Documentation
¶
Index ¶
- type DelegatingKeyService
- func (d *DelegatingKeyService) Close()
- func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, ciphertext []byte, ...) (ProtectedKey, error)
- func (d *DelegatingKeyService) DeriveKey(ctx context.Context, keyID KeyIdentifier, ephemeralPublicKeyBytes []byte, ...) (ProtectedKey, error)
- func (d *DelegatingKeyService) FindKeyByAlgorithm(ctx context.Context, algorithm string, includeLegacy bool) (KeyDetails, error)
- func (d *DelegatingKeyService) FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDetails, error)
- func (d *DelegatingKeyService) GenerateECSessionKey(ctx context.Context, ephemeralPublicKey string) (Encapsulator, error)
- func (d *DelegatingKeyService) ListKeys(ctx context.Context) ([]KeyDetails, error)
- func (d *DelegatingKeyService) Name() string
- func (d *DelegatingKeyService) RegisterKeyManager(name string, factory KeyManagerFactory)
- func (d *DelegatingKeyService) SetDefaultMode(name string)
- type Encapsulator
- type KeyDetails
- type KeyIdentifier
- type KeyIndex
- type KeyManager
- type KeyManagerFactory
- type KeyManagerFactoryOptions
- type KeyService
- type KeyType
- type NamedKeyManagerFactory
- type PrivateKey
- type ProtectedKey
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DelegatingKeyService ¶
type DelegatingKeyService struct {
// contains filtered or unexported fields
}
DelegatingKeyService is a key service that multiplexes between key managers based on the key's mode.
func NewDelegatingKeyService ¶
func (*DelegatingKeyService) Close ¶
func (d *DelegatingKeyService) Close()
func (*DelegatingKeyService) Decrypt ¶
func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ProtectedKey, error)
func (*DelegatingKeyService) DeriveKey ¶
func (d *DelegatingKeyService) DeriveKey(ctx context.Context, keyID KeyIdentifier, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ProtectedKey, error)
func (*DelegatingKeyService) FindKeyByAlgorithm ¶
func (d *DelegatingKeyService) FindKeyByAlgorithm(ctx context.Context, algorithm string, includeLegacy bool) (KeyDetails, error)
Implementing KeyIndex methods
func (*DelegatingKeyService) FindKeyByID ¶
func (d *DelegatingKeyService) FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDetails, error)
func (*DelegatingKeyService) GenerateECSessionKey ¶
func (d *DelegatingKeyService) GenerateECSessionKey(ctx context.Context, ephemeralPublicKey string) (Encapsulator, error)
func (*DelegatingKeyService) ListKeys ¶
func (d *DelegatingKeyService) ListKeys(ctx context.Context) ([]KeyDetails, error)
func (*DelegatingKeyService) Name ¶
func (d *DelegatingKeyService) Name() string
Implementing KeyManager methods
func (*DelegatingKeyService) RegisterKeyManager ¶
func (d *DelegatingKeyService) RegisterKeyManager(name string, factory KeyManagerFactory)
func (*DelegatingKeyService) SetDefaultMode ¶ added in v0.5.5
func (d *DelegatingKeyService) SetDefaultMode(name string)
type Encapsulator ¶
type Encapsulator interface {
// Encrypt wraps a secret key with the encapsulation key
Encrypt(data []byte) ([]byte, error)
// PublicKeyInPemFormat Returns public key in pem format, or the empty string if not present
PublicKeyInPemFormat() (string, error)
// For EC schemes, this method returns the public part of the ephemeral key.
// Otherwise, it returns nil.
EphemeralKey() []byte
}
type KeyDetails ¶
type KeyDetails interface {
// ID returns the unique identifier for the key
ID() KeyIdentifier
// Algorithm returns the algorithm used by the key
Algorithm() string
// IsLegacy returns true if this is a legacy key that should only be used for decryption
IsLegacy() bool
// ExportPrivateKey exports the private key in the specified format
// Returns error if key is not exportable
ExportPrivateKey(ctx context.Context) (*PrivateKey, error)
// ExportPublicKey exports the public key in the specified format
ExportPublicKey(ctx context.Context, format KeyType) (string, error)
// ExportCertificate exports the certificate associated with the key, if available
ExportCertificate(ctx context.Context) (string, error)
// Gets the mode indicator for the key; this is used to lookup the appropriate KeyManager.
System() string
// Get the provider configutaiton for the key
ProviderConfig() *policy.KeyProviderConfig
}
KeyDetails provides information about a specific key
type KeyIndex ¶
type KeyIndex interface {
// FindKeyByAlgorithm returns a key for the specified algorithm
// If includeLegacy is true, legacy keys will be included in the search
FindKeyByAlgorithm(ctx context.Context, algorithm string, includeLegacy bool) (KeyDetails, error)
// FindKeyByID returns a key with the specified ID
FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDetails, error)
// ListKeys returns all available keys
ListKeys(ctx context.Context) ([]KeyDetails, error)
}
KeyIndex provides methods to locate keys by various criteria
type KeyManager ¶
type KeyManager interface {
// Name is a unique identifier for the key manager.
// This can be used by the KeyDetail.System() method to determine which KeyManager to use,
// when multiple KeyManagers are installed.
Name() string
// Decrypt decrypts data that was encrypted with the key identified by keyID
// For EC keys, ephemeralPublicKey must be non-nil
// For RSA keys, ephemeralPublicKey should be nil
// Returns an UnwrappedKeyData interface for further operations
Decrypt(ctx context.Context, key KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ProtectedKey, error)
// DeriveKey computes an agreed upon secret key, which NanoTDF may directly as the DEK or a key split
DeriveKey(ctx context.Context, key KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ProtectedKey, error)
// GenerateECSessionKey generates a private session key, for use with a client-provided ephemeral public key
GenerateECSessionKey(ctx context.Context, ephemeralPublicKey string) (Encapsulator, error)
// Close releases any resources held by the provider
Close()
}
KeyManager combines key lookup functionality with cryptographic operations
type KeyManagerFactory ¶
type KeyManagerFactory func(opts *KeyManagerFactoryOptions) (KeyManager, error)
KeyManagerFactory defines the signature for functions that can create KeyManager instances.
type KeyManagerFactoryOptions ¶ added in v0.7.0
type KeyService ¶
type KeyService interface {
KeyIndex
KeyManager
}
Helper interface for unified key management objects
type NamedKeyManagerFactory ¶ added in v0.7.0
type NamedKeyManagerFactory struct {
Name string
Factory KeyManagerFactory
}
NamedKeyManagerFactory pairs a KeyManagerFactory with its intended registration name.
type PrivateKey ¶ added in v0.5.5
type PrivateKey struct {
// Key ID of the Key used to wrap the private key
WrappingKeyID KeyIdentifier
// Wrapped Key is the encrypted private key
WrappedKey string
}
type ProtectedKey ¶
type ProtectedKey interface {
// VerifyBinding checks if the policy binding matches the given policy data
VerifyBinding(ctx context.Context, policy, binding []byte) error
// Export returns the raw key data, optionally encrypting it with the provided encryptor
Export(encryptor Encapsulator) ([]byte, error)
// Used to decrypt encrypted policies and metadata
DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)
}
ProtectedKey represents a decrypted key with operations that can be performed on it
Source Files
Click to show internal directories.
Click to hide internal directories.