algorithms

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 18, 2025 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package algorithms implements JWT signing algorithm support for use with Vault's Transit engine.

The package provides a registry of supported algorithms and their implementations. Each algorithm handles its specific signing parameters and verification logic.

Supported Algorithms: - ECDSA

  • ES256 (P-256 + SHA-256)
  • ES384 (P-384 + SHA-384)
  • ES512 (P-521 + SHA-512)

- RSA PKCS1v15

  • RS256 (RSA-2048 + SHA-256)
  • RS384 (RSA-3072 + SHA-384)
  • RS512 (RSA-4096 + SHA-512)

- RSA-PSS

  • PS256 (RSA-2048 + SHA-256)
  • PS384 (RSA-3072 + SHA-384)
  • PS512 (RSA-4096 + SHA-512)

Each algorithm implementation: - Provides appropriate Vault signing parameters - Handles signature verification - Specifies required key types - Manages cryptographic operations

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidSignature     = errors.New("invalid signature format")
	ErrUnsupportedAlgorithm = errors.New("unsupported algorithm")
	ErrInvalidKeyType       = errors.New("invalid key type")
)

Functions

func List 

func List() []string

List returns all registered algorithm names Used for validating algorithm selection and documentation

func Register 

func Register(alg Algorithm)

Register adds an algorithm to the registry Called by algorithm implementations in their init() functions Each algorithm must have a unique name

Types

type Algorithm 

type Algorithm interface {
	// Name returns the algorithm name (e.g., "ES256", "RS256")
	Name() string

	// Hash returns the hash function used by the algorithm
	Hash() crypto.Hash

	// VaultKeyType returns the required Vault Transit key type
	// Examples: "ecdsa-p256", "rsa-2048"
	VaultKeyType() string

	// SigningParams returns algorithm-specific Vault signing parameters
	// Including base params (prehashed, hash_algorithm) and algorithm specific ones
	// All algorithms use marshaling_algorithm=jws
	SigningParams() map[string]interface{}

	// Verify verifies the signature against the message using given public key
	// Key must be *ecdsa.PublicKey or *rsa.PublicKey matching the algorithm
	Verify(message, signature []byte, key interface{}) error

	// KeyCheck validates the key type for verification
	// Returns ErrInvalidKeyType if key type doesn't match algorithm
	KeyCheck(key interface{}) error
}

Algorithm defines how different signing algorithms process signatures

func Get 

func Get(name string) (Algorithm, error)

Get retrieves an algorithm from the registry by name Returns ErrUnsupportedAlgorithm if algorithm not found Supported algorithms: - ES256, ES384, ES512 (ECDSA) - RS256, RS384, RS512 (RSA PKCS1v15) - PS256, PS384, PS512 (RSA-PSS)

func NewECDSAAlgorithm 

func NewECDSAAlgorithm(name string, hash crypto.Hash, curve ellipticCurve) Algorithm

NewECDSAAlgorithm creates a new ECDSA algorithm instance Supported names: ES256, ES384, ES512 Each algorithm requires the corresponding Vault key type: - ES256: ecdsa-p256 - ES384: ecdsa-p384 - ES512: ecdsa-p521

func NewRSAAlgorithm 

func NewRSAAlgorithm(name string, hash crypto.Hash, pad padding) Algorithm

NewRSAAlgorithm creates a new RSA algorithm instance Supports both PKCS1v15 (RS*) and PSS (PS*) padding Required Vault key types based on hash size: - SHA-256: rsa-2048 - SHA-384: rsa-3072 - SHA-512: rsa-4096

type BaseAlgorithm 

type BaseAlgorithm struct {
	// contains filtered or unexported fields
}

BaseAlgorithm provides common functionality for all algorithms

func (*BaseAlgorithm) Hash 

func (b *BaseAlgorithm) Hash() crypto.Hash

func (*BaseAlgorithm) KeyCheck 

func (b *BaseAlgorithm) KeyCheck(key interface{}) error

func (*BaseAlgorithm) Name 

func (b *BaseAlgorithm) Name() string

func (*BaseAlgorithm) SigningParams 

func (b *BaseAlgorithm) SigningParams() map[string]interface{}

func (*BaseAlgorithm) VaultKeyType 

func (b *BaseAlgorithm) VaultKeyType() string

type ECDSAAlgorithm 

type ECDSAAlgorithm struct {
	BaseAlgorithm
	// contains filtered or unexported fields
}

NewECDSAAlgorithm creates a new ECDSA algorithm instance

func (*ECDSAAlgorithm) SigningParams 

func (e *ECDSAAlgorithm) SigningParams() map[string]interface{}

SigningParams returns algorithm-specific Vault signing parameters

func (*ECDSAAlgorithm) Verify 

func (e *ECDSAAlgorithm) Verify(message, signature []byte, key interface{}) error

Verify verifies an ECDSA signature in raw R||S format

type ECDSASignature 

type ECDSASignature struct {
	R, S *big.Int
}

ECDSASignature represents the R and S components of an ECDSA signature

type KeyType 

type KeyType int

KeyType represents supported key types 

const (
	KeyTypeECDSA KeyType = iota
	KeyTypeRSA
)

type RSAAlgorithm 

type RSAAlgorithm struct {
	BaseAlgorithm
	// contains filtered or unexported fields
}

RSAAlgorithm implements the Algorithm interface for RSA signatures

func (*RSAAlgorithm) SigningParams 

func (r *RSAAlgorithm) SigningParams() map[string]interface{}

SigningParams returns algorithm-specific Vault signing parameters

func (*RSAAlgorithm) Verify 

func (r *RSAAlgorithm) Verify(message, signature []byte, key interface{}) error

Verify verifies an RSA signature

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.