README
¶
SimpleKeyManager Plugin
A simple keymanager plugin for beckn-onix that reads Ed25519 and X25519 keys from configuration instead of using external secret management systems like HashiCorp Vault.
Overview
This plugin provides a lightweight alternative to the vault keymanager by reading cryptographic keys directly from configuration. It's designed for development environments and simpler deployments that don't require the complexity of external secret management.
Features
- Ed25519 + X25519 Key Support: Supports Ed25519 signing keys and X25519 encryption keys
- Configuration-Based: Reads keys from YAML configuration instead of environment variables
- Multiple Formats: Supports both PEM and Base64 encoded keys
- Auto-detection: Automatically detects key format (PEM vs Base64)
- Zero Dependencies: No external services required (unlike vault keymanager)
- Memory Storage: Stores keysets in memory for fast access
Configuration
Basic Configuration
In your beckn-onix configuration file:
plugins:
keymanager:
id: simplekeymanager
config:
networkParticipant: bap-network
keyId: bap-network-key
signingPrivateKey: uc5WYG/eke0PVGyQ9JNVLpwQL0K9JIZfHfqUHdLBTaY=
signingPublicKey: kUSiFNAD3+6oE7KffKucxZ74e6g4i9VM6ypImg4rVCM=
encrPrivateKey: uc5WYG/eke0PVGyQ9JNVLpwQL0K9JIZfHfqUHdLBTaY=
encrPublicKey: kUSiFNAD3+6oE7KffKucxZ74e6g4i9VM6ypImg4rVCM=
Configuration Options
| Field | Type | Required | Description |
|---|---|---|---|
networkParticipant |
string | Yes | Identifier for the keyset, represents subscriberId or networkParticipant name |
keyId |
string | Yes | Unique Key id for the keyset |
signingPrivateKey |
string | Yes* | Ed25519 private key for signing (Base64 or PEM) |
signingPublicKey |
string | Yes* | Ed25519 public key for signing (Base64 or PEM) |
encrPrivateKey |
string | Yes* | X25519 private key for encryption (Base64 or PEM) |
encrPublicKey |
string | Yes* | X25519 public key for encryption (Base64 or PEM) |
*Required if any key is provided. If keys are configured, all four keys must be provided.
Key Generation
Ed25519 Signing Keys
# Generate Ed25519 signing key pair
openssl genpkey -algorithm Ed25519 -out signing_private.pem
openssl pkey -in signing_private.pem -pubout -out signing_public.pem
# Convert to base64 (single line)
signing_private_b64=$(openssl pkey -in signing_private.pem -outform DER | base64 -w 0)
signing_public_b64=$(openssl pkey -in signing_public.pem -pubin -outform DER | base64 -w 0)
X25519 Encryption Keys
# Generate X25519 encryption key pair
openssl genpkey -algorithm X25519 -out encr_private.pem
openssl pkey -in encr_private.pem -pubout -out encr_public.pem
# Convert to base64 (single line)
encr_private_b64=$(openssl pkey -in encr_private.pem -outform DER | base64 -w 0)
encr_public_b64=$(openssl pkey -in encr_public.pem -pubin -outform DER | base64 -w 0)
Usage
The plugin implements the same KeyManager interface as the vault keymanager:
GenerateKeyset() (*model.Keyset, error)- Generate new key pairInsertKeyset(ctx, keyID, keyset) error- Store keyset in memoryKeyset(ctx, keyID) (*model.Keyset, error)- Retrieve keyset from memoryDeleteKeyset(ctx, keyID) error- Delete keyset from memoryLookupNPKeys(ctx, subscriberID, uniqueKeyID) (string, string, error)- Lookup public keys from registry
Example Usage in Code
// The keyset from config is automatically loaded with the configured keyId
keyset, err := keyManager.Keyset(ctx, "bap-network")
if err != nil {
log.Fatal(err)
}
// Generate new keys programmatically
newKeyset, err := keyManager.GenerateKeyset()
if err != nil {
log.Fatal(err)
}
// Store the new keyset
err = keyManager.InsertKeyset(ctx, "new-key-id", newKeyset)
if err != nil {
log.Fatal(err)
}
Comparison with Vault KeyManager
| Feature | SimpleKeyManager | Vault KeyManager |
|---|---|---|
| Setup Complexity | Very Low (config only) | High (requires Vault) |
| Configuration | YAML configuration | Vault connection + secrets |
| Dependencies | None | HashiCorp Vault |
| Security | Basic (config-based) | Advanced (centralized secrets) |
| Key Rotation | Manual config update | Automated options |
| Audit Logging | Application logs only | Full audit trails |
| Multi-tenancy | Limited (memory-based) | Full support |
| Best for | Development/Testing/Simple deployments | Production/Enterprise |
Testing
Run tests with:
cd pkg/plugin/implementation/simplekeymanager
go test -v ./...
Installation
- The plugin is automatically built with beckn-onix
- Configure the plugin in your beckn-onix configuration file. Change in configuration requires restart of service.
- The plugin will be loaded automatically when beckn-onix starts
Security Considerations
- Configuration files contain sensitive key material
- Use proper file permissions for config files
- Implement regular key rotation
License
This plugin follows the same license as the main beckn-onix project.
Documentation
¶
Index ¶
- Variables
- func ValidateCfg(cfg *Config) error
- type Config
- type SimpleKeyMgr
- func (skm *SimpleKeyMgr) DeleteKeyset(ctx context.Context, keyID string) error
- func (skm *SimpleKeyMgr) GenerateKeyset() (*model.Keyset, error)
- func (skm *SimpleKeyMgr) InsertKeyset(ctx context.Context, keyID string, keys *model.Keyset) error
- func (skm *SimpleKeyMgr) Keyset(ctx context.Context, keyID string) (*model.Keyset, error)
- func (skm *SimpleKeyMgr) LookupNPKeys(ctx context.Context, subscriberID, uniqueKeyID string) (string, string, error)
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // ErrEmptyKeyID indicates that the provided key ID is empty. ErrEmptyKeyID = errors.New("invalid request: keyID cannot be empty") // ErrNilKeySet indicates that the provided keyset is nil. ErrNilKeySet = errors.New("keyset cannot be nil") // ErrEmptySubscriberID indicates that the provided subscriber ID is empty. ErrEmptySubscriberID = errors.New("invalid request: subscriberID cannot be empty") // ErrEmptyUniqueKeyID indicates that the provided unique key ID is empty. ErrEmptyUniqueKeyID = errors.New("invalid request: uniqueKeyID cannot be empty") // ErrSubscriberNotFound indicates that no subscriber was found with the provided credentials. ErrSubscriberNotFound = errors.New("no subscriber found with given credentials") // ErrNilCache indicates that the cache implementation is nil. ErrNilCache = errors.New("cache implementation cannot be nil") // ErrNilRegistryLookup indicates that the registry lookup implementation is nil. ErrNilRegistryLookup = errors.New("registry lookup implementation cannot be nil") // ErrKeysetNotFound indicates that the requested keyset was not found. ErrKeysetNotFound = errors.New("keyset not found") // ErrInvalidConfig indicates that the configuration is invalid. ErrInvalidConfig = errors.New("invalid configuration") )
Functions ¶
func ValidateCfg ¶
ValidateCfg validates the SimpleKeyManager configuration.
Types ¶
type Config ¶
type Config struct {
NetworkParticipant string `yaml:"networkParticipant" json:"networkParticipant"`
KeyID string `yaml:"keyId" json:"keyId"`
SigningPrivateKey string `yaml:"signingPrivateKey" json:"signingPrivateKey"`
SigningPublicKey string `yaml:"signingPublicKey" json:"signingPublicKey"`
EncrPrivateKey string `yaml:"encrPrivateKey" json:"encrPrivateKey"`
EncrPublicKey string `yaml:"encrPublicKey" json:"encrPublicKey"`
}
Config holds configuration parameters for SimpleKeyManager.
type SimpleKeyMgr ¶
type SimpleKeyMgr struct {
Registry definition.RegistryLookup
Cache definition.Cache
// contains filtered or unexported fields
}
SimpleKeyMgr provides methods for managing cryptographic keys using configuration.
func New ¶
func New(ctx context.Context, cache definition.Cache, registryLookup definition.RegistryLookup, cfg *Config) (*SimpleKeyMgr, func() error, error)
New creates a new SimpleKeyMgr instance with the provided configuration, cache, and registry lookup.
func (*SimpleKeyMgr) DeleteKeyset ¶
func (skm *SimpleKeyMgr) DeleteKeyset(ctx context.Context, keyID string) error
DeleteKeyset deletes the keyset for the given key ID from memory.
func (*SimpleKeyMgr) GenerateKeyset ¶
func (skm *SimpleKeyMgr) GenerateKeyset() (*model.Keyset, error)
GenerateKeyset generates a new signing (Ed25519) and encryption (X25519) key pair.
func (*SimpleKeyMgr) InsertKeyset ¶
InsertKeyset stores the given keyset in memory under the specified key ID.
func (*SimpleKeyMgr) LookupNPKeys ¶
func (skm *SimpleKeyMgr) LookupNPKeys(ctx context.Context, subscriberID, uniqueKeyID string) (string, string, error)
LookupNPKeys retrieves the signing and encryption public keys for the given subscriber ID and unique key ID.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.