Overview ¶
Package kms provides a unified key-management and encryption service abstraction. Concrete backends (PluginKind: DICE_KMS, AWS_KMS, ALIYUN_KMS) and key stores (StoreKind: ETCD, MYSQL) register themselves through RegisterPlugin and RegisterStore; callers address customer master keys (CMKs) by KeyID and use either the symmetric operations (Encrypt, Decrypt, GenerateDataKey, RotateKeyVersion) or the asymmetric ones (GetPublicKey, AsymmetricDecrypt).
Index ¶
- Constants
- Variables
- func CheckKeyForCreate(keyInfo KeyInfo) error
- func RegisterPlugin(kind PluginKind, create PluginCreateFn) error
- func RegisterStore(kind StoreKind, create StoreCreateFn) error
- type AsymmetricDecryptRequest
- type AsymmetricDecryptResponse
- type AsymmetricPlugin
- type BasePlugin
- type CreateKeyRequest
- type CreateKeyResponse
- type CustomerMasterKeySpec
- type DecryptRequest
- type DecryptResponse
- type DescribeKeyRequest
- type DescribeKeyResponse
- type EncryptRequest
- type EncryptResponse
- type GenerateDataKeyRequest
- type GenerateDataKeyResponse
- type GetPublicKeyRequest
- type Key
- func (k *Key) GetCreatedAt() *time.Time
- func (k *Key) GetDescription() string
- func (k *Key) GetKeyID() string
- func (k *Key) GetKeySpec() CustomerMasterKeySpec
- func (k *Key) GetKeyState() KeyState
- func (k *Key) GetKeyUsage() KeyUsage
- func (k *Key) GetPluginKind() PluginKind
- func (k *Key) GetPrimaryKeyVersion() KeyVersionInfo
- func (k *Key) GetUpdatedAt() *time.Time
- func (k *Key) New() KeyInfo
- func (k *Key) SetCreatedAt(t time.Time)
- func (k *Key) SetDescription(desc string)
- func (k *Key) SetKeyID(keyID string)
- func (k *Key) SetKeySpec(spec CustomerMasterKeySpec)
- func (k *Key) SetKeyState(state KeyState)
- func (k *Key) SetKeyUsage(usage KeyUsage)
- func (k *Key) SetPluginKind(pluginKind PluginKind)
- func (k *Key) SetPrimaryKeyVersion(version KeyVersionInfo)
- func (k *Key) SetUpdatedAt(t time.Time)
- type KeyInfo
- type KeyListEntry
- type KeyMetadata
- type KeyState
- type KeyUsage
- type KeyVersion
- func (k *KeyVersion) GetCreatedAt() *time.Time
- func (k *KeyVersion) GetSymmetricKeyBase64() string
- func (k *KeyVersion) GetUpdatedAt() *time.Time
- func (k *KeyVersion) GetVersionID() string
- func (k *KeyVersion) New() KeyVersionInfo
- func (k *KeyVersion) SetCreatedAt(t time.Time)
- func (k *KeyVersion) SetSymmetricKeyBase64(s string)
- func (k *KeyVersion) SetUpdatedAt(t time.Time)
- func (k *KeyVersion) SetVersionID(s string)
- type KeyVersionInfo
- type ListKeysRequest
- type ListKeysResponse
- type Plugin
- type PluginCreateFn
- type PluginKind
- type PublicKey
- type RequestValidator
- type RotateKeyVersionRequest
- type RotateKeyVersionResponse
- type Store
- type StoreCreateFn
- type StoreKind
- type SymmetricPlugin
Constants ¶
// KMS backends that can be registered with RegisterPlugin.
const (
	PluginKind_DICE_KMS   PluginKind = "DICE_KMS"
	PluginKind_AWS_KMS    PluginKind = "AWS_KMS"
	PluginKind_ALIYUN_KMS PluginKind = "ALIYUN_KMS"
)

// Key stores that can be registered with RegisterStore.
const (
	StoreKind_ETCD  StoreKind = "ETCD"
	StoreKind_MYSQL StoreKind = "MYSQL"
)

// Customer master key (CMK) specifications.
const (
	// CustomerMasterKeySpec_SYMMETRIC_DEFAULT is AES-256-GCM and is the default.
