Index ¶
- Constants
- func NewSecurityProviderAdapter(cryptoProvider *StandardCrypto, defaultKeys, legacyKeys []string) trust.KeyService
- func TDFSalt() []byte
- type BasicManager
- func (b *BasicManager) Close()
- func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ...) (ocrypto.ProtectedKey, error)
- func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetails, ...) (ocrypto.ProtectedKey, error)
- func (b *BasicManager) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (ocrypto.Encapsulator, error)
- func (b *BasicManager) Name() string
- type Config
- type Error
- type InProcessProvider
- func (a *InProcessProvider) Close()
- func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ...) (ocrypto.ProtectedKey, error)
- func (a *InProcessProvider) DeriveKey(_ context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, ...) (ocrypto.ProtectedKey, error)
- func (a *InProcessProvider) FindKeyByAlgorithm(_ context.Context, algorithm string, legacy bool) (trust.KeyDetails, error)
- func (a *InProcessProvider) FindKeyByID(_ context.Context, id trust.KeyIdentifier) (trust.KeyDetails, error)
- func (a *InProcessProvider) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (trust.Encapsulator, error)
- func (a *InProcessProvider) ListKeys(ctx context.Context) ([]trust.KeyDetails, error)
- func (a *InProcessProvider) ListKeysWith(ctx context.Context, opts trust.ListKeyOptions) ([]trust.KeyDetails, error)
- func (a *InProcessProvider) LogValue() slog.Value
- func (a *InProcessProvider) Name() string
- func (a *InProcessProvider) String() string
- func (a *InProcessProvider) WithLogger(logger *slog.Logger) *InProcessProvider
- type KeyDetailsAdapter
- func (k *KeyDetailsAdapter) Algorithm() ocrypto.KeyType
- func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error)
- func (k *KeyDetailsAdapter) ExportPrivateKey(_ context.Context) (*trust.PrivateKey, error)
- func (k *KeyDetailsAdapter) ExportPublicKey(_ context.Context, format trust.KeyType) (string, error)
- func (k *KeyDetailsAdapter) ID() trust.KeyIdentifier
- func (k *KeyDetailsAdapter) IsLegacy() bool
- func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig
- func (k *KeyDetailsAdapter) System() string
- type KeyPairInfo
- type OCEncapsulator
- type StandardConfig
- type StandardCrypto
- func (s StandardCrypto) Close()
- func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, ciphertext []byte, ...) (ocrypto.ProtectedKey, error)
- func (s StandardCrypto) ECCertificate(kid string) (string, error)
- func (s *StandardCrypto) ECDecrypt(ctx context.Context, keyID string, ephemeralPublicKey, ciphertext []byte) (ocrypto.ProtectedKey, error)
- func (s StandardCrypto) ECPublicKey(kid string) (string, error)
- func (s StandardCrypto) FindKID(alg string) string
- func (s StandardCrypto) ListKIDsByAlgorithm(alg string) ([]string, error)
- func (s StandardCrypto) RSADecrypt(_ crypto.Hash, kid string, _ string, ciphertext []byte) ([]byte, error)
- func (s StandardCrypto) RSAPublicKey(kid string) (string, error)
- func (s StandardCrypto) RSAPublicKeyAsJSON(kid string) (string, error)
- type StandardECCrypto
- type StandardKeyInfo
- type StandardRSACrypto
Constants ¶
const (
	// AlgorithmECP256R1 selects key agreement along P-256.
	AlgorithmECP256R1 = "ec:secp256r1"
	// AlgorithmECP384R1 selects key agreement along P-384.
	AlgorithmECP384R1 = "ec:secp384r1"
	// AlgorithmECP521R1 selects key agreement along P-521.
	AlgorithmECP521R1 = "ec:secp521r1"
	// AlgorithmRSA2048 and AlgorithmRSA4096 are used for encryption of the KAO
	// with an RSA key of the corresponding modulus size.
	AlgorithmRSA2048 = "rsa:2048"
	AlgorithmRSA4096 = "rsa:4096"
)
// Sentinel errors returned by this package. Error has a string underlying
// type, so these values are comparable and can be matched with errors.Is.
// They carry no context of their own; wrap them with %w at the call site.
const (
	// ErrCertNotFound: the requested certificate was not found.
	ErrCertNotFound = Error("not found")
	// ErrNoKeys: no keys were found.
	ErrNoKeys = Error("keys not found")
	// ErrKeyPairInfoNotFound: no KeyPairInfo entry was found.
	ErrKeyPairInfoNotFound = Error("key pair info not found")
	// ErrKeyPairInfoMalformed: a KeyPairInfo entry could not be used as given.
	ErrKeyPairInfoMalformed = Error("key pair info malformed")
	// ErrCertificateEncode: a certificate could not be encoded.
	ErrCertificateEncode = Error("certificate encode error")
	// ErrPublicKeyMarshal: a public key could not be marshalled.
	ErrPublicKeyMarshal = Error("public key marshal error")
	// ErrHSMUnexpected: an unexpected HSM condition.
	ErrHSMUnexpected = Error("hsm unexpected")
	// ErrHSMDecrypt: an HSM decrypt operation failed.
	ErrHSMDecrypt = Error("hsm decrypt error")
	// ErrHSMNotFound: the HSM is unavailable.
	ErrHSMNotFound = Error("hsm unavailable")
	// ErrKeyConfig: the key configuration is invalid.
	ErrKeyConfig = Error("key configuration error")
	// ErrUnknownHashFunction: the requested hash function is not recognised.
	ErrUnknownHashFunction = Error("unknown hash function")
)
const (
	// BasicManagerName is the unique identifier for the BasicManager
	// (presumably the value returned by its Name method — confirm in the source).
	BasicManagerName = "opentdf.io/basic"
)
Functions ¶
func NewSecurityProviderAdapter ¶ added in v0.5.3
func NewSecurityProviderAdapter(cryptoProvider *StandardCrypto, defaultKeys, legacyKeys []string) trust.KeyService
NewSecurityProviderAdapter creates a new adapter that implements SecurityProvider on top of a CryptoProvider. The defaultKeys and legacyKeys arguments list the key identifiers that the adapter treats as default and legacy keys respectively.
Types ¶
type BasicManager ¶ added in v0.5.5
// BasicManager is the key manager identified by BasicManagerName; it is
// constructed with NewBasicManager and exposes Close, Decrypt, DeriveKey,
// GenerateECSessionKey and Name.
type BasicManager struct {
	// contains filtered or unexported fields
}
func NewBasicManager ¶ added in v0.5.5
func (*BasicManager) Close ¶ added in v0.5.5
func (b *BasicManager) Close()
func (*BasicManager) Decrypt ¶ added in v0.5.5
func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error)
func (*BasicManager) DeriveKey ¶ added in v0.5.5
func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ocrypto.ProtectedKey, error)
func (*BasicManager) GenerateECSessionKey ¶ added in v0.5.5
func (b *BasicManager) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (ocrypto.Encapsulator, error)
func (*BasicManager) Name ¶ added in v0.5.5
func (b *BasicManager) Name() string
type Config ¶
// Config is the top-level key provider configuration.
type Config struct {
	// Type selects which key provider implementation is used.
	// NOTE(review): the accepted values are not shown here — confirm against NewCryptoProvider.
	Type string `mapstructure:"type" json:"type"`
	// StandardConfig is the configuration for the standard key provider.
	StandardConfig StandardConfig `mapstructure:"standard" json:"standard"`
}
type InProcessProvider ¶ added in v0.5.3
type InProcessProvider struct {
// contains filtered or unexported fields
}
InProcessProvider adapts a CryptoProvider to the SecurityProvider interface.
func (*InProcessProvider) Close ¶ added in v0.5.3
func (a *InProcessProvider) Close()
Close releases any resources held by the provider.
func (*InProcessProvider) Decrypt ¶ added in v0.5.3
func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error)
Decrypt implements the unified decryption method for both RSA and EC keys.
func (*InProcessProvider) DeriveKey ¶ added in v0.5.3
func (a *InProcessProvider) DeriveKey(_ context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ocrypto.ProtectedKey, error)
DeriveKey computes an ECDH shared secret and derives an AES key via HKDF.
func (*InProcessProvider) FindKeyByAlgorithm ¶ added in v0.5.3
func (a *InProcessProvider) FindKeyByAlgorithm(_ context.Context, algorithm string, legacy bool) (trust.KeyDetails, error)
FindKeyByAlgorithm finds a key by algorithm using the underlying CryptoProvider. When legacy is false it returns only default keys; when legacy is true it returns the first legacy key found that matches the algorithm.
func (*InProcessProvider) FindKeyByID ¶ added in v0.5.3
func (a *InProcessProvider) FindKeyByID(_ context.Context, id trust.KeyIdentifier) (trust.KeyDetails, error)
FindKeyByID finds a key by its KeyIdentifier.
func (*InProcessProvider) GenerateECSessionKey ¶ added in v0.5.3
func (a *InProcessProvider) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (trust.Encapsulator, error)
GenerateECSessionKey generates a session key for ECDH-based response encryption.
func (*InProcessProvider) ListKeys ¶ added in v0.5.3
func (a *InProcessProvider) ListKeys(ctx context.Context) ([]trust.KeyDetails, error)
ListKeys lists all available keys.
func (*InProcessProvider) ListKeysWith ¶ added in v0.9.0
func (a *InProcessProvider) ListKeysWith(ctx context.Context, opts trust.ListKeyOptions) ([]trust.KeyDetails, error)
func (*InProcessProvider) LogValue ¶ added in v0.11.5
func (a *InProcessProvider) LogValue() slog.Value
LogValue implements slog.LogValuer so the provider can be logged as a structured slog value.
func (*InProcessProvider) Name ¶ added in v0.5.3
func (a *InProcessProvider) Name() string
Name returns the name of the provider.
func (*InProcessProvider) String ¶ added in v0.11.5
func (a *InProcessProvider) String() string
String implements fmt.Stringer so that default formatting of the provider uses our String() method.
func (*InProcessProvider) WithLogger ¶ added in v0.5.3
func (a *InProcessProvider) WithLogger(logger *slog.Logger) *InProcessProvider
WithLogger sets the logger for the adapter and returns the adapter for chaining.
type KeyDetailsAdapter ¶ added in v0.5.3
type KeyDetailsAdapter struct {
// contains filtered or unexported fields
}
KeyDetailsAdapter adapts a CryptoProvider key to the KeyDetails interface.
func (*KeyDetailsAdapter) Algorithm ¶ added in v0.5.3
func (k *KeyDetailsAdapter) Algorithm() ocrypto.KeyType
func (*KeyDetailsAdapter) ExportCertificate ¶ added in v0.5.3
func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error)
func (*KeyDetailsAdapter) ExportPrivateKey ¶ added in v0.5.5
func (k *KeyDetailsAdapter) ExportPrivateKey(_ context.Context) (*trust.PrivateKey, error)
func (*KeyDetailsAdapter) ExportPublicKey ¶ added in v0.5.3
func (*KeyDetailsAdapter) ID ¶ added in v0.5.3
func (k *KeyDetailsAdapter) ID() trust.KeyIdentifier
func (*KeyDetailsAdapter) IsLegacy ¶ added in v0.5.3
func (k *KeyDetailsAdapter) IsLegacy() bool
func (*KeyDetailsAdapter) ProviderConfig ¶ added in v0.7.0
func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig
func (*KeyDetailsAdapter) System ¶ added in v0.5.3
func (k *KeyDetailsAdapter) System() string
System returns the system (mode) of the key details.
type KeyPairInfo ¶ added in v0.4.7
// KeyPairInfo describes one configured key pair: its algorithm, identifier,
// private-key locator and the optional certificate, usage and purpose.
type KeyPairInfo struct {
	// Algorithm is the valid algorithm of the pair (presumably one of the
	// Algorithm* constants). It may be derivable from Private but it is
	// better to just say it.
	Algorithm string `mapstructure:"alg" json:"alg"`
	// KID is the key identifier. Should be short.
	KID string `mapstructure:"kid" json:"kid"`
	// Private is the implementation-specific locator for the private key;
	// for the 'standard' crypto service this is the path to a PEM file.
	// NOTE(review): this locator resolves to private key material — the file
	// should be readable only by the service; confirm against deployment guidance.
	Private string `mapstructure:"private" json:"private"`
	// Certificate is an optional locator for the corresponding certificate.
	// If not found, only the public key (derivable from Private) is available.
	Certificate string `mapstructure:"cert" json:"cert"`
	// Usage is an optional enumeration of the intended usages of the key pair.
	Usage string `mapstructure:"usage" json:"usage"`
	// Purpose is an optional long-form description of the key pair,
	// including purpose and life-cycle information.
	Purpose string `mapstructure:"purpose" json:"purpose"`
}
type OCEncapsulator ¶ added in v0.10.0
// OCEncapsulator wraps an ocrypto.PublicKeyEncryptor and adds the Encapsulate
// and PublicKeyAsPEM methods, presumably so the value can be returned as the
// Encapsulator from GenerateECSessionKey — confirm in the source.
type OCEncapsulator struct {
	ocrypto.PublicKeyEncryptor
}
func (*OCEncapsulator) Encapsulate ¶ added in v0.10.0
func (e *OCEncapsulator) Encapsulate(dek ocrypto.ProtectedKey) ([]byte, error)
func (*OCEncapsulator) PublicKeyAsPEM ¶ added in v0.10.0
func (e *OCEncapsulator) PublicKeyAsPEM() (string, error)
type StandardConfig ¶
// StandardConfig configures the standard key provider; see KeyPairInfo for
// how each key pair is described.
type StandardConfig struct {
	// Keys lists the configured key pairs.
	Keys []KeyPairInfo `mapstructure:"keys" json:"keys"`
	// Deprecated: configure key pairs via Keys instead.
	RSAKeys map[string]StandardKeyInfo `mapstructure:"rsa,omitempty" json:"rsa,omitempty"`
	// Deprecated: configure key pairs via Keys instead.
	ECKeys map[string]StandardKeyInfo `mapstructure:"ec,omitempty" json:"ec,omitempty"`
}
func (StandardConfig) IsEmpty ¶ added in v0.5.3
func (sc StandardConfig) IsEmpty() bool
type StandardCrypto ¶
// StandardCrypto is the in-process crypto provider constructed by
// NewCryptoProvider or NewStandardCrypto.
type StandardCrypto struct {
	// contains filtered or unexported fields
}
func NewCryptoProvider ¶
func NewCryptoProvider(cfg Config) (*StandardCrypto, error)
func NewStandardCrypto ¶
func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error)
NewStandardCrypto creates a new instance of standard crypto from the given StandardConfig.
func (StandardCrypto) Close ¶
func (s StandardCrypto) Close()
func (*StandardCrypto) Decrypt ¶ added in v0.5.3
func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ocrypto.ProtectedKey, error)
Decrypt implements the SecurityProvider Decrypt method.
func (StandardCrypto) ECCertificate ¶ added in v0.4.4
func (s StandardCrypto) ECCertificate(kid string) (string, error)
func (*StandardCrypto) ECDecrypt ¶ added in v0.4.39
func (s *StandardCrypto) ECDecrypt(ctx context.Context, keyID string, ephemeralPublicKey, ciphertext []byte) (ocrypto.ProtectedKey, error)
ECDecrypt uses hybrid ECIES to decrypt the data.
func (StandardCrypto) ECPublicKey ¶
func (s StandardCrypto) ECPublicKey(kid string) (string, error)
ECPublicKey exports the EC public key identified by kid as a PEM-encoded PKIX public key.
func (StandardCrypto) FindKID ¶ added in v0.4.7
func (s StandardCrypto) FindKID(alg string) string
func (StandardCrypto) ListKIDsByAlgorithm ¶ added in v0.5.3
func (s StandardCrypto) ListKIDsByAlgorithm(alg string) ([]string, error)
ListKIDsByAlgorithm returns a list of key identifiers for the specified algorithm. It returns an error if no keys of the requested algorithm are found.
func (StandardCrypto) RSADecrypt ¶
func (StandardCrypto) RSAPublicKey ¶
func (s StandardCrypto) RSAPublicKey(kid string) (string, error)
func (StandardCrypto) RSAPublicKeyAsJSON ¶
func (s StandardCrypto) RSAPublicKeyAsJSON(kid string) (string, error)
type StandardECCrypto ¶
// StandardECCrypto pairs a KeyPairInfo with the unexported EC key state
// held by the standard provider.
type StandardECCrypto struct {
	KeyPairInfo
	// contains filtered or unexported fields
}
type StandardKeyInfo ¶
type StandardRSACrypto ¶
// StandardRSACrypto pairs a KeyPairInfo with the unexported RSA key state
// held by the standard provider.
type StandardRSACrypto struct {
	KeyPairInfo
	// contains filtered or unexported fields
}