credentials

package
v0.3.14 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 2, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	KsSealNone = sealType(0) // TODO: phase out, all ServerCredStore must encrypt ServerCard keys.
	KsSealAead = sealType(1)
)
View Source 
const (
	// All package errors are wrapping Error
	Error           = errorFlag("credentials: error")
	ErrCardMutation = errorFlag("credentials: Card RealmId & IdToken can not change")
	ErrValidation   = errorFlag("credentials: Failed validation")
	ErrNotFound     = errorFlag("credentials: Not found")
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AccessKeys added in v0.3.11 

type AccessKeys struct {
	// IdKey is used as a server-side identifier for Card or EnrollAuthorization subjects.
	IdKey [32]byte

	// StorageKey is used to protect subject sensitive data.
	StorageKey [32]byte
}

AccessKeys holds the result of HKDF-based derivations from either IdToken or EnrollToken.

func (*AccessKeys) Check added in v0.3.11 

func (self *AccessKeys) Check() error

Check returns an error if the AccessKeys are invalid.

type Card 

type Card struct {
	ID      int              `json:"-" cbor:"-"` // ClientCredStore identifier
	RealmId RealmId          `json:"rid" cbor:"1,keyasint"`
	IdToken IdToken          `json:"idt" cbor:"2,keyasint"`                         // used as CardId with OTK
	UserId  string           `json:"user_id,omitempty" cbor:"3,keyasint,omitempty"` // used as CardId with OTP
	Kh      PrivateKeyHandle `json:"sk" cbor:"4,keyasint"`                          // uses Kh.PrivateKey to obtain the ecdh.PrivateKey
	Psk     []byte           `json:"psk" cbor:"5,keyasint"`
	AppName string           `json:"app_name" cbor:"6,keyasint"`
	AppDesc string           `json:"app_desc,omitempty" cbor:"7,keyasint,omitempty"`
	Label   string           `json:"label,omitempty" cbor:"9,keyasint,omitempty"`
}

Card holds keys necessary for validating/generating EPHEMSEC OTP/OTK.

func (*Card) Check 

func (self *Card) Check() error

Check returns an error if the Card is invalid.

func (Card) Info 

func (self Card) Info() CardInfo

Info returns a CardInfo{} extracted from self.

type CardIdGenerator added in v0.3.11 

type CardIdGenerator struct {
	// contains filtered or unexported fields
}

CardIdGenerator coordinates generation of client and server identifiers for a Card credential.

func NewCardIdGenerator added in v0.3.11 

func NewCardIdGenerator(uid UserIdFactory, idh *IdHasher) (*CardIdGenerator, error)

func (*CardIdGenerator) GenCardIds added in v0.3.11 

func (self *CardIdGenerator) GenCardIds(realmId []byte, userdata json.RawMessage, dst *CardRef) error

GenCardIds initializes dst CardRef.

type CardInfo 

type CardInfo struct {
	ID      int    `json:"-" cbor:"-"` // ClientCredStore identifier
	RealmId []byte `json:"rid" cbor:"1,keyasint"`
	AppName string `json:"app_name" cbor:"6,keyasint"`
	AppDesc string `json:"app_desc,omitempty" cbor:"7,keyasint,omitempty"`
	Label   string `json:"label,omitempty" cbor:"9,keyasint,omitempty"`
}

CardInfo holds Card information useful for display. CardInfo can be used to read Card cbor/json encoding.

type CardQuery 

type CardQuery struct {
	RealmId []byte
	MinId   int // minimum Card.ID
	Limit   int // maximum number of selected items
}

CardQuery parametrizes ClientCredStore ListInfo.

type CardRef added in v0.3.11 

type CardRef struct {
	// ClientIdToken is held by the client and used to derive access keys.
	ClientIdToken [32]byte

	// ClientUserId is optional.
	// When present it is used to derive a ClientIdToken.
	ClientUserId string

	// ServerCardId is held by the server and used to load a Card.
	// It derives from ClientIdToken.
	ServerCardId [32]byte
}

CardRef represents the client/server linkage for a Card credential.

