security

package
v0.17.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 11, 2026 License: BSD-3-Clause-Clear Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// Key agreement along P-256
	AlgorithmECP256R1 = "ec:secp256r1"
	// Key agreement along P-384
	AlgorithmECP384R1 = "ec:secp384r1"
	// Key agreement along P-521
	AlgorithmECP521R1 = "ec:secp521r1"

	// Used for encryption with RSA of the KAO
	AlgorithmRSA2048 = "rsa:2048"
	AlgorithmRSA4096 = "rsa:4096"

	// Used for hybrid X-Wing wrapping of the KAO
	AlgorithmHPQTXWing = "hpqt:xwing"

	// Used for hybrid NIST EC + ML-KEM wrapping of the KAO
	AlgorithmHPQTSecp256r1MLKEM768  = "hpqt:secp256r1-mlkem768"
	AlgorithmHPQTSecp384r1MLKEM1024 = "hpqt:secp384r1-mlkem1024"
)
View Source 
const (
	ErrCertNotFound         = Error("not found")
	ErrNoKeys               = Error("keys not found")
	ErrKeyPairInfoNotFound  = Error("key pair info not found")
	ErrKeyPairInfoMalformed = Error("key pair info malformed")
	ErrCertificateEncode    = Error("certificate encode error")
	ErrPublicKeyMarshal     = Error("public key marshal error")
	ErrHSMUnexpected        = Error("hsm unexpected")
	ErrHSMDecrypt           = Error("hsm decrypt error")
	ErrHSMNotFound          = Error("hsm unavailable")
	ErrKeyConfig            = Error("key configuration error")
	ErrUnknownHashFunction  = Error("unknown hash function")
)
View Source 
const (
	// BasicManagerName is the unique identifier for the BasicManager.
	BasicManagerName = "opentdf.io/basic"
)

Variables

View Source 
var BasicManagerSupportedAlgorithms = []ocrypto.KeyType{
	ocrypto.RSA2048Key,
	ocrypto.RSA4096Key,
	ocrypto.EC256Key,
	ocrypto.EC384Key,
	ocrypto.EC521Key,
	ocrypto.HybridXWingKey,
	ocrypto.HybridSecp256r1MLKEM768Key,
	ocrypto.HybridSecp384r1MLKEM1024Key,
}

BasicManagerSupportedAlgorithms is the canonical set of algorithms the BasicManager knows how to serve when a key has been provisioned. Keep in sync with the switch in Decrypt.

View Source 
var InProcessSupportedAlgorithms = []ocrypto.KeyType{
	ocrypto.RSA2048Key,
	ocrypto.RSA4096Key,
	ocrypto.EC256Key,
	ocrypto.HybridXWingKey,
	ocrypto.HybridSecp256r1MLKEM768Key,
	ocrypto.HybridSecp384r1MLKEM1024Key,
}

InProcessSupportedAlgorithms is the canonical set of algorithms the InProcessProvider knows how to serve when a corresponding key is loaded. Keep in sync with the switch in Decrypt.

Functions

func NewSecurityProviderAdapter added in v0.5.3 

func NewSecurityProviderAdapter(cryptoProvider *StandardCrypto, defaultKeys, legacyKeys []string) trust.KeyService

NewSecurityProviderAdapter creates a new adapter that implements SecurityProvider using a CryptoProvider

func TDFSalt added in v0.5.3 

func TDFSalt() []byte

Types

type BasicManager added in v0.5.5 

type BasicManager struct {
	// contains filtered or unexported fields
}

func NewBasicManager added in v0.5.5 

func NewBasicManager(logger *logger.Logger, c *cache.Cache, rootKey string) (*BasicManager, error)

func (*BasicManager) Close added in v0.5.5 

func (b *BasicManager) Close()

func (*BasicManager) Decrypt added in v0.5.5 

func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error)

func (*BasicManager) DeriveKey added in v0.5.5 

func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ocrypto.ProtectedKey, error)

func (*BasicManager) GenerateECSessionKey added in v0.5.5 

func (b *BasicManager) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (ocrypto.Encapsulator, error)

func (*BasicManager) Name added in v0.5.5 

func (b *BasicManager) Name() string

type Config 

type Config struct {
	Type string `mapstructure:"type" json:"type"`
	// StandardConfig is the configuration for the standard key provider
	StandardConfig StandardConfig `mapstructure:"standard" json:"standard"`
}

func (Config) IsEmpty added in v0.5.3 

func (c Config) IsEmpty() bool

type Error 

type Error string

func (Error) Error 

func (e Error) Error() string

type InProcessProvider added in v0.5.3 

type InProcessProvider struct {
	// contains filtered or unexported fields
}

InProcessProvider adapts a CryptoProvider to the SecurityProvider interface

func (*InProcessProvider) Close added in v0.5.3 

func (a *InProcessProvider) Close()

Close releases any resources held by the provider

func (*InProcessProvider) Decrypt added in v0.5.3 

func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error)

Decrypt implements the unified decryption method for both RSA and EC

func (*InProcessProvider) DeriveKey added in v0.5.3 

func (a *InProcessProvider) DeriveKey(_ context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ocrypto.ProtectedKey, error)

DeriveKey computes an ECDH shared secret and derives an AES key via HKDF.

func (*InProcessProvider) FindKeyByAlgorithm added in v0.5.3 

func (a *InProcessProvider) FindKeyByAlgorithm(_ context.Context, algorithm string, legacy bool) (trust.KeyDetails, error)

FindKeyByAlgorithm finds a key by algorithm using the underlying CryptoProvider. This will only return default keys if legacy is false. If legacy is true, it will return the first legacy key found that matches the algorithm.

func (*InProcessProvider) FindKeyByID added in v0.5.3 

func (a *InProcessProvider) FindKeyByID(_ context.Context, id trust.KeyIdentifier) (trust.KeyDetails, error)

FindKeyByID finds a key by ID

func (*InProcessProvider) GenerateECSessionKey added in v0.5.3 

func (a *InProcessProvider) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (ocrypto.Encapsulator, error)

GenerateECSessionKey generates a session key for ECDH-based response encryption.

func (*InProcessProvider) ListKeys added in v0.5.3 

func (a *InProcessProvider) ListKeys(ctx context.Context) ([]trust.KeyDetails, error)

ListKeys lists all available keys

func (*InProcessProvider) ListKeysWith added in v0.9.0 

func (a *InProcessProvider) ListKeysWith(ctx context.Context, opts trust.ListKeyOptions) ([]trust.KeyDetails, error)

func (*InProcessProvider) LogValue added in v0.11.5 

func (a *InProcessProvider) LogValue() slog.Value

Implement slog.LogValuer for slog logging.

func (*InProcessProvider) Name added in v0.5.3 

func (a *InProcessProvider) Name() string

Name returns the name of the provider

func (*InProcessProvider) String added in v0.11.5 

func (a *InProcessProvider) String() string

Implement fmt.Stringer so Index's default to our String() method

func (*InProcessProvider) WithLogger added in v0.5.3 

func (a *InProcessProvider) WithLogger(logger *slog.Logger) *InProcessProvider

WithLogger sets the logger for the adapter

type KeyDetailsAdapter added in v0.5.3 

type KeyDetailsAdapter struct {
	// contains filtered or unexported fields
}

KeyDetailsAdapter adapts CryptoProvider to KeyDetails

func (*KeyDetailsAdapter) Algorithm added in v0.5.3 

func (k *KeyDetailsAdapter) Algorithm() ocrypto.KeyType

func (*KeyDetailsAdapter) ExportCertificate added in v0.5.3 

func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error)

func (*KeyDetailsAdapter) ExportPrivateKey added in v0.5.5 

func (k *KeyDetailsAdapter) ExportPrivateKey(_ context.Context) (*trust.PrivateKey, error)

func (*KeyDetailsAdapter) ExportPublicKey added in v0.5.3 

func (k *KeyDetailsAdapter) ExportPublicKey(_ context.Context, format trust.KeyType) (string, error)

func (*KeyDetailsAdapter) ID added in v0.5.3 

func (k *KeyDetailsAdapter) ID() trust.KeyIdentifier

func (*KeyDetailsAdapter) IsLegacy added in v0.5.3 

func (k *KeyDetailsAdapter) IsLegacy() bool

func (*KeyDetailsAdapter) ProviderConfig added in v0.7.0 

func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig

func (*KeyDetailsAdapter) System added in v0.5.3 

func (k *KeyDetailsAdapter) System() string

Mode returns the mode of the key details

type KeyPairInfo added in v0.4.7 

type KeyPairInfo struct {
	// Valid algorithm. May be able to be derived from Private but it is better to just say it.
	Algorithm string `mapstructure:"alg" json:"alg"`
	// Key identifier. Should be short
	KID string `mapstructure:"kid" json:"kid"`
	// Implementation specific locator for private key;
	// for 'standard' crypto service this is the path to a PEM file
	Private string `mapstructure:"private" json:"private"`
	// Optional locator for the corresponding certificate.
	// If not found, only public key (derivable from Private) is available.
	Certificate string `mapstructure:"cert" json:"cert"`
	// Optional enumeration of intended usages of keypair
	Usage string `mapstructure:"usage" json:"usage"`
	// Optional long form description of key pair including purpose and life cycle information
	Purpose string `mapstructure:"purpose" json:"purpose"`
}

type OCEncapsulator added in v0.10.0 

type OCEncapsulator struct {
	ocrypto.PublicKeyEncryptor
}

func (*OCEncapsulator) Encapsulate added in v0.10.0 

func (e *OCEncapsulator) Encapsulate(dek ocrypto.ProtectedKey) ([]byte, error)

func (*OCEncapsulator) PublicKeyAsPEM added in v0.10.0 

func (e *OCEncapsulator) PublicKeyAsPEM() (string, error)

type StandardConfig 

type StandardConfig struct {
	Keys []KeyPairInfo `mapstructure:"keys" json:"keys"`
	// Deprecated
	RSAKeys map[string]StandardKeyInfo `mapstructure:"rsa,omitempty" json:"rsa,omitempty"`
	// Deprecated
	ECKeys map[string]StandardKeyInfo `mapstructure:"ec,omitempty" json:"ec,omitempty"`
}

func (StandardConfig) IsEmpty added in v0.5.3 

func (sc StandardConfig) IsEmpty() bool

type StandardCrypto 

type StandardCrypto struct {
	// contains filtered or unexported fields
}

func NewCryptoProvider 

func NewCryptoProvider(cfg Config) (*StandardCrypto, error)

func NewStandardCrypto 

func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error)

NewStandardCrypto Create a new instance of standard crypto

func (StandardCrypto) Close 

func (s StandardCrypto) Close()

func (*StandardCrypto) Decrypt added in v0.5.3 

func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error)

Decrypt implements the SecurityProvider Decrypt method

func (StandardCrypto) ECCertificate added in v0.4.4 

func (s StandardCrypto) ECCertificate(kid string) (string, error)

func (*StandardCrypto) ECDecrypt added in v0.4.39 

func (s *StandardCrypto) ECDecrypt(ctx context.Context, keyID string, ephemeralPublicKey, ciphertext []byte) (ocrypto.ProtectedKey, error)

ECDecrypt uses hybrid ECIES to decrypt the data.

func (StandardCrypto) ECPublicKey 

func (s StandardCrypto) ECPublicKey(kid string) (string, error)

Exports the EC public key with kid as a pem encode pkix

func (StandardCrypto) FindKID added in v0.4.7 

func (s StandardCrypto) FindKID(alg string) string

func (StandardCrypto) HybridPublicKey added in v0.16.0 

func (s StandardCrypto) HybridPublicKey(kid string) (string, error)

func (StandardCrypto) ListKIDsByAlgorithm added in v0.5.3 

func (s StandardCrypto) ListKIDsByAlgorithm(alg string) ([]string, error)

ListKIDsByAlgorithm returns a list of key identifiers for the specified algorithm Errors if no keys are found of the requested algorithm.

func (StandardCrypto) RSADecrypt 

func (s StandardCrypto) RSADecrypt(_ crypto.Hash, kid string, _ string, ciphertext []byte) ([]byte, error)

func (StandardCrypto) RSAPublicKey 

func (s StandardCrypto) RSAPublicKey(kid string) (string, error)

func (StandardCrypto) RSAPublicKeyAsJSON 

func (s StandardCrypto) RSAPublicKeyAsJSON(kid string) (string, error)

func (StandardCrypto) XWingPublicKey added in v0.16.0 

func (s StandardCrypto) XWingPublicKey(kid string) (string, error)

type StandardECCrypto 

type StandardECCrypto struct {
	KeyPairInfo
	// contains filtered or unexported fields
}

type StandardHybridCrypto added in v0.16.0 

type StandardHybridCrypto struct {
	KeyPairInfo
	// contains filtered or unexported fields
}

type StandardKeyInfo 

type StandardKeyInfo struct {
	PrivateKeyPath string `mapstructure:"private_key_path" json:"private_key_path"`
	PublicKeyPath  string `mapstructure:"public_key_path" json:"public_key_path"`
}

type StandardRSACrypto 

type StandardRSACrypto struct {
	KeyPairInfo
	// contains filtered or unexported fields
}

type StandardXWingCrypto added in v0.16.0 

type StandardXWingCrypto struct {
	KeyPairInfo
	// contains filtered or unexported fields
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.