secrets

package
v0.29.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2026 License: AGPL-3.0 Imports: 22 Imported by: 0

Documentation

Overview

Package secrets implements `secrets create`: an agent (or developer), acting for a signed-in user, creates a user-owned key in the vault constellation.

Flow (the key-creation-grants design, CLI/user path):

  1. Generate an ephemeral RA-TLS client leaf; its SHA-256 thumbprint is the holder-of-key binding (`cnf.x5t#S256`).
  2. Build the KeyPolicy (owner = Oidc{privasys.id, sub}, owner may export/ delete; exportable).
  3. Ask the IdP for a key-creation grant bound to that policy + thumbprint.
  4. Generate the secret material.
  5. Shamir-split it and create one share per vault over mutual RA-TLS, presenting the leaf (so the vault's cnf check passes).

The cert/policy/grant steps are plain Go (here). Step 5 dials the vaults over RA-TLS and lives behind the `ratls` build tag (see create_ratls.go); the released binary is always built with it.

Index

Constants

View Source
const (
	// Fallback pin (vault-v0.26.0, Paris+London 8443/8444). The directory is the
	// source of truth; this is only used if /api/v1/vaults can't be reached.
	DefaultMRENCLAVE = "d881cff03f1d3be5899fde6605b37fe4e859e5d6c99dd8cbf3bcbc023fe26215"
	DefaultAttServer = "https://as.privasys.org/verify"
)
View Source
const AppDEKGenerationSize = 16

AppDEKGenerationSize is the byte length of the generation prefix the enclave-os manager prepends to each app volume-DEK share (its `generationSize` const). App-DEK exports set ExportParams.GenerationSize to this.

Variables

View Source
var DefaultEndpoints = []string{
	"141.94.219.130:8443", "141.94.219.130:8444",
	"198.244.201.58:8443", "198.244.201.58:8444",
}

Last-resort fallbacks for the production vault constellation, used only when the live directory (GET /api/v1/vaults) is unavailable. The CLI normally discovers the active constellation (endpoints + MRENCLAVE + attestation server) from the directory — the same source container apps and the SDK use — so these need not track every vault cutover. The 2-of-4 SGX constellation across Paris + London.

Functions

func DestroyKeyInVault added in v0.19.0

func DestroyKeyInVault(ctx context.Context, p VaultOpParams) (deletedOn []string, err error)

func DigestBytes added in v0.24.0

func DigestBytes(in []byte) ([]byte, error)

DigestBytes normalises a pre-hashed sign input to the raw 32-byte SHA-256 digest: 64 hex chars (the natural CLI/agent form) or the 32 raw bytes.

func OpenBrowser added in v0.27.0

func OpenBrowser(rawURL string) error

OpenBrowser launches rawURL in the user's default browser, best-effort. Under WSL it prefers wslview (opens the Windows browser, which holds the passkey / can bridge to the phone) before falling back to xdg-open.

func RequestStepUpViaBrowser added in v0.27.0

func RequestStepUpViaBrowser(ctx context.Context, issuer, bearer, operation, handle, measurementDigestHex string, policyVersion uint32, actx approvalContext, open BrowserOpener, out io.Writer) (string, error)

func UnwrapInVault added in v0.18.0

func UnwrapInVault(ctx context.Context, p VaultOpParams, ciphertext, iv, aad []byte) (plaintext []byte, vaultEp string, err error)

func WrapInVault added in v0.18.0

func WrapInVault(ctx context.Context, p VaultOpParams, plaintext, aad, iv []byte) (ciphertext, gotIV []byte, vaultEp string, err error)

Types

type AuditRecord added in v0.22.0

type AuditRecord struct {
	Seq      uint64 `json:"seq"`
	Ts       uint64 `json:"ts"`
	Op       string `json:"op"`
	Caller   string `json:"caller"`
	Decision string `json:"decision"`
	Reason   string `json:"reason,omitempty"`
}

AuditRecord is one entry of a key's tamper-evident audit log (who did what).

func ReadAuditInVault added in v0.22.0

func ReadAuditInVault(ctx context.Context, p VaultOpParams, limit int) ([]AuditRecord, string, error)

type BrowserOpener added in v0.27.0

type BrowserOpener func(rawURL string) error

BrowserOpener launches a URL in the user's browser. It is best-effort: the caller always prints the URL too, so a launch failure is not fatal.

type CreateParams

type CreateParams struct {
	Issuer     string   // IdP origin
	Bearer     string   // the user's access token
	Sub        string   // the user's subject (owner of the key)
	Handle     string   // vault key handle, must fall under users/<sub>/
	Secret     []byte   // the key material
	Exportable bool     // whether the owner may export it later
	Endpoints  []string // constellation vault endpoints (host:port)
	Threshold  int      // Shamir k (e.g. 2 of n)
	MRENCLAVE  string   // expected vault MRENCLAVE (hex)
	AttServer  string   // attestation server verify endpoint
	AttToken   string   // aud=attestation-server bearer for quote verification
}

CreateParams carries everything needed to create a user secret.