func (*CardRef) Check added in v0.3.13 

func (self *CardRef) Check() error

type ClientCredStore 

type ClientCredStore interface {

	// SaveCard saves card in the ClientCredStore.
	// It errors if the card could not be saved.
	SaveCard(card *Card) error

	// RemoveCard removes the Card with cId ID from the ClientCredStore.
	// It returns true if the Card was effectively removed.
	RemoveCard(cId int) (bool, error)

	// LoadById loads the Card with ID cid into dst.
	// It returns true if the Card was found and successfully loaded.
	LoadById(cid int, dst *Card) (bool, error)

	// ListInfo returns a list of CardInfo that matches qry.
	ListInfo(qry CardQuery) ([]CardInfo, error)

	// CardCount returns the number of Card in the ClientCredStore.
	// It returns -1 in case of error.
	CardCount() int
}

type EnrollAccess added in v0.3.11 

type EnrollAccess interface {
	EnrollKey
	// contains filtered or unexported methods
}

EnrollAccess is a sealed interface representing keys that can both locate and read EnrollAuthorization secrets. It extends EnrollKey with access rights.

Variants:

  • EnrollToken: the client-held 32-byte token; It grants the right to register a card in a Realm.

type EnrollAuthorization 

type EnrollAuthorization struct {
	EnrollId EnrollIdKey     `json:"-" cbor:"-"`
	RealmId  RealmId         `json:"rid" cbor:"1,keyasint"`
	AppName  string          `json:"app_name" cbor:"2,keyasint"`
	AppDesc  string          `json:"app_desc,omitempty" cbor:"3,keyasint,omitempty"`
	UserData json.RawMessage `json:"user_data,omitempty" cbor:"5,keyasint,omitempty"`
}

EnrollAuthorization contains Card creation information.

func (*EnrollAuthorization) Check 

func (self *EnrollAuthorization) Check() error

Check returns an error if the EnrollAuthorization is invalid.

type EnrollId added in v0.3.11 

type EnrollId int

EnrollId is a surrogate integer key for store implementations that maintain their own indexed identity (e.g. auto-increment primary keys).

Support for EnrollId is optional and depends on the ServerCredStore implementation. It is intended as a fast-path lookup alternative to EnrollIdKey.

type EnrollIdKey added in v0.3.11 

type EnrollIdKey []byte

EnrollIdKey is a 32-byte server-side EnrollAuthorization identifier derived from an EnrollToken

It provides direct, opaque access to an EnrollAuthorization without exposing the originating EnrollToken.

func (EnrollIdKey) Check added in v0.3.11 

func (self EnrollIdKey) Check() error

Check returns an error if the EnrollIdKey is not a valid 32-byte key.

type EnrollKey added in v0.3.11 

type EnrollKey interface {
	// contains filtered or unexported methods
}

EnrollKey is a sealed interface representing any key that can locate an EnrollAuthorization on the server side. It is the sum type for all the lookup strategies.

Variants:

  • EnrollIdKey: a 32-byte derived key, produced by hashing an EnrollToken.
  • EnrollId: a surrogate integer key, for store implementations that maintain their own indexed identity.
  • EnrollToken: a 32-byte client-held token. Implements both lookup and access.

type EnrollToken added in v0.3.11 

type EnrollToken []byte

EnrollToken is a 32-byte client-held credential.

EnrollTokens are randomly generated (256 bits entropy)

As EnrollKey, an EnrollToken can locate an EnrollAuthorization by first deriving its EnrollIdKey via [IdHasher.DeriveFromEnrollToken]. As EnrollAccess, it additionally grants the right to read EnrollAuthorization secrets and register a new ServerCard in the [EnrollAuthorization.Realm].

func (EnrollToken) Check added in v0.3.11 

func (self EnrollToken) Check() error

Check returns an error if the EnrollToken is not exactly 32 bytes.

type IdHasher added in v0.3.11 

type IdHasher struct {
	// contains filtered or unexported fields
}

IdHasher manages domain-separated HKDF-based derivations used by the credential system.

It encapsulates context-specific salts derived from a high-entropy server seed.

IdHasher is safe for concurrent use.

func NewIdHasher added in v0.3.11 

func NewIdHasher(seed []byte) (*IdHasher, error)

NewIdHasher initializes an IdHasher using the provided seed as the root secret for all HKDF-based derivations performed by this instance.

The seed is used to derive context-specific salts and functions as a server-side diversification secret (similar to a pepper).

Security considerations:

  • If IdTokens are high-entropy (e.g., randomly generated 256-bit values), seed secrecy provides defense-in-depth and domain separation but is not strictly required to preserve IdToken unpredictability.

  • If IdTokens may be deterministically derived from low-entropy inputs (e.g., UserId), keeping the seed secret prevents offline enumeration and precomputation attacks in case server-side card storage is exposed.

Changing the seed invalidates all previously derived identifiers and will prevent existing cards from being located. The seed should therefore be **stable** for the lifetime of stored credentials within a given deployment.

For production use, the seed should be generated with high entropy and stored using appropriate operational protections.

func (*IdHasher) DeriveFromCardAccess added in v0.3.11 

func (self *IdHasher) DeriveFromCardAccess(sca ServerCardAccess, dst *AccessKeys) error

DeriveFromCardAccess derives access keys from a ServerCardAccess key.

It produces domain-separated keys for:

  • IdKey: used as a server-side card identifier.
  • StorageKey: used to protect card-related stored data.

The derivation is deterministic and bound to the IdHasher seed.

func (*IdHasher) DeriveFromEnrollAccess added in v0.3.11 

func (self *IdHasher) DeriveFromEnrollAccess(ea EnrollAccess, dst *AccessKeys) error

DeriveFromEnrollAccess derives access keys from an EnrollAccess.

It produces domain-separated keys for:

  • IdKey: used as a server-side EnrollAuthorization identifier.
  • StorageKey: used to protect EnrollAuthorization user data.

The derivation is deterministic and bound to the IdHasher seed.

func (*IdHasher) IdTokenOfUserId added in v0.3.11 

func (self *IdHasher) IdTokenOfUserId(realmId []byte, userId string, dst []byte) ([]byte, error)

IdTokenOfUserId deterministically derives a 32-byte IdToken from a (realmId, userId) pair.

The derivation uses HKDF with a context-specific salt derived from the IdHasher seed. If userId has low entropy, the secrecy of the seed protects against offline guessing attacks.

realmId must be exactly 32 bytes and uniquely identify a security domain. The returned IdToken is suitable for subsequent key derivations but must not be assumed to contain full entropy unless userId does.

type IdToken added in v0.3.11 

type IdToken []byte

IdToken is a 32-byte client-held credential.

IdTokens are either randomly generated (high-entropy) or deterministically derived from a UserId via HKDF (see IdHasher.IdTokenOfUserId). In the latter case, secrecy of the IdHasher seed is required to prevent offline enumeration.

As ServerCardKey, an IdToken can locate a Card by first deriving its ServerCardIdKey via [IdHasher.DeriveFromIdToken]. As ServerCardAccess, it additionally grants the right to read Card secrets.

func (IdToken) Check added in v0.3.11 

func (self IdToken) Check() error

Check returns an error if the IdToken is not exactly 32 bytes.

type KeyStore 

type KeyStore interface {
	// GetServerKey loads realm static Keypair in srvkey.
	// It returns true if the Keypair was effectively loaded.
	GetServerKey(ctx context.Context, realmId []byte, name string, srvkey *ServerKey) bool

	// SaveServer saves srvkey in the KeyStore.
	// It errors if the srvkey could not be saved.
	SaveServerKey(ctx context.Context, name string, srvkey ServerKey) error
}

KeyStore allows loading KerPass service "static" Keypair. Those Keypairs are used to secure service connections.

type MemClientCredStore 

type MemClientCredStore struct {
	// contains filtered or unexported fields
}

MemClientCredStore provides "in memory" implementation of ClientCredStore.

func NewMemClientCredStore 

func NewMemClientCredStore() *MemClientCredStore

func (*MemClientCredStore) CardCount 

func (self *MemClientCredStore) CardCount() int

Size returns the number of Card in the MemClientCredStore.

func (*MemClientCredStore) ListInfo 

func (self *MemClientCredStore) ListInfo(qry CardQuery) ([]CardInfo, error)

ListInfo returns a list of CardInfo that matches qry.

func (*MemClientCredStore) LoadById 

func (self *MemClientCredStore) LoadById(cid int, dst *Card) (bool, error)

LoadById loads the Card with ID cid into dst. It returns true if the Card was found and successfully loaded.

func (*MemClientCredStore) RemoveCard 

func (self *MemClientCredStore) RemoveCard(cId int) (bool, error)

RemoveCard removes the Card with cId ID from the MemClientCredStore. It returns true if the Card was effectively removed.

func (*MemClientCredStore) SaveCard 

func (self *MemClientCredStore) SaveCard(card *Card) error

SaveCard saves card in the MemClientCredStore It errors if the card could not be saved.

type MemKeyStore 

type MemKeyStore struct {
	// contains filtered or unexported fields
}

MemKeyStore provides "in memory" implementation of KeyStore.

func NewMemKeyStore 

func NewMemKeyStore() *MemKeyStore

func (*MemKeyStore) GetServerKey 

func (self *MemKeyStore) GetServerKey(_ context.Context, realmId []byte, name string, srvkey *ServerKey) bool

GetServerKey loads realm static Keypair in srvkey. It returns true if the Keypair was effectively loaded.

func (*MemKeyStore) SaveServerKey 

func (self *MemKeyStore) SaveServerKey(_ context.Context, name string, srvkey ServerKey) error

SaveServer saves srvkey in the KeyStore. It errors if the srvkey could not be saved.

type MemServerCredStore 

type MemServerCredStore struct {
	// contains filtered or unexported fields
}

MemServerCredStore provides "in memory" implementation of ServerCredStore.

func NewMemServerCredStore 

func NewMemServerCredStore() (*MemServerCredStore, error)

func (*MemServerCredStore) AuthorizationCount 

func (self *MemServerCredStore) AuthorizationCount(_ context.Context) (int, error)

AuthorizationCount returns the number of EnrollAuthorization in the MemServerCredStore.

func (*MemServerCredStore) CardCount 

func (self *MemServerCredStore) CardCount(_ context.Context) (int, error)

CardCount returns the number of ServerCard in the MemServerCredStore.

func (*MemServerCredStore) ListRealm 

func (self *MemServerCredStore) ListRealm(_ context.Context) ([]Realm, error)

ListRealm lists the Realms in the ServerCredStore. It errors if the ServerCredStore is not reachable.

func (*MemServerCredStore) LoadCard 

func (self *MemServerCredStore) LoadCard(_ context.Context, cardId ServerCardAccess, dst *ServerCard) error

LoadCard loads stored card data in dst. It errors if card data were not successfully loaded.

func (*MemServerCredStore) LoadRealm 

func (self *MemServerCredStore) LoadRealm(_ context.Context, realmId RealmId, dst *Realm) error

LoadRealm loads realm data for realmId into dst. It errors if realm data were not successfully loaded.

func (*MemServerCredStore) PopEnrollAuthorization 

func (self *MemServerCredStore) PopEnrollAuthorization(_ context.Context, etk EnrollAccess, authorization *EnrollAuthorization) error

PopEnrollAuthorization loads authorization data and remove it from the MemServerCredStore. It errors if authorization data were not successfully loaded.

func (*MemServerCredStore) RemoveCard 

func (self *MemServerCredStore) RemoveCard(_ context.Context, cardId ServerCardKey) bool

RemoveCard removes the ServerCard with cardId identifier from the MemServerCredStore. It returns true if the ServerCard was effectively removed.

func (*MemServerCredStore) RemoveRealm 

func (self *MemServerCredStore) RemoveRealm(_ context.Context, realmId RealmId) error

RemoveRealm removes the Realm with realmId identifier from the ServerCredStore. It errors if the ServerCredStore is not reachable or if realmId does not exists.

func (*MemServerCredStore) SaveCard 

func (self *MemServerCredStore) SaveCard(_ context.Context, cardId ServerCardAccess, card *ServerCard) error

SaveCard saves card in the MemServerCredStore. It errors if the card could not be saved.

func (*MemServerCredStore) SaveEnrollAuthorization 

func (self *MemServerCredStore) SaveEnrollAuthorization(_ context.Context, etk EnrollAccess, atz *EnrollAuthorization) error

SaveEnrollAuthorization saves atz authorization in the MemServerCredStore. It errors if the authorization could not be saved.

func (*MemServerCredStore) SaveRealm 

func (self *MemServerCredStore) SaveRealm(_ context.Context, realm *Realm) error

SaveRealm saves realm into the ServerCredStore. It errors if realm could not be saved.

type OtkId added in v0.3.11 

type OtkId = IdToken

OtkId is an alias for IdToken used as an identifier when authenticating with OTK.

type OtpId added in v0.3.11 

type OtpId struct {
	Realm    RealmId
	Username string
}

OtpId identifies a Card via the OTP authentication path, using a (realm, username) pair.

It is used when a client authenticates with a one-time password rather than presenting an IdToken directly. The server resolves OtpId to a Card by looking up the username within the given realm.

func (OtpId) Check added in v0.3.11 

func (self OtpId) Check() error

Check returns an error if the OtpId is invalid.

type PrivateKeyHandle 

type PrivateKeyHandle struct {
	*ecdh.PrivateKey
}

PrivateKeyHandle "extends" ecdh.PrivateKey to support CBOR/JSON marshal/unmarshal.

func (PrivateKeyHandle) IsZero added in v0.3.2 

func (self PrivateKeyHandle) IsZero() bool

func (PrivateKeyHandle) MarshalBinary 

func (self PrivateKeyHandle) MarshalBinary() ([]byte, error)

func (PrivateKeyHandle) MarshalJSON 

func (self PrivateKeyHandle) MarshalJSON() ([]byte, error)

func (*PrivateKeyHandle) UnmarshalBinary 

func (self *PrivateKeyHandle) UnmarshalBinary(data []byte) error

func (*PrivateKeyHandle) UnmarshalJSON 

func (self *PrivateKeyHandle) UnmarshalJSON(data []byte) error

type PublicKeyHandle 

type PublicKeyHandle struct {
	*ecdh.PublicKey
}

PublicKeyHandle "extends" ecdh.PublicKey to support CBOR/JSON marshal/unmarshal.

func (PublicKeyHandle) IsZero added in v0.3.2 

func (self PublicKeyHandle) IsZero() bool

func (PublicKeyHandle) MarshalBinary 

func (self PublicKeyHandle) MarshalBinary() ([]byte, error)

func (PublicKeyHandle) MarshalJSON 

func (self PublicKeyHandle) MarshalJSON() ([]byte, error)

func (*PublicKeyHandle) UnmarshalBinary 

func (self *PublicKeyHandle) UnmarshalBinary(data []byte) error

func (*PublicKeyHandle) UnmarshalJSON 

func (self *PublicKeyHandle) UnmarshalJSON(data []byte) error

type Realm 

type Realm struct {
	RealmId RealmId `json:"id" cbor:"1,keyasint"`
	AppName string  `json:"app_name" cbor:"2,keyasint"`
	AppDesc string  `json:"app_desc,omitempty" cbor:"3,keyasint,omitempty"`
}

A Realm is a trusted domain managed by a single authority, within which Cards and Application can mutually verify each other’s identity.

func GetRealmInfo added in v0.3.3 

func GetRealmInfo(ctx context.Context, authServerUrl string, realmId []byte) (*Realm, error)

GetRealmInfo retrieves realm information from a remote authentication server. It makes an HTTP GET request to the specified authServerUrl, appending the base64-encoded realmId with .cbor extension to the path "/get-realm-infos/".

The function expects the server to implement the same protocol as RealmInfoHandler, returning realm data in CBOR format on success or HTTP 404 if the realm is not found.

func (*Realm) Check 

func (self *Realm) Check() error

Check returns an error if the Realm is invalid.

type RealmId added in v0.3.11 

type RealmId []byte

RealmId is the root hash of the Realm's CA public key Merkle tree.

It is a stable, permanent identifier for a security domain: it does not change when the active CA signing key is rotated. Because the Merkle tree commits to all authorized CA keys, a RealmId is self-sufficient — it is all that is needed to validate any certificate issued within the realm.

RealmId is not randomly generated: it is deterministically derived from CA key material and must be at least 32 bytes.

func (RealmId) Check added in v0.3.11 

func (self RealmId) Check() error

Check returns an error if the RealmId is not at least 32 bytes.

type RealmInfoHandler added in v0.3.3 

type RealmInfoHandler struct {
	// contains filtered or unexported fields
}

RealmInfoHandler is an HTTP handler that serves realm information in CBOR format. It retrieves realm data from a ServerCredStore and serializes it for HTTP delivery.

func NewRealmInfoHandler added in v0.3.3 

func NewRealmInfoHandler(credStore ServerCredStore) (*RealmInfoHandler, error)

NewRealmInfoHandler creates a new RealmInfoHandler with the provided ServerCredStore. It returns an error if credStore is nil.

func (*RealmInfoHandler) ServeHTTP added in v0.3.3 

func (self *RealmInfoHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP allows retrieving Realm information using HTTP GET.

The handler must be registered with an http.ServeMux at a URL path that ends with "/get-realm-infos/{realmId}". This exact path segment "get-realm-infos" is required to guarantee interoperability with the GetRealmInfo function.

Example registration pattern: 

mux.Handle("GET /get-realm-infos/{realmId}", handler)

The handler expects the {realmId} path segment to contain urlsafe base64 encoding of the desired Realm identifier with a .cbor extension appended. Example request: GET /get-realm-infos/abc123...xyz.cbor

In production environments, this endpoint will typically be served as static files to improve performance and scalability. For this reason, all client errors (invalid requests, unknown realms, etc.) return HTTP 404 status to maintain compatibility with static file serving.

type ServerCard 

type ServerCard struct {
	CardId  ServerCardIdKey `json:"-" cbor:"-"`
	RealmId RealmId         `json:"rid" cbor:"2,keyasint"`
	Kh      PublicKeyHandle `json:"pubkey" cbor:"3,keyasint"` // uses Kh.PublicKey to obtain the ecdh.PublicKey
	Psk     []byte          `json:"psk" cbor:"4,keyasint"`
}

ServerCard holds keys necessary for validating/generating EPHEMSEC OTP/OTK.

func (*ServerCard) Check 

func (self *ServerCard) Check() error

Check returns an error if the ServerCard is invalid.

type ServerCardAccess added in v0.3.11 

type ServerCardAccess interface {
	ServerCardKey
	// contains filtered or unexported methods
}

ServerCardAccess is a sealed interface representing keys that can both locate and read Card secrets. It extends ServerCardKey with access rights.

Variants:

  • IdToken: the client-held 32-byte token; grants access when presented directly.
  • OtpId: a (realm, username) pair; grants access via the OTP authentication path.

type ServerCardId added in v0.3.11 

type ServerCardId int

ServerCardId is a surrogate integer key for store implementations that maintain their own indexed identity (e.g. auto-increment primary keys).

Support for ServerCardId is optional and depends on the ServerCredStore implementation. It is intended as a fast-path lookup alternative to ServerCardIdKey.

type ServerCardIdKey added in v0.3.11 

type ServerCardIdKey []byte

ServerCardIdKey is a 32-byte server-side card identifier derived from an IdToken

It provides direct, opaque access to a Card without exposing the originating IdToken.

func (ServerCardIdKey) Check added in v0.3.11 

func (self ServerCardIdKey) Check() error

Check returns an error if the ServerCardIdKey is not a valid 32-byte key.

type ServerCardKey added in v0.3.11 

type ServerCardKey interface {
	// contains filtered or unexported methods
}

ServerCardKey is a sealed interface representing any key that can locate a Card on the server side. It is the sum type for all card lookup strategies.

