secrets

package
v0.18.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 28, 2026 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Overview

Package secrets implements `secrets create`: an agent (or developer), acting for a signed-in user, creates a user-owned key in the vault constellation.

Flow (the key-creation-grants design, CLI/user path):

  1. Generate an ephemeral RA-TLS client leaf; its SHA-256 thumbprint is the holder-of-key binding (`cnf.x5t#S256`).
  2. Build the KeyPolicy (owner = Oidc{privasys.id, sub}, owner may export/ delete; exportable).
  3. Ask the IdP for a key-creation grant bound to that policy + thumbprint.
  4. Generate the secret material.
  5. Shamir-split it and create one share per vault over mutual RA-TLS, presenting the leaf (so the vault's cnf check passes).

The cert/policy/grant steps are plain Go (here). Step 5 dials the vaults over RA-TLS and lives behind the `ratls` build tag (see create_ratls.go); the released binary is always built with it.

Index

Constants

View Source
const (
	// vault-v0.24.0 (grant + operation-bound export step-up), live on the 4 prod
	// vaults (Paris + London, 8443/8444) since 2026-06-26. Bump this on each prod
	// vault MRENCLAVE cutover.
	DefaultMRENCLAVE = "f463b560dfaa4e30fe01165e4feb733eb94463143b0096afd18f83dd7008a9c5"
	DefaultAttServer = "https://as.privasys.org/verify"
)
View Source
const AppDEKGenerationSize = 16

AppDEKGenerationSize is the byte length of the generation prefix the enclave-os manager prepends to each app volume-DEK share (its `generationSize` const). App-DEK exports set ExportParams.GenerationSize to this.

Variables

View Source
var DefaultEndpoints = []string{
	"141.94.219.130:8443", "141.94.219.130:8444",
	"198.244.201.58:8443", "198.244.201.58:8444",
}

Defaults for the production vault constellation (see infrastructure.md): the 2-of-4 SGX constellation across Paris + London, its current MRENCLAVE, and the attestation server. Override per-invocation when the vault is upgraded.

Functions

func UnwrapInVault added in v0.18.0

func UnwrapInVault(ctx context.Context, p VaultOpParams, ciphertext, iv, aad []byte) (plaintext []byte, vaultEp string, err error)

func WrapInVault added in v0.18.0

func WrapInVault(ctx context.Context, p VaultOpParams, plaintext, aad []byte) (ciphertext, iv []byte, vaultEp string, err error)

Types

type CreateParams

type CreateParams struct {
	Issuer     string   // IdP origin
	Bearer     string   // the user's access token
	Sub        string   // the user's subject (owner of the key)
	Handle     string   // vault key handle, must fall under users/<sub>/
	Secret     []byte   // the key material
	Exportable bool     // whether the owner may export it later
	Endpoints  []string // constellation vault endpoints (host:port)
	Threshold  int      // Shamir k (e.g. 2 of n)
	MRENCLAVE  string   // expected vault MRENCLAVE (hex)
	AttServer  string   // attestation server verify endpoint
	AttToken   string   // aud=attestation-server bearer for quote verification
}

CreateParams carries everything needed to create a user secret.

type ExportParams

type ExportParams struct {
	Issuer        string           // IdP origin
	Bearer        string           // the user's access token (owner)
	Sub           string           // the user's subject (owner of the key)
	Handle        string           // vault key handle (users/<sub>/...)
	Endpoints     []string         // constellation vault endpoints (host:port)
	Threshold     int              // Shamir k (vaults needed to reconstruct)
	MRENCLAVE     string           // expected vault MRENCLAVE (hex)
	AttServer     string           // attestation server verify endpoint
	AttToken      string           // aud=attestation-server bearer for quote verification
	RequireStepUp bool             // when set, drive an operation-bound WebAuthn step-up (Assert)
	Assert        StepUpAssertFunc // produces the WebAuthn step-up assertion
	// GenerationSize > 0 means the per-vault material is generation-prefixed
	// (`generation(GenerationSize) || share`), the layout the enclave-os manager
	// uses for app volume DEKs. 0 (default) = raw shares (user secrets).
	GenerationSize int
}

ExportParams carries everything needed to export a user secret. Authn is the owner OIDC bearer plus a fresh, operation-bound WebAuthn step-up (driven via Assert); the key material is reconstructed from the vault shares in memory and returned only to the caller (never logged or printed).

