trust

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 27, 2025 License: BSD-3-Clause-Clear Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type DelegatingKeyService 

type DelegatingKeyService struct {
	// contains filtered or unexported fields
}

DelegatingKeyService is a key service that multiplexes between key managers based on the key's mode.

func NewDelegatingKeyService 

func NewDelegatingKeyService(index KeyIndex, l *logger.Logger, c *cache.Cache) *DelegatingKeyService

func (*DelegatingKeyService) Close 

func (d *DelegatingKeyService) Close()

func (*DelegatingKeyService) Decrypt 

func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ProtectedKey, error)

func (*DelegatingKeyService) DeriveKey 

func (d *DelegatingKeyService) DeriveKey(ctx context.Context, keyID KeyIdentifier, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ProtectedKey, error)

func (*DelegatingKeyService) FindKeyByAlgorithm 

func (d *DelegatingKeyService) FindKeyByAlgorithm(ctx context.Context, algorithm string, includeLegacy bool) (KeyDetails, error)

Implementing KeyIndex methods

func (*DelegatingKeyService) FindKeyByID 

func (d *DelegatingKeyService) FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDetails, error)

func (*DelegatingKeyService) GenerateECSessionKey 

func (d *DelegatingKeyService) GenerateECSessionKey(ctx context.Context, ephemeralPublicKey string) (Encapsulator, error)

func (*DelegatingKeyService) ListKeys 

func (d *DelegatingKeyService) ListKeys(ctx context.Context) ([]KeyDetails, error)

func (*DelegatingKeyService) ListKeysWith added in v0.9.0 

func (d *DelegatingKeyService) ListKeysWith(ctx context.Context, opts ListKeyOptions) ([]KeyDetails, error)

func (*DelegatingKeyService) Name 

func (d *DelegatingKeyService) Name() string

Implementing KeyManager methods

func (*DelegatingKeyService) RegisterKeyManager 

func (d *DelegatingKeyService) RegisterKeyManager(name string, factory KeyManagerFactory)

func (*DelegatingKeyService) SetDefaultMode added in v0.5.5 

func (d *DelegatingKeyService) SetDefaultMode(name string)

type Encapsulator 

type Encapsulator interface {
	// Encrypt wraps a secret key with the encapsulation key
	Encrypt(data []byte) ([]byte, error)

	// PublicKeyInPemFormat Returns public key in pem format, or the empty string if not present
	PublicKeyInPemFormat() (string, error)

	// For EC schemes, this method returns the public part of the ephemeral key.
	// Otherwise, it returns nil.
	EphemeralKey() []byte
}

type KeyDetails 

type KeyDetails interface {
	// ID returns the unique identifier for the key
	ID() KeyIdentifier

	// Algorithm returns the algorithm used by the key
	Algorithm() ocrypto.KeyType

	// IsLegacy returns true if this is a legacy key that should only be used for decryption
	IsLegacy() bool

	// ExportPrivateKey exports the private key in the specified format
	// Returns error if key is not exportable
	ExportPrivateKey(ctx context.Context) (*PrivateKey, error)

	// ExportPublicKey exports the public key in the specified format
	ExportPublicKey(ctx context.Context, format KeyType) (string, error)

	// ExportCertificate exports the certificate associated with the key, if available
	ExportCertificate(ctx context.Context) (string, error)

	// Gets the mode indicator for the key; this is used to lookup the appropriate KeyManager.
	System() string

	// Get the provider configutaiton for the key
	ProviderConfig() *policy.KeyProviderConfig
}

KeyDetails provides information about a specific key

type KeyIdentifier 

type KeyIdentifier string

KeyIdentifier uniquely identifies a key

type KeyIndex 

type KeyIndex interface {
	// FindKeyByAlgorithm returns a key for the specified algorithm
	// If includeLegacy is true, legacy keys will be included in the search
	FindKeyByAlgorithm(ctx context.Context, algorithm string, includeLegacy bool) (KeyDetails, error)

	// FindKeyByID returns a key with the specified ID
	FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDetails, error)

	// ListKeys returns all available keys
	ListKeys(ctx context.Context) ([]KeyDetails, error)

	// List keys with options
	ListKeysWith(ctx context.Context, opts ListKeyOptions) ([]KeyDetails, error)
}

KeyIndex provides methods to locate keys by various criteria

type KeyManager 

type KeyManager interface {
	// Name is a unique identifier for the key manager.
	// This can be used by the KeyDetail.System() method to determine which KeyManager to use,
	// when multiple KeyManagers are installed.
	Name() string

	// Decrypt decrypts data that was encrypted with the key identified by keyID
	// For EC keys, ephemeralPublicKey must be non-nil
	// For RSA keys, ephemeralPublicKey should be nil
	// Returns an UnwrappedKeyData interface for further operations
	Decrypt(ctx context.Context, key KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (ProtectedKey, error)

	// DeriveKey computes an agreed upon secret key, which NanoTDF may directly as the DEK or a key split
	DeriveKey(ctx context.Context, key KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ProtectedKey, error)

	// GenerateECSessionKey generates a private session key, for use with a client-provided ephemeral public key
	GenerateECSessionKey(ctx context.Context, ephemeralPublicKey string) (Encapsulator, error)

	// Close releases any resources held by the provider
	Close()
}

KeyManager combines key lookup functionality with cryptographic operations

type KeyManagerFactory 

type KeyManagerFactory func(opts *KeyManagerFactoryOptions) (KeyManager, error)

KeyManagerFactory defines the signature for functions that can create KeyManager instances.

type KeyManagerFactoryOptions added in v0.7.0 

type KeyManagerFactoryOptions struct {
	Logger *logger.Logger
	Cache  *cache.Cache
}

type KeyService 

type KeyService interface {
	KeyIndex
	KeyManager
}

Helper interface for unified key management objects

type KeyType 

type KeyType int

KeyType represents the format in which a key can be exported 

const (
	// KeyTypeJWK represents a key in JWK format
	KeyTypeJWK KeyType = iota
	// KeyTypePKCS8 represents a key in PKCS8 format
	KeyTypePKCS8
)

type ListKeyOptions added in v0.9.0 

type ListKeyOptions struct {
	LegacyOnly bool
}

Key Options to pass into ListKeysWith when filtering keys

type NamedKeyManagerFactory added in v0.7.0 

type NamedKeyManagerFactory struct {
	Name    string
	Factory KeyManagerFactory
}

NamedKeyManagerFactory pairs a KeyManagerFactory with its intended registration name.

type PrivateKey added in v0.5.5 

type PrivateKey struct {
	// Key ID of the Key used to wrap the private key
	WrappingKeyID KeyIdentifier
	// Wrapped Key is the encrypted private key
	WrappedKey string
}

type ProtectedKey 

type ProtectedKey interface {
	// VerifyBinding checks if the policy binding matches the given policy data
	VerifyBinding(ctx context.Context, policy, binding []byte) error

	// Export returns the raw key data, optionally encrypting it with the provided encryptor
	Export(encryptor Encapsulator) ([]byte, error)

	// Used to decrypt encrypted policies and metadata
	DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)
}

ProtectedKey represents a decrypted key with operations that can be performed on it

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.