Variants:

  • ServerCardIdKey: a 32-byte derived key, produced by hashing an IdToken.
  • ServerCardId: a surrogate integer key, for store implementations that maintain their own indexed identity.
  • IdToken: a 32-byte client-held token. Implements both lookup and access.
  • OtpId: a (realm, username) pair for OTP-based authentication paths.

type ServerCredStore 

type ServerCredStore interface {

	// ListRealm lists the Realm in the ServerCredStore.
	// It errors if the ServerCredStore is not reachable.
	ListRealm(ctx context.Context) ([]Realm, error)

	// LoadRealm loads realm data for realmId into dst.
	// It errors if realm data were not successfully loaded.
	LoadRealm(ctx context.Context, realmId RealmId, dst *Realm) error

	// SaveRealm saves realm into the ServerCredStore.
	// SaveRealm may modify realm before/after saving it, eg to record actual storage key.
	// It errors if realm could not be saved.
	SaveRealm(ctx context.Context, realm *Realm) error

	// RemoveRealm removes the Realm with realmId identifier from the ServerCredStore.
	// It errors if the ServerCredStore is not reachable or if realmId does not exists.
	RemoveRealm(ctx context.Context, realmId RealmId) error

	// PopEnrollAuthorization loads authorization data and remove it from the ServerCredStore.
	// It errors if authorization data were not successfully loaded.
	PopEnrollAuthorization(ctx context.Context, authId EnrollAccess, authorization *EnrollAuthorization) error

	// SaveEnrollAuthorization saves authorization in the ServerCredStore.
	// SaveEnrollAuthorization may modify authorization before/after saving it, eg to record actual storage key.
	// It errors if the authorization could not be saved.
	SaveEnrollAuthorization(ctx context.Context, authId EnrollAccess, authorization *EnrollAuthorization) error

	// AuthorizationCount returns the number of EnrollAuthorization in the ServerCredStore.
	AuthorizationCount(ctx context.Context) (int, error)

	// LoadCard loads stored card data in dst.
	// It errors if card data were not successfully loaded.
	LoadCard(ctx context.Context, cardId ServerCardAccess, dst *ServerCard) error

	// SaveCard saves card in the ServerCredStore.
	// SaveCard may modify card before/after saving it, eg to record actual storage key.
	// It errors if the card could not be saved.
	SaveCard(ctx context.Context, cardId ServerCardAccess, card *ServerCard) error

	// RemoveCard removes the ServerCard with cardId identifier from the ServerCredStore.
	// It returns true if the ServerCard was effectively removed.
	RemoveCard(ctx context.Context, cardId ServerCardKey) bool

	// CountCard returns the number of ServerCard in the ServerCredStore.
	CardCount(ctx context.Context) (int, error)
}

ServerCredStore gives access to KerPass server credential database.

type ServerKey 

type ServerKey struct {
	RealmId     []byte           `json:"1" cbor:"1,keyasint"`
	Kh          PrivateKeyHandle `json:"2" cbor:"2,keyasint"` // uses Kh.PrivateKey to obtain the ecdh.PrivateKey
	Certificate []byte           `json:"3" cbor:"3,keyasint"`
}

ServerKey holds an ecdh.PrivateKey with Realm certificate.

func (ServerKey) Check 

func (self ServerKey) Check() error

Check returns an error if the ServerKey is invalid.

type SrvStorageAdapter added in v0.3.11 

type SrvStorageAdapter struct {
	// contains filtered or unexported fields
}

SrvStorageAdapter transforms ServerCard and EnrollAuthorization into encrypted storage representations. It uses IdHasher-derived keys to protect sensitive key material and user data at rest.

func NewSrvStorageAdapter added in v0.3.11 

func NewSrvStorageAdapter(idHasher *IdHasher) (*SrvStorageAdapter, error)

NewSrvStorageAdapter creates a SrvStorageAdapter using the provided IdHasher for key derivation.

func (*SrvStorageAdapter) FromCardStorage added in v0.3.11 

func (self *SrvStorageAdapter) FromCardStorage(aks *AccessKeys, src *SrvStoreCard, dst *ServerCard) error

FromCardStorage deserializes and decrypts a SrvStoreCard into a ServerCard. It unseals KeyData using the provided AccessKeys and reconstructs the card.

func (*SrvStorageAdapter) FromEnrollAuthorizationStorage added in v0.3.11 

func (self *SrvStorageAdapter) FromEnrollAuthorizationStorage(aks *AccessKeys, src *SrvStoreEnrollAuthorization, dst *EnrollAuthorization) error

FromEnrollAuthorizationStorage deserializes and decrypts a SrvStoreEnrollAuthorization into an EnrollAuthorization. It unseals UserData using the provided AccessKeys and reconstructs the EnrollAuthorization.

func (*SrvStorageAdapter) GetCardAccess added in v0.3.11 

func (self *SrvStorageAdapter) GetCardAccess(sca ServerCardAccess, dst *AccessKeys) error

GetCardAccess derives AccessKeys from a ServerCardAccess credential. The returned keys are used to encrypt/decrypt card data in storage.

func (*SrvStorageAdapter) GetEnrollAuthorizationAccess added in v0.3.11 

func (self *SrvStorageAdapter) GetEnrollAuthorizationAccess(ea EnrollAccess, dst *AccessKeys) error

GetEnrollAuthorizationAccess derives AccessKeys from an EnrollAccess credential. The returned keys are used to encrypt/decrypt user data in storage.

func (*SrvStorageAdapter) ToCardStorage added in v0.3.11 

func (self *SrvStorageAdapter) ToCardStorage(aks *AccessKeys, src *ServerCard, dst *SrvStoreCard) error

ToCardStorage serializes a ServerCard into storage form. It marshals key material (Kh, Psk) and seals it using the provided AccessKeys.

func (*SrvStorageAdapter) ToEnrollAuthorizationStorage added in v0.3.11 

func (self *SrvStorageAdapter) ToEnrollAuthorizationStorage(aks *AccessKeys, src *EnrollAuthorization, dst *SrvStoreEnrollAuthorization) error

ToEnrollAuthorizationStorage serializes an EnrollAuthorization into storage form. It hashes the EnrollToken identifier that grants authorization to create a new Card and encrypts the UserData.

type SrvStoreCard 

type SrvStoreCard struct {
	ID       ServerCardIdKey
	RealmId  RealmId
	SealType sealType
	KeyData  []byte
}

SrvStoreCard is the storage representation of a ServerCard. It separates identity (ID, RealmId) from encrypted key material (KeyData).

func (*SrvStoreCard) Check added in v0.3.11 

func (self *SrvStoreCard) Check() error

Check returns an error if the SrvStoreCard is invalid.

type SrvStoreEnrollAuthorization added in v0.3.11 

type SrvStoreEnrollAuthorization struct {
	ID       EnrollIdKey
	RealmId  RealmId
	AppName  string
	AppDesc  string
	SealType sealType
	UserData []byte
}

SrvStoreEnrollAuthorization is the storage representation of an EnrollAuthorization. It allows encrypting the UserData.

func (*SrvStoreEnrollAuthorization) Check added in v0.3.11 

func (self *SrvStoreEnrollAuthorization) Check() error

Check returns an error if the SrvStoreEnrollAuthorization is invalid.

type UserIdFactory added in v0.3.11 

type UserIdFactory interface {
	// MakeUserId returns an UserId string generated after processing "User Data" ud
	MakeUserId(ud json.RawMessage) (string, error)
}

UserIdFactory defines the interface used to deterministically derive a UserId string from arbitrary user-provided data.

Implementations must ensure that the returned UserId is stable for the same input and normalized consistently, as it may participate in cryptographic derivations (e.g., IdToken generation).

type UserIdFactoryFunc added in v0.3.11 

type UserIdFactoryFunc func(json.RawMessage) (string, error)

UserIdFactoryFunc is an adapter type to allow using ordinary functions as UserIdFactory.

func (UserIdFactoryFunc) MakeUserId added in v0.3.11 

func (self UserIdFactoryFunc) MakeUserId(ud json.RawMessage) (string, error)

Source Files

View all Source files

Directories

Path Synopsis
Package boltdb provides a persistent credentials.ClientCredStore that keeps data in a file.
 Package boltdb provides a persistent credentials.ClientCredStore that keeps data in a file.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.