README
¶
Tang.go
Tang.go pure-go library that implement server side of ECMR key exchange. It functionally similar to Tang project.
The library also provides a convenient way to perform ECMR exchange with a specific key
Usage
package main
import "github.com/anatol/tang.go"
func main() {
// Start Tang service
srv := tang.NewServer()
keySet, _ := tang.ReadKeysFromDir("/var/db/tang")
srv.Keys = keySet
srv.Addr = ":0"
_ = srv.ListenAndServe()
}
Or you can operate with keyset directly and do you own server-side exchange manually:
package main
import (
"github.com/anatol/tang.go"
"github.com/lestrrat-go/jwx/jwk"
)
func main() {
ks := tang.NewKeySet()
priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
key, err := jwk.New(priv)
key.Set(jwk.KeyOpsKey, []jwk.KeyOperation{jwk.KeyOpDeriveKey})
key.Set(jwk.AlgorithmKey, "ECMR")
ks.AppendKey(key, true)
privRec, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
pubRec := privRec.Public()
keyRec, err := jwk.New(pubRec)
keyRec.Set(jwk.AlgorithmKey, "ECMR")
finalKey, err := ks.RecoverKey("$THP_OF_THE_GENERATED_KEY", keyRec)
var finalKeyPub ecdsa.PublicKey
finalKey.Raw(&finalKeyPub)
// finalKeyPub.X and finalKeyPub.Y are going to be your derived values
}
Acknowledgments
This project has been inspired by:
Important contributions to this project are done by:
Documentation
¶
Index ¶
- func GenerateExchangeKey() (jwk.Key, error)
- func GenerateVerifyKey() (jwk.Key, error)
- func ReverseTangHandshake(address string, ks *KeySet) error
- type KeySet
- func (ks *KeySet) AppendKey(jwkKey jwk.Key, advertised bool) error
- func (ks *KeySet) ByThumbprint(thumbprint string) (*tangKey, error)
- func (ks *KeySet) RecomputeAdvertisements() error
- func (ks *KeySet) Recover(thp string, data []byte) ([]byte, error)
- func (ks *KeySet) RecoverKey(thp string, webKey jwk.Key) (jwk.Key, error)
- type NativeServer
- type Server
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenerateExchangeKey ¶
GenerateExchangeKey generates an exchange key for Tang
func GenerateVerifyKey ¶
GenerateVerifyKey generates a verify/sign key for Tang
func ReverseTangHandshake ¶
ReverseTangHandshake performs a key exchange with "remote" clevis client
Types ¶
type KeySet ¶
type KeySet struct {
DefaultAdvertisement []byte
// contains filtered or unexported fields
}
KeySet represents a set of all keys handled by Tang
func ReadKeys ¶
ReadKeys reads all key files and as wells as keys from the given directories and makes a KeySet instance out of it. Any key file that starts from "." (dot) is marked as non-advertised. In case of directory scanning only files with *.jwk suffix are parsed as keys, other files are ignored
func (*KeySet) AppendKey ¶
AppendKey appends the given key to the KeySet. Advertisements are not recalculated.
func (*KeySet) ByThumbprint ¶
func (*KeySet) RecomputeAdvertisements ¶
RecomputeAdvertisements recomputes advertisement files for the keys and default for the KeySet itself
type NativeServer ¶
NativeServer is a server implementation that redirects requests to the native "tangd" binary. This code is useful for tests or when one needs a wrapper around tangd binary.
func NewNativeServer ¶
func NewNativeServer(keysDir string, port int) (*NativeServer, error)
NewNativeServer creates instance of a native Tang server
Source Files
Directories