	// NOTE(review): AES-GCM is only secure while every nonce is unique under a
	// given key; nonce generation is not part of this package's interface, so
	// confirm it in each plugin.
	CustomerMasterKeySpec_SYMMETRIC_DEFAULT CustomerMasterKeySpec = "SYMMETRIC_DEFAULT"
	// RSA key pairs used with AsymmetricPlugin. The padding scheme is not fixed
	// by this package (see AsymmetricPlugin).
	CustomerMasterKeySpec_ASYMMETRIC_RSA_2048 CustomerMasterKeySpec = "RSA_2048"
	CustomerMasterKeySpec_ASYMMETRIC_RSA_3072 CustomerMasterKeySpec = "RSA_3072"
	CustomerMasterKeySpec_ASYMMETRIC_RSA_4096 CustomerMasterKeySpec = "RSA_4096"
)

// Intended use of a CMK.
const (
	KeyUsage_ENCRYPT_DECRYPT KeyUsage = "ENCRYPT_DECRYPT"
	// KeyUsage_SIGN_VERIFY — no Sign/Verify method is declared on any plugin
	// interface in this package, so confirm whether CheckKeyForCreate accepts it.
	KeyUsage_SIGN_VERIFY KeyUsage = "SIGN_VERIFY"
)

// Lifecycle states of a CMK. Whether Encrypt/Decrypt refuse keys that are not
// Enabled is decided by the plugins, not by this package.
const (
	KeyStateEnabled         KeyState = "Enabled"
	KeyStateDisabled        KeyState = "Disabled"
	KeyStatePendingDeletion KeyState = "PendingDeletion"
	KeyStatePendingImport   KeyState = "PendingImport"
)
// Keys under which this package stores values in a context.Context.
//
// NOTE(review): these are plain string keys. Any other package that calls
// context.WithValue with the same string value collides with them; the usual
// safeguard is an unexported key type, but changing the type would change the
// exported API, so this is only flagged here.
const (
	// CtxKeyConfigMap is the context key for the configuration map
	// (its producer and consumer are not shown on this page).
	CtxKeyConfigMap = "configMap"
	// CtxKeyKmsRequestID is the context key for the identifier that
	// correlates one KMS request.
	CtxKeyKmsRequestID = "KmsRequestID"
)
Variables ¶
// Registries of backend constructors, keyed by kind.
//
// Populate them through RegisterPlugin and RegisterStore rather than by
// assigning into the maps directly. Both maps are exported and mutable and no
// lock guarding them is visible in this package, so they should only be
// written during program initialisation, before any concurrent lookups.
var (
	// PluginFactory maps a PluginKind to the function that builds that plugin.
	PluginFactory = map[PluginKind]PluginCreateFn{}
	// StoreFactory maps a StoreKind to the function that builds that store.
	StoreFactory = map[StoreKind]StoreCreateFn{}
)
Functions ¶
func CheckKeyForCreate ¶
func RegisterPlugin ¶
func RegisterPlugin(kind PluginKind, create PluginCreateFn) error
func RegisterStore ¶
func RegisterStore(kind StoreKind, create StoreCreateFn) error
Types ¶
type AsymmetricDecryptResponse ¶
// AsymmetricDecryptResponse carries the plaintext recovered by
// AsymmetricPlugin.AsymmetricDecrypt.
type AsymmetricDecryptResponse struct {
	// PlaintextBase64 is the recovered plaintext.
	//
	// NOTE(review): this field is a []byte, whereas DecryptResponse.PlaintextBase64
	// is a string. encoding/json already emits a []byte as a base64 string, so
	// if the bytes hold base64 text the JSON form is double-encoded, and if they
	// hold raw plaintext the field name is misleading. Confirm which the
	// asymmetric plugins produce before relying on the wire format.
	PlaintextBase64 []byte `json:"plaintextBase64,omitempty"`
}
type AsymmetricPlugin ¶
// AsymmetricPlugin is implemented by backends that hold an RSA key pair (the
// CustomerMasterKeySpec_ASYMMETRIC_RSA_* specs). Nothing in this interface
// hands out the private key: callers encrypt locally with the public key and
// send ciphertext back to the plugin for decryption.
//
// NOTE(review): the interface does not name the RSA padding scheme. Data
// encrypted locally must use the same scheme the plugin decrypts with (OAEP
// is the recommended choice) — confirm against each plugin.
type AsymmetricPlugin interface {
	// GetPublicKey returns the public half of the key identified by req.KeyID.
	GetPublicKey(ctx context.Context, req *GetPublicKeyRequest) (*PublicKey, error)
	// AsymmetricDecrypt decrypts data that was encrypted with a public key
	// retrieved from GetPublicKey corresponding to a CryptoKeyVersion with
	// CryptoKey.purpose ASYMMETRIC_DECRYPT. Input is untrusted: the plugin
	// should validate the ciphertext length against the key size before use.
	AsymmetricDecrypt(ctx context.Context, req *AsymmetricDecryptRequest) (*AsymmetricDecryptResponse, error)
}
AsymmetricPlugin is the asymmetric-encryption plugin. Encryption flow: 1. call GetPublicKey to obtain the public key; 2. encrypt the data locally with that public key; 3. store the ciphertext together with the key version it was encrypted under. Decryption flow: 1. call AsymmetricDecrypt with the ciphertext and the key version recorded in step 3; the plugin decrypts it with the matching private key, which never leaves the backend.
type BasePlugin ¶
// BasePlugin is the key-management surface every plugin provides, independent
// of whether the keys are symmetric or asymmetric.
type BasePlugin interface {
	// CreateKey creates a symmetric or asymmetric CMK according to
	// req.CustomerMasterKeySpec and req.KeyUsage. Validation is split between
	// CreateKeyRequest.ValidateRequest and CheckKeyForCreate.
	CreateKey(ctx context.Context, req *CreateKeyRequest) (*CreateKeyResponse, error)
	// DescribeKey returns the metadata (never the key material) of one CMK.
	DescribeKey(ctx context.Context, req *DescribeKeyRequest) (*DescribeKeyResponse, error)
	// ListKeys enumerates the CMKs this plugin manages; ListKeysRequest has no
	// filter or paging fields, so the whole set is returned.
	ListKeys(ctx context.Context, req *ListKeysRequest) (*ListKeysResponse, error)
}
type CreateKeyRequest ¶
// CreateKeyRequest describes the CMK to create. Check it with ValidateRequest
// before use; CheckKeyForCreate applies the plugin-level rules.
type CreateKeyRequest struct {
	// PluginKind selects the backend (one of the PluginKind_* constants).
	PluginKind PluginKind `json:"pluginKind,omitempty"`
	// CustomerMasterKeySpec selects the algorithm; empty presumably falls back
	// to SYMMETRIC_DEFAULT (AES-256-GCM) — confirm in ValidateRequest.
	CustomerMasterKeySpec CustomerMasterKeySpec `json:"customerMasterKeySpec,omitempty"`
	// KeyUsage is ENCRYPT_DECRYPT or SIGN_VERIFY. No Sign/Verify method appears
	// on any plugin interface in this package, so SIGN_VERIFY keys may not be
	// usable yet — confirm with CheckKeyForCreate.
	KeyUsage KeyUsage `json:"keyUsage,omitempty"`
	// Description is free text supplied by the caller and stored with the key.
	Description string `json:"description,omitempty"`
}
func (*CreateKeyRequest) ValidateRequest ¶
func (req *CreateKeyRequest) ValidateRequest() error
type CreateKeyResponse ¶
// CreateKeyResponse returns the metadata of the new CMK. It deliberately uses
// KeyMetadata, which carries only the primary version ID and never the key
// material.
type CreateKeyResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}
type CustomerMasterKeySpec ¶
// CustomerMasterKeySpec selects the algorithm and key size of a CMK; see the
// CustomerMasterKeySpec_* constants (AES-256-GCM by default, or RSA 2048/3072/4096).
type CustomerMasterKeySpec string
type DecryptRequest ¶
// DecryptRequest asks a SymmetricPlugin to decrypt one ciphertext under the
// CMK identified by KeyID. Check it with ValidateRequest first.
//
// NOTE(review): there is no key-version field. RotateKeyVersion promises that
// old versions can still decrypt old data, so the version must be recoverable
// from the ciphertext itself — confirm that each plugin's ciphertext format
// embeds it.
type DecryptRequest struct {
	KeyID string `json:"keyID,omitempty"`
	// The encrypted data.
	// A base64-encoded string. It is untrusted input: decode and length-check
	// it before handing it to the cipher.
	CiphertextBase64 string `json:"ciphertextBase64,omitempty"`
}
func (*DecryptRequest) ValidateRequest ¶
func (req *DecryptRequest) ValidateRequest() error
type DecryptResponse ¶
// DecryptResponse carries the recovered plaintext, base64-encoded. The value
// is sensitive (when used for envelope encryption it is the DEK itself) and,
// being a Go string, cannot be wiped from memory — keep it out of logs and
// drop it as soon as it has been used.
type DecryptResponse struct {
	PlaintextBase64 string `json:"plaintextBase64,omitempty"`
}
type DescribeKeyRequest ¶
// DescribeKeyRequest identifies the CMK whose metadata is wanted.
// Check it with ValidateRequest first.
type DescribeKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
func (*DescribeKeyRequest) ValidateRequest ¶
func (req *DescribeKeyRequest) ValidateRequest() error
type DescribeKeyResponse ¶
// DescribeKeyResponse returns a CMK's metadata. KeyMetadata omits the key
// material, so this type is safe to return to callers.
type DescribeKeyResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}
type EncryptRequest ¶
// EncryptRequest asks a SymmetricPlugin to encrypt a small payload directly
// under the CMK. Larger data should use GenerateDataKey (envelope encryption).
// Check it with ValidateRequest first.
type EncryptRequest struct {
	KeyID string `json:"keyID,omitempty"`
	// Required. The data to encrypt. Must be no larger than 64KiB.
	// A base64-encoded string.
	// NOTE(review): whether the 64KiB limit applies to the decoded bytes or the
	// base64 text, and whether ValidateRequest enforces it, is not visible on
	// this page — confirm, since the limit is the only bound on request size.
	PlaintextBase64 string `json:"plaintextBase64,omitempty"`
}
func (*EncryptRequest) ValidateRequest ¶
func (req *EncryptRequest) ValidateRequest() error
type EncryptResponse ¶
type GenerateDataKeyRequest ¶
// GenerateDataKeyRequest names the CMK under which a new data-encryption key
// (DEK) is generated and wrapped. Check it with ValidateRequest first.
type GenerateDataKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
func (*GenerateDataKeyRequest) ValidateRequest ¶
func (req *GenerateDataKeyRequest) ValidateRequest() error
type GenerateDataKeyResponse ¶
type GetPublicKeyRequest ¶
// GetPublicKeyRequest names the asymmetric CMK whose public key is wanted.
// Unlike the other request types, no ValidateRequest method is listed for it
// on this page, so callers should check KeyID themselves.
type GetPublicKeyRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
type Key ¶
// Key is the concrete KeyInfo record of a customer master key (CMK).
//
// NOTE(review): PrimaryKeyVersion is a KeyVersion held by value, and
// KeyVersion.SymmetricKeyBase64 carries the raw symmetric key. Every field
// here has a json tag, so marshalling a Key serialises the CMK itself. Never
// log a Key or return it from an API; expose KeyMetadata (GetKeyMetadata)
// instead, which carries only the version ID.
type Key struct {
	// PluginKind is the backend that owns this key.
	PluginKind PluginKind `json:"pluginKind,omitempty"`
	KeyID string `json:"keyID,omitempty"`
	// PrimaryKeyVersion is the version used for new encryptions; it contains
	// the key material (see KeyVersion).
