attestedkms

package module

v0.1.1 Latest Latest Go to latest Published: Jul 31, 2025 License: MIT Imports: 19 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/distributed-lab/enclave-extras

Links

Open Source Insights

README ¶

Attested KMS

This is a wrapper over classic KMS that allows you to implicitly perform operations that support AWS Nitro Enclave attestation. That is, the result of a request, such as GenerateDataKeyPair, will be the same as in classic KMS. Attested KMS automatically adds an attestation document to supported operations and automatically decrypts the response.

Documentation ¶

Index ¶

func EnsureDER(raw []byte) ([]byte, error)
func ParsePKCS8PrivateKey(derBytes []byte) (key any, err error)
func ParseSubjectPublicKeyInfo(derBytes []byte) (any, error)
type EncryptedContentInfo
type EnvelopedData
type KMSEnclaveClient
- func NewFromConfig(cfg aws.Config, attestationDoc []byte, rsaPrivateKey *rsa.PrivateKey, ...) *KMSEnclaveClient
type KeyTransRecipientInfo
type PKCS7
- func ParsePKCS7(raw []byte) (*PKCS7, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func EnsureDER ¶

func EnsureDER(raw []byte) ([]byte, error)

Convert BER or DER in DER ASN.1 format

func ParsePKCS8PrivateKey ¶

func ParsePKCS8PrivateKey(derBytes []byte) (key any, err error)

Wrapped x509.ParsePKCS8PrivateKey() with support secp256k1

ParsePKCS8PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.

It returns a *rsa.PrivateKey, an *ecdsa.PrivateKey, an [ed25519.PrivateKey] (not a pointer), or an *[ecdh.PrivateKey] (for X25519). More types might be supported in the future.

This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".

func ParseSubjectPublicKeyInfo ¶

func ParseSubjectPublicKeyInfo(derBytes []byte) (any, error)

Wrapped x509.ParsePKIXPublicKey() with support secp256k1

ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form. The encoded public key is a SubjectPublicKeyInfo structure (see RFC 5280, Section 4.1).

It returns a *rsa.PublicKey, *[dsa.PublicKey], *ecdsa.PublicKey, [ed25519.PublicKey] (not a pointer), or *[ecdh.PublicKey] (for X25519). More types might be supported in the future.

This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".

Types ¶

type EncryptedContentInfo ¶

type EncryptedContentInfo struct {
	ContentType                asn1.ObjectIdentifier
	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedContent           [][]byte `asn1:"set,tag:0"`
}

type EnvelopedData ¶

type EnvelopedData struct {
	Version              int
	RecipientInfos       []KeyTransRecipientInfo `asn1:"set"`
	EncryptedContentInfo EncryptedContentInfo
}

type KMSEnclaveClient ¶

type KMSEnclaveClient struct {
	kms.Client
	// contains filtered or unexported fields
}

func NewFromConfig ¶

func NewFromConfig(cfg aws.Config, attestationDoc []byte, rsaPrivateKey *rsa.PrivateKey, optFns ...func(*kms.Options)) *KMSEnclaveClient

func (*KMSEnclaveClient) Decrypt ¶

func (k *KMSEnclaveClient) Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error)

The function is intended only for use with attestation, the output is no different from the usual use, i.e. the developer does not need to decrypt CiphertextForRecipient himself, but simply pass rsa.PrivateKey, the public key of which was in the attestation document.

func (*KMSEnclaveClient) GenerateDataKey ¶

func (k *KMSEnclaveClient) GenerateDataKey(ctx context.Context, params *kms.GenerateDataKeyInput, optFns ...func(*kms.Options)) (*kms.GenerateDataKeyOutput, error)

The function is intended only for use with attestation, the output is no different from the usual use, i.e. the developer does not need to decrypt CiphertextForRecipient himself, but simply pass rsa.PrivateKey, the public key of which was in the attestation document.

func (*KMSEnclaveClient) GenerateDataKeyPair ¶

func (k *KMSEnclaveClient) GenerateDataKeyPair(ctx context.Context, params *kms.GenerateDataKeyPairInput, optFns ...func(*kms.Options)) (*kms.GenerateDataKeyPairOutput, error)

The function is intended only for use with attestation, the output is no different from the usual use, i.e. the developer does not need to decrypt CiphertextForRecipient himself, but simply pass rsa.PrivateKey, the public key of which was in the attestation document.

To parse the public and private keys for the secp256k1 curve, you cannot use the usual functions from x509. Therefore, there are overrides for some functions that allow you to parse secp256k1: ParseSubjectPublicKeyInfo and ParsePKCS8PrivateKey

func (*KMSEnclaveClient) GenerateRandom ¶

func (k *KMSEnclaveClient) GenerateRandom(ctx context.Context, params *kms.GenerateRandomInput, optFns ...func(*kms.Options)) (*kms.GenerateRandomOutput, error)

The function is intended only for use with attestation, the output is no different from the usual use, i.e. the developer does not need to decrypt CiphertextForRecipient himself, but simply pass rsa.PrivateKey, the public key of which was in the attestation document.

type KeyTransRecipientInfo ¶

type KeyTransRecipientInfo struct {
	Version                int
	RID                    []byte `asn1:"tag:0"`
	KeyEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedKey           []byte
}

type PKCS7 ¶

type PKCS7 struct {
	ContentType asn1.ObjectIdentifier
	Content     EnvelopedData `asn1:"explicit,tag:0"`
}

func ParsePKCS7 ¶

func ParsePKCS7(raw []byte) (*PKCS7, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL