Documentation
Overview ¶
Package kas is a reverse proxy.
It translates gRPC into RESTful JSON APIs.
Index ¶
- Constants
- Variables
- func RegisterAccessServiceHandler(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error
- func RegisterAccessServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux, client AccessServiceClient) error
- func RegisterAccessServiceHandlerFromEndpoint(ctx context.Context, mux *runtime.ServeMux, endpoint string, ...) (err error)
- func RegisterAccessServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux, server AccessServiceServer) error
- func RegisterAccessServiceServer(s grpc.ServiceRegistrar, srv AccessServiceServer)
- type AccessServiceClient
- type AccessServiceServer
- type InfoRequest
- type InfoResponse
- type KeyAccess
- func (*KeyAccess) Descriptor() ([]byte, []int)deprecated
- func (x *KeyAccess) GetEncryptedMetadata() string
- func (x *KeyAccess) GetEphemeralPublicKey() string
- func (x *KeyAccess) GetHeader() []byte
- func (x *KeyAccess) GetKasUrl() string
- func (x *KeyAccess) GetKeyType() string
- func (x *KeyAccess) GetKid() string
- func (x *KeyAccess) GetPolicyBinding() *PolicyBinding
- func (x *KeyAccess) GetProtocol() string
- func (x *KeyAccess) GetSplitId() string
- func (x *KeyAccess) GetWrappedKey() []byte
- func (*KeyAccess) ProtoMessage()
- func (x *KeyAccess) ProtoReflect() protoreflect.Message
- func (x *KeyAccess) Reset()
- func (x *KeyAccess) String() string
- type KeyAccessRewrapResult
- func (*KeyAccessRewrapResult) Descriptor() ([]byte, []int)deprecated
- func (x *KeyAccessRewrapResult) GetError() string
- func (x *KeyAccessRewrapResult) GetKasWrappedKey() []byte
- func (x *KeyAccessRewrapResult) GetKeyAccessObjectId() string
- func (x *KeyAccessRewrapResult) GetMetadata() map[string]*structpb.Value
- func (m *KeyAccessRewrapResult) GetResult() isKeyAccessRewrapResult_Result
- func (x *KeyAccessRewrapResult) GetStatus() string
- func (*KeyAccessRewrapResult) ProtoMessage()
- func (x *KeyAccessRewrapResult) ProtoReflect() protoreflect.Message
- func (x *KeyAccessRewrapResult) Reset()
- func (x *KeyAccessRewrapResult) String() string
- type KeyAccessRewrapResult_Error
- type KeyAccessRewrapResult_KasWrappedKey
- type LegacyPublicKeyRequest
- func (*LegacyPublicKeyRequest) Descriptor() ([]byte, []int)deprecated
- func (x *LegacyPublicKeyRequest) GetAlgorithm() string
- func (*LegacyPublicKeyRequest) ProtoMessage()
- func (x *LegacyPublicKeyRequest) ProtoReflect() protoreflect.Message
- func (x *LegacyPublicKeyRequest) Reset()
- func (x *LegacyPublicKeyRequest) String() string
- type PolicyBinding
- func (*PolicyBinding) Descriptor() ([]byte, []int)deprecated
- func (x *PolicyBinding) GetAlgorithm() string
- func (x *PolicyBinding) GetHash() string
- func (*PolicyBinding) ProtoMessage()
- func (x *PolicyBinding) ProtoReflect() protoreflect.Message
- func (x *PolicyBinding) Reset()
- func (x *PolicyBinding) String() string
- type PolicyRewrapResult
- func (*PolicyRewrapResult) Descriptor() ([]byte, []int)deprecated
- func (x *PolicyRewrapResult) GetPolicyId() string
- func (x *PolicyRewrapResult) GetResults() []*KeyAccessRewrapResult
- func (*PolicyRewrapResult) ProtoMessage()
- func (x *PolicyRewrapResult) ProtoReflect() protoreflect.Message
- func (x *PolicyRewrapResult) Reset()
- func (x *PolicyRewrapResult) String() string
- type PublicKeyRequest
- func (*PublicKeyRequest) Descriptor() ([]byte, []int)deprecated
- func (x *PublicKeyRequest) GetAlgorithm() string
- func (x *PublicKeyRequest) GetFmt() string
- func (x *PublicKeyRequest) GetV() string
- func (*PublicKeyRequest) ProtoMessage()
- func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message
- func (x *PublicKeyRequest) Reset()
- func (x *PublicKeyRequest) String() string
- type PublicKeyResponse
- func (*PublicKeyResponse) Descriptor() ([]byte, []int)deprecated
- func (x *PublicKeyResponse) GetKid() string
- func (x *PublicKeyResponse) GetPublicKey() string
- func (*PublicKeyResponse) ProtoMessage()
- func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message
- func (x *PublicKeyResponse) Reset()
- func (x *PublicKeyResponse) String() string
- type RewrapRequest
- type RewrapResponse
- func (*RewrapResponse) Descriptor() ([]byte, []int)deprecated
- func (x *RewrapResponse) GetEntityWrappedKey() []bytedeprecated
- func (x *RewrapResponse) GetMetadata() map[string]*structpb.Valuedeprecated
- func (x *RewrapResponse) GetResponses() []*PolicyRewrapResult
- func (x *RewrapResponse) GetSchemaVersion() stringdeprecated
- func (x *RewrapResponse) GetSessionPublicKey() string
- func (*RewrapResponse) ProtoMessage()
- func (x *RewrapResponse) ProtoReflect() protoreflect.Message
- func (x *RewrapResponse) Reset()
- func (x *RewrapResponse) String() string
- type UnimplementedAccessServiceServer
- func (UnimplementedAccessServiceServer) LegacyPublicKey(context.Context, *LegacyPublicKeyRequest) (*wrapperspb.StringValue, error)
- func (UnimplementedAccessServiceServer) PublicKey(context.Context, *PublicKeyRequest) (*PublicKeyResponse, error)
- func (UnimplementedAccessServiceServer) Rewrap(context.Context, *RewrapRequest) (*RewrapResponse, error)
- type UnsafeAccessServiceServer
- type UnsignedRewrapRequest
- func (*UnsignedRewrapRequest) Descriptor() ([]byte, []int)deprecated
- func (x *UnsignedRewrapRequest) GetAlgorithm() stringdeprecated
- func (x *UnsignedRewrapRequest) GetClientPublicKey() string
- func (x *UnsignedRewrapRequest) GetKeyAccess() *KeyAccessdeprecated
- func (x *UnsignedRewrapRequest) GetPolicy() stringdeprecated
- func (x *UnsignedRewrapRequest) GetRequests() []*UnsignedRewrapRequest_WithPolicyRequest
- func (*UnsignedRewrapRequest) ProtoMessage()
- func (x *UnsignedRewrapRequest) ProtoReflect() protoreflect.Message
- func (x *UnsignedRewrapRequest) Reset()
- func (x *UnsignedRewrapRequest) String() string
- type UnsignedRewrapRequest_WithKeyAccessObject
- func (*UnsignedRewrapRequest_WithKeyAccessObject) Descriptor() ([]byte, []int)deprecated
- func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObject() *KeyAccess
- func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObjectId() string
- func (*UnsignedRewrapRequest_WithKeyAccessObject) ProtoMessage()
- func (x *UnsignedRewrapRequest_WithKeyAccessObject) ProtoReflect() protoreflect.Message
- func (x *UnsignedRewrapRequest_WithKeyAccessObject) Reset()
- func (x *UnsignedRewrapRequest_WithKeyAccessObject) String() string
- type UnsignedRewrapRequest_WithPolicy
- func (*UnsignedRewrapRequest_WithPolicy) Descriptor() ([]byte, []int)deprecated
- func (x *UnsignedRewrapRequest_WithPolicy) GetBody() string
- func (x *UnsignedRewrapRequest_WithPolicy) GetId() string
- func (*UnsignedRewrapRequest_WithPolicy) ProtoMessage()
- func (x *UnsignedRewrapRequest_WithPolicy) ProtoReflect() protoreflect.Message
- func (x *UnsignedRewrapRequest_WithPolicy) Reset()
- func (x *UnsignedRewrapRequest_WithPolicy) String() string
- type UnsignedRewrapRequest_WithPolicyRequest
- func (*UnsignedRewrapRequest_WithPolicyRequest) Descriptor() ([]byte, []int)deprecated
- func (x *UnsignedRewrapRequest_WithPolicyRequest) GetAlgorithm() string
- func (x *UnsignedRewrapRequest_WithPolicyRequest) GetKeyAccessObjects() []*UnsignedRewrapRequest_WithKeyAccessObject
- func (x *UnsignedRewrapRequest_WithPolicyRequest) GetPolicy() *UnsignedRewrapRequest_WithPolicy
- func (*UnsignedRewrapRequest_WithPolicyRequest) ProtoMessage()
- func (x *UnsignedRewrapRequest_WithPolicyRequest) ProtoReflect() protoreflect.Message
- func (x *UnsignedRewrapRequest_WithPolicyRequest) Reset()
- func (x *UnsignedRewrapRequest_WithPolicyRequest) String() string
Constants ¶
// Full gRPC method names for the three AccessService RPCs. These are the
// wire-level identifiers a server-side interceptor or authorization layer
// would see for each call.
const (
	AccessService_PublicKey_FullMethodName       = "/kas.AccessService/PublicKey"
	AccessService_LegacyPublicKey_FullMethodName = "/kas.AccessService/LegacyPublicKey"
	AccessService_Rewrap_FullMethodName          = "/kas.AccessService/Rewrap"
)
Variables ¶
// AccessService_ServiceDesc is the grpc.ServiceDesc for AccessService service.
// It's only intended for direct use with grpc.RegisterService, and not to be
// introspected or modified (even as a copy).
var AccessService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "kas.AccessService",
	HandlerType: (*AccessServiceServer)(nil),
	// Unary handlers only; Streams below is intentionally empty.
	Methods: []grpc.MethodDesc{
		{
			MethodName: "PublicKey",
			Handler:    _AccessService_PublicKey_Handler,
		},
		{
			MethodName: "LegacyPublicKey",
			Handler:    _AccessService_LegacyPublicKey_Handler,
		},
		{
			MethodName: "Rewrap",
			Handler:    _AccessService_Rewrap_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "kas/kas.proto",
}
AccessService_ServiceDesc is the grpc.ServiceDesc for AccessService service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).
var File_kas_kas_proto protoreflect.FileDescriptor
Functions ¶
func RegisterAccessServiceHandler ¶
func RegisterAccessServiceHandler(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error
RegisterAccessServiceHandler registers the http handlers for service AccessService to "mux". The handlers forward requests to the grpc endpoint over "conn".
func RegisterAccessServiceHandlerClient ¶
func RegisterAccessServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux, client AccessServiceClient) error
RegisterAccessServiceHandlerClient registers the http handlers for service AccessService to "mux". The handlers forward requests to the grpc endpoint over the given implementation of "AccessServiceClient". Note: the gRPC framework executes interceptors within the gRPC handler. If the passed in "AccessServiceClient" doesn't go through the normal gRPC flow (creating a gRPC client etc.) then it will be up to the passed in "AccessServiceClient" to call the correct interceptors.
func RegisterAccessServiceHandlerFromEndpoint ¶
func RegisterAccessServiceHandlerFromEndpoint(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) (err error)
RegisterAccessServiceHandlerFromEndpoint is same as RegisterAccessServiceHandler but automatically dials to "endpoint" and closes the connection when "ctx" gets done.
func RegisterAccessServiceHandlerServer ¶
func RegisterAccessServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux, server AccessServiceServer) error
RegisterAccessServiceHandlerServer registers the http handlers for service AccessService to "mux". UnaryRPC: calls AccessServiceServer directly. StreamingRPC: currently unsupported pending https://github.com/grpc/grpc-go/issues/906. Note that using this registration option will cause many gRPC library features to stop working. Consider using RegisterAccessServiceHandlerFromEndpoint instead.
func RegisterAccessServiceServer ¶
func RegisterAccessServiceServer(s grpc.ServiceRegistrar, srv AccessServiceServer)
Types ¶
type AccessServiceClient ¶
// AccessServiceClient is the client API for AccessService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to
// https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type AccessServiceClient interface {
	// PublicKey returns a KAS public key and its key identifier (kid); the
	// public key is what a writer uses to wrap a DEK (see KeyAccess.WrappedKey).
	PublicKey(ctx context.Context, in *PublicKeyRequest, opts ...grpc.CallOption) (*PublicKeyResponse, error)
	// Deprecated: Do not use.
	// Endpoint intended for gRPC Gateway's REST endpoint to provide v1 compatibility with older TDF clients
	//
	// This endpoint is not recommended for use in new applications, prefer the v2 endpoint ('PublicKey') instead.
	//
	// buf:lint:ignore RPC_RESPONSE_STANDARD_NAME
	LegacyPublicKey(ctx context.Context, in *LegacyPublicKeyRequest, opts ...grpc.CallOption) (*wrapperspb.StringValue, error)
	// Rewrap sends a DPoP-signed RewrapRequest; KAS decrypts the wrapped DEK(s)
	// and re-encrypts them to the caller's session key (see RewrapResponse).
	Rewrap(ctx context.Context, in *RewrapRequest, opts ...grpc.CallOption) (*RewrapResponse, error)
}
AccessServiceClient is the client API for AccessService service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewAccessServiceClient ¶
func NewAccessServiceClient(cc grpc.ClientConnInterface) AccessServiceClient
type AccessServiceServer ¶
// AccessServiceServer is the server API for AccessService service.
// All implementations must embed UnimplementedAccessServiceServer
// for forward compatibility.
type AccessServiceServer interface {
	// PublicKey returns a KAS public key and its kid for the requested
	// algorithm/format (PublicKeyRequest fields are not documented on this page).
	PublicKey(context.Context, *PublicKeyRequest) (*PublicKeyResponse, error)
	// Deprecated: Do not use.
	// Endpoint intended for gRPC Gateway's REST endpoint to provide v1 compatibility with older TDF clients
	//
	// This endpoint is not recommended for use in new applications, prefer the v2 endpoint ('PublicKey') instead.
	//
	// buf:lint:ignore RPC_RESPONSE_STANDARD_NAME
	LegacyPublicKey(context.Context, *LegacyPublicKeyRequest) (*wrapperspb.StringValue, error)
	// Rewrap receives a DPoP-signed RewrapRequest. NOTE(review): the
	// requestBody claim inside the JWT is only trustworthy once the JWT
	// signature has been verified against the DPoP-bound key — confirm the
	// implementation verifies before it parses the claim.
	Rewrap(context.Context, *RewrapRequest) (*RewrapResponse, error)
	// contains filtered or unexported methods
}
AccessServiceServer is the server API for AccessService service. All implementations must embed UnimplementedAccessServiceServer for forward compatibility.
type InfoRequest ¶
// InfoRequest is an empty request message. The RPC that consumes it is not
// part of the AccessService index shown on this page.
type InfoRequest struct {
	// contains filtered or unexported fields
}
func (*InfoRequest) Descriptor
deprecated
func (*InfoRequest) Descriptor() ([]byte, []int)
Deprecated: Use InfoRequest.ProtoReflect.Descriptor instead.
func (*InfoRequest) ProtoMessage ¶
func (*InfoRequest) ProtoMessage()
func (*InfoRequest) ProtoReflect ¶
func (x *InfoRequest) ProtoReflect() protoreflect.Message
func (*InfoRequest) Reset ¶
func (x *InfoRequest) Reset()
func (*InfoRequest) String ¶
func (x *InfoRequest) String() string
type InfoResponse ¶
// InfoResponse carries service application-level metadata.
type InfoResponse struct {
	// Version string reported by the service (format not documented here).
	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	// contains filtered or unexported fields
}
Service application-level metadata.
func (*InfoResponse) Descriptor
deprecated
func (*InfoResponse) Descriptor() ([]byte, []int)
Deprecated: Use InfoResponse.ProtoReflect.Descriptor instead.
func (*InfoResponse) GetVersion ¶
func (x *InfoResponse) GetVersion() string
func (*InfoResponse) ProtoMessage ¶
func (*InfoResponse) ProtoMessage()
func (*InfoResponse) ProtoReflect ¶
func (x *InfoResponse) ProtoReflect() protoreflect.Message
func (*InfoResponse) Reset ¶
func (x *InfoResponse) Reset()
func (*InfoResponse) String ¶
func (x *InfoResponse) String() string
type KeyAccess ¶ added in v0.2.23
// KeyAccess is a Key Access Object (KAO): the cryptographic material and
// metadata needed to recover a TDF's data encryption key (DEK) via KAS.
// Every field of this message originates from the TDF manifest supplied by
// the client, so a KAS implementation should treat it as untrusted input.
type KeyAccess struct {
	// Base64-encoded encrypted metadata containing additional key information
	// Optional: Not used during KAS rewrap operations (client-side only)
	// KAS service passes this through without processing or validation
	// NOTE(review): because KAS does not validate it, downstream consumers
	// must decode and validate it themselves before use.
	EncryptedMetadata string `protobuf:"bytes,1,opt,name=encrypted_metadata,json=encryptedMetadata,proto3" json:"encrypted_metadata,omitempty"`
	// Policy binding ensuring cryptographic integrity between policy and wrapped key
	// Required: ZTDF (contains hash and algorithm)
	// Links the policy to the wrapped key cryptographically
	PolicyBinding *PolicyBinding `protobuf:"bytes,2,opt,name=policy_binding,json=policyBinding,proto3" json:"policy_binding,omitempty"`
	// Protocol identifier for the key access mechanism
	// Optional: Defaults to 'kas'
	// Typically: 'kas' for standard Key Access Service protocol
	// Example: "kas"
	Protocol string `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"`
	// Type of key wrapping used for the data encryption key
	// Required: Always
	// Values: 'wrapped' (RSA-wrapped for ZTDF), 'ec-wrapped' (experimental ECDH-wrapped)
	KeyType string `protobuf:"bytes,4,opt,name=key_type,json=type,proto3" json:"key_type,omitempty"`
	// URL of the Key Access Server that can unwrap this key
	// Optional: May be omitted if KAS URL is known from context
	// Used to route rewrap requests to the correct KAS instance
	// Example: "https://kas.example.com"
	// NOTE(review): this value is taken from the manifest; a client that dials
	// it should check it against its configured set of trusted KAS endpoints
	// before sending key material — confirm the SDK does so.
	KasUrl string `protobuf:"bytes,5,opt,name=kas_url,json=url,proto3" json:"kas_url,omitempty"`
	// Key identifier for the KAS public key used for wrapping
	// Optional: ZTDF (may specify which KAS key to use, required if present in the TDF)
	// References a specific public key in the KAS key storage (either local keyring or KAS Registry service)
	// Example: "k1", "ec-key-2024"
	Kid string `protobuf:"bytes,6,opt,name=kid,proto3" json:"kid,omitempty"`
	// Split identifier for key splitting scenarios
	// Optional: ZTDF (used in advanced key splitting configurations)
	// Used when keys are split across multiple parties for enhanced security
	SplitId string `protobuf:"bytes,7,opt,name=split_id,json=sid,proto3" json:"split_id,omitempty"`
	// Client-generated data encryption key wrapped by KAS
	// Required: Always
	// Contains the actual DEK encrypted with KAS's public key
	// This is the core cryptographic material needed for TDF decryption
	WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"`
	// Complete header containing all metadata and policy information (for formats that embed it)
	// Optional: Not used by ZTDF (policy and metadata are separate)
	// Contains magic bytes, version, algorithm, policy, and ephemeral key information
	Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"`
	// Ephemeral public key for ECDH key derivation (ec-wrapped type only)
	// Required: When key_type="ec-wrapped" (experimental ECDH-based ZTDF)
	// Omitted: When key_type="wrapped" (RSA-based ZTDF)
	// Should be a PEM-encoded PKCS#8 (ASN.1) formatted public key
	// NOTE(review): PKCS#8 is the private-key encoding; a PEM public key is
	// normally a SubjectPublicKeyInfo ("PUBLIC KEY") block — confirm which
	// encoding the KAS parser actually accepts and correct the wording.
	// Used to derive the symmetric key for unwrapping the DEK
	EphemeralPublicKey string `protobuf:"bytes,10,opt,name=ephemeral_public_key,json=ephemeralPublicKey,proto3" json:"ephemeral_public_key,omitempty"`
	// contains filtered or unexported fields
}
Key Access Object containing cryptographic material and metadata for TDF decryption
func (*KeyAccess) Descriptor
deprecated
added in
v0.2.23
func (*KeyAccess) GetEncryptedMetadata ¶ added in v0.2.23
func (*KeyAccess) GetEphemeralPublicKey ¶ added in v0.2.27
func (*KeyAccess) GetKeyType ¶ added in v0.2.23
func (*KeyAccess) GetPolicyBinding ¶ added in v0.2.23
func (x *KeyAccess) GetPolicyBinding() *PolicyBinding
func (*KeyAccess) GetProtocol ¶ added in v0.2.23
func (*KeyAccess) GetSplitId ¶ added in v0.2.23
func (*KeyAccess) GetWrappedKey ¶ added in v0.2.23
func (*KeyAccess) ProtoMessage ¶ added in v0.2.23
func (*KeyAccess) ProtoMessage()
func (*KeyAccess) ProtoReflect ¶ added in v0.2.23
func (x *KeyAccess) ProtoReflect() protoreflect.Message
type KeyAccessRewrapResult ¶ added in v0.2.23
// KeyAccessRewrapResult is the per-KAO outcome of a rewrap operation. Exactly
// one of the Result branches (KasWrappedKey on "permit", Error on "fail") is
// expected to be populated, consistent with Status.
type KeyAccessRewrapResult struct {
	// Metadata associated with this KAO result (e.g., required obligations)
	// Optional: May contain obligation requirements or other policy metadata
	// Common keys: "X-Required-Obligations" with array of obligation FQNs
	Metadata map[string]*structpb.Value `` /* 157-byte string literal not displayed */
	// Identifier matching the key_access_object_id from the request
	// Required: Always matches the ID from UnsignedRewrapRequest_WithKeyAccessObject
	KeyAccessObjectId string `protobuf:"bytes,2,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"`
	// Status of the rewrap operation for this KAO
	// Required: Always
	// Values: "permit" (success), "fail" (failure)
	// NOTE(review): callers should key off Status rather than the mere
	// presence of KasWrappedKey — confirm the server never sets both.
	Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"`
	// Result of the rewrap operation - either success or error
	//
	// Types that are assignable to Result:
	//
	//	*KeyAccessRewrapResult_KasWrappedKey
	//	*KeyAccessRewrapResult_Error
	Result isKeyAccessRewrapResult_Result `protobuf_oneof:"result"`
	// contains filtered or unexported fields
}
Result of a key access object rewrap operation
func (*KeyAccessRewrapResult) Descriptor
deprecated
added in
v0.2.23
func (*KeyAccessRewrapResult) Descriptor() ([]byte, []int)
Deprecated: Use KeyAccessRewrapResult.ProtoReflect.Descriptor instead.
func (*KeyAccessRewrapResult) GetError ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) GetError() string
func (*KeyAccessRewrapResult) GetKasWrappedKey ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) GetKasWrappedKey() []byte
func (*KeyAccessRewrapResult) GetKeyAccessObjectId ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) GetKeyAccessObjectId() string
func (*KeyAccessRewrapResult) GetMetadata ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) GetMetadata() map[string]*structpb.Value
func (*KeyAccessRewrapResult) GetResult ¶ added in v0.2.23
func (m *KeyAccessRewrapResult) GetResult() isKeyAccessRewrapResult_Result
func (*KeyAccessRewrapResult) GetStatus ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) GetStatus() string
func (*KeyAccessRewrapResult) ProtoMessage ¶ added in v0.2.23
func (*KeyAccessRewrapResult) ProtoMessage()
func (*KeyAccessRewrapResult) ProtoReflect ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) ProtoReflect() protoreflect.Message
func (*KeyAccessRewrapResult) Reset ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) Reset()
func (*KeyAccessRewrapResult) String ¶ added in v0.2.23
func (x *KeyAccessRewrapResult) String() string
type KeyAccessRewrapResult_Error ¶ added in v0.2.23
// KeyAccessRewrapResult_Error is the oneof wrapper for the error branch of
// KeyAccessRewrapResult.Result.
type KeyAccessRewrapResult_Error struct {
	// Error message when rewrap failed
	// Present when status="fail"
	// Human-readable description of the failure reason
	// NOTE(review): this string is returned to the requesting client; confirm
	// the server does not include internal details (stack traces, key ids of
	// other tenants) in it.
	Error string `protobuf:"bytes,5,opt,name=error,proto3,oneof"`
}
type KeyAccessRewrapResult_KasWrappedKey ¶ added in v0.2.23
// KeyAccessRewrapResult_KasWrappedKey is the oneof wrapper for the success
// branch of KeyAccessRewrapResult.Result.
type KeyAccessRewrapResult_KasWrappedKey struct {
	// Successfully rewrapped key encrypted with the session key
	// Present when status="permit"
	// Contains the DEK encrypted with the ephemeral session key
	// (the key agreed via RewrapResponse.SessionPublicKey and
	// UnsignedRewrapRequest.ClientPublicKey).
	KasWrappedKey []byte `protobuf:"bytes,4,opt,name=kas_wrapped_key,json=kasWrappedKey,proto3,oneof"`
}
type LegacyPublicKeyRequest ¶
// LegacyPublicKeyRequest is the request for the deprecated LegacyPublicKey
// RPC (v1 compatibility); new code should use PublicKeyRequest.
type LegacyPublicKeyRequest struct {
	// Algorithm selector for the requested KAS public key; the accepted
	// value set is not documented on this page.
	Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
	// contains filtered or unexported fields
}
func (*LegacyPublicKeyRequest) Descriptor
deprecated
func (*LegacyPublicKeyRequest) Descriptor() ([]byte, []int)
Deprecated: Use LegacyPublicKeyRequest.ProtoReflect.Descriptor instead.
func (*LegacyPublicKeyRequest) GetAlgorithm ¶
func (x *LegacyPublicKeyRequest) GetAlgorithm() string
func (*LegacyPublicKeyRequest) ProtoMessage ¶
func (*LegacyPublicKeyRequest) ProtoMessage()
func (*LegacyPublicKeyRequest) ProtoReflect ¶
func (x *LegacyPublicKeyRequest) ProtoReflect() protoreflect.Message
func (*LegacyPublicKeyRequest) Reset ¶
func (x *LegacyPublicKeyRequest) Reset()
func (*LegacyPublicKeyRequest) String ¶
func (x *LegacyPublicKeyRequest) String() string
type PolicyBinding ¶ added in v0.2.23
// PolicyBinding ensures cryptographic integrity between policy and wrapped key.
// It prevents policy tampering by binding the policy hash to the encrypted key:
// a party that can rewrap the DEK can recompute the HMAC and detect a policy
// that was altered after the TDF was written.
type PolicyBinding struct {
	// Cryptographic hashing algorithm used for policy binding
	// Optional: ZTDF (when policy_binding is an object)
	// Value: Always "HS256" (HMAC-SHA256) - other algorithms not supported
	// Example: "HS256"
	Algorithm string `protobuf:"bytes,1,opt,name=algorithm,json=alg,proto3" json:"algorithm,omitempty"`
	// HMAC-SHA256 hash of the base64-encoded policy using the DEK as the secret key
	// 4.2.2 TDFs are hex and base64 encoded before HMAC computation
	// Required: ZTDF (when policy_binding is an object)
	// Links the policy content to the wrapped DEK cryptographically via HMAC
	// Computed as HMAC-SHA256(DEK, base64_policy) then hex-encoded and base64-encoded
	// NOTE(review): the two statements above differ on whether the hex/base64
	// step applies to the HMAC input or output for 4.2.2 TDFs — confirm
	// against the spec. Verifying code should compare a recomputed value with
	// this field using a constant-time comparison — confirm in the handler.
	Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"`
	// contains filtered or unexported fields
}
Policy binding ensures cryptographic integrity between policy and wrapped key. It prevents policy tampering by binding the policy hash to the encrypted key.
func (*PolicyBinding) Descriptor
deprecated
added in
v0.2.23
func (*PolicyBinding) Descriptor() ([]byte, []int)
Deprecated: Use PolicyBinding.ProtoReflect.Descriptor instead.
func (*PolicyBinding) GetAlgorithm ¶ added in v0.2.23
func (x *PolicyBinding) GetAlgorithm() string
func (*PolicyBinding) GetHash ¶ added in v0.2.23
func (x *PolicyBinding) GetHash() string
func (*PolicyBinding) ProtoMessage ¶ added in v0.2.23
func (*PolicyBinding) ProtoMessage()
func (*PolicyBinding) ProtoReflect ¶ added in v0.2.23
func (x *PolicyBinding) ProtoReflect() protoreflect.Message
func (*PolicyBinding) Reset ¶ added in v0.2.23
func (x *PolicyBinding) Reset()
func (*PolicyBinding) String ¶ added in v0.2.23
func (x *PolicyBinding) String() string
type PolicyRewrapResult ¶ added in v0.2.23
// PolicyRewrapResult groups the results for all KAOs associated with a
// single policy in a bulk (v2) rewrap response.
type PolicyRewrapResult struct {
	// Policy identifier matching the policy.id from the request
	// Required: Always matches the ID from UnsignedRewrapRequest_WithPolicy
	PolicyId string `protobuf:"bytes,1,opt,name=policy_id,json=policyId,proto3" json:"policy_id,omitempty"`
	// Results for each KAO under this policy
	// Required: One result per KAO in the original request
	Results []*KeyAccessRewrapResult `protobuf:"bytes,2,rep,name=results,proto3" json:"results,omitempty"`
	// contains filtered or unexported fields
}
Result for all KAOs associated with a single policy
func (*PolicyRewrapResult) Descriptor
deprecated
added in
v0.2.23
func (*PolicyRewrapResult) Descriptor() ([]byte, []int)
Deprecated: Use PolicyRewrapResult.ProtoReflect.Descriptor instead.
func (*PolicyRewrapResult) GetPolicyId ¶ added in v0.2.23
func (x *PolicyRewrapResult) GetPolicyId() string
func (*PolicyRewrapResult) GetResults ¶ added in v0.2.23
func (x *PolicyRewrapResult) GetResults() []*KeyAccessRewrapResult
func (*PolicyRewrapResult) ProtoMessage ¶ added in v0.2.23
func (*PolicyRewrapResult) ProtoMessage()
func (*PolicyRewrapResult) ProtoReflect ¶ added in v0.2.23
func (x *PolicyRewrapResult) ProtoReflect() protoreflect.Message
func (*PolicyRewrapResult) Reset ¶ added in v0.2.23
func (x *PolicyRewrapResult) Reset()
func (*PolicyRewrapResult) String ¶ added in v0.2.23
func (x *PolicyRewrapResult) String() string
type PublicKeyRequest ¶
// PublicKeyRequest is the request for the PublicKey RPC. None of its fields
// are documented on this page; the notes below are inferred from the names.
type PublicKeyRequest struct {
	// Algorithm selector for the requested key — presumably the same
	// algorithm vocabulary as LegacyPublicKeyRequest.Algorithm; verify.
	Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
	// Requested output format of the key — TODO confirm accepted values.
	Fmt string `protobuf:"bytes,2,opt,name=fmt,proto3" json:"fmt,omitempty"`
	// Version selector — TODO confirm semantics against the handler.
	V string `protobuf:"bytes,3,opt,name=v,proto3" json:"v,omitempty"`
	// contains filtered or unexported fields
}
func (*PublicKeyRequest) Descriptor
deprecated
func (*PublicKeyRequest) Descriptor() ([]byte, []int)
Deprecated: Use PublicKeyRequest.ProtoReflect.Descriptor instead.
func (*PublicKeyRequest) GetAlgorithm ¶
func (x *PublicKeyRequest) GetAlgorithm() string
func (*PublicKeyRequest) GetFmt ¶
func (x *PublicKeyRequest) GetFmt() string
func (*PublicKeyRequest) GetV ¶
func (x *PublicKeyRequest) GetV() string
func (*PublicKeyRequest) ProtoMessage ¶
func (*PublicKeyRequest) ProtoMessage()
func (*PublicKeyRequest) ProtoReflect ¶
func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message
func (*PublicKeyRequest) Reset ¶
func (x *PublicKeyRequest) Reset()
func (*PublicKeyRequest) String ¶
func (x *PublicKeyRequest) String() string
type PublicKeyResponse ¶
// PublicKeyResponse is the response of the PublicKey RPC: a KAS public key
// and the identifier a writer should record in KeyAccess.Kid so that KAS can
// later select the matching private key during rewrap.
type PublicKeyResponse struct {
	// The KAS public key (encoding not documented on this page).
	PublicKey string `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// Key identifier of PublicKey; corresponds to KeyAccess.Kid.
	Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"`
	// contains filtered or unexported fields
}
func (*PublicKeyResponse) Descriptor
deprecated
func (*PublicKeyResponse) Descriptor() ([]byte, []int)
Deprecated: Use PublicKeyResponse.ProtoReflect.Descriptor instead.
func (*PublicKeyResponse) GetKid ¶ added in v0.2.4
func (x *PublicKeyResponse) GetKid() string
func (*PublicKeyResponse) GetPublicKey ¶
func (x *PublicKeyResponse) GetPublicKey() string
func (*PublicKeyResponse) ProtoMessage ¶
func (*PublicKeyResponse) ProtoMessage()
func (*PublicKeyResponse) ProtoReflect ¶
func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message
func (*PublicKeyResponse) Reset ¶
func (x *PublicKeyResponse) Reset()
func (*PublicKeyResponse) String ¶
func (x *PublicKeyResponse) String() string
type RewrapRequest ¶
// RewrapRequest asks KAS to rewrap (decrypt and re-encrypt) TDF keys for
// client access. The actual request body travels inside the signed token,
// not as separate message fields.
type RewrapRequest struct {
	// A JWT signed by the DPoP (Demonstration of Proof of Possession) private key
	// Required: Always
	// Version differences:
	// - v1 (legacy): Uses existing TDF spec schema in requestBody
	// - v2 (bulk): Uses UnsignedRewrapRequest proto serialized as JSON in requestBody
	// NOTE(review): the requestBody claim must only be acted on after the
	// JWT signature has been verified against the DPoP-bound key — confirm
	// the server verifies before parsing.
	SignedRequestToken string `protobuf:"bytes,1,opt,name=signed_request_token,json=signedRequestToken,proto3" json:"signed_request_token,omitempty"`
	// contains filtered or unexported fields
}
Request to rewrap (decrypt and re-encrypt) TDF keys for client access
func (*RewrapRequest) Descriptor
deprecated
func (*RewrapRequest) Descriptor() ([]byte, []int)
Deprecated: Use RewrapRequest.ProtoReflect.Descriptor instead.
func (*RewrapRequest) GetSignedRequestToken ¶
func (x *RewrapRequest) GetSignedRequestToken() string
func (*RewrapRequest) ProtoMessage ¶
func (*RewrapRequest) ProtoMessage()
func (*RewrapRequest) ProtoReflect ¶
func (x *RewrapRequest) ProtoReflect() protoreflect.Message
func (*RewrapRequest) Reset ¶
func (x *RewrapRequest) Reset()
func (*RewrapRequest) String ¶
func (x *RewrapRequest) String() string
type RewrapResponse ¶
// RewrapResponse carries the rewrapped keys and session information returned
// by the Rewrap RPC. Modern (v2) responses populate SessionPublicKey and
// Responses; the remaining fields exist for v1 compatibility only.
type RewrapResponse struct {
	// Deprecated: Legacy metadata field
	// Modern responses use metadata in individual KeyAccessRewrapResult
	//
	// Deprecated: Marked as deprecated in kas/kas.proto.
	Metadata map[string]*structpb.Value `` /* 157-byte string literal not displayed */
	// Deprecated: Legacy single entity wrapped key
	// Modern responses use kas_wrapped_key in KeyAccessRewrapResult
	//
	// Deprecated: Marked as deprecated in kas/kas.proto.
	EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"`
	// KAS's ephemeral session public key in PEM format
	// Required: For EC-based operations (key_type="ec-wrapped")
	// Optional: Empty for RSA-based ZTDF (key_type="wrapped")
	// Used by client to perform ECDH key agreement and decrypt the kas_wrapped_key values
	SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"`
	// Deprecated: Legacy schema version identifier
	// Modern responses use implicit versioning
	//
	// Deprecated: Marked as deprecated in kas/kas.proto.
	SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"`
	// Policy-grouped rewrap results for the bulk API
	// Required: Modern v2 API responses
	// Each PolicyRewrapResult contains results for all KAOs under that policy
	Responses []*PolicyRewrapResult `protobuf:"bytes,5,rep,name=responses,proto3" json:"responses,omitempty"`
	// contains filtered or unexported fields
}
Response containing rewrapped keys and session information
func (*RewrapResponse) Descriptor
deprecated
func (*RewrapResponse) Descriptor() ([]byte, []int)
Deprecated: Use RewrapResponse.ProtoReflect.Descriptor instead.
func (*RewrapResponse) GetEntityWrappedKey
deprecated
func (x *RewrapResponse) GetEntityWrappedKey() []byte
Deprecated: Marked as deprecated in kas/kas.proto.
func (*RewrapResponse) GetMetadata
deprecated
func (x *RewrapResponse) GetMetadata() map[string]*structpb.Value
Deprecated: Marked as deprecated in kas/kas.proto.
func (*RewrapResponse) GetResponses ¶ added in v0.2.23
func (x *RewrapResponse) GetResponses() []*PolicyRewrapResult
func (*RewrapResponse) GetSchemaVersion
deprecated
func (x *RewrapResponse) GetSchemaVersion() string
Deprecated: Marked as deprecated in kas/kas.proto.
func (*RewrapResponse) GetSessionPublicKey ¶
func (x *RewrapResponse) GetSessionPublicKey() string
func (*RewrapResponse) ProtoMessage ¶
func (*RewrapResponse) ProtoMessage()
func (*RewrapResponse) ProtoReflect ¶
func (x *RewrapResponse) ProtoReflect() protoreflect.Message
func (*RewrapResponse) Reset ¶
func (x *RewrapResponse) Reset()
func (*RewrapResponse) String ¶
func (x *RewrapResponse) String() string
type UnimplementedAccessServiceServer ¶
// UnimplementedAccessServiceServer must be embedded to have forward compatible
// implementations. Its methods (LegacyPublicKey, PublicKey, Rewrap) provide
// default responses so that a new RPC added to AccessServiceServer does not
// break existing implementations.
type UnimplementedAccessServiceServer struct {
}
UnimplementedAccessServiceServer must be embedded to have forward compatible implementations.
func (UnimplementedAccessServiceServer) LegacyPublicKey ¶
func (UnimplementedAccessServiceServer) LegacyPublicKey(context.Context, *LegacyPublicKeyRequest) (*wrapperspb.StringValue, error)
func (UnimplementedAccessServiceServer) PublicKey ¶
func (UnimplementedAccessServiceServer) PublicKey(context.Context, *PublicKeyRequest) (*PublicKeyResponse, error)
func (UnimplementedAccessServiceServer) Rewrap ¶
func (UnimplementedAccessServiceServer) Rewrap(context.Context, *RewrapRequest) (*RewrapResponse, error)
type UnsafeAccessServiceServer ¶
// UnsafeAccessServiceServer may be embedded to opt out of forward compatibility
// for this service. Use of this interface is not recommended, as added methods
// to AccessServiceServer will result in compilation errors.
type UnsafeAccessServiceServer interface {
	// contains filtered or unexported methods
}
UnsafeAccessServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AccessServiceServer will result in compilation errors.
type UnsignedRewrapRequest ¶ added in v0.2.23
// UnsignedRewrapRequest is the bulk-style Rewrap request payload. It is
// serialized to JSON, embedded in a JWT as the 'requestBody' claim and signed
// with a DPoP key; this type holds the unsigned form of that payload.
type UnsignedRewrapRequest struct {
	// Client's public key in PEM format for establishing a session key
	// Required: Always
	// Used by KAS to generate an ephemeral session key for secure key exchange
	// NOTE(review): this PEM is client-supplied input — the receiving side
	// should parse it and check key type and size before deriving a session
	// key; that validation is not visible in this type.
	ClientPublicKey string `protobuf:"bytes,1,opt,name=client_public_key,json=clientPublicKey,proto3" json:"client_public_key,omitempty"`
	// List of policy requests to be processed
	// Required: Always (at least one)
	// Each request represents a policy with its associated key access objects
	Requests []*UnsignedRewrapRequest_WithPolicyRequest `protobuf:"bytes,2,rep,name=requests,proto3" json:"requests,omitempty"`
	// Deprecated: Legacy single Key Access Object
	// Used for legacy non-bulk requests (v1 API)
	// Modern clients should use the 'requests' field instead
	// NOTE(review): presumably a request carries either this legacy trio
	// (KeyAccess/Policy/Algorithm) or Requests, not both — confirm how the
	// server resolves a message that sets both.
	//
	// Deprecated: Marked as deprecated in kas/kas.proto.
	KeyAccess *KeyAccess `protobuf:"bytes,3,opt,name=key_access,json=keyAccess,proto3" json:"key_access,omitempty"`
	// Deprecated: Legacy single policy
	// Used for legacy non-bulk requests (v1 API)
	// Modern clients should use the 'requests' field instead
	//
	// Deprecated: Marked as deprecated in kas/kas.proto.
	Policy string `protobuf:"bytes,4,opt,name=policy,proto3" json:"policy,omitempty"`
	// Deprecated: Legacy algorithm specification
	// Used for legacy non-bulk requests (v1 API)
	// Modern clients should use the 'requests' field instead
	//
	// Deprecated: Marked as deprecated in kas/kas.proto.
	Algorithm string `protobuf:"bytes,5,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
	// contains filtered or unexported fields
}
Bulk-style Rewrap request structure that is serialized into JSON and signed within a Rewrap flow. This message is the unsigned payload that is embedded in a JWT as the 'requestBody' claim and signed with a DPoP key.
func (*UnsignedRewrapRequest) Descriptor
deprecated
added in
v0.2.23
func (*UnsignedRewrapRequest) Descriptor() ([]byte, []int)
Deprecated: Use UnsignedRewrapRequest.ProtoReflect.Descriptor instead.
func (*UnsignedRewrapRequest) GetAlgorithm
deprecated
added in
v0.2.27
func (x *UnsignedRewrapRequest) GetAlgorithm() string
Deprecated: Marked as deprecated in kas/kas.proto.
func (*UnsignedRewrapRequest) GetClientPublicKey ¶ added in v0.2.23
func (x *UnsignedRewrapRequest) GetClientPublicKey() string
func (*UnsignedRewrapRequest) GetKeyAccess
deprecated
added in
v0.2.27
func (x *UnsignedRewrapRequest) GetKeyAccess() *KeyAccess
Deprecated: Marked as deprecated in kas/kas.proto.
func (*UnsignedRewrapRequest) GetPolicy
deprecated
added in
v0.2.27
func (x *UnsignedRewrapRequest) GetPolicy() string
Deprecated: Marked as deprecated in kas/kas.proto.
func (*UnsignedRewrapRequest) GetRequests ¶ added in v0.2.23
func (x *UnsignedRewrapRequest) GetRequests() []*UnsignedRewrapRequest_WithPolicyRequest
func (*UnsignedRewrapRequest) ProtoMessage ¶ added in v0.2.23
func (*UnsignedRewrapRequest) ProtoMessage()
func (*UnsignedRewrapRequest) ProtoReflect ¶ added in v0.2.23
func (x *UnsignedRewrapRequest) ProtoReflect() protoreflect.Message
func (*UnsignedRewrapRequest) Reset ¶ added in v0.2.23
func (x *UnsignedRewrapRequest) Reset()
func (*UnsignedRewrapRequest) String ¶ added in v0.2.23
func (x *UnsignedRewrapRequest) String() string
type UnsignedRewrapRequest_WithKeyAccessObject ¶ added in v0.2.23
// UnsignedRewrapRequest_WithKeyAccessObject pairs a Key Access Object with an
// identifier that is unique within the enclosing rewrap request, so that
// per-KAO results can be matched back to their input.
type UnsignedRewrapRequest_WithKeyAccessObject struct {
	// Ephemeral, unique identifier for this KAO within the request
	// Required: Always
	// Example: "kao-0", "kao-1", "key-access-object-uuid"
	KeyAccessObjectId string `protobuf:"bytes,1,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"`
	// The actual Key Access Object containing cryptographic material and metadata
	// Required: Always
	// NOTE(review): the field is a pointer, so a message can arrive with it
	// unset (nil); callers should treat that as a malformed request rather
	// than dereference it.
	KeyAccessObject *KeyAccess `protobuf:"bytes,2,opt,name=key_access_object,json=keyAccessObject,proto3" json:"key_access_object,omitempty"`
	// contains filtered or unexported fields
}
Key Access Object wrapper with its request-scoped identifier.
func (*UnsignedRewrapRequest_WithKeyAccessObject) Descriptor
deprecated
added in
v0.2.23
func (*UnsignedRewrapRequest_WithKeyAccessObject) Descriptor() ([]byte, []int)
Deprecated: Use UnsignedRewrapRequest_WithKeyAccessObject.ProtoReflect.Descriptor instead.
func (*UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObject ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObject() *KeyAccess
func (*UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObjectId ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObjectId() string
func (*UnsignedRewrapRequest_WithKeyAccessObject) ProtoMessage ¶ added in v0.2.23
func (*UnsignedRewrapRequest_WithKeyAccessObject) ProtoMessage()
func (*UnsignedRewrapRequest_WithKeyAccessObject) ProtoReflect ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithKeyAccessObject) ProtoReflect() protoreflect.Message
func (*UnsignedRewrapRequest_WithKeyAccessObject) Reset ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithKeyAccessObject) Reset()
func (*UnsignedRewrapRequest_WithKeyAccessObject) String ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithKeyAccessObject) String() string
type UnsignedRewrapRequest_WithPolicy ¶ added in v0.2.23
// UnsignedRewrapRequest_WithPolicy carries the policy identifier and content
// for one group of KeyAccessObjects in a rewrap request.
type UnsignedRewrapRequest_WithPolicy struct {
	// An identifier unique within the scope of the rewrap request
	// Used for mapping between request and response items.
	// Required: Always
	// Example: "policy", "policy-0", "policy-1"
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Policy content - format varies by TDF type:
	// ZTDF: Base64-encoded JSON policy object containing attributes and other policy data
	// Required: ZTDF (base64-encoded policy JSON)
	// NOTE(review): the policy body is client-supplied; it should be
	// base64-decoded and JSON-validated before any attribute it names is
	// trusted — that handling is outside this type.
	Body string `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"`
	// contains filtered or unexported fields
}
Policy metadata and content for a group of KeyAccessObjects
func (*UnsignedRewrapRequest_WithPolicy) Descriptor
deprecated
added in
v0.2.23
func (*UnsignedRewrapRequest_WithPolicy) Descriptor() ([]byte, []int)
Deprecated: Use UnsignedRewrapRequest_WithPolicy.ProtoReflect.Descriptor instead.
func (*UnsignedRewrapRequest_WithPolicy) GetBody ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicy) GetBody() string
func (*UnsignedRewrapRequest_WithPolicy) GetId ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicy) GetId() string
func (*UnsignedRewrapRequest_WithPolicy) ProtoMessage ¶ added in v0.2.23
func (*UnsignedRewrapRequest_WithPolicy) ProtoMessage()
func (*UnsignedRewrapRequest_WithPolicy) ProtoReflect ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicy) ProtoReflect() protoreflect.Message
func (*UnsignedRewrapRequest_WithPolicy) Reset ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicy) Reset()
func (*UnsignedRewrapRequest_WithPolicy) String ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicy) String() string
type UnsignedRewrapRequest_WithPolicyRequest ¶ added in v0.2.23
// UnsignedRewrapRequest_WithPolicyRequest groups one policy with the Key Access
// Objects it governs, plus the algorithm used for that TDF type.
type UnsignedRewrapRequest_WithPolicyRequest struct {
	// List of Key Access Objects associated with this policy
	// Required: Always (at least one)
	// Some formats require exactly one KAO per policy
	KeyAccessObjects []*UnsignedRewrapRequest_WithKeyAccessObject `protobuf:"bytes,1,rep,name=key_access_objects,json=keyAccessObjects,proto3" json:"key_access_objects,omitempty"`
	// Policy information for this group of KAOs
	// Required: Always
	// NOTE(review): pointer field — may be nil on the wire despite "Required";
	// receivers should reject a nil policy explicitly.
	Policy *UnsignedRewrapRequest_WithPolicy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"`
	// Cryptographic algorithm identifier for the TDF type
	// Optional: Defaults to rsa:2048 if omitted
	// Values: "ec:secp256r1" (EC-based), "rsa:2048" (RSA-based), "" (defaults to rsa:2048)
	// Example: "ec:secp256r1"
	// Any value outside the listed set is presumably rejected by the server —
	// confirm, since silently falling back to rsa:2048 would mask a bad request.
	Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
	// contains filtered or unexported fields
}
Request grouping a policy with its associated key access objects.
func (*UnsignedRewrapRequest_WithPolicyRequest) Descriptor
deprecated
added in
v0.2.23
func (*UnsignedRewrapRequest_WithPolicyRequest) Descriptor() ([]byte, []int)
Deprecated: Use UnsignedRewrapRequest_WithPolicyRequest.ProtoReflect.Descriptor instead.
func (*UnsignedRewrapRequest_WithPolicyRequest) GetAlgorithm ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicyRequest) GetAlgorithm() string
func (*UnsignedRewrapRequest_WithPolicyRequest) GetKeyAccessObjects ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicyRequest) GetKeyAccessObjects() []*UnsignedRewrapRequest_WithKeyAccessObject
func (*UnsignedRewrapRequest_WithPolicyRequest) GetPolicy ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicyRequest) GetPolicy() *UnsignedRewrapRequest_WithPolicy
func (*UnsignedRewrapRequest_WithPolicyRequest) ProtoMessage ¶ added in v0.2.23
func (*UnsignedRewrapRequest_WithPolicyRequest) ProtoMessage()
func (*UnsignedRewrapRequest_WithPolicyRequest) ProtoReflect ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicyRequest) ProtoReflect() protoreflect.Message
func (*UnsignedRewrapRequest_WithPolicyRequest) Reset ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicyRequest) Reset()
func (*UnsignedRewrapRequest_WithPolicyRequest) String ¶ added in v0.2.23
func (x *UnsignedRewrapRequest_WithPolicyRequest) String() string