	PrimaryKeyVersion KeyVersion `json:"primaryKeyVersion,omitempty"`
	KeySpec CustomerMasterKeySpec `json:"keySpec,omitempty"`
	KeyUsage KeyUsage `json:"keyUsage,omitempty"`
	KeyState KeyState `json:"keyState,omitempty"`
	Description string `json:"description,omitempty"`
	CreatedAt *time.Time `json:"createdAt,omitempty"`
	UpdatedAt *time.Time `json:"updatedAt,omitempty"`
}
func (*Key) GetCreatedAt ¶
func (*Key) GetDescription ¶
func (*Key) GetKeySpec ¶
func (k *Key) GetKeySpec() CustomerMasterKeySpec
func (*Key) GetKeyState ¶
func (*Key) GetKeyUsage ¶
func (*Key) GetPluginKind ¶
func (k *Key) GetPluginKind() PluginKind
func (*Key) GetPrimaryKeyVersion ¶
func (k *Key) GetPrimaryKeyVersion() KeyVersionInfo
func (*Key) GetUpdatedAt ¶
func (*Key) SetCreatedAt ¶
func (*Key) SetDescription ¶
func (*Key) SetKeySpec ¶
func (k *Key) SetKeySpec(spec CustomerMasterKeySpec)
func (*Key) SetKeyState ¶
func (*Key) SetKeyUsage ¶
func (*Key) SetPluginKind ¶
func (k *Key) SetPluginKind(pluginKind PluginKind)
func (*Key) SetPrimaryKeyVersion ¶
func (k *Key) SetPrimaryKeyVersion(version KeyVersionInfo)
func (*Key) SetUpdatedAt ¶
type KeyInfo ¶
// KeyInfo is the accessor interface over a CMK record; Key is the concrete
// implementation and Store works in terms of this interface.
//
// New returns a fresh, empty value of the same concrete type (used by stores
// to decode records). GetPrimaryKeyVersion hands back the KeyVersionInfo,
// which includes the symmetric key material — treat its result as secret.
type KeyInfo interface {
	New() KeyInfo
	GetPluginKind() PluginKind
	SetPluginKind(PluginKind)
	GetKeyID() string
	SetKeyID(string)
	// GetPrimaryKeyVersion returns the version used for new encryptions,
	// key material included.
	GetPrimaryKeyVersion() KeyVersionInfo
	SetPrimaryKeyVersion(KeyVersionInfo)
	GetKeySpec() CustomerMasterKeySpec
	SetKeySpec(CustomerMasterKeySpec)
	GetKeyUsage() KeyUsage
	SetKeyUsage(KeyUsage)
	GetKeyState() KeyState
	SetKeyState(KeyState)
	GetDescription() string
	SetDescription(string)
	// Timestamps are pointers so that "unset" is distinguishable from the
	// zero time.
	GetCreatedAt() *time.Time
	SetCreatedAt(time.Time)
	GetUpdatedAt() *time.Time
	SetUpdatedAt(time.Time)
}
type KeyListEntry ¶
// KeyListEntry is one row of a ListKeysResponse: just the key ID, so listing
// never reveals key material or metadata.
type KeyListEntry struct {
	KeyID string `json:"keyID,omitempty"`
}
type KeyMetadata ¶
// KeyMetadata is the externally visible description of a CMK: the fields of
// Key minus the key material. It carries only PrimaryKeyVersionID, not the
// version's SymmetricKeyBase64, which is why the API responses
// (CreateKeyResponse, DescribeKeyResponse, RotateKeyVersionResponse) use it.
// Build it from a KeyInfo with GetKeyMetadata.
type KeyMetadata struct {
	KeyID string `json:"keyID,omitempty"`
	// PrimaryKeyVersionID identifies the version used for new encryptions.
	PrimaryKeyVersionID string `json:"primaryKeyVersionID,omitempty"`
	CustomerMasterKeySpec CustomerMasterKeySpec `json:"customerMasterKeySpec,omitempty"`
	KeyUsage KeyUsage `json:"keyUsage,omitempty"`
	KeyState KeyState `json:"keyState,omitempty"`
	Description string `json:"description,omitempty"`
}
func GetKeyMetadata ¶
func GetKeyMetadata(keyInfo KeyInfo) KeyMetadata
type KeyVersion ¶
// KeyVersion is one version of a CMK's key material (the concrete
// KeyVersionInfo).
//
// SymmetricKeyBase64 is the secret itself. Because it carries a json tag it is
// included whenever a KeyVersion — or a Key, which embeds one — is marshalled,
// so keep such values out of logs, traces and API responses. As a Go string it
// cannot be zeroed and stays in memory until garbage-collected. Whether a
// Store encrypts it at rest is not visible from this package.
type KeyVersion struct {
	VersionID string `json:"versionID,omitempty"`
	// base64 encoded
	SymmetricKeyBase64 string `json:"symmetricKeyBase64,omitempty"`
	CreatedAt *time.Time `json:"createdAt,omitempty"`
	UpdatedAt *time.Time `json:"updatedAt,omitempty"`
}
func (*KeyVersion) GetCreatedAt ¶
func (k *KeyVersion) GetCreatedAt() *time.Time
func (*KeyVersion) GetSymmetricKeyBase64 ¶
func (k *KeyVersion) GetSymmetricKeyBase64() string
func (*KeyVersion) GetUpdatedAt ¶
func (k *KeyVersion) GetUpdatedAt() *time.Time
func (*KeyVersion) GetVersionID ¶
func (k *KeyVersion) GetVersionID() string
func (*KeyVersion) New ¶
func (k *KeyVersion) New() KeyVersionInfo
func (*KeyVersion) SetCreatedAt ¶
func (k *KeyVersion) SetCreatedAt(t time.Time)
func (*KeyVersion) SetSymmetricKeyBase64 ¶
func (k *KeyVersion) SetSymmetricKeyBase64(s string)
func (*KeyVersion) SetUpdatedAt ¶
func (k *KeyVersion) SetUpdatedAt(t time.Time)
func (*KeyVersion) SetVersionID ¶
func (k *KeyVersion) SetVersionID(s string)
type KeyVersionInfo ¶
type ListKeysRequest ¶
// ListKeysRequest has no fields: ListKeys returns every key the plugin
// manages, with no filter or paging. Nothing on this page scopes the listing
// to a caller, so any authorization must happen above this package.
type ListKeysRequest struct {
}
type ListKeysResponse ¶
// ListKeysResponse lists the key IDs known to the plugin; entries carry no
// metadata or key material.
type ListKeysResponse struct {
	Keys []KeyListEntry `json:"keys,omitempty"`
}
type Plugin ¶
// Plugin is the full backend contract: identity, a key store, and the base,
// symmetric and asymmetric operation sets. A backend must implement all of
// them even if it only supports one key type, so unsupported operations are
// expected to return an error rather than be absent.
type Plugin interface {
	// Kind reports which PluginKind_* constant this backend is.
	Kind() PluginKind
	// SetStore injects the Store that persists this plugin's CMK records.
	SetStore(Store)
	BasePlugin
	SymmetricPlugin
	AsymmetricPlugin
}
type PluginCreateFn ¶
PluginCreateFn is the constructor registered with RegisterPlugin; it creates a kms plugin instance for a given PluginKind.
type PluginKind ¶
// PluginKind identifies a KMS backend; the valid values are the PluginKind_*
// constants. Validate (below) is expected to report whether a value is one of
// them — check it on any kind that arrives from a request before looking it
// up in PluginFactory.
type PluginKind string
func (PluginKind) String ¶
func (s PluginKind) String() string
func (PluginKind) Validate ¶
func (s PluginKind) Validate() bool
type RequestValidator ¶
// RequestValidator is implemented by the request types that can check their
// own fields; handlers should call ValidateRequest before passing a request
// to a plugin, since requests arrive from callers and are untrusted.
type RequestValidator interface {
	ValidateRequest() error
}
type RotateKeyVersionRequest ¶
// RotateKeyVersionRequest names the CMK that should get a new primary key
// version. Check it with ValidateRequest first.
type RotateKeyVersionRequest struct {
	KeyID string `json:"keyID,omitempty"`
}
func (*RotateKeyVersionRequest) ValidateRequest ¶
func (req *RotateKeyVersionRequest) ValidateRequest() error
type RotateKeyVersionResponse ¶
// RotateKeyVersionResponse returns the CMK's metadata after rotation; its
// PrimaryKeyVersionID is the new version. The key material is not included.
type RotateKeyVersionResponse struct {
	KeyMetadata KeyMetadata `json:"keyMetadata,omitempty"`
}
type Store ¶
// Store is the persistence interface for CMK records. Implementations are
// registered through RegisterStore (StoreKind_ETCD, StoreKind_MYSQL).
//
// NOTE(review): the KeyInfo/KeyVersionInfo values passed in carry the
// symmetric key material (KeyVersion.SymmetricKeyBase64), so whatever a store
// writes is as sensitive as the CMK itself. Whether a store encrypts that
// material at rest is not visible from this interface — confirm per
// implementation.
type Store interface {
	// GetKind reports which StoreKind_* backend this store is.
	GetKind() StoreKind
	// CreateKey persists a new CMK record.
	CreateKey(info KeyInfo) error
	// GetKey looks a CMK up by its keyID.
	GetKey(keyID string) (KeyInfo, error)
	// ListKeysByKind returns the IDs of all CMKs owned by the given plugin kind.
	ListKeysByKind(kind PluginKind) ([]string, error)
	// DeleteByKeyID removes the CMK record for keyID. If the store discards
	// the key material, data encrypted under it becomes unrecoverable; how
	// this relates to KeyStatePendingDeletion is not visible here.
	DeleteByKeyID(keyID string) error
	// GetKeyVersion returns one version of a CMK, identified by keyID and
	// keyVersionID — needed so old ciphertext can still be decrypted after
	// rotation.
	GetKeyVersion(keyID, keyVersionID string) (KeyVersionInfo, error)
	// RotateKeyVersion records newKeyVersionInfo as a version of keyID and
	// returns the resulting KeyVersionInfo.
	RotateKeyVersion(keyID string, newKeyVersionInfo KeyVersionInfo) (KeyVersionInfo, error)
}
Store is the key-information storage interface; every plugin is given one through Plugin.SetStore.
type StoreCreateFn ¶
StoreCreateFn is the constructor registered with RegisterStore; it creates a key Store instance (not a plugin) for a given StoreKind.
type SymmetricPlugin ¶
// SymmetricPlugin is implemented by backends whose CMKs are symmetric
// (CustomerMasterKeySpec_SYMMETRIC_DEFAULT, AES-256-GCM). Small payloads go
// through Encrypt/Decrypt directly; bulk data uses GenerateDataKey for
// envelope encryption.
type SymmetricPlugin interface {
	// Encrypt encrypts req.PlaintextBase64 (at most 64KiB, see EncryptRequest)
	// under the CMK's primary key version.
	Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error)
	// Decrypt reverses Encrypt. DecryptRequest carries no version ID, so the
	// plugin must recover the key version from the ciphertext itself.
	Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error)
	// GenerateDataKey generates an AES-256 data-encryption key (DEK) and
	// returns it wrapped by the CMK.
	// Typical use (envelope encryption):
	// Encrypting data locally:
	// 1. Call GenerateDataKey to obtain the DEK.
	// 2. Encrypt the data locally, offline, with the DEK plaintext, then clear the plaintext from memory.
	// 3. Store the DEK ciphertext together with the locally encrypted data.
	// Decrypting data locally:
	// 1. Call Decrypt on the stored DEK ciphertext to recover the DEK plaintext.
	// 2. Decrypt the data locally, offline, with the DEK plaintext, then clear the plaintext from memory.
	// NOTE(review): "clear the plaintext from memory" is only possible if the
	// DEK plaintext is handed back as a []byte the caller can zero; a Go string
	// cannot be wiped. GenerateDataKeyResponse's fields are not shown on this
	// page — confirm the type.
	GenerateDataKey(ctx context.Context, req *GenerateDataKeyRequest) (*GenerateDataKeyResponse, error)
	// RotateKeyVersion manually rotates the CMK's key version; old key versions
	// can still be used to decrypt old data, while new encryptions use the new
	// primary version.
	RotateKeyVersion(ctx context.Context, req *RotateKeyVersionRequest) (*RotateKeyVersionResponse, error)
}
SymmetricPlugin is the symmetric-encryption plugin. Encryption flow: 1. call Encrypt. Decryption flow: 1. call Decrypt. Encrypt is limited to 64KiB of plaintext (see EncryptRequest); for anything larger, use GenerateDataKey and the envelope-encryption flow described on that method.