type ExportParams

type ExportParams struct {
	Issuer        string           // IdP origin
	Bearer        string           // the user's access token (owner)
	Sub           string           // the user's subject (owner of the key)
	Handle        string           // vault key handle (users/<sub>/...)
	Endpoints     []string         // constellation vault endpoints (host:port)
	Threshold     int              // Shamir k (vaults needed to reconstruct)
	MRENCLAVE     string           // expected vault MRENCLAVE (hex)
	AttServer     string           // attestation server verify endpoint
	AttToken      string           // aud=attestation-server bearer for quote verification
	RequireStepUp bool             // when set, drive an operation-bound WebAuthn step-up (Assert)
	Assert        StepUpAssertFunc // produces the WebAuthn step-up assertion
	// GenerationSize > 0 means the per-vault material is generation-prefixed
	// (`generation(GenerationSize) || share`), the layout the enclave-os manager
	// uses for app volume DEKs. 0 (default) = raw shares (user secrets).
	GenerationSize int
}

ExportParams carries everything needed to export a user secret. Authn is the owner OIDC bearer plus a fresh, operation-bound WebAuthn step-up (driven via Assert); the key material is reconstructed from the vault shares in memory and returned only to the caller (never logged or printed).

type ExportResult

type ExportResult struct {
	Handle      string `json:"handle"`
	Retrieved   int    `json:"retrieved"` // vaults that returned a share
	Total       int    `json:"total"`
	Threshold   int    `json:"threshold"`
	Fingerprint string `json:"fingerprint"` // sha256: of the reconstructed key
}

ExportResult summarises an export (no key material).

func Export

func Export(ctx context.Context, p ExportParams) ([]byte, *ExportResult, error)

Export is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.

type PublicKeyResult added in v0.17.0

type PublicKeyResult struct {
	KeyType   string `json:"key_type"`
	PublicKey []byte `json:"-"`
	Vault     string `json:"vault"`
}

PublicKeyResult is a key's public half (signing keys).

func GetPublicKeyInVault added in v0.17.0

func GetPublicKeyInVault(ctx context.Context, p VaultOpParams) (*PublicKeyResult, error)

type Result

type Result struct {
	Handle     string `json:"handle"`
	Created    int    `json:"created"` // vaults that accepted a share
	Total      int    `json:"total"`
	Threshold  int    `json:"threshold"`
	Exportable bool   `json:"exportable"`
	Thumbprint string `json:"cnf_x5t_s256"`
	Endpoint   string `json:"endpoint,omitempty"` // single-enclave keys: the holding vault
}

Result summarises a created secret (no key material).

func Create

func Create(ctx context.Context, p CreateParams) (*Result, error)

Create is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.

func CreateAesKeyInVault added in v0.18.0

func CreateAesKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)

func CreateInVault

func CreateInVault(ctx context.Context, p VaultCreateParams) (*Result, error)

CreateInVault is unavailable without the RA-TLS build (it dials the vault constellation over RA-TLS). Released binaries are built with `-tags ratls`.

func CreateSigningKeyInVault added in v0.17.0

func CreateSigningKeyInVault(ctx context.Context, p VaultCreateParams) (*Result, error)

CreateSigningKeyInVault, SignInVault and GetPublicKeyInVault dial the vault constellation over RA-TLS and are unavailable without the `ratls` build.

type SignResult added in v0.17.0

type SignResult struct {
	Signature []byte `json:"-"`
	Alg       string `json:"alg"`
	Vault     string `json:"vault"`
}

SignResult is an in-enclave signature (the private key never left the vault).

func SignInVault added in v0.17.0

func SignInVault(ctx context.Context, p VaultOpParams, message []byte) (*SignResult, error)

func SignPrehashInVault added in v0.23.0

func SignPrehashInVault(ctx context.Context, p VaultOpParams, digest []byte) (*SignResult, error)

type StepUpAssertFunc

type StepUpAssertFunc func(ctx context.Context, optionsJSON []byte) (assertionJSON []byte, err error)

StepUpAssertFunc produces the WebAuthn assertion (the JSON body the IdP's /fido2/vault-approval/complete expects) for the given assertion options. The signer holds the user's credential (the wallet / a passkey); this package and the CLI binary never see the signing key. In E2E the mock wallet provides it.

type VaultAddressing

type VaultAddressing struct {
	Handle    string
	Endpoints []string
	MRENCLAVE string
	AttServer string
	Threshold int
}

VaultAddressing is the constellation a vault key is created on, returned by the platform alongside the grant.

type VaultCreateParams

type VaultCreateParams struct {
	Sub        string // the key owner's subject
	Secret     []byte // the key material
	Exportable bool
	AttToken   string // aud=attestation-server bearer for quote verification
	// MintGrant asks the platform to mint a grant for a key bound to the agent's
	// holder-of-key cnf, returning the grant and the constellation addressing.
	MintGrant func(ctx context.Context, cnf string) (grant string, addr VaultAddressing, err error)
}

VaultCreateParams creates a key in a user-facing vault using a grant the platform mints (the platform authors the policy + catalogues the key; the agent creates the material). The platform never sees the material.

type VaultOpParams added in v0.17.0

type VaultOpParams struct {
	Handle     string   // the key handle (vaults/<vault-id>/<name>)
	Endpoints  []string // constellation vault endpoints to try (the holder is one of them)
	MRENCLAVE  string   // expected vault MRENCLAVE (hex)
	AttServer  string   // attestation server verify endpoint
	AttToken   string   // aud=attestation-server bearer for quote verification
	OwnerToken string   // the owner's OIDC bearer (aud = the vault audience)
}

VaultOpParams addresses an existing key in the constellation for an owner-authenticated in-enclave operation (Sign / GetKeyInfo). The owner authenticates with their OIDC bearer (the key policy's owner principal); no holder-of-key cert is needed once the key exists.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL