Documentation
¶
Overview ¶
Package secrets implements `secrets create`: an agent (or developer), acting for a signed-in user, creates a user-owned key in the vault constellation.
Flow (the key-creation-grants design, CLI/user path):
- Generate an ephemeral RA-TLS client leaf; its SHA-256 thumbprint is the holder-of-key binding (`cnf.x5t#S256`).
- Build the KeyPolicy (owner = Oidc{privasys.id, sub}, owner may export/ delete; exportable).
- Ask the IdP for a key-creation grant bound to that policy + thumbprint.
- Generate the secret material.
- Shamir-split it and create one share per vault over mutual RA-TLS, presenting the leaf (so the vault's cnf check passes).
The cert/policy/grant steps are plain Go (here). Step 5 dials the vaults over RA-TLS and lives behind the `ratls` build tag (see create_ratls.go); the released binary is always built with it.
Index ¶
- Constants
- Variables
- func DestroyKeyInVault(ctx context.Context, p VaultOpParams) (deletedOn []string, err error)
- func DigestBytes(in []byte) ([]byte, error)
- func UnwrapInVault(ctx context.Context, p VaultOpParams, ciphertext, iv, aad []byte) (plaintext []byte, vaultEp string, err error)
- func WrapInVault(ctx context.Context, p VaultOpParams, plaintext, aad, iv []byte) (ciphertext, gotIV []byte, vaultEp string, err error)
- type AuditRecord
- type CreateParams
- type ExportParams
- type ExportResult
- type PublicKeyResult
- type Result
- func Create(ctx context.Context, p CreateParams) (*Result, error)
- func CreateAesKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)
- func CreateInVault(ctx context.Context, p VaultCreateParams) (*Result, error)
- func CreateSigningKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)
- type SignResult
- type StepUpAssertFunc
- type VaultAddressing
- type VaultCreateParams
- type VaultOpParams
Constants ¶
const ( // Fallback pin (vault-v0.26.0, Paris+London 8443/8444). The directory is the // source of truth; this is only used if /api/v1/vaults can't be reached. DefaultMRENCLAVE = "d881cff03f1d3be5899fde6605b37fe4e859e5d6c99dd8cbf3bcbc023fe26215" DefaultAttServer = "https://as.privasys.org/verify" )
const AppDEKGenerationSize = 16
AppDEKGenerationSize is the byte length of the generation prefix the enclave-os manager prepends to each app volume-DEK share (its `generationSize` const). App-DEK exports set ExportParams.GenerationSize to this.
Variables ¶
var DefaultEndpoints = []string{
"141.94.219.130:8443", "141.94.219.130:8444",
"198.244.201.58:8443", "198.244.201.58:8444",
}
Last-resort fallbacks for the production vault constellation, used only when the live directory (GET /api/v1/vaults) is unavailable. The CLI normally discovers the active constellation (endpoints + MRENCLAVE + attestation server) from the directory — the same source container apps and the SDK use — so these need not track every vault cutover. The 2-of-4 SGX constellation across Paris + London.
Functions ¶
func DestroyKeyInVault ¶ added in v0.19.0
func DestroyKeyInVault(ctx context.Context, p VaultOpParams) (deletedOn []string, err error)
func DigestBytes ¶ added in v0.24.0
DigestBytes normalises a pre-hashed sign input to the raw 32-byte SHA-256 digest: 64 hex chars (the natural CLI/agent form) or the 32 raw bytes.
func UnwrapInVault ¶ added in v0.18.0
func WrapInVault ¶ added in v0.18.0
Types ¶
type AuditRecord ¶ added in v0.22.0
type AuditRecord struct {
Seq uint64 `json:"seq"`
Ts uint64 `json:"ts"`
Op string `json:"op"`
Caller string `json:"caller"`
Decision string `json:"decision"`
Reason string `json:"reason,omitempty"`
}
AuditRecord is one entry of a key's tamper-evident audit log (who did what).
func ReadAuditInVault ¶ added in v0.22.0
func ReadAuditInVault(ctx context.Context, p VaultOpParams, limit int) ([]AuditRecord, string, error)
type CreateParams ¶
type CreateParams struct {
Issuer string // IdP origin
Bearer string // the user's access token
Sub string // the user's subject (owner of the key)
Handle string // vault key handle, must fall under users/<sub>/
Secret []byte // the key material
Exportable bool // whether the owner may export it later
Endpoints []string // constellation vault endpoints (host:port)
Threshold int // Shamir k (e.g. 2 of n)
MRENCLAVE string // expected vault MRENCLAVE (hex)
AttServer string // attestation server verify endpoint
AttToken string // aud=attestation-server bearer for quote verification
}
CreateParams carries everything needed to create a user secret.
type ExportParams ¶
type ExportParams struct {
Issuer string // IdP origin
Bearer string // the user's access token (owner)
Sub string // the user's subject (owner of the key)
Handle string // vault key handle (users/<sub>/...)
