keystore

package
v0.38.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 2, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package keystore provides named key-material management for GoBricks applications: RSA key pairs and raw symmetric secrets (HMAC/CMAC keys, HKDF input).

Material is loaded at startup from files or base64-encoded values (typically injected via environment variables for Kubernetes/EKS deployments). Once loaded, the store is read-only and safe for concurrent access. Each entry is either an RSA pair or a symmetric secret — a mixed entry is rejected by the config layer at startup (structural detection, no explicit discriminator).

Configuration

Keys are configured in YAML under the "keystore" section:

keystore:
  secret_min_length: 32                        # default 32; 0 disables
  keys:
    signing:
      public:
        file: "certs/signing_public.der"       # Local dev
      private:
        value: "${SIGNING_PRIVATE_KEY_BASE64}"  # EKS (base64-encoded DER)
    mac-key:
      secret:
        value: "${MAC_KEY_BASE64}"              # base64 raw key material

Usage

Register the module before modules that need keys:

fw.RegisterModules(
    keystore.NewModule(),
    &myapp.JWEModule{},
)

Access keys via ModuleDeps (nil-check for fail-fast if keys are required):

func (m *Module) Init(deps *app.ModuleDeps) error {
    if deps.KeyStore == nil {
        return fmt.Errorf("KeyStore required but not configured")
    }
    m.keyStore = deps.KeyStore
    return nil
}

privKey, err := m.keyStore.PrivateKey("signing")

Secret returns a defensive copy of symmetric key material; the caller owns the slice and may zeroize it after use:

macKey, err := m.keyStore.Secret("mac-key")
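
The sketch below is an added example, not code from GoBricks: it models base64 loading with the secret_min_length check, the defensive copy returned by Secret, and zeroizing that copy once an HMAC has been keyed. memStore, loadSecret and signMAC are hypothetical names, and the []byte return type of Secret is assumed from the text above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// memStore is a hypothetical stand-in for the keystore, not GoBricks code.
type memStore map[string][]byte

// loadSecret decodes base64 key material and enforces a minimum length (0 disables).
func (s memStore) loadSecret(name, b64 string, minLen int) error {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || (minLen > 0 && len(raw) < minLen) {
		return fmt.Errorf("secret %q rejected: err=%v len=%d min=%d", name, err, len(raw), minLen)
	}
	s[name] = raw
	return nil
}

// Secret returns a defensive copy; wiping it leaves the stored key intact.
func (s memStore) Secret(name string) ([]byte, error) {
	k, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("secret %q not found", name)
	}
	return append([]byte(nil), k...), nil
}

// signMAC computes HMAC-SHA256 over msg and zeroizes its copy of the key.
func signMAC(s memStore, name string, msg []byte) ([]byte, error) {
	key, err := s.Secret(name)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, key) // the key is consumed here
	for i := range key {
		key[i] = 0 // caller owns the copy, so wiping it is safe
	}
	m.Write(msg)
	return m.Sum(nil), nil
}

func main() {
	s := memStore{} // the key below is constructed demo material
	fmt.Println(s.loadSecret("mac-key", "Y29uc3RydWN0ZWQtZGVtby1rZXktMzItYnl0ZXMhISE=", 32))
	fmt.Println(signMAC(s, "mac-key", []byte("hello")))
}
```

Zeroizing wipes only the caller's copy; the key-derived state that crypto/hmac keeps internally is not wiped. Compare received tags with hmac.Equal rather than bytes.Equal so the check runs in constant time.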

Types

type Module

type Module struct {
	// contains filtered or unexported fields
}

Module implements the GoBricks app.Module interface for named key-material management. It loads named RSA key pairs and raw symmetric secrets at startup and provides them to other modules via deps.KeyStore.

Register before modules that need keys:

fw.RegisterModules(
    keystore.NewModule(),
    &myapp.JWEModule{},
)

func NewModule

func NewModule() *Module

NewModule creates a new Module instance.

func (*Module) Init

func (m *Module) Init(deps *app.ModuleDeps) error

Init implements app.Module. Loads all configured key material (RSA pairs and symmetric secrets) and validates it. Fails fast on any error.

func (*Module) KeyStore

func (m *Module) KeyStore() app.KeyStore

KeyStore implements app.KeyStoreProvider.

func (*Module) Name

func (m *Module) Name() string

Name implements app.Module.

func (*Module) Shutdown

func (m *Module) Shutdown() error

Shutdown implements app.Module.

Directories

Path Synopsis
Package testing provides test utilities for the keystore package.