCRYPT_SECURE_PIN_PROPERTY      = "SmartCardSecurePin" // secure-PIN variant of the above, same handling
	NCRYPT_READER_PROPERTY          = "SmartCardReader"
	NCRYPT_ALGORITHM_PROPERTY       = "Algorithm Name"
	NCRYPT_PCP_USAGE_AUTH_PROPERTY  = "PCP_USAGEAUTH" // platform crypto provider usage authorization value; also secret material
)

// NCrypt key storage flags. Left untyped so it can be OR-ed into whichever
// integer type the syscall wrapper expects.
const (
	NCRYPT_MACHINE_KEY_FLAG = 0x00000001 // key lives in the machine scope rather than the per-user one
)

// HRESULT status codes returned by the NCrypt (NTE_*) and smart card
// (SCARD_*) APIs. Typed uint32 so they compare directly against the raw
// return value.
const (
	NTE_NOT_SUPPORTED         uint32 = 0x80090029
	NTE_INVALID_PARAMETER     uint32 = 0x80090027
	NTE_BAD_FLAGS             uint32 = 0x80090009
	NTE_NO_MORE_ITEMS         uint32 = 0x8009002A
	NTE_BAD_KEYSET            uint32 = 0x80090016
	SCARD_W_CANCELLED_BY_USER uint32 = 0x8010006E
)

// Public key blob type names used when exporting keys.
const (
	BCRYPT_RSAPUBLIC_BLOB = "RSAPUBLICBLOB"
	BCRYPT_ECCPUBLIC_BLOB = "ECCPUBLICBLOB"
)

// winerror.h / wincrypt.h constants.
const (
	CRYPT_E_NOT_FOUND uint32 = 0x80092004

	// Flags controlling how a certificate's private key handle is acquired.
	CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG  uint32 = 0x00010000
	CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG uint32 = 0x00020000
	CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG   uint32 = 0x00040000

	// CERT_ID identifier kinds (see CERT_ID_SERIAL and CERT_ID_KEYIDORHASH).
	CERT_ID_ISSUER_SERIAL_NUMBER uint32 = 1
	CERT_ID_KEY_IDENTIFIER       uint32 = 2
	CERT_ID_SHA1_HASH            uint32 = 3

	// Certificate name string formatting flags.
	CERT_NAME_STR_COMMA_FLAG uint32 = 0x04000000
	CERT_SIMPLE_NAME_STR     uint32 = 1
	CERT_X500_NAME_STR       uint32 = 3

	// Legacy CAPI key spec values.
	AT_KEYEXCHANGE uint32 = 1
	AT_SIGNATURE   uint32 = 2
)

// Algorithm names accepted by the key storage providers.
const (
	ALG_RSA        = "RSA"
	ALG_ECDSA_P256 = "ECDSA_P256"
	ALG_ECDSA_P384 = "ECDSA_P384"
	ALG_ECDSA_P521 = "ECDSA_P521"
)

// Well-known key storage provider names (valid values for the "provider"
// URI argument).
const (
	ProviderMSKSP = "Microsoft Software Key Storage Provider"
	ProviderMSSC  = "Microsoft Smart Card Key Storage Provider"
	ProviderMSPCP = "Microsoft Platform Crypto Provider"
)
// Scheme is the URI scheme ("capi:...") handled by this package.
const Scheme = "capi"

Scheme is the scheme used in uris.

Variables

This section is empty.

Functions

This section is empty.

Types

type BCRYPT_PKCS1_PADDING_INFO

type BCRYPT_PKCS1_PADDING_INFO struct {
	// contains filtered or unexported fields
}

type CAPIKMS

type CAPIKMS struct {
	// contains filtered or unexported fields
}

CAPIKMS implements a KMS using Windows CryptoAPI (CAPI) and Next-Gen CryptoAPI (CNG).

The URI format used in CAPIKMS is the following:

  • capi:provider=STORAGE-PROVIDER;key=KEY-NAME

For certificates:

  • capi:store-location=[machine|user];store=My;sha1=<THUMBPRINT>
  • capi:store-location=[machine|user];store=My;key-id=<X509v3 Subject Key Identifier>
  • capi:store-location=[machine|user];store=My;issuer=<Issuer CN>;serial=<Certificate SN>

The scheme is "capi".

"provider" is the provider name and can be one of "Microsoft Software Key Storage Provider", "Microsoft Smart Card Key Storage Provider", or "Microsoft Platform Crypto Provider". If not set, it defaults to "Microsoft Software Key Storage Provider".

"key" is the key container name; if not set, one is generated. "store-location" specifies the certificate store location: "user" or "machine". "store" is the certificate store name; "My", "Root", and "CA" are some examples. "sha1" is the SHA-1 thumbprint of the certificate to load, in hex format. "key-id" is the X509v3 Subject Key Identifier of the certificate to load, in hex format. "serial" is the serial number of the certificate to load, in hex format. "issuer" is the Common Name of the certificate issuer.

func New

func New(ctx context.Context, opts apiv1.Options) (*CAPIKMS, error)

New returns a new CAPIKMS.

func (*CAPIKMS) Close

func (k *CAPIKMS) Close() error

func (*CAPIKMS) CreateKey

func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)

CreateKey generates a new key in the storage provider using nCryptCreatePersistedKey.

func (*CAPIKMS) CreateSigner

func (k *CAPIKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)

CreateSigner returns a new crypto.Signer that will sign using the key passed in via the URI.

func (*CAPIKMS) GetPublicKey

func (k *CAPIKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)

GetPublicKey returns the public key for the key id (Microsoft calls it the 'Key Container Name') passed in via the URI.

func (*CAPIKMS) LoadCertificate

func (k *CAPIKMS) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)

LoadCertificate returns an x509.Certificate if passed a URI containing a subject key identifier (key-id) or a SHA-1 hash.

func (*CAPIKMS) StoreCertificate

func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error

type CAPISigner

type CAPISigner struct {
	PublicKey crypto.PublicKey
	// contains filtered or unexported fields
}

func (*CAPISigner) Public

func (s *CAPISigner) Public() crypto.PublicKey

func (*CAPISigner) Sign

func (s *CAPISigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

type CERT_ID_KEYIDORHASH

type CERT_ID_KEYIDORHASH struct {
	KeyIDOrHash CRYPTOAPI_BLOB
	// contains filtered or unexported fields
}

CERT_ID -- https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id. TODO: it might be possible to merge these two types into one that uses interface{} instead.

type CERT_ID_SERIAL

type CERT_ID_SERIAL struct {
	Serial CERT_ISSUER_SERIAL_NUMBER
	// contains filtered or unexported fields
}

type CERT_ISSUER_SERIAL_NUMBER

// CERT_ISSUER_SERIAL_NUMBER identifies a certificate by its issuer name together
// with its serial number (the "issuer"/"serial" URI selection) --
// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number
type CERT_ISSUER_SERIAL_NUMBER struct {
	Issuer       CRYPTOAPI_BLOB // issuer name blob; presumably the DER-encoded X.500 name -- TODO confirm
	SerialNumber CRYPTOAPI_BLOB // serial number blob; NOTE(review): the "serial" URI arg is hex -- confirm byte order expected here
}

CERT_ISSUER_SERIAL_NUMBER -- https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number

type CRYPTOAPI_BLOB

type CRYPTOAPI_BLOB struct {
	// contains filtered or unexported fields
}

CRYPTOAPI_BLOB -- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)