Endpoints []string // constellation vault endpoints (host:port)
Threshold int // Shamir k (vaults needed to reconstruct)
MRENCLAVE string // expected vault MRENCLAVE (hex)
AttServer string // attestation server verify endpoint
AttToken string // aud=attestation-server bearer for quote verification
RequireStepUp bool // when set, drive an operation-bound WebAuthn step-up (Assert)
Assert StepUpAssertFunc // produces the WebAuthn step-up assertion
// GenerationSize > 0 means the per-vault material is generation-prefixed
// (`generation(GenerationSize) || share`), the layout the enclave-os manager
// uses for app volume DEKs. 0 (default) = raw shares (user secrets).
GenerationSize int
}
ExportParams carries everything needed to export a user secret. Authn is the owner OIDC bearer plus a fresh, operation-bound WebAuthn step-up (driven via Assert); the key material is reconstructed from the vault shares in memory and returned only to the caller (never logged or printed).
type ExportResult ¶
type ExportResult struct {
Handle string `json:"handle"`
Retrieved int `json:"retrieved"` // vaults that returned a share
Total int `json:"total"`
Threshold int `json:"threshold"`
Fingerprint string `json:"fingerprint"` // sha256: of the reconstructed key
}
ExportResult summarises an export (no key material).
func Export ¶
func Export(ctx context.Context, p ExportParams) ([]byte, *ExportResult, error)
Export is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.
type PublicKeyResult ¶ added in v0.17.0
type PublicKeyResult struct {
KeyType string `json:"key_type"`
PublicKey []byte `json:"-"`
Vault string `json:"vault"`
}
PublicKeyResult is a key's public half (signing keys).
func GetPublicKeyInVault ¶ added in v0.17.0
func GetPublicKeyInVault(ctx context.Context, p VaultOpParams) (*PublicKeyResult, error)
type Result ¶
type Result struct {
Handle string `json:"handle"`
Created int `json:"created"` // vaults that accepted a share
Total int `json:"total"`
Threshold int `json:"threshold"`
Exportable bool `json:"exportable"`
Thumbprint string `json:"cnf_x5t_s256"`
Endpoint string `json:"endpoint,omitempty"` // single-enclave keys: the holding vault
}
Result summarises a created secret (no key material).
func Create ¶
func Create(ctx context.Context, p CreateParams) (*Result, error)
Create is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.
func CreateAesKeyInVault ¶ added in v0.18.0
func CreateAesKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)
func CreateInVault ¶
func CreateInVault(ctx context.Context, p VaultCreateParams) (*Result, error)
CreateInVault is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.
func CreateSigningKeyInVault ¶ added in v0.17.0
func CreateSigningKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)
CreateSigningKeyInVault, SignInVault and GetPublicKeyInVault dial the vault constellation over RA-TLS and are unavailable without the `ratls` build.
type SignResult ¶ added in v0.17.0
type SignResult struct {
Signature []byte `json:"-"`
Alg string `json:"alg"`
Vault string `json:"vault"`
}
SignResult is an in-enclave signature (the private key never left the vault).
func SignInVault ¶ added in v0.17.0
func SignInVault(ctx context.Context, p VaultOpParams, message []byte) (*SignResult, error)
func SignPrehashInVault ¶ added in v0.23.0
func SignPrehashInVault(ctx context.Context, p VaultOpParams, digest []byte) (*SignResult, error)
type StepUpAssertFunc ¶
type StepUpAssertFunc func(ctx context.Context, optionsJSON []byte) (assertionJSON []byte, err error)
StepUpAssertFunc produces the WebAuthn assertion (the JSON body the IdP's /fido2/vault-approval/complete expects) for the given assertion options. The signer holds the user's credential (the wallet / a passkey); this package and the CLI binary never see the signing key. In E2E the mock wallet provides it.
type VaultAddressing ¶
type VaultAddressing struct {
Handle string
Endpoints []string
MRENCLAVE string
AttServer string
Threshold int
}
VaultAddressing is the constellation a vault key is created on, returned by the platform alongside the grant.
type VaultCreateParams ¶
type VaultCreateParams struct {
Sub string // the key owner's subject
Secret []byte // the key material
Exportable bool
AttToken string // aud=attestation-server bearer for quote verification
// MintGrant asks the platform to mint a grant for a key bound to the agent's
// holder-of-key cnf, returning the grant and the constellation addressing.
MintGrant func(ctx context.Context, cnf string) (grant string, addr VaultAddressing, err error)
}
VaultCreateParams creates a key in a user-facing vault using a grant the platform mints (the platform authors the policy + catalogues the key; the agent creates the material). The platform never sees the material.
type VaultOpParams ¶ added in v0.17.0
type VaultOpParams struct {
Handle string // the key handle (vaults/<vault-id>/<name>)
Endpoints []string // constellation vault endpoints to try (the holder is one of them)
MRENCLAVE string // expected vault MRENCLAVE (hex)
AttServer string // attestation server verify endpoint
AttToken string // aud=attestation-server bearer for quote verification
OwnerToken string // the owner's OIDC bearer (aud = the vault audience)
}
VaultOpParams addresses an existing key in the constellation for an owner-authenticated in-enclave operation (Sign / GetKeyInfo). The owner authenticates with their OIDC bearer (the key policy's owner principal); no holder-of-key cert is needed once the key exists.