type ExportResult

type ExportResult struct {
	Handle      string `json:"handle"`
	Retrieved   int    `json:"retrieved"` // vaults that returned a share
	Total       int    `json:"total"`
	Threshold   int    `json:"threshold"`
	Fingerprint string `json:"fingerprint"` // sha256: of the reconstructed key
}

ExportResult summarises an export (no key material).

func Export

func Export(ctx context.Context, p ExportParams) ([]byte, *ExportResult, error)

Export is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.

type PublicKeyResult added in v0.17.0

type PublicKeyResult struct {
	KeyType   string `json:"key_type"`
	PublicKey []byte `json:"-"`
	Vault     string `json:"vault"`
}

PublicKeyResult is a key's public half (signing keys).

func GetPublicKeyInVault added in v0.17.0

func GetPublicKeyInVault(ctx context.Context, p VaultOpParams) (*PublicKeyResult, error)

type Result

type Result struct {
	Handle     string `json:"handle"`
	Created    int    `json:"created"` // vaults that accepted a share
	Total      int    `json:"total"`
	Threshold  int    `json:"threshold"`
	Exportable bool   `json:"exportable"`
	Thumbprint string `json:"cnf_x5t_s256"`
	Endpoint   string `json:"endpoint,omitempty"` // single-enclave keys: the holding vault
}

Result summarises a created secret (no key material).

func Create

func Create(ctx context.Context, p CreateParams) (*Result, error)

Create is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.

func CreateAesKeyInVault added in v0.18.0

func CreateAesKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)

func CreateInVault

func CreateInVault(ctx context.Context, p VaultCreateParams) (*Result, error)

CreateInVault is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.

func CreateSigningKeyInVault added in v0.17.0

func CreateSigningKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)

CreateSigningKeyInVault, SignInVault and GetPublicKeyInVault dial the vault constellation over RA-TLS and are unavailable without the `ratls` build.

type SignResult added in v0.17.0

type SignResult struct {
	Signature []byte `json:"-"`
	Alg       string `json:"alg"`
	Vault     string `json:"vault"`
}

SignResult is an in-enclave signature (the private key never left the vault).

func SignInVault added in v0.17.0

func SignInVault(ctx context.Context, p VaultOpParams, message []byte) (*SignResult, error)

type StepUpAssertFunc

type StepUpAssertFunc func(ctx context.Context, optionsJSON []byte) (assertionJSON []byte, err error)

StepUpAssertFunc produces the WebAuthn assertion (the JSON body the IdP's /fido2/vault-approval/complete expects) for the given assertion options. The signer holds the user's credential (the wallet / a passkey); this package and the CLI binary never see the signing key. In E2E the mock wallet provides it.

type VaultAddressing

type VaultAddressing struct {
	Handle    string
	Endpoints []string
	MRENCLAVE string
	AttServer string
	Threshold int
}

VaultAddressing is the constellation a vault key is created on, returned by the platform alongside the grant.

type VaultCreateParams

type VaultCreateParams struct {
	Sub        string // the key owner's subject
	Secret     []byte // the key material
	Exportable bool
	AttToken   string // aud=attestation-server bearer for quote verification
	// MintGrant asks the platform to mint a grant for a key bound to the agent's
	// holder-of-key cnf, returning the grant and the constellation addressing.
	MintGrant func(ctx context.Context, cnf string) (grant string, addr VaultAddressing, err error)
}

VaultCreateParams creates a key in a user-facing vault using a grant the platform mints (the platform authors the policy + catalogues the key; the agent creates the material). The platform never sees the material.

type VaultOpParams added in v0.17.0

type VaultOpParams struct {
	Handle     string   // the key handle (vaults/<vault-id>/<name>)
	Endpoints  []string // constellation vault endpoints to try (the holder is one of them)
	MRENCLAVE  string   // expected vault MRENCLAVE (hex)
	AttServer  string   // attestation server verify endpoint
	AttToken   string   // aud=attestation-server bearer for quote verification
	OwnerToken string   // the owner's OIDC bearer (aud = the vault audience)
}

VaultOpParams addresses an existing key in the constellation for an owner-authenticated in-enclave operation (Sign / GetKeyInfo). The owner authenticates with their OIDC bearer (the key policy's owner principal); no holder-of-key cert is needed once the key exists.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL